High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 9786–phpok3w | A vulnerability was identified in 9786 phpok3w up to 901d96a06809fb28b17f3a4362c59e70411c933c. Impacted is an unknown function of the file show.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 7.3 | CVE-2025-15142 | VDB-338520 \| 9786 phpok3w show.php sql injection VDB-338520 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715574 \| phpok3w 1.0 SQL Injection https://gitee.com/9786/phpok3w/issues/IDD1IZ |
| Alteryx–Server | A vulnerability was found in Alteryx Server. Affected by this issue is some unknown functionality of the file /gallery/api/status/. Performing manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. Upgrading to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 and 2025.1.1.1.31 can resolve this issue. Upgrading the affected component is recommended. | 2025-12-26 | 7.3 | CVE-2025-15097 | VDB-338428 \| Alteryx Server status improper authentication VDB-338428 \| CTI Indicators (IOB, IOC, IOA) Submit #710169 \| Alteryx Alteryx Server 2020/2021/2022/2023/2024/2025 Authentication Bypass Issues https://ict-strypes.eu/wp-content/uploads/2025/12/Alteryx-Second-Research.pdf https://gist.github.com/apostolovd/f84631eed2f0c0e83e2e174b1480f08c https://help.alteryx.com/release-notes/en/release-notes/server-release-notes/server-2025-1-release-notes.html |
| Anviz Biometric Technology Co., Ltd.–Anviz AIM CrossChex Standard | Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like ‘Name’, ‘Gender’, or ‘Position’ to trigger Excel macro execution when importing user data. | 2025-12-24 | 9.8 | CVE-2018-25135 | ExploitDB-45765 Anviz Biometric Technology Product Homepage Zero Science Lab Disclosure (ZSL-2018-5498) |
| beaverbuilder–Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the ‘duplicate_wpml_layout’ function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated. | 2025-12-23 | 8.1 | CVE-2025-12934 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc2db74d-61b9-498a-a0d8-e43466b06f37?source=cve https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-builder-model.php#L181 https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-builder-model.php#L5490 https://plugins.trac.wordpress.org/changeset/3425646/beaver-builder-lite-version/trunk |
| Beward R&D Co., Ltd–N100 H.264 VGA IP Camera | Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the ‘READ.filePath’ parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths. | 2025-12-24 | 8.8 | CVE-2019-25246 | ExploitDB-46320 Beward Product Homepage Zero Science Lab Disclosure (ZSL-2019-5511) |
| Beward–N100 H.264 VGA IP Camera | Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera’s RTSP stream by exploiting the lack of authentication in the video access mechanism. | 2025-12-24 | 7.5 | CVE-2019-25248 | ExploitDB-46317 Beward Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5509) |
| Centreon–Infra Monitoring – Open-tickets | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Centreon Infra Monitoring – Open-tickets (Notification rules configuration parameters, Open tickets modules) allows SQL Injection by a user with elevated privileges. This issue affects Infra Monitoring – Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | 2025-12-22 | 7.2 | CVE-2025-12514 | https://github.com/centreon/centreon/releases |
| CMSimple–CMSimple | CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection. | 2025-12-23 | 7.2 | CVE-2021-47732 | ExploitDB-49751 Official CMSimple Vendor Homepage VulnCheck Advisory: CMSimple 5.2 Stored Cross-Site Scripting via Filebrowser External Input |
| Cmsimple–Cmsimple | CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token. | 2025-12-23 | 8.8 | CVE-2021-47735 | ExploitDB-50356 Official CMSimple Homepage VulnCheck Advisory: CMSimple 5.4 Authenticated Remote Code Execution via Template Editing |
| Cmsimple-Xh–CMSimple_XH | CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server. | 2025-12-23 | 8.8 | CVE-2021-47736 | ExploitDB-50367 Official Vendor Homepage VulnCheck Advisory: CMSimple_XH 1.7.4 Authenticated Remote Code Execution via Content Editing |
| Cobiansoft–Cobian Backup Gravity | Cobian Backup Gravity 11.2.0.582 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the CobianBackup11 service to inject malicious code that would execute with LocalSystem privileges during service startup. | 2025-12-22 | 8.4 | CVE-2022-50688 | ExploitDB-50791 Cobian Backup Official Vendor Homepage VulnCheck Advisory: Cobian Backup Gravity 11.2.0.582 Unquoted Service Path Privilege Escalation |
| code-projects–Online Farm System | A vulnerability was identified in code-projects Online Farm System 1.0. Affected is an unknown function of the file /addProduct.php. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-12-23 | 7.3 | CVE-2025-15049 | VDB-337854 \| code-projects Online Farm System addProduct.php sql injection VDB-337854 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721001 \| code-projects Online Farm System V1.0 SQL Injection https://github.com/xiaotsai/tttt/issues/1 https://code-projects.org/ |
| code-projects–Refugee Food Management System | A vulnerability was determined in code-projects Refugee Food Management System 1.0. The affected element is an unknown function of the file /home/home.php. This manipulation of the argument a causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-22 | 7.3 | CVE-2025-15012 | VDB-337718 \| code-projects Refugee Food Management System home.php sql injection VDB-337718 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #719788 \| Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr17/issues/2 https://code-projects.org/ |
| code-projects–Simple Stock System | A vulnerability was found in code-projects Simple Stock System 1.0. Impacted is an unknown function of the file /logout.php. The manipulation of the argument uname results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-12-22 | 7.3 | CVE-2025-15011 | VDB-337717 \| code-projects Simple Stock System logout.php sql injection VDB-337717 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #719663 \| Code-projects Simple Stock System v1.0 SQL Injection https://github.com/chunmingshanan/CVE/issues/1 https://code-projects.org/ |
| code-projects–Student Information System | A flaw has been found in code-projects Student Information System 1.0. This issue affects some unknown processing of the file /searchresults.php. Executing manipulation of the argument searchbox can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. | 2025-12-24 | 7.3 | CVE-2025-15053 | VDB-337859 \| code-projects Student Information System searchresults.php sql injection VDB-337859 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #720796 \| Fabian Ros Student Information System In PHP With Source Code November 2, 2025 SQL Injection https://github.com/i4G5d/CRITICAL-SEVERITY-VULNERABILITY-REPORT-Widespread-SQLI https://code-projects.org/ |
| CodexThemes–TheGem Theme Elements (for Elementor) | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in CodexThemes TheGem Theme Elements (for Elementor). This issue affects TheGem Theme Elements (for Elementor): from n/a through 5.10.5.1. | 2025-12-23 | 7.5 | CVE-2025-68560 | https://vdp.patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-10-5-1-local-file-inclusion-vulnerability?_s_id=cve |
| D-Link–DSL-124 Wireless N300 ADSL2+ | D-Link DSL-124 ME_1.00 contains a configuration file disclosure vulnerability that allows unauthenticated attackers to retrieve router settings through a POST request. Attackers can send a specific POST request to the router’s configuration endpoint to download a complete backup file containing sensitive network credentials and system configurations. | 2025-12-22 | 7.5 | CVE-2023-53974 | ExploitDB-51129 D-Link Official Homepage D-Link MEA Product Details Page VulnCheck Advisory: D-Link DSL-124 ME_1.00 Backup Configuration File Disclosure via Unauthenticated Request |
| DB Elettronica Telecomunicazioni SpA–Screen SFT DAB 600/C | Screen SFT DAB 600/C Firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to remove user accounts without proper authentication. | 2025-12-22 | 9.8 | CVE-2023-53968 | ExploitDB-51457 DB Elettronica Telecomunicazioni Official Website SFT DAB Series Product Page Zero Science Lab Disclosure (ZSL-2022-5773) VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Erase Account |
| DB Elettronica Telecomunicazioni SpA–Screen SFT DAB 600/C | Screen SFT DAB 600/C firmware 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without requiring the current credentials. Attackers can exploit the userManager.cgx API endpoint by sending a crafted POST request with a new MD5-hashed password to directly modify the admin account’s authentication. | 2025-12-22 | 7.5 | CVE-2023-53967 | ExploitDB-51458 DB Elettronica Telecomunicazioni SpA Homepage SFT DAB Series Product Page Zero Science Lab Disclosure (ZSL-2022-5774) VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Admin Password Change |
| DB Elettronica Telecomunicazioni SpA–Screen SFT DAB 600/C | Screen SFT DAB 600/C firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to change user passwords without proper authentication. | 2025-12-22 | 7.5 | CVE-2023-53969 | ExploitDB-51456 DB Elettronica Telecomunicazioni Official Website SFT DAB Series Product Page Zero Science Lab Disclosure (ZSL-2022-5772) VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Password Change |
| DB Elettronica Telecomunicazioni SpA–Screen SFT DAB 600/C | Screen SFT DAB 600/C Firmware 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP-bound session identifiers. Attackers can exploit the vulnerable deviceManagement API endpoint to reset device configurations by sending crafted POST requests with manipulated session parameters. | 2025-12-22 | 7.5 | CVE-2023-53970 | ExploitDB-51459 DB Elettronica Telecomunicazioni Product Homepage SFT DAB Series Product Page Zero Science Lab Disclosure (ZSL-2022-5775) VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Reset Board Config |
| devolo AG–dLAN 550 duo+ Starter Kit | devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters. | 2025-12-24 | 9.8 | CVE-2019-25249 | ExploitDB-46325 Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2019-5508) |
| Eaton–Eaton UPS Companion Software | Improper authentication of library files in the Eaton UPS Companion software installer could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center. | 2025-12-26 | 8.6 | CVE-2025-59887 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1026.pdf |
| Eaton–Eaton xComfort ECI | Improper input validation at one of the endpoints of Eaton xComfort ECI’s web interface could allow an attacker with network access to the device to execute privileged user commands. As cybersecurity standards continue to evolve and to meet our requirements today, Eaton has decided to discontinue the product. Upon retirement or end of support, there will be no new security updates, non-security updates, paid assisted support options, or online technical content updates. | 2025-12-23 | 8.8 | CVE-2025-59886 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1022.pdf |
| Eaton–UPS Companion software | Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package could perform arbitrary code execution. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center. | 2025-12-26 | 7.8 | CVE-2025-67450 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1027.pdf |
| Echo Call Center Services Trade and Industry Inc.–Specto CM | Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion. This issue affects Specto CM: before 17032025. | 2025-12-24 | 8.8 | CVE-2025-2155 | https://www.usom.gov.tr/bildirim/tr-25-0480 |
| Eclipse Foundation–BlueChi | A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise. | 2025-12-24 | 7.2 | CVE-2025-2515 | https://access.redhat.com/security/cve/CVE-2025-2515 RHBZ#2353313 https://github.com/eclipse-bluechi/bluechi/commit/fe0d28301ce2bd45f0b1d8a98a94efef799fbc73#diff-64140c83db42a8888f346a40de293b80f79ebf7d75ce4137b22567e360bce607 https://github.com/eclipse-bluechi/bluechi/issues/1069 https://github.com/eclipse-bluechi/bluechi/pull/1073 |
| Epic Games–Easy Anti-Cheat | Epic Games Easy Anti-Cheat 4.0 contains an unquoted service path vulnerability that allows local non-privileged users to execute arbitrary code with elevated system privileges. Attackers can exploit the service configuration by inserting malicious code in the system root path that would execute with LocalSystem privileges during application startup. | 2025-12-23 | 8.4 | CVE-2021-47739 | ExploitDB-49841 Epic Games Official Website Easy Anti-Cheat Official Website Zero Science Lab Disclosure (ZSL-2021-5652) VulnCheck Advisory: Epic Games Easy Anti-Cheat 4.0 Local Privilege Escalation via Unquoted Service Path |
| FantasticLBP–Hotels_Server | A security vulnerability has been detected in FantasticLBP Hotels_Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. Affected by this issue is some unknown functionality of the file /controller/api/Room.php. Such manipulation of the argument hotelId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 7.3 | CVE-2025-15127 | VDB-338505 \| FantasticLBP Hotels_Server Room.php sql injection VDB-338505 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #711809 \| Github Hotels_Server v1.0 SQL Injection https://github.com/liangmingpku/CVE/issues/1 |
| fedify-dev–fedify | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify’s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2. | 2025-12-22 | 7.5 | CVE-2025-68475 | https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93 https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779 https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a https://github.com/fedify-dev/fedify/releases/tag/1.6.13 https://github.com/fedify-dev/fedify/releases/tag/1.7.14 https://github.com/fedify-dev/fedify/releases/tag/1.8.15 https://github.com/fedify-dev/fedify/releases/tag/1.9.2 |
| FLIR Systems, Inc.–Brickstream 3D+ | FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can retrieve video stream images by directly accessing multiple image endpoints like middleImage.jpg, rightimage.jpg, and leftimage.jpg. | 2025-12-24 | 7.5 | CVE-2018-25136 | ExploitDB-45607 FLIR Brickstream Product Homepage Zero Science Lab Disclosure (ZSL-2018-5496) |
| FLIR Systems, Inc.–FLIR AX8 Thermal Camera | FLIR AX8 Thermal Camera 1.32.16 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly connect to the RTSP stream using tools like VLC or FFmpeg to view and record thermal camera footage. | 2025-12-24 | 7.5 | CVE-2018-25139 | ExploitDB-45606 FLIR Systems Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5492) |
| FLIR Systems, Inc.–FLIR Brickstream 3D+ | FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability in the ExportConfig REST API that allows attackers to download sensitive configuration files. Attackers can exploit the getConfigExportFile.cgi endpoint to retrieve system configurations, potentially enabling authentication bypass and privilege escalation. | 2025-12-24 | 7.5 | CVE-2018-25137 | ExploitDB-45599 FLIR Brickstream Product Homepage Zero Science Lab Disclosure (ZSL-2018-5495) |
| FLIR Systems, Inc.–Thermal Traffic Cameras | FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication. | 2025-12-24 | 7.5 | CVE-2018-25140 | ExploitDB-45539 FLIR Systems Official Website Zero Science Lab Disclosure (ZSL-2018-5490) |
| FLIR Systems–FLIR AX8 Thermal Camera | FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations. | 2025-12-24 | 7.5 | CVE-2018-25138 | ExploitDB-45629 FLIR Systems Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5494) |
| FLIR–FLIR Thermal Traffic Cameras | FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication. | 2025-12-24 | 7.5 | CVE-2018-25141 | ExploitDB-45537 FLIR Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2018-5489) |
| FluidSynth–fluidsynth | FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will not occur, when explicitly unloading a DLS file (before synth destruction), provided that at the time of unloading, no samples of the respective file are used by active voices. The problem will not occur in versions of FluidSynth that have been compiled without native DLS support. | 2025-12-23 | 7 | CVE-2025-68617 | https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-ffw2-xvvp-39ch https://github.com/FluidSynth/fluidsynth/issues/1717 https://github.com/FluidSynth/fluidsynth/issues/1728 https://github.com/FluidSynth/fluidsynth/commit/685e54cdc44911ace31774260bd0c9ec89887491 https://github.com/FluidSynth/fluidsynth/commit/962b9946b5cb6b16f0c08b89dd1b7016d4fce886 |
| FreyrSCADA–IEC-60870-5-104 | FreyrSCADA/IEC-60870-5-104 server v21.06.008 allows remote attackers to cause a denial of service by sending specific message sequences. | 2025-12-23 | 7.5 | CVE-2024-9684 | https://github.com/FreyrSCADA/IEC-60870-5-104/issues/6 https://drive.google.com/drive/folders/1pBPZR59d_rlixH7ZysUmmbOEZvjZV9g1 |
| Gitea–Gitea | Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. | 2025-12-26 | 8.2 | CVE-2025-68939 | https://blog.gitea.com/release-of-1.23.0/ https://github.com/go-gitea/gitea/releases/tag/v1.23.0 https://github.com/go-gitea/gitea/pull/32151 |
| GnuPG–GnuPG | In GnuPG through 2.4.8, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. | 2025-12-28 | 7.8 | CVE-2025-68973 | https://gpg.fail/memcpy https://news.ycombinator.com/item?id=46403200 https://www.openwall.com/lists/oss-security/2025/12/28/5 https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9 https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306 |
| Guangzhou V-SOLUTION Electronic Technology Co., Ltd.–SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with ‘user_role_mod’ set to integer value ‘1’ to elevate their privileges. | 2025-12-24 | 9.8 | CVE-2019-25237 | ExploitDB-47435 V-SOL Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5538) |
| Guangzhou V-SOLUTION Electronic Technology–GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access. | 2025-12-24 | 7.5 | CVE-2019-25239 | ExploitDB-47433 V-SOL Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5534) |
| Hasura–Hasura GraphQL | Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint. | 2025-12-22 | 7.5 | CVE-2021-47713 | ExploitDB-49789 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 Denial of Service via Malicious GraphQL Query |
| Hitachi–Hitachi Infrastructure Analytics Advisor | Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00. | 2025-12-24 | 8.2 | CVE-2025-66444 | https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-133/index.html |
| Hitachi–Hitachi Infrastructure Analytics Advisor | Authorization bypass vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00. | 2025-12-24 | 7.1 | CVE-2025-66445 | https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-133/index.html |
| Hotech Software Inc.–Otello | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Hotech Software Inc. Otello allows Stored XSS. This issue affects Otello: from 2.4.0 before 2.4.4. | 2025-12-23 | 7.3 | CVE-2025-13183 | https://www.usom.gov.tr/bildirim/tr-25-0476 |
| IBM–API Connect | IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. | 2025-12-26 | 9.8 | CVE-2025-13915 | https://www.ibm.com/support/pages/node/7255149 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. | 2025-12-26 | 7.8 | CVE-2025-12771 | https://www.ibm.com/support/pages/node/7255549 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link. | 2025-12-26 | 7.7 | CVE-2025-64645 | https://www.ibm.com/support/pages/node/7255549 |
| IdeaBox Creations–PowerPack Pro for Elementor | Missing Authorization vulnerability in IdeaBox Creations PowerPack Pro for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PowerPack Pro for Elementor: from n/a through 2.10.6. | 2025-12-23 | 7.5 | CVE-2024-24844 | https://vdp.patchstack.com/database/wordpress/plugin/powerpack-elements/vulnerability/wordpress-powerpack-pro-for-elementor-plugin-2-10-6-unauthenticated-plugin-settings-reset-vulnerability?_s_id=cve |
| InternLM–lmdeploy | LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim’s machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1. | 2025-12-26 | 8.8 | CVE-2025-67729 | https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee |
| iSeeQ–Hybrid DVR WH-H4 | iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication. | 2025-12-24 | 9.8 | CVE-2019-25236 | ExploitDB-47562 iSeeQ Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5539) |
| itsourcecode–Online Frozen Foods Ordering System | A vulnerability was determined in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /contact_us.php. This manipulation of the argument Name causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-24 | 7.3 | CVE-2025-15073 | VDB-338330 | itsourcecode Online Frozen Foods Ordering System contact_us.php sql injection VDB-338330 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721321 | itsourcecode Online Frozen Foods Ordering System v1.0 SQL Injection https://github.com/24ggee/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode–Online Frozen Foods Ordering System | A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. This vulnerability affects unknown code of the file /customer_details.php. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-12-25 | 7.3 | CVE-2025-15074 | VDB-338331 | itsourcecode Online Frozen Foods Ordering System customer_details.php sql injection VDB-338331 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721389 | itsourcecode Online Frozen Foods Ordering System v1.0 SQL Injection https://github.com/ttting888/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode–Student Management System | A security flaw has been discovered in itsourcecode Student Management System 1.0. This affects an unknown part of the file /record.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-12-23 | 7.3 | CVE-2025-15034 | VDB-337747 | itsourcecode Student Management System record.php sql injection VDB-337747 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #720615 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/29 https://itsourcecode.com/ |
| itsourcecode–Student Management System | A security flaw has been discovered in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /student_p.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-12-25 | 7.3 | CVE-2025-15075 | VDB-338332; itsourcecode Student Management System student_p.php sql injection VDB-338332; CTI Indicators (IOB, IOC, TTP, IOA) Submit #721406; itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/30 https://itsourcecode.com/ |
| itsourcecode–Student Management System | A security vulnerability has been detected in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /form137.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-12-25 | 7.3 | CVE-2025-15077 | VDB-338334; itsourcecode Student Management System form137.php sql injection VDB-338334; CTI Indicators (IOB, IOC, TTP, IOA) Submit #721484; itsourcecode Student Management System V1.0 SQL Injection https://github.com/BUPT424201/CVE/issues/2 https://itsourcecode.com/ |
| itsourcecode–Student Management System | A vulnerability was detected in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /list_report.php. The manipulation of the argument sy results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2025-12-25 | 7.3 | CVE-2025-15078 | VDB-338335; itsourcecode Student Management System list_report.php sql injection VDB-338335; CTI Indicators (IOB, IOC, TTP, IOA) Submit #721485; itsourcecode Student Management System V1.0 SQL Injection https://github.com/BUPT424201/CVE/issues/3 https://itsourcecode.com/ |
| iWT Ltd.–FaceSentry Access Control System | FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the ‘strInIP’ and ‘strInPort’ parameters. | 2025-12-24 | 8.8 | CVE-2019-25243 | ExploitDB-47064 Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5523) |
| iWT Ltd.–FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication. | 2025-12-24 | 7.5 | CVE-2019-25241 | ExploitDB-47067 Vendor Product Homepage Zero Science Lab Disclosure (ZSL-2019-5526) |
| jackq–XCMS | A flaw has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. This impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-27 | 7.3 | CVE-2025-15109 | VDB-338480; jackq XCMS upload.php unrestricted upload VDB-338480; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711696; XCMS 1.0 Unrestricted Upload https://gitee.com/jackq/XCMS/issues/IDC4ZT |
| kermitproject–C-Kermit | C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system. | 2025-12-24 | 8.9 | CVE-2025-68920 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025 https://github.com/KermitProject/ckermit/pull/20 https://www.kermitproject.org/ftp/kermit/test/tar/ https://www.complete.org/kermit/ |
| kiboit–PhastPress | The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path. | 2025-12-23 | 9.8 | CVE-2025-14388 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641 https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608 https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570 https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597 https://plugins.trac.wordpress.org/changeset/3418139 |
| KYOCERA Corporation–KYOCERA Net Admin | KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack. | 2025-12-24 | 7.5 | CVE-2019-25253 | ExploitDB-44430 Kyocera Official Website Zero Science Lab Disclosure (ZSL-2018-5459) |
| langchain-ai–langchain | LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain’s dumps() and dumpd() functions. The functions do not escape dictionaries with ‘lc’ keys when serializing free-form dictionaries. The ‘lc’ key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5. | 2025-12-23 | 9.3 | CVE-2025-68664 | https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm https://github.com/langchain-ai/langchain/pull/34455 https://github.com/langchain-ai/langchain/pull/34458 https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8 https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6 https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81 https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5 |
| langchain-ai–langchainjs | LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS’s toJSON() method (and subsequently when stringifying objects using JSON.stringify()). The method did not escape objects with ‘lc’ keys when serializing free-form data in kwargs. The ‘lc’ key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3. | 2025-12-23 | 8.6 | CVE-2025-68665 | https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6 https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62 https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8 https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3 |
| Leica Geosystems AG–GR10/GR25/GR30/GR50 GNSS | Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file that executes arbitrary JavaScript in a user’s browser session when viewed. | 2025-12-24 | 7.2 | CVE-2018-25131 | ExploitDB-46091 Leica Geosystems Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5503) |
| lemon8866–StreamVault | StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126. | 2025-12-26 | 10 | CVE-2025-66203 | https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m https://github.com/lemon8866/StreamVault/releases/tag/251226 |
| LogicalDOC Srl–LogicalDOC Enterprise | LogicalDOC Enterprise 7.7.4 contains multiple post-authentication file disclosure vulnerabilities that allow attackers to read arbitrary files through unverified ‘suffix’ and ‘fileVersion’ parameters. Attackers can exploit directory traversal techniques in /thumbnail and /convertpdf endpoints to access sensitive system files like win.ini and /etc/passwd by manipulating path traversal sequences. | 2025-12-24 | 7.5 | CVE-2019-25258 | ExploitDB-44019 LogicalDOC Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5450) |
| luiswang–WebTareas | WebTareas 2.4 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the chat photo upload functionality. Attackers can upload a PHP file with arbitrary code to the /files/Messages/ directory and execute it directly through the generated file path. | 2025-12-22 | 8.8 | CVE-2023-53971 | ExploitDB-51089 WebTareas Project Homepage VulnCheck Advisory: WebTareas 2.4 Authenticated Remote Code Execution via File Upload |
| luiswang–WebTareas | WebTareas 2.4 contains a SQL injection vulnerability in the webTareasSID cookie parameter that allows unauthenticated attackers to manipulate database queries. Attackers can exploit error-based and time-based blind SQL injection techniques to extract database information and potentially access sensitive system data. | 2025-12-22 | 7.5 | CVE-2023-53972 | ExploitDB-51087 WebTareas Project Homepage VulnCheck Advisory: WebTareas 2.4 Unauthenticated SQL Injection via Session Cookie Parameter |
| Mattermost–Mattermost | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555 | 2025-12-22 | 7.2 | CVE-2025-14273 | https://mattermost.com/security-updates |
| MegaSys Computer Technologies–Telenium Online Web Application | Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server. | 2025-12-24 | 9.8 | CVE-2025-8769 | https://megasys.com/support/ https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2024/icsa-24-263-04.json |
| Microhard Systems–Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak | Microhard Systems IPn4G 1.1.0 contains a service vulnerability that allows authenticated users to enable a restricted SSH shell with a default ‘msshc’ user. Attackers can exploit a custom ‘ping’ command in the NcFTP environment to escape the restricted shell and execute commands with root privileges. | 2025-12-24 | 8.8 | CVE-2018-25143 | ExploitDB-45041 Microhard Systems Product Homepage Zero Science Lab Disclosure (ZSL-2018-5486) |
| Microhard Systems–Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials | Microhard Systems IPn4G 1.1.0 contains hardcoded default credentials that cannot be changed through normal gateway operations. Attackers can exploit these default credentials to gain unauthorized root-level access to the device by logging in with predefined username and password combinations. | 2025-12-24 | 7.5 | CVE-2018-25147 | ExploitDB-45040 Microhard Systems Product Homepage Zero Science Lab Disclosure (ZSL-2018-5480) |
| Microhard Systems–Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit | Microhard Systems IPn4G 1.1.0 contains multiple authenticated remote code execution vulnerabilities in the admin interface that allow attackers to create crontab jobs and modify system startup scripts. Attackers can exploit hidden admin features to execute arbitrary commands with root privileges, including starting services, disabling firewalls, and writing files to the system. | 2025-12-24 | 8.8 | CVE-2018-25148 | ExploitDB-45038 Microhard Systems Product Web Page Zero Science Lab Disclosure (ZSL-2018-5479) |
| Mitsubishi Electric Europe–smartRTU | A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands. | 2025-12-24 | 7.5 | CVE-2025-3232 | https://emea.mitsubishielectric.com/fa/products/quality/quality-news-information https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-09 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-105-09.json |
| Mybb–MyBB | MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface. | 2025-12-22 | 8.8 | CVE-2023-53979 | ExploitDB-51213 Official MyBB Vendor Homepage Researcher Disclosure VulnCheck Advisory: MyBB 1.8.32 Authenticated Remote Code Execution via Chained Vulnerabilities |
| Keycloak–Keycloak | A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable. | 2025-12-23 | 7.5 | CVE-2025-11419 | RHSA-2025:18254 RHSA-2025:18255 RHSA-2025:18889 RHSA-2025:18890 https://access.redhat.com/security/cve/CVE-2025-11419 RHBZ#2402142 |
| PuneethReddyHC–PuneethReddyHC event-management 1.0 | Improper input handling in /Grocery/search_products_itname.php in PuneethReddyHC event-management 1.0 permits SQL injection via the sitem_name POST parameter. Crafted payloads can alter query logic and disclose database contents. Exploitation may result in sensitive data disclosure and backend compromise. | 2025-12-23 | 9.8 | CVE-2025-65354 | https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2 |
| n8n-io–n8n | n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: “[“n8n-nodes-base.code”]”, disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. | 2025-12-26 | 9.9 | CVE-2025-68668 | https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts. | 2025-12-26 | 7.3 | CVE-2025-61914 | https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3 |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This allows a workflow editor to perform actions on the n8n host with the same privileges as the n8n process, including: reading files from the host filesystem (subject to any file-access restrictions configured on the instance and OS/container permissions), and writing files to the host filesystem (subject to the same restrictions). This issue has been patched in version 2.0.0. Workarounds for this issue involve limiting file operations by setting N8N_RESTRICT_FILE_ACCESS_TO to a dedicated directory (e.g., ~/.n8n-files) and ensuring it contains no sensitive data, keeping N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true (default) to block access to .n8n and user-defined config files, and disabling high-risk nodes (including the Code node) using NODES_EXCLUDE if workflow editors are not fully trusted. | 2025-12-26 | 7.1 | CVE-2025-68697 | https://github.com/n8n-io/n8n/security/advisories/GHSA-j4p8-h8mh-rh8q |
| nanbingxyz–5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. In versions 0.15.2 and prior, an RCE vulnerability exists in useMarkdown.ts, where the markdown-it-mermaid plugin is initialized with securityLevel: ‘loose’. This configuration explicitly permits the rendering of HTML tags within Mermaid diagram nodes. This issue has not been patched at time of publication. | 2025-12-23 | 9.7 | CVE-2025-68669 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-5hpf-p8fw-j349 https://github.com/nanbingxyz/5ire/blob/c40d05a2b546094789fc727daa5383bb15034442/src/hooks/useMarkdown.ts#L156 https://github.com/nanbingxyz/5ire/releases/tag/v0.15.2 |
| nanomq–nanomq | NanoMQ MQTT Broker (NanoMQ) is an Edge Messaging Platform. Prior to version 0.24.2, there is a classic data race on the sub info list which could result in a heap use-after-free crash. This issue has been patched in version 0.24.2. | 2025-12-27 | 7.5 | CVE-2025-59946 | https://github.com/nanomq/nanomq/security/advisories/GHSA-xg37-23w7-72p5 https://github.com/nanomq/nanomq/issues/1863 |
| net-snmp–net-snmp | net-snmp is an SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to a net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2. | 2025-12-22 | 9.8 | CVE-2025-68615 | https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq |
| NetBT Consulting Services Inc.–e-Fatura | Unquoted Search Path or Element vulnerability in NetBT Consulting Services Inc. E-Fatura allows Leveraging/Manipulating Configuration File Search Paths, Redirect Access to Libraries. This issue affects e-Fatura: before 1.2.15. | 2025-12-22 | 7.3 | CVE-2025-14018 | https://www.usom.gov.tr/bildirim/tr-25-0474 |
| NovaRad Corporation–NovaPACS Diagnostics Viewer | NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack. | 2025-12-24 | 9.8 | CVE-2018-25142 | ExploitDB-45337 NovaRad Corporation Product Homepage Zero Science Lab Disclosure (ZSL-2018-5488) |
| NVIDIA–Isaac Launchable | NVIDIA Isaac Launchable contains a vulnerability where an attacker could exploit a hard-coded credential issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering. | 2025-12-23 | 9.8 | CVE-2025-33222 | https://nvd.nist.gov/vuln/detail/CVE-2025-33222 https://www.cve.org/CVERecord?id=CVE-2025-33222 https://nvidia.custhelp.com/app/answers/detail/a_id/5749 |
| NVIDIA–Isaac Launchable | NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering. | 2025-12-23 | 9.8 | CVE-2025-33223 | https://nvd.nist.gov/vuln/detail/CVE-2025-33223 https://www.cve.org/CVERecord?id=CVE-2025-33223 https://nvidia.custhelp.com/app/answers/detail/a_id/5749 |
| NVIDIA–Isaac Launchable | NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering. | 2025-12-23 | 9.8 | CVE-2025-33224 | https://nvd.nist.gov/vuln/detail/CVE-2025-33224 https://www.cve.org/CVERecord?id=CVE-2025-33224 https://nvidia.custhelp.com/app/answers/detail/a_id/5749 |
| OpenOps–OpenOps | OpenOps before 0.6.11 allows remote code execution in the Terraform block. | 2025-12-24 | 7.4 | CVE-2025-68922 | https://github.com/openops-cloud/openops/pull/1767 https://linear.app/openops/issue/OPS-3254 https://github.com/openops-cloud/openops/releases/tag/0.6.11 https://github.com/openops-cloud/openops/compare/0.6.10…0.6.11 |
| Orangescrum–orangescrum | Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim’s unique ID from the page source and replace their own session cookie to gain unauthorized access to another user’s account. | 2025-12-23 | 8.8 | CVE-2021-47721 | ExploitDB-50551 Official Product Homepage VulnCheck Advisory: Orangescrum 1.8.0 Authenticated Privilege Escalation via User Session Manipulation |
| Orangescrum–orangescrum | Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information. | 2025-12-23 | 7.1 | CVE-2021-47720 | ExploitDB-50553 Official Product Homepage VulnCheck Advisory: Orangescrum 1.8.0 Authenticated SQL Injection via Multiple Parameters |
| Pexip–Infinity | Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service. | 2025-12-25 | 8.2 | CVE-2025-59683 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip–Infinity | Pexip Infinity before 37.0 has improper input validation in signalling that allows a remote attacker to trigger a software abort via a crafted signalling message, resulting in a denial of service. | 2025-12-25 | 7.5 | CVE-2025-32095 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip–Infinity | Pexip Infinity 33.0 through 37.0 before 37.1 has improper input validation in signaling that allows an attacker to trigger a software abort, resulting in a denial of service. | 2025-12-25 | 7.5 | CVE-2025-32096 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip–Infinity | Pexip Infinity 35.0 through 37.2 before 38.0 has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a denial of service. | 2025-12-25 | 7.5 | CVE-2025-48704 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip–Infinity | Pexip Infinity before 39.0 has Missing Authentication for a Critical Function in a product-internal API, allowing an attacker (who already has access to execute code on one node within a Pexip Infinity installation) to impact the operation of other nodes within the installation. | 2025-12-25 | 7.5 | CVE-2025-66377 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip–Infinity | Pexip Infinity before 39.0 has Improper Input Validation in the media implementation, allowing a remote attacker to trigger a software abort via a crafted media stream, resulting in a denial of service. | 2025-12-25 | 7.5 | CVE-2025-66379 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip–Infinity | Pexip Infinity 35.0 through 38.1 before 39.0, in non-default configurations that use Direct Media for WebRTC, has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a temporary denial of service. | 2025-12-25 | 7.5 | CVE-2025-66443 | https://docs.pexip.com/admin/security_bulletins.htm |
| ProjectSend–projectSend | ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server. | 2025-12-22 | 9.8 | CVE-2023-53980 | ExploitDB-51238 Official Product Homepage VulnCheck Advisory: ProjectSend r1605 Remote Code Execution via File Extension Manipulation |
| Ragic–Enterprise Cloud Database | Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user. | 2025-12-22 | 9.8 | CVE-2025-15016 | https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html |
| Ragic–Enterprise Cloud Database | Enterprise Cloud Database developed by Ragic has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2025-12-22 | 7.5 | CVE-2025-15015 | https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html |
| Riello–NetMan | Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution. | 2025-12-24 | 9.1 | CVE-2025-68916 | https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025 |
| Rifatron Co., Ltd.–DVR | Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication. | 2025-12-24 | 9.8 | CVE-2019-25240 | ExploitDB-47368 Rifatron Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5532) |
| Ross Video Ltd.–DashBoard | Ross Video DashBoard 8.5.1 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files due to improper permission settings. Attackers can exploit the ‘M’ or ‘C’ flags for ‘Authenticated Users’ group to replace the DashBoard.exe binary with a malicious executable. | 2025-12-24 | 8.8 | CVE-2019-25245 | ExploitDB-46742 Ross Video Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5516) |
| Ruben Garcia–AutomatorWP | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Ruben Garcia AutomatorWP allows SQL Injection. This issue affects AutomatorWP: from n/a through 5.2.4. | 2025-12-23 | 7.6 | CVE-2025-68561 | https://vdp.patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve |
| saiftheboss7–onlinemcqexam | A vulnerability was found in saiftheboss7 onlinemcqexam up to 0e56806132971e49721db3ef01868098c7b42ada. This vulnerability affects unknown code of the file /admin/quesadd.php. Performing manipulation of the argument ans1/ans2 results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 7.3 | CVE-2025-15140 | VDB-338518; saiftheboss7 onlinemcqexam quesadd.php sql injection VDB-338518; CTI Indicators (IOB, IOC, TTP, IOA) Submit #715219; Github Online MCQ EXAM V1.0 SQL Injection Submit #715463; github.com An online MCQ Exam system v1.0 SQL Injection (Duplicate) https://github.com/Anti1i/cve/issues/4 |
| Sigb–PMB | PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized ‘id’ parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks. | 2025-12-23 | 8.2 | CVE-2023-53982 | ExploitDB-51197 Vendor Homepage Software Download Repository VulnCheck Advisory: PMB 7.4.6 SQL Injection Vulnerability via Unsanitized Storage Parameter |
| simstudioai–sim | A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue. | 2025-12-26 | 7.3 | CVE-2025-15099 | VDB-338430; simstudioai sim CRON Secret internal.ts improper authentication VDB-338430; CTI Indicators (IOB, IOC, IOA) Submit #710255; https://github.com/simstudioai https://github.com/simstudioai/sim ≤ v0.5.21 Authentication Bypass by Primary Weakness https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2 https://github.com/simstudioai/sim/pull/2343 https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce https://github.com/simstudioai/sim/commit/e359dc2946b12ed5e45a0ec9c95ecf91bd18502a |
| Smartwares–Smartwares HOME easy | Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Because access control is enforced only by client-side script, attackers can navigate directly to multiple administrative endpoints, bypass the client-side validation, and read sensitive system information. | 2025-12-24 | 9.8 | CVE-2019-25235 | ExploitDB-47595 Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5540) |
| SOCA Technology Co., Ltd–SOCA Access Control System | SOCA Access Control System 180612 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through unvalidated POST parameters. Attackers can bypass authentication, retrieve password hashes, and gain administrative access with full system privileges by exploiting injection flaws in Login.php and Card_Edit_GetJson.php. | 2025-12-24 | 8.2 | CVE-2018-25128 | ExploitDB-46833 SOCA Technology Product Homepage Zero Science Lab Disclosure (ZSL-2019-5519) |
| SOCA Technology Co., Ltd–SOCA Access Control System | SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like Get_Permissions_From_DB.php and Ac10_ReadSortCard. | 2025-12-24 | 7.5 | CVE-2018-25129 | ExploitDB-46832 SOCA Technology Product Homepage Zero Science Lab Disclosure (ZSL-2019-5517) |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without proper authentication. | 2025-12-22 | 9.8 | CVE-2023-53955 | ExploitDB-51169 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5723) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Authorization Bypass via Insecure Object References |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the ‘password’ parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the ‘password’ POST parameter to execute commands with web server privileges. | 2025-12-22 | 9.8 | CVE-2023-53963 | ExploitDB-51173 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5738) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Remote Command Injection |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the ‘index.php’ authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the ‘password’ POST parameter to bypass authentication and potentially gain unauthorized access to the system. | 2025-12-22 | 8.2 | CVE-2023-53960 | ExploitDB-51171 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5726) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x SQL Injection via Authentication Bypass |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated directory traversal vulnerability that allows remote attackers to write arbitrary files through the ‘upgfile’ parameter in upload.cgi. Attackers can exploit the vulnerability by sending crafted multipart form-data POST requests with directory traversal sequences to write files to unintended system locations. | 2025-12-22 | 7.5 | CVE-2023-53962 | ExploitDB-51172 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5730) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Directory Traversal File Write |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data to trigger a factory reset and bypass authentication, gaining full system control. | 2025-12-22 | 7.5 | CVE-2023-53964 | ExploitDB-51174 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5742) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Factory Reset Vulnerability |
| SOUND4 Ltd.–SOUND4 LinkAndShare Transmitter | SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to corrupt stack memory through a maliciously crafted environment variable. Attackers can place format string specifiers in the username environment variable to crash the application and potentially execute arbitrary code. | 2025-12-22 | 9.8 | CVE-2023-53966 | ExploitDB-51259 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5744) VulnCheck Advisory: SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow |
| SOUND4 Ltd.–SOUND4 Server Service | SOUND4 Server Service 4.1.102 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during service startup. | 2025-12-22 | 8.4 | CVE-2023-53965 | ExploitDB-51167 SOUND4 Official Website Zero Science Lab Disclosure (ZSL-2022-5721) VulnCheck Advisory: SOUND4 Server Service 4.1.102 Local Privilege Escalation via Unquoted Service Path |
| Synaccess Networks Inc.–netBooter NP-02x/NP-08x | Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing access control check by sending crafted POST requests to create administrative accounts and gain unauthorized control over power supply management. | 2025-12-24 | 9.8 | CVE-2018-25134 | ExploitDB-45920 Vendor Product Homepage Zero Science Lab Disclosure (ZSL-2018-5500) |
| Tenda–CH22 | A weakness has been identified in Tenda CH22 1.0.0.1. Impacted is an unknown function of the file /public/. Executing manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-25 | 7.3 | CVE-2025-15076 | VDB-338333 | Tenda CH22 public path traversal VDB-338333 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721411 | Tenda CH22 V1.0.0.1 Authentication Bypass Issues https://github.com/master-abc/cve/blob/main/Tenda%20CH22%20V1.0.0.1%20Router%20Authentication%20Bypass%20Vulnerability%20in%20R7WebsSecurityHandler%20function.md https://www.tenda.com.cn/ |
| Tenda–WH450 | A weakness has been identified in Tenda WH450 1.0.0.18. Affected by this vulnerability is an unknown functionality of the file /goform/CheckTools of the component HTTP Request Handler. This manipulation of the argument ipaddress causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-12-22 | 9.8 | CVE-2025-15006 | VDB-337712 | Tenda WH450 HTTP Request CheckTools stack-based overflow VDB-337712 | CTI Indicators (IOB, IOC, IOA) Submit #719315 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/CheckTools/CheckTools.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/CheckTools/CheckTools.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A security vulnerability has been detected in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/L7Im of the component HTTP Request Handler. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-12-22 | 9.8 | CVE-2025-15007 | VDB-337713 | Tenda WH450 HTTP Request L7Im stack-based overflow VDB-337713 | CTI Indicators (IOB, IOC, IOA) Submit #719316 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Im/L7Im.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Im/L7Im.md#poc https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability has been found in Tenda WH450 1.0.0.18. This issue affects some unknown processing of the file /goform/SafeUrlFilter. The manipulation of the argument page leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-12-22 | 9.8 | CVE-2025-15010 | VDB-337716 | Tenda WH450 SafeUrlFilter stack-based overflow VDB-337716 | CTI Indicators (IOB, IOC, IOA) Submit #719219 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeUrlFilter/SafeUrlFilter.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeUrlFilter/SafeUrlFilter.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was detected in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/NatStaticSetting. The manipulation of the argument page results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. | 2025-12-23 | 9.8 | CVE-2025-15044 | VDB-337849 | Tenda WH450 NatStaticSetting stack-based overflow VDB-337849 | CTI Indicators (IOB, IOC, IOA) Submit #720856 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/NatStaticSetting/NatStaticSetting.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/NatStaticSetting/NatStaticSetting.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A flaw has been found in Tenda WH450 1.0.0.18. The affected element is an unknown function of the file /goform/Natlimit of the component HTTP Request Handler. This manipulation of the argument page causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-12-23 | 9.8 | CVE-2025-15045 | VDB-337850 | Tenda WH450 HTTP Request Natlimit stack-based overflow VDB-337850 | CTI Indicators (IOB, IOC, IOA) Submit #720882 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/Natlimit/Natlimit.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/Natlimit/Natlimit.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability has been found in Tenda WH450 1.0.0.18. The impacted element is an unknown function of the file /goform/PPTPClient of the component HTTP Request Handler. Such manipulation of the argument netmsk leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-12-23 | 9.8 | CVE-2025-15046 | VDB-337851 | Tenda WH450 HTTP Request PPTPClient stack-based overflow VDB-337851 | CTI Indicators (IOB, IOC, IOA) Submit #720883 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPClient/PPTPClient.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPClient/PPTPClient.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was found in Tenda WH450 1.0.0.18. This affects an unknown function of the file /goform/PPTPDClient of the component HTTP Request Handler. Performing manipulation of the argument Username results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. | 2025-12-23 | 9.8 | CVE-2025-15047 | VDB-337852 | Tenda WH450 HTTP Request PPTPDClient stack-based overflow VDB-337852 | CTI Indicators (IOB, IOC, IOA) Submit #720884 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPDClient/PPTPDClient.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPDClient/PPTPDClient.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was detected in Tenda WH450 1.0.0.18. This affects an unknown part of the file /goform/L7Port of the component HTTP Request Handler. Performing manipulation of the argument page results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-12-22 | 7.3 | CVE-2025-15008 | VDB-337714 | Tenda WH450 HTTP Request L7Port stack-based overflow VDB-337714 | CTI Indicators (IOB, IOC, IOA) Submit #719317 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Prot/L7Prot.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Prot/L7Prot.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was determined in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/CheckTools of the component HTTP Request Handler. Executing manipulation of the argument ipaddress can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-23 | 7.3 | CVE-2025-15048 | VDB-337853 | Tenda WH450 HTTP Request CheckTools command injection VDB-337853 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #720885 | Tenda WH450 V1.0.0.18 Command Injection https://github.com/z472421519/BinaryAudit/blob/main/PoC/CMD/Tenda_WH450/CheckTools/CheckTools.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/CMD/Tenda_WH450/CheckTools/CheckTools.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability has been found in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/PPTPServer. Such manipulation of the argument ip1 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-28 | 7.2 | CVE-2025-15160 | VDB-338535 | Tenda WH450 PPTPServer stack-based overflow VDB-338535 | CTI Indicators (IOB, IOC, IOA) Submit #720886 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPServer/PPTPServer.md https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was found in Tenda WH450 1.0.0.18. Affected is an unknown function of the file /goform/PPTPUserSetting. Performing manipulation of the argument delno results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-12-28 | 7.2 | CVE-2025-15161 | VDB-338536 | Tenda WH450 PPTPUserSetting stack-based overflow VDB-338536 | CTI Indicators (IOB, IOC, IOA) Submit #720887 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPUserSetting/PPTPUserSetting.md https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was determined in Tenda WH450 1.0.0.18. Affected by this vulnerability is an unknown functionality of the file /goform/RouteStatic. Executing manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-28 | 7.2 | CVE-2025-15162 | VDB-338537 | Tenda WH450 RouteStatic stack-based overflow VDB-338537 | CTI Indicators (IOB, IOC, IOA) Submit #721210 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/RouteStatic/RouteStatic.md https://www.tenda.com.cn/ |
| The GNU Project \| Free Software Foundation, Inc.–GNU Barcode | GNU Barcode 0.99 contains a buffer overflow vulnerability in its code 93 encoding process that allows attackers to trigger memory corruption. Attackers can exploit boundary errors during input file processing to potentially execute arbitrary code on the affected system. | 2025-12-24 | 9.8 | CVE-2018-25154 | ExploitDB-44797 GNU Barcode Official Product Page FSF Directory Entry for Barcode |
| The GNU Project \| Free Software Foundation, Inc.–GNU Barcode | GNU Barcode 0.99 contains a memory leak vulnerability in the command line processing function within cmdline.c. Attackers can exploit this vulnerability by providing specially crafted input that causes unfreed memory allocations, potentially leading to denial of service conditions. | 2025-12-24 | 7.5 | CVE-2018-25153 | ExploitDB-44798 GNU Barcode Product Homepage FSF Directory Entry for Barcode |
| thedigicraft–Atom CMS | Atom CMS 2.0 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries through unvalidated parameters. Attackers can inject malicious SQL code in the ‘id’ parameter of the admin index page to execute time-based blind SQL injection attacks. | 2025-12-22 | 8.2 | CVE-2023-53975 | ExploitDB-51086 Atom CMS GitHub Repository VulnCheck Advisory: Atom CMS 2.0 Unauthenticated SQL Injection via Admin Index Page |
| Thembay–Diza | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.15. | 2025-12-23 | 7.5 | CVE-2025-68544 | https://vdp.patchstack.com/database/wordpress/theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability?_s_id=cve |
| Thembay–Nika | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through 1.2.14. | 2025-12-23 | 7.5 | CVE-2025-68546 | https://vdp.patchstack.com/database/wordpress/theme/nika/vulnerability/wordpress-nika-theme-1-2-14-local-file-inclusion-vulnerability?_s_id=cve |
| thibaud-rohmer–PhotoShow | PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a crafted video upload process. | 2025-12-22 | 7.2 | CVE-2023-53981 | ExploitDB-51236 Researcher Disclosure Software Repository VulnCheck Advisory: PhotoShow 3.0 Remote Code Execution via Exiftran Path Injection |
| TRENDnet–TEW-800MB | A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 8.8 | CVE-2025-15136 | VDB-338514 | TRENDnet TEW-800MB Management wizardset do_setWizard_asp command injection VDB-338514 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #714042 | TRENDnet TEW-800mb v1.0.1.0 Command Injection https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0 |
| TRENDnet–TEW-800MB | A vulnerability was detected in TRENDnet TEW-800MB 1.0.1.0. Affected by this vulnerability is the function sub_F934 of the file NTPSyncWithHost.cgi. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 8.8 | CVE-2025-15137 | VDB-338515 | TRENDnet TEW-800MB NTPSyncWithHost.cgi sub_F934 command injection VDB-338515 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #714241 | TRENDnet TEW-800mb v1.0.1.0 Command Injection https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-NTP-2c7e5dd4c5a580f999adcaff2c31978b |
| tychesoftwares–Print Invoice & Delivery Notes for WooCommerce | The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the ‘WooCommerce_Delivery_Notes::update’ function. This is due to missing capability check in the ‘WooCommerce_Delivery_Notes::update’ function, PHP enabled in Dompdf, and missing escape in the ‘template.php’ file. This makes it possible for unauthenticated attackers to execute code on the server. | 2025-12-24 | 9.8 | CVE-2025-13773 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347 https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473 https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36 https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37 https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52 |
| UTT–进取 512W | A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-12-25 | 8.8 | CVE-2025-15089 | VDB-338418 | UTT 进取 512W APSecurity strcpy buffer overflow VDB-338418 | CTI Indicators (IOB, IOC, IOA) Submit #708348 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/14.md https://github.com/cymiao1978/cve/blob/main/new/14.md#poc |
| UTT–进取 512W | A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. | 2025-12-25 | 8.8 | CVE-2025-15090 | VDB-338419 | UTT 进取 512W formConfigNoticeConfig strcpy buffer overflow VDB-338419 | CTI Indicators (IOB, IOC, IOA) Submit #708349 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/15.md https://github.com/cymiao1978/cve/blob/main/new/15.md#poc |
| UTT–进取 512W | A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-25 | 8.8 | CVE-2025-15091 | VDB-338420 | UTT 进取 512W formPictureUrl strcpy buffer overflow VDB-338420 | CTI Indicators (IOB, IOC, IOA) Submit #708350 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/16.md https://github.com/cymiao1978/cve/blob/main/new/16.md#poc |
| UTT–进取 512W | A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-12-26 | 8.8 | CVE-2025-15092 | VDB-338421 | UTT 进取 512W ConfigExceptMSN strcpy buffer overflow VDB-338421 | CTI Indicators (IOB, IOC, IOA) Submit #708351 | UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/17.md https://github.com/cymiao1978/cve/blob/main/new/17.md#poc |
| Verisay Communication and Information Technology Industry and Trade Ltd. Co.–Aidango | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango allows Cross-Site Scripting (XSS). This issue affects Aidango: before 2.144.4. | 2025-12-25 | 7.6 | CVE-2025-2307 | https://www.usom.gov.tr/bildirim/tr-25-0487 |
| Verisay Communication and Information Technology Industry and Trade Ltd. Co.–Titarus | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus allows Cross-Site Scripting (XSS). This issue affects Titarus: before 2.144.4. | 2025-12-25 | 7.6 | CVE-2025-2405 | https://www.usom.gov.tr/bildirim/tr-25-0485 |
| Verisay Communication and Information Technology Industry and Trade Ltd. Co.–Trizbi | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS). This issue affects Trizbi: before 2.144.4. | 2025-12-25 | 7.6 | CVE-2025-2406 | https://www.usom.gov.tr/bildirim/tr-25-0486 |
| VillaTheme–WPBulky | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in VillaTheme WPBulky allows Blind SQL Injection. This issue affects WPBulky: from n/a through 1.1.13. | 2025-12-23 | 7.6 | CVE-2025-68550 | https://vdp.patchstack.com/database/wordpress/plugin/wpbulky-wp-bulk-edit-post-types/vulnerability/wordpress-wpbulky-plugin-1-1-13-sql-injection-vulnerability?_s_id=cve |
| Wondershare–Wondershare MirrorGo | Wondershare MirrorGo 2.0.11.346 contains a local privilege escalation vulnerability due to incorrect file permissions on executable files. Unprivileged local users can replace the ElevationService.exe with a malicious file to execute arbitrary code with LocalSystem privileges. | 2025-12-22 | 8.4 | CVE-2022-50690 | ExploitDB-50787 Wondershare Official Homepage VulnCheck Advisory: Wondershare MirrorGo 2.0.11.346 Local Privilege Escalation via Insecure File Permissions |
| WPJobBoard–WPJobBoard | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in WPJobBoard allows Blind SQL Injection. This issue affects WPJobBoard: from n/a through 5.9.0. | 2025-12-24 | 8.6 | CVE-2023-36525 | https://vdp.patchstack.com/database/wordpress/plugin/wpjobboard/vulnerability/wordpress-wpjobboard-plugin-5-9-0-unauth-blind-sql-injection-sqli-vulnerability?_s_id=cve |
| Xspeeder–SXZOS | Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used. | 2025-12-27 | 10 | CVE-2025-54322 | https://www.xspeeder.com https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts |
| Zillya–Zillya Total Security | Zillya Total Security 3.0.2367.0 contains a privilege escalation vulnerability that allows low-privileged users to copy files to unauthorized system locations using the quarantine module. Attackers can leverage symbolic link techniques to restore quarantined files to restricted directories, potentially enabling system-level access through techniques like DLL hijacking. | 2025-12-22 | 8.4 | CVE-2023-53973 | ExploitDB-51151 Zillya Official Homepage VulnCheck Advisory: Zillya Total Security 3.0.2367.0 Local Privilege Escalation via Quarantine Module |
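Several SQL injection entries in the table above (onlinemcqexam quesadd.php, PMB ajax.php, SOCA Login.php and Card_Edit_GetJson.php, SOUND4 index.php, Atom CMS admin index) share one root cause: a request parameter such as id or password is concatenated into the query text, and once an attacker controls a conditional in that query a single yes/no oracle is enough to pull a password hash out character by character. The Python below is an example added by the editor; it is not code from any listed project or researcher. It seeds a constructed in-memory SQLite table with made-up rows, shows the string-concatenation bug beside the bound-parameter fix, and runs a boolean-based blind extraction against each. SQLite has no sleep() function, so the boolean form stands in for the time-based variant the PMB entry describes; the table name, column names and hash values are assumptions.

```python
import sqlite3

# Constructed sample schema and rows: made up for this example, not taken from any advisory.
SEED_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d9');
INSERT INTO users VALUES (2, 'guest', 'e99a18c428cb38d5');
"""


def make_db():
    """Fresh in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def vulnerable_lookup(conn, id_param):
    """The bug class in the entries above: the request's id value is spliced into
    the SQL text, so anything after the number is parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + id_param
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, id_param):
    """Hardened form: the value is type-checked and bound as a parameter,
    so it never reaches the SQL parser as query text."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (id_value,))
    return [row[0] for row in rows]


def blind_extract_hash(conn, lookup, target_id=1, max_len=16, alphabet="0123456789abcdef"):
    """Boolean-based blind extraction through whichever lookup function is supplied.

    Each probe asks one yes/no question ("is character N of the hash equal to X?");
    the target row comes back only when the guess is right. Against the bound-parameter
    version every probe fails the int() check, so nothing is recovered.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (f"{target_id} AND substr((SELECT pass FROM users WHERE id={target_id}),"
                       f"{pos},1)='{ch}'")
            if lookup(conn, payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of the string, or the oracle is closed
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id='1 OR 1=1' ->", vulnerable_lookup(db, "1 OR 1=1"))
    print("recovered via vulnerable lookup:", blind_extract_hash(db, vulnerable_lookup))
    print("recovered via safe lookup:", repr(blind_extract_hash(db, safe_lookup)))
```

The extraction loop costs at most 16 requests per character; a real blind attack against the products above would differ only in the oracle (a row appearing in a JSON response, or a measurable delay from a conditional sleep) and in the names of the table and column. The fix is the same in every case: bind the value as a parameter and validate its type, rather than filtering characters out of the string.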
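The Tenda WH450, UTT 512W and TRENDnet TEW-800MB entries above describe the same two firmware bug classes: a /goform/ or CGI handler copies one request argument into a fixed-size stack buffer (the strcpy and stack-based overflow entries) or hands it to a shell (the CheckTools, wizardset and NTPSyncWithHost.cgi command injection entries). None of those entries lists a patch, so detection at the network edge is the control a defender can actually apply. The Python below is an example added by the editor, not code from Tenda, UTT, TRENDnet or the cited researchers. It scans a constructed request log for requests to the endpoints named in the entries whose arguments are either far longer than any legitimate value or contain shell metacharacters. The log format (timestamp, source, method, target, URL-encoded body) is assumed for the example, since standard access logs do not record POST bodies; the 128-byte length threshold and the sample lines are assumptions as well.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoints taken from the entries above (Tenda WH450 and UTT 512W /goform/ handlers,
# TRENDnet TEW-800MB /goform/wizardset and NTPSyncWithHost.cgi).
WATCHED_PATHS = {
    "/goform/CheckTools", "/goform/L7Im", "/goform/SafeUrlFilter", "/goform/NatStaticSetting",
    "/goform/Natlimit", "/goform/PPTPClient", "/goform/PPTPDClient", "/goform/L7Port",
    "/goform/PPTPServer", "/goform/PPTPUserSetting", "/goform/RouteStatic",
    "/goform/APSecurity", "/goform/formConfigNoticeConfig", "/goform/formPictureUrl",
    "/goform/ConfigExceptMSN", "/goform/wizardset", "/NTPSyncWithHost.cgi",
}
MAX_PARAM_LEN = 128  # assumption: legitimate values for these UI fields are much shorter
SHELL_META = re.compile(r"[;|`&\n]|\$\(")  # command separators and substitution

# Constructed sample log (assumed format: ts src method target [url-encoded body]).
SAMPLE_LOG = [
    "2025-12-23T10:00:01Z 192.0.2.10 POST /goform/CheckTools ipaddress=192.168.1.1",
    "2025-12-23T10:00:02Z 198.51.100.7 POST /goform/CheckTools ipaddress=" + "A" * 600,
    "2025-12-23T10:00:03Z 198.51.100.7 POST /goform/CheckTools ipaddress=127.0.0.1%3Btelnetd",
    "2025-12-23T10:00:04Z 203.0.113.5 POST /goform/wizardset WizardConfigured=1%60id%60",
    "2025-12-23T10:00:05Z 192.0.2.10 GET /index.html",
    "2025-12-23T10:00:06Z 192.0.2.11 POST /goform/APSecurity wepkey1=" + "B" * 300,
]


def parse_line(line):
    """Split one log line into its fields and decode query-string and body parameters."""
    ts, src, method, target, *rest = line.split(" ", 4)
    body = rest[0] if rest else ""
    parts = urlsplit(target)
    params = (parse_qsl(parts.query, keep_blank_values=True)
              + parse_qsl(body, keep_blank_values=True))
    return {"ts": ts, "src": src, "method": method, "path": parts.path, "params": params}


def classify(params):
    """Flag each parameter that is oversized (overflow attempt) or carries shell
    metacharacters (command injection attempt); one finding string per condition."""
    findings = []
    for name, value in params:
        if len(value) > MAX_PARAM_LEN:
            findings.append(f"oversized:{name}:{len(value)}")
        if SHELL_META.search(value):
            findings.append(f"shell-meta:{name}")
    return findings


def scan(lines):
    """Return (source, path, findings) for every request to a watched endpoint that
    trips at least one check; requests elsewhere are ignored."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["path"] not in WATCHED_PATHS:
            continue
        findings = classify(rec["params"])
        if findings:
            alerts.append((rec["src"], rec["path"], findings))
    return alerts


if __name__ == "__main__":
    for src, path, findings in scan(SAMPLE_LOG):
        print(f"{src} {path} {', '.join(findings)}")
```

The two checks are deliberately crude, because the handlers are crude: a fixed stack buffer does not care what the bytes are, only how many, and a shell does not care about length, only about separators. Tune MAX_PARAM_LEN per endpoint if a field legitimately carries long values (importpictureurl is a candidate), and treat any hit on a management interface reachable from an untrusted network as a reason to restrict that interface rather than only to alert.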
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AVE S.p.A.–DOMINAplus | AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions. | 2025-12-24 | 5.3 | CVE-2019-25233 | ExploitDB-47821 AVE S.p.A. Official Website DOMINAplus Product Page Zero Science Lab Disclosure (ZSL-2019-5547) |
| Beward R&D Co., Ltd–BEWARD Intercom | Beward Intercom 2.3.1 contains a credentials disclosure vulnerability that allows local attackers to access plain-text authentication credentials stored in an unencrypted database file. Attackers can read the BEWARD.INTERCOM.FDB file to extract usernames and passwords, enabling unauthorized access to IP cameras and door stations. | 2025-12-24 | 6.2 | CVE-2018-25130 | ExploitDB-46267 Beward Product Homepage Zero Science Lab Disclosure (ZSL-2019-5505) |
| Beward R&D Co., Ltd–N100 H.264 VGA IP Camera | Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into submitting the form. | 2025-12-24 | 5.3 | CVE-2019-25247 | ExploitDB-46318 Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5510) |
| bnayawpguy–Resoto | Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Resoto: from n/a through 1.0.8. | 2025-12-24 | 4.3 | CVE-2023-28619 | https://vdp.patchstack.com/database/wordpress/theme/resoto/vulnerability/wordpress-resoto-theme-1-0-8-authenticated-arbitrary-plugin-activation?_s_id=cve |
| Bob–Hostel | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Bob Hostel allows DOM-Based XSS. This issue affects Hostel: from n/a through 1.1.5.1. | 2025-12-24 | 5.9 | CVE-2023-32120 | https://vdp.patchstack.com/database/wordpress/plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-1-cross-site-scripting-xss?_s_id=cve |
| BTicino S.p.A.–Legrand BTicino Driver Manager F454 | Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters. | 2025-12-24 | 5.3 | CVE-2019-25244 | ExploitDB-46850 BTicino Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5521) Zero Science Lab Disclosure (ZSL-2019-5522) |
| Carlo Gavazzi AB–SmartHouse Webapp | SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or injecting malicious scripts into various application parameters. | 2025-12-24 | 5.3 | CVE-2019-25234 | ExploitDB-47730 SmartHouse Product Website Zero Science Lab Disclosure (ZSL-2019-5553) |
| Centreon–Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Centreon Infra Monitoring (Hostgroup configuration page) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19, from 23.10.0 before 23.10.29. | 2025-12-22 | 6.8 | CVE-2025-54890 | https://github.com/centreon/centreon/releases |
| Centreon–Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | 2025-12-22 | 6.8 | CVE-2025-8460 | https://github.com/centreon/centreon/releases |
| checkpoint–Identity Agent | An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being accessible in the Windows Registry keys for Check Point Identity Agent running on a Terminal Server. | 2025-12-22 | 6.5 | CVE-2025-8304 | https://support.checkpoint.com/results/sk/sk184263 |
| checkpoint–Identity Awareness | An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being printed in plaintext in Identity Agent for Terminal Services debug files. | 2025-12-22 | 6.5 | CVE-2025-8305 | https://support.checkpoint.com/results/sk/sk184264 |
| ChenJinchuang–Lin-CMS-TP5 | A flaw has been found in ChenJinchuang Lin-CMS-TP5 up to 0.3.3. This vulnerability affects the function Upload of the file application/lib/file/LocalUploader.php of the component File Upload Handler. Executing manipulation of the argument File can lead to code injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 6.3 | CVE-2025-15129 | VDB-338507 | ChenJinchuang Lin-CMS-TP5 File Upload LocalUploader.php upload code injection VDB-338507 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #712754 | lin-cms-tp5 1.0 Unrestricted Upload https://github.com/ChenJinchuang/lin-cms-tp5/issues/65 |
| Cmsimple–CMSimple | CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ‘)-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons. | 2025-12-23 | 6.1 | CVE-2021-47733 | ExploitDB-50612 CMSimple Official Homepage VulnCheck Advisory: CMSimple 5.4 Cross-Site Scripting via HTML Unicode Encoding |
| Cmsimple–CMSimple | CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms. | 2025-12-23 | 5.5 | CVE-2021-47734 | ExploitDB-50547 Official CMSimple Homepage VulnCheck Advisory: CMSimple 5.4 Authenticated Local File Inclusion Remote Code Execution |
| Cobiansoft–Cobian Backup Gravity | Cobian Backup 11 Gravity 11.2.0.582 contains a denial of service vulnerability in the FTP password input field that allows attackers to crash the application. Attackers can generate a specially crafted 800-byte buffer and paste it into the password field to trigger an application crash. | 2025-12-22 | 6.2 | CVE-2022-50687 | ExploitDB-50790 Cobian Backup Official Vendor Homepage VulnCheck Advisory: Cobian Backup 11 Gravity 11.2.0.582 Local Denial of Service via Password Field |
| Cobiansoft–Cobian Reflector | Cobian Reflector 0.9.93 RC1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the password input field. Attackers can paste a large 8000-byte buffer into the password field to trigger an application crash during SFTP task configuration. | 2025-12-22 | 6.2 | CVE-2022-50689 | ExploitDB-50789 Cobian Software Official Homepage VulnCheck Advisory: Cobian Reflector 0.9.93 RC1 Local Denial of Service via Password Field |
| code-projects–Student File Management System | A security vulnerability has been detected in code-projects Student File Management System 1.0. This affects an unknown part of the file /save_file.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-12-24 | 6.3 | CVE-2025-15050 | VDB-337857 | code-projects Student File Management System save_file.php unrestricted upload VDB-337857 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721073 | Code-Projects Student File Management System V1.0 Arbitrary File Upload Submit #721039 | code-projects.org Student File Management System V1.0 File Upload (Duplicate) https://github.com/Bai-public/CVE/issues/3 https://code-projects.org/ |
| CodexThemes–TheGem Theme Elements (for Elementor) | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CodexThemes TheGem Theme Elements (for Elementor). This issue affects TheGem Theme Elements (for Elementor): from n/a through 5.10.5.1. | 2025-12-23 | 6.5 | CVE-2025-68559 | https://vdp.patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-10-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Cszcms–CSZ CMS | CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message in the backend dashboard. | 2025-12-23 | 6.4 | CVE-2021-47738 | ExploitDB-48354 Official CSZ CMS Vendor Homepage CSZ CMS SourceForge Project VulnCheck Advisory: CSZ CMS 1.2.7 Persistent Cross-Site Scripting via Private Messaging |
| Cszcms–CSZ CMS | CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks. | 2025-12-23 | 5.4 | CVE-2021-47737 | ExploitDB-48357 Official CSZ CMS Vendor Homepage CSZ CMS SourceForge Project VulnCheck Advisory: CSZ CMS 1.2.7 HTML Injection Vulnerability via Member Dashboard |
| dayrui–XunRuiCMS | A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 4.3 | CVE-2025-15144 | VDB-338522 | dayrui XunRuiCMS JSONP Callback Init.php dr_exit_msg cross site scripting VDB-338522 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716122 | xunruicms 4.7.1 xss https://note-hxlab.wetolink.com/share/gbCf35DJ3los |
| Delta Electronics–DVP15MC11T | Delta Electronics DVP15MC11T lacks proper validation of Modbus/TCP packets, which can lead to denial of service. | 2025-12-22 | 4 | CVE-2025-59301 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00020_DVP15MC11T%20Modbus%20TCP%20DoS%20Vulnerability.pdf |
| devolo AG–dLAN 550 duo+ Starter Kit | Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site. | 2025-12-24 | 5.3 | CVE-2019-25250 | ExploitDB-46324 Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5507) |
| Eaton–UPS Companion software | Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution by an attacker with access to the file system. This security issue has been fixed in the latest version of EUC, which is available on the Eaton download center. | 2025-12-26 | 6.7 | CVE-2025-59888 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1026.pdf |
| Ecessa Corporation–Ecessa Edge EV150 | Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials. | 2025-12-24 | 5.3 | CVE-2018-25152 | ExploitDB-44932 Ecessa Corporation Product Homepage |
| Ecessa Corporation–Ecessa ShieldLink SL175EHQ | Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a logged-in administrator into loading the page. | 2025-12-24 | 5.3 | CVE-2018-25150 | ExploitDB-44938 Ecessa Corporation Product Homepage |
| Ecessa Corporation–WANWorx WVR-30 | Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page. | 2025-12-24 | 4.3 | CVE-2018-25151 | ExploitDB-44936 Ecessa Corporation Official Website |
| Echo Call Center Services Trade and Industry Inc.–Specto CM | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Stored XSS. This issue affects Specto CM: before 17032025. | 2025-12-24 | 5.4 | CVE-2025-2154 | https://www.usom.gov.tr/bildirim/tr-25-0480 |
| floooh–sokol | A vulnerability was identified in floooh sokol up to 5d11344150973f15e16d3ec4ee7550a73fb995e0. The impacted element is the function _sg_validate_pipeline_desc in the library sokol_gfx.h. Such manipulation leads to stack-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is b95c5245ba357967220c9a860c7578a7487937b0. It is best practice to apply a patch to resolve this issue. | 2025-12-22 | 5.3 | CVE-2025-15013 | VDB-337719 | floooh sokol sokol_gfx.h _sg_validate_pipeline_desc stack-based overflow VDB-337719 | CTI Indicators (IOB, IOC, IOA) Submit #719820 | floooh sokol e0832c9 Stack-based Buffer Overflow https://github.com/floooh/sokol/issues/1404 https://github.com/seyhajin/sokol/pull/246 https://github.com/oneafter/1212/blob/main/stack1 https://github.com/seyhajin/sokol/commit/b95c5245ba357967220c9a860c7578a7487937b0 |
| floooh–sokol | A vulnerability was detected in floooh sokol up to 16cbcc864012898793cd2bc57f802499a264ea40. The impacted element is the function _sg_pipeline_desc_defaults in the library sokol_gfx.h. The manipulation results in stack-based buffer overflow. The attack requires a local approach. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is identified as 5d11344150973f15e16d3ec4ee7550a73fb995e0. It is advisable to implement a patch to correct this issue. | 2025-12-28 | 5.3 | CVE-2025-15155 | VDB-338533 | floooh sokol sokol_gfx.h _sg_pipeline_desc_defaults stack-based overflow VDB-338533 | CTI Indicators (IOB, IOC, IOA) Submit #719823 | floooh sokol e0832c9 Stack-based Buffer Overflow https://github.com/floooh/sokol/issues/1405 https://github.com/floooh/sokol/issues/1406#issuecomment-3649548096 https://github.com/oneafter/1212/blob/main/hbf1 https://github.com/floooh/sokol/commit/5d11344150973f15e16d3ec4ee7550a73fb995e0 |
| FreshRSS–FreshRSS | FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, an attacker could globally deny access to feeds by using a proxy to modify responses to 429 with a Retry-After header for a large list of feeds on a given instance, making it unusable for the majority of users. This issue has been patched in version 1.28.0. | 2025-12-26 | 4.3 | CVE-2025-68148 | https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78 https://github.com/FreshRSS/FreshRSS/pull/8029 https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3 |
| Fujitsu / Fsas Technologies–ETERNUS SF ACM/SC/Express | Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express (DX / AF Management Software) before 16.8-16.9.1 PA 2025-12, when collected maintenance data is accessible by a principal/authority other than ETERNUS SF Admin, allows an attacker to potentially affect system confidentiality, integrity, and availability. | 2025-12-24 | 5.6 | CVE-2025-68919 | https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-STR-2025-111413-Security-Notice.pdf |
| getmaxun–maxun | A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-27 | 6.3 | CVE-2025-15106 | VDB-338477 | getmaxun Authentication Endpoint auth.ts router.get improper authorization VDB-338477 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #710268 | https://github.com/getmaxun https://github.com/getmaxun/maxun ≤ v0.0.28 Authentication Bypass Issues https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b |
| Gitea–Gitea | Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. | 2025-12-26 | 5.4 | CVE-2025-68942 | https://blog.gitea.com/release-of-1.22.2/ https://github.com/go-gitea/gitea/releases/tag/v1.22.2 https://github.com/go-gitea/gitea/pull/31966 |
| Gitea–Gitea | Gitea before 1.21.8 inadvertently discloses users’ login times by allowing (for example) the lastlogintime explore/users sort order. | 2025-12-26 | 5.3 | CVE-2025-68943 | https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/ https://github.com/go-gitea/gitea/releases/tag/v1.21.8 https://github.com/go-gitea/gitea/pull/29430 |
| Gitea–Gitea | Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. | 2025-12-26 | 5 | CVE-2025-68944 | https://blog.gitea.com/release-of-1.22.2/ https://github.com/go-gitea/gitea/releases/tag/v1.22.2 https://github.com/go-gitea/gitea/pull/31967 |
| Gitea–Gitea | In Gitea before 1.21.2, an anonymous user can visit a private user’s project. | 2025-12-26 | 5.8 | CVE-2025-68945 | https://blog.gitea.com/release-of-1.21.2/ https://github.com/go-gitea/gitea/releases/tag/v1.21.2 https://github.com/go-gitea/gitea/pull/28423 |
| Gitea–Gitea | In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. | 2025-12-26 | 5.4 | CVE-2025-68946 | https://blog.gitea.com/release-of-1.20.1/ https://github.com/go-gitea/gitea/releases/tag/v1.20.1 https://github.com/go-gitea/gitea/pull/25960 |
| Gitea–Gitea | Gitea before 1.25.2 mishandles authorization for deletion of releases. | 2025-12-26 | 4.3 | CVE-2025-68938 | https://blog.gitea.com/release-of-1.25.2/ https://github.com/go-gitea/gitea/releases/tag/v1.25.2 https://github.com/go-gitea/gitea/pull/36002/commits/d4262131b39899d9e9ee5caa2635c810d476e43f#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d |
| Gitea–Gitea | Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. | 2025-12-26 | 4.9 | CVE-2025-68941 | https://blog.gitea.com/release-of-1.22.3/ https://github.com/go-gitea/gitea/releases/tag/v1.22.3 https://github.com/go-gitea/gitea/pull/32218 |
| GnuPG–GnuPG | In GnuPG through 2.4.8, if a signed message has \f (form feed) at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an “invalid armor” message is printed during verification). This is related to the use of \f as a marker to denote truncation of a long plaintext line. | 2025-12-27 | 5.9 | CVE-2025-68972 | https://gpg.fail/formfeed https://news.ycombinator.com/item?id=46404339 |
| Guangzhou V-SOLUTION Electronic Technology Co., Ltd.–SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform 2.03 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to create admin users, enable SSH, or modify system settings by tricking authenticated administrators into loading a specially crafted page. | 2025-12-24 | 4.3 | CVE-2019-25238 | ExploitDB-47434 V-SOL Product Homepage Zero Science Lab Disclosure (ZSL-2019-5536) |
| h-moses–moga-mall | A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Such manipulation of the argument objectName leads to unrestricted upload. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | 2025-12-28 | 6.3 | CVE-2025-15152 | VDB-338529 | h-moses moga-mall PmsProductController.java addProduct unrestricted upload VDB-338529 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721988 | https://github.com/h-moses/moga-mall moga-mall 1.0 Upload any file https://github.com/zyhzheng500-maker/cve/blob/main/moga-mall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| Hasura–Hasura GraphQL | Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file() PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server. | 2025-12-22 | 5.5 | CVE-2021-47714 | ExploitDB-49790 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 Local File Read via SQL Injection |
| Hasura–Hasura GraphQL | Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources. | 2025-12-22 | 5.3 | CVE-2021-47715 | ExploitDB-49791 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection |
| IBM–Aspera Faspex 5 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim’s Web browser within the security context of the hosting site. | 2025-12-26 | 5.4 | CVE-2025-36230 | https://www.ibm.com/support/pages/node/7255331 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user. | 2025-12-24 | 6.2 | CVE-2025-36154 | https://www.ibm.com/support/pages/node/7255549 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2025-12-26 | 5.9 | CVE-2025-1721 | https://www.ibm.com/support/pages/node/7255549 |
| IBM–Db2 Intelligence Center | IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of server-side security mechanisms. | 2025-12-26 | 4.3 | CVE-2025-14687 | https://www.ibm.com/support/pages/node/7255160 |
| IBM–DS8A00 (R10.1) | IBM DS8A00 (R10.1) 10.10.106.0 and IBM DS8A00 (R10.0) 10.1.3.010.2.45.0 and IBM DS8900F (R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms. | 2025-12-26 | 6.7 | CVE-2025-36192 | https://www.ibm.com/support/pages/node/7255039 |
| iWT Ltd.–FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage. | 2025-12-24 | 4.3 | CVE-2019-25242 | ExploitDB-47065 Vendor Product Homepage Zero Science Lab Disclosure (ZSL-2019-5524) |
| jackq–XCMS | A vulnerability has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. Affected is the function Upload of the file Admin/Home/Controller/ProductImageController.class.php of the component Backend. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-27 | 4.7 | CVE-2025-15110 | VDB-338481 | jackq XCMS Backend ProductImageController.class.php upload unrestricted upload VDB-338481 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711702 | XCMS 1.1 Unrestricted Upload https://gitee.com/jackq/XCMS/issues/IDC5C8 |
| jcthiele–OpenXRechnungToolbox | OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java. | 2025-12-24 | 5 | CVE-2024-58335 | https://github.com/jcthiele/OpenXRechnungToolbox/commit/6c50e8979924b09f336c976cbad3a9ebfe25ebf9 https://invoice.secvuln.info |
| JD–Cloud BE6500 | A vulnerability has been found in JD Cloud BE6500 4.4.1.r4308. This issue affects the function sub_4780 of the file /jdcapi. Such manipulation of the argument ddns_name leads to command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 6.3 | CVE-2025-15081 | VDB-338409 | JD Cloud BE6500 jdcapi sub_4780 command injection VDB-338409 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #707276 | JD cloud 京东云 JD Cloud BE6500 4.4.1.r4308 Command Injection https://gist.github.com/isstabber/4ed3554130681e50b3e987c3c4ee1f29 |
| Jewel Theme–Master Addons for Elementor | Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Master Addons for Elementor: from n/a through 2.0.5.3. | 2025-12-24 | 6.5 | CVE-2023-40679 | https://vdp.patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-elementor-addons-plugin-2-0-3-broken-access-control-vulnerability?_s_id=cve |
| joey-zhou–xiaozhi-esp32-server-java | A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component. | 2025-12-28 | 6.3 | CVE-2025-15135 | VDB-338513 | joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication VDB-338513 | CTI Indicators (IOB, IOC, IOA) Submit #713990 | joey-zhou xiaozhi-esp32-server-java V3.0.0 Improper Authentication https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143 https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issuecomment-3666534810 https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issue-3722315701 https://github.com/joey-zhou/xiaozhi-esp32-server-java/releases/tag/v4.0.0 |
| ketr–JEPaaS | A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 6.3 | CVE-2025-15088 | VDB-338416 | ketr JEPaaS loadPostil postilService.loadPostils sql injection VDB-338416 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #708321 | 北京凯特伟业科技有限公司 jepaas v7.2.8 SQL Injection https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/jepaas-v7.2.8-sqlinject1.md https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/jepaas-v7.2.8-sqlinject1.md#2%E5%A4%8D%E7%8E%B0replicate |
| kieranoshea–Calendar | The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_desc’ parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calendar events via the plugin settings. | 2025-12-23 | 6.4 | CVE-2025-14548 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2e61489d-a433-4d44-bb12-8c84204922b9?source=cve https://plugins.trac.wordpress.org/browser/calendar/trunk/calendar.php#L2154 https://plugins.trac.wordpress.org/browser/calendar/trunk/calendar.php#L899 https://plugins.trac.wordpress.org/changeset?new=3419088%40calendar%2Ftrunk&old=3122280%40calendar%2Ftrunk |
| Kunal Nagar–Custom 404 Pro | Cross-Site Request Forgery (CSRF) vulnerability in Kunal Nagar Custom 404 Pro allows Cross Site Request Forgery. This issue affects Custom 404 Pro: from n/a through 3.12.0. | 2025-12-22 | 4.3 | CVE-2025-62880 | https://vdp.patchstack.com/database/wordpress/plugin/custom-404-pro/vulnerability/wordpress-custom-404-pro-plugin-3-12-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| KYOCERA Corporation–KYOCERA Net Admin | KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page. | 2025-12-24 | 5.3 | CVE-2019-25254 | ExploitDB-44431 KYOCERA Official Website Zero Science Lab Disclosure (ZSL-2018-5458) |
| leap13–Premium Addons for Elementor Powerful Elementor Templates & Widgets | The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘get_template_content’ function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. | 2025-12-23 | 5.3 | CVE-2025-14155 | https://www.wordfence.com/threat-intel/vulnerabilities/id/135c33bb-5ec2-4697-9340-1d2651ff3a0b?source=cve https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/addons-integration.php#L1624 https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/addons-integration.php#L90 https://plugins.trac.wordpress.org/changeset/3416254/ |
| leap13–Premium Addons for Elementor Powerful Elementor Templates & Widgets | The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the ‘insert_inner_template’ function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link. | 2025-12-23 | 4.3 | CVE-2025-14163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77b57f2a-0b46-4b4a-bdca-1c5218d739ce?source=cve https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/templates/classes/manager.php#L246 https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/templates/classes/manager.php#L40 https://plugins.trac.wordpress.org/changeset/3416254/ |
| LearningCircuit–local-deep-research | Local Deep Research is an AI-powered research assistant for deep, iterative research. In versions from 1.3.0 to before 1.3.9, the download service (download_service.py) makes HTTP requests using raw requests.get() without utilizing the application’s SSRF protection (safe_requests.py). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls. This issue has been patched in version 1.3.9. | 2025-12-23 | 6.3 | CVE-2025-67743 | https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-9c54-gxh7-ppjc https://github.com/LearningCircuit/local-deep-research/commit/b79089ff30c5d9ae77e6b903c408e1c26ad5c055 |
| librenms–librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. This issue has been patched in version 25.12.0. | 2025-12-22 | 4.3 | CVE-2025-68614 | https://github.com/librenms/librenms/security/advisories/GHSA-c89f-8g7g-59wj https://github.com/librenms/librenms/commit/ebe6c79bf4ce0afeb575c1285afe3934e44001f1 |
| liweiyi–ChestnutCMS | A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | 2025-12-22 | 6.3 | CVE-2025-15009 | VDB-337715 | liweiyi ChestnutCMS Filename upload FilenameUtils.getExtension unrestricted upload VDB-337715 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #719590 | liweiyi ChestnutCMS <=1.5.8 Unrestricted Upload https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md#vulnerability-proof |
| loganhong–php loganSite | A security flaw has been discovered in loganhong php loganSite up to c035fb5c3edd0b2a5e32fd4051cbbc9e61a31426. This affects an unknown function of the file /includes/article_detail.php of the component Article Handler. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. | 2025-12-22 | 6.3 | CVE-2025-15014 | VDB-337720 | loganhong php loganSite Article article_detail.php sql injection VDB-337720 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #720037 | loganhong php 1 SQL Injection https://github.com/ssiled/cve/issues/1 |
| LogicalDOC Srl–LogicalDOC Enterprise | LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges. | 2025-12-24 | 6.5 | CVE-2019-25257 | ExploitDB-44021 Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5452) |
| macrozheng–mall | A security vulnerability has been detected in macrozheng mall up to 1.0.3. This vulnerability affects unknown code of the file /member/address/update/ of the component Member Endpoint. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-28 | 4.3 | CVE-2025-15118 | VDB-338496 | macrozheng mall Member Endpoint update improper authorization VDB-338496 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711758 | mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/31 |
| marshmallow-code–marshmallow | Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2. | 2025-12-22 | 5.3 | CVE-2025-68480 | https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5 https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508 |
| Mattermost–Mattermost | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to. | 2025-12-24 | 4.3 | CVE-2025-13767 | https://mattermost.com/security-updates |
| Mattermost–Mattermost | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin, which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts. | 2025-12-24 | 4.1 | CVE-2025-64641 | MMSA-2025-00551 |
| Microhard Systems–Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks | Microhard Systems IPn4G 1.1.0 contains an authentication bypass vulnerability in the hidden system-editor.sh script that allows authenticated attackers to read, modify, or delete arbitrary files. Attackers can exploit unsanitized ‘path’, ‘savefile’, ‘edit’, and ‘delfile’ parameters to perform unauthorized file system modifications through GET and POST requests. | 2025-12-24 | 5.5 | CVE-2018-25144 | ExploitDB-45037 Microhard Systems Product Homepage Zero Science Lab Disclosure (ZSL-2018-5485) |
| Microhard Systems–Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download | Microhard Systems IPn4G 1.1.0 contains a configuration file disclosure vulnerability that allows authenticated attackers to download sensitive system configuration files. Attackers can retrieve configuration files from multiple directories including ‘/www’, ‘/etc/m_cli/’, and ‘/tmp’ to access system passwords and network settings. | 2025-12-24 | 6.5 | CVE-2018-25145 | ExploitDB-45036 Microhard Systems Product Web Page Zero Science Lab Disclosure (ZSL-2018-5484) |
| Microhard Systems–Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities | Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page. | 2025-12-24 | 4.3 | CVE-2018-25149 | ExploitDB-45034 Microhard Systems Product Web Page Zero Science Lab Disclosure (ZSL-2018-5478) |
| Microhard Systems–Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS | Microhard Systems IPn4G 1.1.0 contains an undocumented vulnerability that allows authenticated attackers to list and manipulate running system processes. Attackers can send arbitrary signals to kill background processes and system services through a hidden feature, potentially causing service disruption and requiring device restart. | 2025-12-24 | 6.5 | CVE-2018-25146 | ExploitDB-45035 Microhard Systems Product Web Page Zero Science Lab Disclosure (ZSL-2018-5481) |
| Mybb–myBB forums | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in the template title field when adding new templates through the ‘Templates and Style’ > ‘Templates’ > ‘Manage Templates’ > ‘Global Templates’ interface, causing arbitrary JavaScript to execute when the template is viewed. | 2025-12-22 | 5.4 | CVE-2023-53976 | ExploitDB-51136 Official myBB Software Version Page VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Template Management |
| Mybb–myBB forums | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when adding new forums through the ‘Forums and Posts’ > ‘Forum Management’ interface, causing arbitrary JavaScript to execute when the forum listing is viewed. | 2025-12-22 | 5.4 | CVE-2023-53977 | ExploitDB-51136 Official myBB Software Version Page VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Management |
| Mybb–myBB forums | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement title field when adding announcements through the ‘Forums and Posts’ > ‘Forum Announcements’ interface, causing arbitrary JavaScript to execute when the announcement is displayed on the forum. | 2025-12-22 | 5.4 | CVE-2023-53978 | ExploitDB-51136 Official myBB Software Version Page VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Announcements |
| CmsEasy–CmsEasy | A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 4.7 | CVE-2025-15148 | VDB-338525 | CmsEasy Backend Template Management template_admin.php savetemp_action code injection VDB-338525 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716303 | cmseasy 7.7.7 Command Injection https://note-hxlab.wetolink.com/share/msJH69Y06ZlS |
| DedeCMS–DedeCMS | A vulnerability was identified in DedeCMS up to 5.7.118. This impacts an unknown function of the file /freelist_main.php. The manipulation of the argument orderby leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-12-22 | 6.3 | CVE-2025-15004 | VDB-337710 | DedeCMS freelist_main.php sql injection VDB-337710 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #717316 | dedecms V5.7.118 SQL Injection https://note-hxlab.wetolink.com/share/JPq560c6F6tu |
| EyouCMS–EyouCMS | A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 4.7 | CVE-2025-15143 | VDB-338521 | EyouCMS Backend Template Management FilemanagerLogic.php sql injection VDB-338521 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716078 | EyouCMS 1.7.6 Command Injection https://note-hxlab.wetolink.com/share/XfINjg5i25Ud |
| PbootCMS–PbootCMS | A security vulnerability has been detected in PbootCMS up to 3.2.12. The affected element is the function get_user_ip of the file core/function/handle.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to use of less trusted source. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-12-28 | 5.3 | CVE-2025-15154 | VDB-338532 | PbootCMS Header handle.php get_user_ip less trusted source VDB-338532 | CTI Indicators (IOB, IOC, IOA) Submit #719818 | PbootCMS 3.2.12 get_user_ip IP Address Spoofing https://note-hxlab.wetolink.com/share/JyBNgF8JagWQ |
| omec-project–UPF | A flaw has been found in omec-project UPF up to 2.1.3-dev. This affects the function handleSessionEstablishmentRequest of the file /pfcpiface/pfcpiface/messages_session.go of the component PFCP Session Establishment Request Handler. This manipulation causes a null pointer dereference. The attack may be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 4.3 | CVE-2025-15156 | VDB-338534 | omec-project UPF PFCP Session Establishment Request messages_session.go handleSessionEstablishmentRequest null pointer dereference VDB-338534 | CTI Indicators (IOB, IOC, IOA) Submit #719824 | Aether SD-Core UPF v2.1.3-dev NULL Pointer Dereference https://github.com/omec-project/upf/issues/979 |
| ONLYOFFICE–Document Server | ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer. | 2025-12-24 | 6.4 | CVE-2025-68917 | https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921 |
| ONLYOFFICE–Document Server | ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. | 2025-12-25 | 6.4 | CVE-2025-68935 | https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921 |
| ONLYOFFICE–Document Server | ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. | 2025-12-25 | 6.4 | CVE-2025-68936 | https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921 |
| Orangescrum–orangescrum | Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like ‘projid’, ‘CS_message’, and ‘name’ to execute arbitrary JavaScript code in victim’s browsers by submitting crafted payloads through application endpoints. | 2025-12-23 | 5.4 | CVE-2021-47716 | ExploitDB-50554 Official Orangescrum Product Homepage VulnCheck Advisory: Orangescrum 1.8.0 Cross-Site Scripting via Authenticated Endpoints |
| Pexip–Infinity | Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ (One Touch Join) for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service. | 2025-12-25 | 5.9 | CVE-2025-49088 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip–Infinity | Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node. | 2025-12-25 | 5.9 | CVE-2025-66378 | https://docs.pexip.com/admin/security_bulletins.htm |
| PHP Group–PHP | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. | 2025-12-27 | 6.5 | CVE-2025-14178 | https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2 |
| PluginOps–Feather Login Page | Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through 1.1.7. | 2025-12-22 | 4.3 | CVE-2025-62107 | https://vdp.patchstack.com/database/wordpress/plugin/feather-login-page/vulnerability/wordpress-feather-login-page-plugin-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| prasathmani–TinyFileManager | A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 4.7 | CVE-2025-15138 | VDB-338516 | prasathmani TinyFileManager tinyfilemanager.php path traversal VDB-338516 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #714177 | tinyfilemanager 2.6 File Upload(RCE) https://mesquite-dream-86b.notion.site/tinyfilemanager-File-Upload-RCE-Report-2c7512562197800d86b3e68534a56a91 |
| PX4–PX4-Autopilot | A vulnerability was found in PX4 PX4-Autopilot up to 1.16.0. Affected by this issue is the function MavlinkLogHandler::state_listing/MavlinkLogHandler::log_entry_from_id of the file src/modules/mavlink/mavlink_log_handler.cpp. The manipulation results in stack-based buffer overflow. The attack is only possible with local access. The patch is identified as 338595edd1d235efd885fd5e9f45e7f9dcf4013d. It is best practice to apply a patch to resolve this issue. | 2025-12-28 | 5.3 | CVE-2025-15150 | VDB-338527 | PX4 PX4-Autopilot mavlink_log_handler.cpp log_entry_from_id stack-based overflow VDB-338527 | CTI Indicators (IOB, IOC, IOA) Submit #717323 | PX4 Autopilot main branch Stack-based Buffer Overflow https://github.com/PX4/PX4-Autopilot/issues/26118 https://github.com/PX4/PX4-Autopilot/pull/26124 https://github.com/PX4/PX4-Autopilot/pull/26124/commits/338595edd1d235efd885fd5e9f45e7f9dcf4013d |
| Riello–NetMan | Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table. | 2025-12-24 | 6.5 | CVE-2025-68914 | https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025 |
| Riello–NetMan | Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner. | 2025-12-24 | 5.5 | CVE-2025-68915 | https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025 |
| shanyu–SyCms | A vulnerability has been found in shanyu SyCms up to a242ef2d194e8bb249dc175e7c49f2c1673ec921. This issue affects the function addPost of the file Application/Admin/Controller/FileManageController.class.php of the component Administrative Panel. The manipulation leads to code injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-28 | 4.7 | CVE-2025-15130 | VDB-338508 | shanyu SyCms Administrative Panel FileManageController.class.php addPost code injection VDB-338508 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #712813 | SyCms 1.0 Unrestricted Upload https://gitee.com/shanyu/SyCms/issues/IDCEWG |
| SOCA Technology Co., Ltd–SOCA Access Control System | SOCA Access Control System 180612 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that submit forged requests to create admin accounts by tricking logged-in users into visiting a malicious site. | 2025-12-24 | 5.3 | CVE-2018-25127 | ExploitDB-46834 SOCA Technology Product Homepage Zero Science Lab Disclosure (ZSL-2019-5520) |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages that submit HTTP requests to the radio processing interface, triggering unintended administrative operations when a logged-in user visits the page. | 2025-12-22 | 5.3 | CVE-2023-53961 | ExploitDB-51168 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5722) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Cross-Site Request Forgery |
| stellarwp–Membership Plugin Restrict Content | The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘register_form’ and ‘restrict’ shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-23 | 6.4 | CVE-2025-14000 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b6a84d7-9e77-4a2f-b065-872e8650e75e?source=cve https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/shortcodes.php#L26 https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/shortcodes.php#L135 https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/member-forms.php#L126 https://plugins.trac.wordpress.org/changeset/3420370/restrict-content/trunk/core/includes/member-forms.php?old=2642097&old_path=restrict-content%2Ftrunk%2Fcore%2Fincludes%2Fmember-forms.php https://plugins.trac.wordpress.org/changeset/3420370/restrict-content/trunk/core/includes/shortcodes.php?old=2850120&old_path=restrict-content%2Ftrunk%2Fcore%2Fincludes%2Fshortcodes.php |
| sunkaifei–FlyCMS | A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-26 | 4.3 | CVE-2025-15093 | VDB-338422 | sunkaifei FlyCMS Admin Login IndexAdminController.java cross site scripting VDB-338422 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #708996 | sunkaifei FlyCms <=1.0.0 XSS https://github.com/sunkaifei/FlyCms/issues/15 |
| sunkaifei–FlyCMS | A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-26 | 4.3 | CVE-2025-15094 | VDB-338423 | sunkaifei FlyCMS User Login UserController.java userLogin cross site scripting VDB-338423 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #708997 | sunkaifei FlyCms <=1.0.0 XSS https://github.com/sunkaifei/FlyCms/issues/16 |
| Synaccess Networks Inc.–netBooter NP-0801DU | Synaccess netBooter NP-0801DU 7.4 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages with hidden form submissions to add admin users by tricking authenticated administrators into loading a malicious page. | 2025-12-24 | 4.3 | CVE-2018-25133 | ExploitDB-45894 Synaccess Networks Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5501) |
| Teradek, LLC–Cube | Teradek Cube 7.3.6 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page with a hidden form to submit password change requests to the device’s system configuration interface. | 2025-12-24 | 5.3 | CVE-2018-25156 | ExploitDB-44675 Teradek Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5464) |
| Teradek, LLC–Slice | Teradek Slice 7.3.15 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page that automatically submits password change requests to the device when a logged-in user visits the page. | 2025-12-24 | 5.3 | CVE-2018-25155 | ExploitDB-44676 Teradek Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5467) |
| Teradek, LLC–VidiU Pro | Teradek VidiU Pro 3.0.3 contains a server-side request forgery vulnerability in the management interface that allows attackers to manipulate GET parameters ‘url’ and ‘xml_url’. Attackers can exploit this flaw to bypass firewalls, initiate network enumeration, and potentially trigger external HTTP requests to arbitrary destinations. | 2025-12-24 | 5.3 | CVE-2019-25251 | ExploitDB-44672 Teradek Product Homepage Zero Science Lab Disclosure (ZSL-2018-5461) |
| Teradek–VidiU Pro | Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page. | 2025-12-24 | 5.3 | CVE-2019-25252 | ExploitDB-44671 Teradek Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5460) |
| thehappymonster–Happy Addons for Elementor | The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ha_page_custom_js’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, despite the intended role restriction of Custom JS to Administrators. | 2025-12-23 | 6.4 | CVE-2025-14635 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16e7adef-68ab-4dd6-bd80-252622cfe705?source=cve https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.2/extensions/custom-js.php#L76 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.2/extensions/custom-js.php#L60 https://plugins.trac.wordpress.org/changeset/3421733/ |
| TOZED–ZLT M30s | A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 5.3 | CVE-2025-15082 | VDB-338410 | TOZED ZLT M30s Web Management proc_post information disclosure VDB-338410 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #707306 | ZLT M30s MTNNGRM30S_1.47, M30S_1.47 (other versions might be vulnerable) Improper Access Control – Critical Information Disclosure https://www.hacklab.eu.org/blogs/zlt_m30s_information_disclosure https://youtu.be/u_H29UdiPOc |
| TRENDnet–TEW-822DRE | A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4 of the file /boafrm/formWsc. Such manipulation of the argument peerPin leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 6.3 | CVE-2025-15139 | VDB-338517 | TRENDnet TEW-822DRE formWsc sub_43ACF4 command injection VDB-338517 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #715131 | TRENDnet TEW-822DRE v1.01B06 / 1.00B21 Command Injection https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-822DRE-Command-Injection-2c9e5dd4c5a580f190e9c411ad627e9a#2c9e5dd4c5a5801dae7ad20828639d4b |
| Tyche softwares–Product Delivery Date for WooCommerce Lite | Vulnerability in Tyche softwares Product Delivery Date for WooCommerce – Lite. This issue affects Product Delivery Date for WooCommerce – Lite: from n/a through 2.7.0. | 2025-12-23 | 5.3 | CVE-2023-52210 | https://vdp.patchstack.com/database/wordpress/plugin/product-delivery-date-for-woocommerce-lite/vulnerability/wordpress-product-delivery-date-for-woocommerce-lite-plugin-2-7-0-broken-access-control-vulnerability?_s_id=cve |
| VideoFlow Ltd.–Digital Video Protection DVP | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated ‘ID’ parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests. | 2025-12-24 | 6.5 | CVE-2019-25256 | ExploitDB-44386 VideoFlow Product Web Page Zero Science Lab Disclosure (ZSL-2018-5454) |
| VideoFlow Ltd.–VideoFlow Digital Video Protection DVP | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access. | 2025-12-24 | 4.3 | CVE-2019-25255 | ExploitDB-44387 VideoFlow Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5455) |
| Vikas Ratudi–Chakra test | Missing Authorization vulnerability in Vikas Ratudi Chakra test allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chakra test: from n/a through 1.0.1. | 2025-12-23 | 4.3 | CVE-2025-68557 | https://vdp.patchstack.com/database/wordpress/plugin/chakra-test/vulnerability/wordpress-chakra-test-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| Vikas Ratudi–VPSUForm | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vikas Ratudi VPSUForm allows Retrieve Embedded Sensitive Data. This issue affects VPSUForm: from n/a through 3.2.24. | 2025-12-23 | 6.5 | CVE-2025-68551 | https://vdp.patchstack.com/database/wordpress/plugin/v-form/vulnerability/wordpress-vpsuform-plugin-3-2-24-sensitive-data-exposure-vulnerability?_s_id=cve |
| VillaTheme–HAPPY | Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.9. | 2025-12-23 | 5.3 | CVE-2025-68556 | https://vdp.patchstack.com/database/wordpress/plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| Voidthemes–Void Elementor WHMCS Elements For Elementor Page Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Voidthemes Void Elementor WHMCS Elements For Elementor Page Builder. This issue affects Void Elementor WHMCS Elements For Elementor Page Builder: from n/a through 2.0.1.2. | 2025-12-22 | 6.5 | CVE-2025-62094 | https://vdp.patchstack.com/database/wordpress/plugin/void-elementor-whmcs-elements/vulnerability/wordpress-void-elementor-whmcs-elements-for-elementor-page-builder-plugin-2-0-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WebCodingPlace–Responsive Posts Carousel Pro | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WebCodingPlace Responsive Posts Carousel Pro allows Stored XSS. This issue affects Responsive Posts Carousel Pro: from n/a through 15.2. | 2025-12-23 | 6.5 | CVE-2025-68548 | https://vdp.patchstack.com/database/wordpress/plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpshuffle–Frontend Post Submission Manager Lite Frontend Posting WordPress Plugin | The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the ‘media_delete_action’ function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | 2025-12-25 | 5.3 | CVE-2025-14913 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19a6b19c-244d-4b30-8db2-b4d06a5f5509?source=cve https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-ajax.php#L91 https://plugins.trac.wordpress.org/changeset/3427082/frontend-post-submission-manager-lite |
| youlaitech–youlai-mall | A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 4.3 | CVE-2025-15085 | VDB-338413 | youlaitech youlai-mall Balance MemberController.java deductBalance improper authorization VDB-338413 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #708175 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/26 |
| youlaitech–youlai-mall | A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 4.3 | CVE-2025-15086 | VDB-338414 | youlaitech youlai-mall MemberController.java getMemberByMobile access control VDB-338414 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #708176 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/27 |
| youlaitech–youlai-mall | A security vulnerability has been detected in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function submitOrderPayment of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java. Such manipulation of the argument orderSn leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 4.3 | CVE-2025-15087 | VDB-338415 | youlaitech youlai-mall OrderController.java submitOrderPayment improper authorization VDB-338415 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #708180 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/30 |
| YunaiV–yudao-cloud | A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-26 | 6.3 | CVE-2025-15098 | VDB-338429 | YunaiV yudao-cloud Business Process Management BpmSyncHttpRequestTrigger server-side request forgery VDB-338429 | CTI Indicators (IOB, IOC, IOA) Submit #710170 | YunaiV YuDao Cloud <=v2025.11 Server-Side Request Forgery https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md#proof-of-concept |
| ZKTeco–BioTime | A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Performing manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 5.3 | CVE-2025-15128 | VDB-338506 | ZKTeco BioTime Endpoint safe_setting credentials storage VDB-338506 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711813 | ZkBioTime CMS 9.0.3, 9.0.4, 9.5.2 IDOR https://github.com/ionutluca888/IDOR-POC-ZKBio-Time/tree/main |
| ZSPACE–Z4Pro+ | A vulnerability was found in ZSPACE Z4Pro+ 1.0.0440024. Impacted is the function zfilev2_api_SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation results in command injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. | 2025-12-28 | 6.3 | CVE-2025-15131 | VDB-338509 | ZSPACE Z4Pro+ HTTP POST Request status zfilev2_api_SafeStatus command injection VDB-338509 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #713874 | ZSPACE Z4Pro+ v1.0.0440024 Command Injection https://github.com/LX-66-LX/cve/issues/1 |
| ZSPACE–Z4Pro+ | A vulnerability was determined in ZSPACE Z4Pro+ 1.0.0440024. The affected element is the function zfilev2_api_open of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | 2025-12-28 | 6.3 | CVE-2025-15132 | VDB-338510 | ZSPACE Z4Pro+ HTTP POST Request open zfilev2_api_open command injection VDB-338510 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #713885 | ZSPACE Z4Pro+ v1.0.0440024 Command Injection https://github.com/LX-66-LX/cve/issues/2 |
| ZSPACE–Z4Pro+ | A vulnerability was identified in ZSPACE Z4Pro+ 1.0.0440024. The impacted element is the function zfilev2_api_CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | 2025-12-28 | 6.3 | CVE-2025-15133 | VDB-338511 | ZSPACE Z4Pro+ HTTP POST Request close zfilev2_api_CloseSafe command injection VDB-338511 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #713887 | ZSPACE Z4Pro+ v1.0.0440024 Command Injection https://github.com/LX-66-LX/cve/issues/3 |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| actiontech–sqle | A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of a hard-coded cryptographic key. The attack is possible to be carried out remotely. The attack’s complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release. | 2025-12-27 | 3.7 | CVE-2025-15107 | VDB-338478 | actiontech sqle JWT Secret jwt.go hard-coded key VDB-338478 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #710380 | https://github.com/actiontech https://github.com/actiontech/sqle ≤4.2511.0 Authentication Bypass by Primary Weakness https://github.com/actiontech/sqle/issues/3186 https://github.com/actiontech/sqle/milestone/53 |
| Axesstmc–Zucchetti Axess CLOKI Access Control | Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page. | 2025-12-23 | 3.5 | CVE-2021-47722 | ExploitDB-50595 Product Web Page Zero Science Lab Disclosure (ZSL-2021-5689) VulnCheck Advisory: Zucchetti Axess CLOKI Access Control 1.64 Cross-Site Request Forgery |
| code-projects–Student Information System | A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Performing manipulation of the argument firstname/lastname results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-12-24 | 3.5 | CVE-2025-15052 | VDB-337858 | code-projects Student Information System profile.php cross site scripting VDB-337858 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #720765 | Fabian Ros Student Information System In PHP With Source Code November 2, 2025 Cross Site Scripting https://github.com/i4G5d/CRITICAL-SECURITY-VULNERABILITY-REPORT-Stored-XSS https://code-projects.org/ |
| Dromara–Sa-Token | A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15117 | VDB-338495 | Dromara Sa-Token SaJdkSerializer.java ObjectInputStream.readObject deserialization VDB-338495 | CTI Indicators (IOB, IOC, IOA) Submit #711750 | github.com/dromara/Sa-Token Sa-Token <=1.44.0 Deserialization https://github.com/Yohane-Mashiro/Sa-Token-cve |
| getmaxun–maxun | A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of a hard-coded cryptographic key. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-27 | 3.7 | CVE-2025-15105 | VDB-338476 | getmaxun auth.ts hard-coded key VDB-338476 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #710256 | https://github.com/getmaxun https://github.com/getmaxun/maxun ≤ v0.0.28 Authentication Bypass by Primary Weakness https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6 |
| Gitea–Gitea | In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. | 2025-12-26 | 3.1 | CVE-2025-68940 | https://blog.gitea.com/release-of-1.22.5/ https://github.com/go-gitea/gitea/releases/tag/v1.22.5 https://github.com/go-gitea/gitea/pull/32654 |
| Honor–Magic OS | ADB (Android Debug Bridge) is affected by a privilege bypass; successful exploitation of this vulnerability may affect service availability. | 2025-12-24 | 2.2 | CVE-2025-57840 | https://www.honor.com/global/security/cve-2025-57840 |
| IBM–Aspera Faspex 5 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 enforces permissions inconsistently between the user interface and the backend API, which could allow users to access features that appear disabled in the interface, potentially leading to misuse. | 2025-12-26 | 3.8 | CVE-2025-36228 | https://www.ibm.com/support/pages/node/7255331 |
| IBM–Aspera Faspex 5 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to obtain sensitive information by enumerating package identifiers. | 2025-12-26 | 3.1 | CVE-2025-36229 | https://www.ibm.com/support/pages/node/7255331 |
| CouchCMS–CouchCMS | A security flaw has been discovered in CouchCMS up to 2.4. Affected is an unknown function of the file couch/config.example.php of the component reCAPTCHA Handler. The manipulation of the argument K_RECAPTCHA_SITE_KEY/K_RECAPTCHA_SECRET_KEY results in use of a hard-coded cryptographic key. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be exploited. | 2025-12-22 | 3.7 | CVE-2025-15005 | VDB-337711 | CouchCMS reCAPTCHA config.example.php hard-coded key VDB-337711 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #718998 | https://github.com/CouchCMS/CouchCMS ≤ 2.4 Use of Hard-coded Cryptographic Key https://note-hxlab.wetolink.com/share/jNNcrdrNyCvl https://note-hxlab.wetolink.com/share/jNNcrdrNyCvl#-span–strong-proof-of-concept—strong—span- |
| Halo–Halo | A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing manipulation can lead to information disclosure. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15141 | VDB-338519 | Halo Configuration actuator information disclosure VDB-338519 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #715235 | Halo 2.21.10 Exposure of Sensitive Information Due to Incompatible Policies https://github.com/SECWG/cve/issues/9 |
| JeecgBoot–JeecgBoot | A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15119 | VDB-338497 | JeecgBoot list queryPageList improper authorization VDB-338497 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711771 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/32 |
| JeecgBoot–JeecgBoot | A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15120 | VDB-338498 | JeecgBoot getDeptRoleList improper authorization VDB-338498 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711772 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/33 |
| JeecgBoot–JeecgBoot | A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Performing manipulation of the argument departId/roleId results in improper authorization. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15122 | VDB-338500 | JeecgBoot datarule loadDatarule improper authorization VDB-338500 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711774 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/35 |
| JeecgBoot–JeecgBoot | A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15123 | VDB-338501 | JeecgBoot datarule improper authorization VDB-338501 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711775 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/36 |
| JeecgBoot–JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack’s complexity is rated as high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15124 | VDB-338502 | JeecgBoot list getParameterMap improper authorization VDB-338502 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711776 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/37 |
| JeecgBoot–JeecgBoot | A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15125 | VDB-338503 | JeecgBoot queryDepartPermission improper authorization VDB-338503 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711777 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/38 |
| JeecgBoot–JeecgBoot | A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15126 | VDB-338504 | JeecgBoot getPositionUserList improper authorization VDB-338504 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711782 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/39 |
| JeecgBoot–JeecgBoot | A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Such manipulation of the argument departId leads to information disclosure. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 2.4 | CVE-2025-15121 | VDB-338499 | JeecgBoot getDeptRoleByUserId information disclosure VDB-338499 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711773 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/34 |
| OpenCart–OpenCart | A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing manipulation results in race condition. The attack may be initiated remotely. The attack’s complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.7 | CVE-2025-15116 | VDB-338494 | OpenCart Single-Use Coupon race condition VDB-338494 | CTI Indicators (IOB, IOC) Submit #711745 | OpenCart 4.1.0.3 Time-of-check Time-of-use https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01 https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01#steps-to-reproduce |
| PbootCMS–PbootCMS | A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing manipulation can lead to files or directories being accessible to external parties. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Modifying the configuration settings is advised. | 2025-12-28 | 3.7 | CVE-2025-15153 | VDB-338531 | PbootCMS SQLite Database pbootcms.db file access VDB-338531 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #719814 | PbootCMS 3.2.12 SQLite Database File Disclosure https://note-hxlab.wetolink.com/share/ALC1iSa8J56A |
| PandaXGO–PandaX | A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of a hard-coded cryptographic key. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-27 | 3.7 | CVE-2025-15108 | VDB-338479 | PandaXGO PandaX JWT Secret config.yml hard-coded key VDB-338479 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711519 | https://github.com/PandaXGO https://github.com/PandaXGO/PandaX before commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5 (As of December 10, 2025) Authentication Bypass by Primary Weakness https://github.com/PandaXGO/PandaX/issues/9 |
| postmanlabs–httpbin | A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-26 | 3.5 | CVE-2025-15095 | VDB-338424 | postmanlabs httpbin core.py cross site scripting VDB-338424 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #709002 | postmanlabs httpbin <=0.6.1 XSS https://github.com/postmanlabs/httpbin/issues/735 |
| rawchen–ecms | A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument productName leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 2.4 | CVE-2025-15149 | VDB-338526 | rawchen ecms Add New Product updateProductServlet.java updateProductServlet cross site scripting VDB-338526 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716583 | https://github.com/rawchen/ecms?tab=readme-ov-file ecms 1.0 Stored XSS https://github.com/zyhzheng500-maker/cve/blob/main/%E5%AD%98%E5%82%A8%E5%9E%8BXss.md |
| SohuTV–CacheCloud | A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. This affects the function doTotalList of the file src/main/java/com/sohu/cache/web/controller/TotalManageController.java. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 2.4 | CVE-2025-15145 | VDB-338523 | SohuTV CacheCloud TotalManageController.java doTotalList cross site scripting VDB-338523 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716301 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/365 https://github.com/sohutv/cachecloud/issues/365#issue-3733522215 |
| SohuTV–CacheCloud | A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This impacts the function doUserList of the file src/main/java/com/sohu/cache/web/controller/UserManageController.java. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 2.4 | CVE-2025-15146 | VDB-338524 | SohuTV CacheCloud UserManageController.java doUserList cross site scripting VDB-338524 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716302 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/366 https://github.com/sohutv/cachecloud/issues/366#issue-3733542570 |
| TaleLin–Lin-CMS | A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. This manipulation of the argument username/password results in a password stored in a configuration file. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. | 2025-12-28 | 3.7 | CVE-2025-15151 | VDB-338528 | TaleLin Lin-CMS Tests Folder config.py password in configuration file VDB-338528 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721893 | https://doc.cms.talelin.com/ Lin-CMS 0.6.0 weak password https://github.com/m3ngx1ng/cve/blob/4690d4020a4a642af4c50912f762937292228641/lin-cms.md |
| TOZED–ZLT M30s | A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation results in an on-chip debug and test interface with improper access control. The attack requires physical access to the device. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 2 | CVE-2025-15083 | VDB-338411 | TOZED ZLT M30s UART on-chip debug and test interface with improper access control VDB-338411 | CTI Indicators (IOB, IOC) Submit #707974 | TOZED ZLT M30s 1.47 Improper Access Control in Debug Interface https://hacklab.eu.org/blogs/zlt_m30s_debug_interface |
| youlaitech–youlai-mall | A vulnerability was identified in youlaitech youlai-mall 1.0.0/2.0.0. The impacted element is the function orderService.payOrder of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java of the component Order Payment Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 3.1 | CVE-2025-15084 | VDB-338412 | youlaitech youlai-mall Order Payment OrderController.java orderService.payOrder access control VDB-338412 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #708174 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/24 |
| yourmaileyes–MOOC | A security flaw has been discovered in yourmaileyes MOOC up to 1.17. This affects the function subreview of the file mooc/controller/MainController.java of the component Submission Handler. Performing manipulation of the argument review results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 3.5 | CVE-2025-15134 | VDB-338512 | yourmaileyes MOOC Submission MainController.java subreview cross site scripting VDB-338512 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #713955 | yourmaileyes MOOC V1.17 Improper Neutralization of Alternate XSS Syntax https://github.com/yourmaileyes/MOOC/issues/12 https://github.com/yourmaileyes/MOOC/issues/12#issue-3722197285 |
Severity Not Yet Assigned
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10up–Eight Day Week Print Workflow | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data. This issue affects Eight Day Week Print Workflow: from n/a through <= 1.2.5. | 2025-12-24 | not yet calculated | CVE-2025-67621 | https://vdp.patchstack.com/database/Wordpress/Plugin/eight-day-week-print-workflow/vulnerability/wordpress-eight-day-week-print-workflow-plugin-1-2-5-sensitive-data-exposure-vulnerability?_s_id=cve |
| 6Storage–6Storage Rentals | Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery. This issue affects 6Storage Rentals: from n/a through <= 2.19.9. | 2025-12-24 | not yet calculated | CVE-2025-67623 | https://vdp.patchstack.com/database/Wordpress/Plugin/6storage-rentals/vulnerability/wordpress-6storage-rentals-plugin-2-19-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| abhinavxd–libredesk | Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting the request and removing the <p> tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta. | 2025-12-27 | not yet calculated | CVE-2025-68927 | https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4 https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb |
| Academy Software Foundation–OpenEXR | Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27946. | 2025-12-23 | not yet calculated | CVE-2025-12495 | ZDI-25-989 |
| Academy Software Foundation–OpenEXR | Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27947. | 2025-12-23 | not yet calculated | CVE-2025-12839 | ZDI-25-990 |
| Academy Software Foundation–OpenEXR | Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27948. | 2025-12-23 | not yet calculated | CVE-2025-12840 | ZDI-25-991 |
| Addonify–Addonify | Missing Authorization vulnerability in Addonify Addonify addonify-quick-view allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify: from n/a through <= 2.0.4. | 2025-12-24 | not yet calculated | CVE-2025-68578 | https://vdp.patchstack.com/database/Wordpress/Plugin/addonify-quick-view/vulnerability/wordpress-addonify-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| Alessandro Piconi–Simple Keyword to Link | Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery. This issue affects Simple Keyword to Link: from n/a through <= 1.5. | 2025-12-24 | not yet calculated | CVE-2025-68573 | https://vdp.patchstack.com/database/Wordpress/Plugin/simple-keyword-to-link/vulnerability/wordpress-simple-keyword-to-link-plugin-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| AMP-MODE–Review Disclaimer | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS. This issue affects Review Disclaimer: from n/a through <= 2.0.3. | 2025-12-24 | not yet calculated | CVE-2025-67628 | https://vdp.patchstack.com/database/Wordpress/Plugin/review-disclaimer/vulnerability/wordpress-review-disclaimer-plugin-2-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| apiDoc–apidoc-core | Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules. | 2025-12-26 | not yet calculated | CVE-2025-13158 | https://www.sonatype.com/security-advisories/cve-2025-13158 |
| Assaf Parag–Poll, Survey & Quiz Maker Plugin by Opinion Stage | Missing Authorization vulnerability in Assaf Parag Poll, Survey & Quiz Maker Plugin by Opinion Stage social-polls-by-opinionstage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll, Survey & Quiz Maker Plugin by Opinion Stage: from n/a through <= 19.12.1. | 2025-12-24 | not yet calculated | CVE-2025-68594 | https://vdp.patchstack.com/database/Wordpress/Plugin/social-polls-by-opinionstage/vulnerability/wordpress-poll-survey-quiz-maker-plugin-by-opinion-stage-plugin-19-12-1-broken-access-control-vulnerability?_s_id=cve |
| Automattic–WooCommerce | A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier. | 2025-12-22 | not yet calculated | CVE-2025-15033 | https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/ |
| Basticom–Basticom Framework | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Basticom Basticom Framework basticom-framework allows Stored XSS. This issue affects Basticom Framework: from n/a through <= 1.5.2. | 2025-12-24 | not yet calculated | CVE-2025-67629 | https://vdp.patchstack.com/database/Wordpress/Plugin/basticom-framework/vulnerability/wordpress-basticom-framework-plugin-1-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bdthemes–Prime Slider Addons For Elementor | Server-Side Request Forgery (SSRF) vulnerability in bdthemes Prime Slider – Addons For Elementor bdthemes-prime-slider-lite allows Server Side Request Forgery. This issue affects Prime Slider – Addons For Elementor: from n/a through <= 4.0.10. | 2025-12-24 | not yet calculated | CVE-2025-68500 | https://vdp.patchstack.com/database/Wordpress/Plugin/bdthemes-prime-slider-lite/vulnerability/wordpress-prime-slider-addons-for-elementor-plugin-4-0-10-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Ben Balter–WP Document Revisions | Missing Authorization vulnerability in Ben Balter WP Document Revisions wp-document-revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a through <= 3.7.2. | 2025-12-24 | not yet calculated | CVE-2025-68585 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-document-revisions/vulnerability/wordpress-wp-document-revisions-plugin-3-7-2-broken-access-control-vulnerability?_s_id=cve |
| BeRocket–Brands for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in BeRocket Brands for WooCommerce brands-for-woocommerce allows Blind SQL Injection. This issue affects Brands for WooCommerce: from n/a through <= 3.8.6.3. | 2025-12-24 | not yet calculated | CVE-2025-68519 | https://vdp.patchstack.com/database/Wordpress/Plugin/brands-for-woocommerce/vulnerability/wordpress-brands-for-woocommerce-plugin-3-8-6-3-sql-injection-vulnerability?_s_id=cve |
| Bit Apps–Bit Assist | Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bit Assist: from n/a through <= 1.5.11. | 2025-12-24 | not yet calculated | CVE-2025-68596 | https://vdp.patchstack.com/database/Wordpress/Plugin/bit-assist/vulnerability/wordpress-bit-assist-plugin-1-5-11-broken-access-control-vulnerability?_s_id=cve |
| BlueGlass Interactive AG–Jobs for WordPress | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Stored XSS. This issue affects Jobs for WordPress: from n/a through <= 2.7.17. | 2025-12-24 | not yet calculated | CVE-2025-68597 | https://vdp.patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-7-17-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bob–Watu Quiz | Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Watu Quiz: from n/a through <= 3.4.5. | 2025-12-24 | not yet calculated | CVE-2025-68587 | https://vdp.patchstack.com/database/Wordpress/Plugin/watu/vulnerability/wordpress-watu-quiz-plugin-3-4-5-broken-access-control-vulnerability-2?_s_id=cve |
| boldthemes–Bold Timeline Lite | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in bold themes Bold Timeline Lite bold-timeline-lite allows Stored XSS. This issue affects Bold Timeline Lite: from n/a through <= 1.2.7. | 2025-12-24 | not yet calculated | CVE-2025-68513 | https://vdp.patchstack.com/database/Wordpress/Plugin/bold-timeline-lite/vulnerability/wordpress-bold-timeline-lite-plugin-1-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brainstorm Force–Astra Widgets | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through <= 1.2.16. | 2025-12-24 | not yet calculated | CVE-2025-68497 | https://vdp.patchstack.com/database/Wordpress/Plugin/astra-widgets/vulnerability/wordpress-astra-widgets-plugin-1-2-16-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brave–Brave | Missing Authorization vulnerability in Brave brave-popup-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Brave: from n/a through <= 0.8.3. | 2025-12-24 | not yet calculated | CVE-2025-68508 | https://vdp.patchstack.com/database/Wordpress/Plugin/brave-popup-builder/vulnerability/wordpress-brave-plugin-0-8-3-broken-access-control-vulnerability?_s_id=cve |
| brownbagmarketing–Greenhouse Job Board | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in brownbagmarketing Greenhouse Job Board greenhouse-job-board allows DOM-Based XSS. This issue affects Greenhouse Job Board: from n/a through <= 2.7.3. | 2025-12-24 | not yet calculated | CVE-2025-67633 | https://vdp.patchstack.com/database/Wordpress/Plugin/greenhouse-job-board/vulnerability/wordpress-greenhouse-job-board-plugin-2-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| captivateaudio–Captivate Sync | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Blind SQL Injection. This issue affects Captivate Sync: from n/a through <= 3.2.2. | 2025-12-24 | not yet calculated | CVE-2025-68570 | https://vdp.patchstack.com/database/Wordpress/Plugin/captivatesync-trade/vulnerability/wordpress-captivate-sync-plugin-3-2-2-sql-injection-vulnerability?_s_id=cve |
| codepeople–WP Time Slots Booking Form | Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.38. | 2025-12-24 | not yet calculated | CVE-2025-68569 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-time-slots-booking-form/vulnerability/wordpress-wp-time-slots-booking-form-plugin-1-2-38-broken-access-control-vulnerability?_s_id=cve |
| Constantin Boiangiu–Vimeotheque | Cross-Site Request Forgery (CSRF) vulnerability in Constantin Boiangiu Vimeotheque codeflavors-vimeo-video-post-lite allows Cross Site Request Forgery. This issue affects Vimeotheque: from n/a through <= 2.3.5.2. | 2025-12-24 | not yet calculated | CVE-2025-68584 | https://vdp.patchstack.com/database/Wordpress/Plugin/codeflavors-vimeo-video-post-lite/vulnerability/wordpress-vimeotheque-plugin-2-3-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| continuwuity–continuwuity | Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to version 0.10.10, continuwuity prior to version 0.5.0, Grapevine prior to commit `9a50c244`, and tuwunel prior to version 1.4.8. The flaw exists because the server fails to validate the origin of a signing request, provided the event’s state_key is a valid user ID belonging to the target server. Attackers can forge “leave” events for any user on the target server. This forcibly removes users (including admins and bots) from rooms. This allows denial of service and/or the removal of technical protections for a room (including policy servers, if all users on the policy server are removed). Attackers can forge “invite” events from a victim user to themselves, provided they have an account on a server where there is an account that has the power level to send invites. This allows the attacker to join private or invite-only rooms accessible by the victim, exposing confidential conversation history and room state. Attackers can forge “ban” events from a victim user to any user below the victim user’s power level, provided the victim has the power level to issue bans AND the target of the ban resides on the same server as the victim. This allows the attacker to ban anyone in a room who is on the same server as the vulnerable one, but cannot exploit this to ban users on other servers or the victim themself. Conduit fixes the issue in version 0.10.10. continuwuity fixes the issue in commits `7fa4fa98` and `b2bead67`, released in 0.5.0. tuwunel fixes the issue in commit `dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3`, released in 1.4.8. Grapevine fixes the issue in commit `9a50c2448abba6e2b7d79c64243bb438b351616c`. As a workaround, block access to the `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}` endpoint using your reverse proxy. | 2025-12-23 | not yet calculated | CVE-2025-68667 | https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8 https://github.com/matrix-construct/tuwunel/commit/dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3 https://forgejo.ellis.link/continuwuation/continuwuity/commit/7fa4fa98628593c1a963f5aa8dbc3657d604b047 https://forgejo.ellis.link/continuwuation/continuwuity/commit/b2bead67ac8bc45de9a612578f295e5b7fc6c2b5 https://gitlab.com/famedly/conduit/-/releases/v0.10.10 https://gitlab.computer.surgery/matrix/grapevine/-/commit/9a50c2448abba6e2b7d79c64243bb438b351616c |
| coollabsio–coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66209 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| coollabsio–coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66210 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| coollabsio–coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66211 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| coollabsio–coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Proxy configuration filenames are passed to shell commands without proper escaping, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66212 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| coollabsio–coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66213 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| creativeinteractivemedia–Real 3D FlipBook | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite allows Stored XSS. This issue affects Real 3D FlipBook: from n/a through <= 4.11.4. | 2025-12-24 | not yet calculated | CVE-2025-68512 | https://vdp.patchstack.com/database/Wordpress/Plugin/real3d-flipbook-lite/vulnerability/wordpress-real-3d-flipbook-plugin-4-11-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CRM Perks–Integration for Contact Form 7 HubSpot | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2. | 2025-12-24 | not yet calculated | CVE-2025-68590 | https://vdp.patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-2-sql-injection-vulnerability?_s_id=cve |
| Deciso–OPNsense | Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of backup configuration files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of root. Was ZDI-CAN-28133. | 2025-12-23 | not yet calculated | CVE-2025-13698 | ZDI-25-1022 vendor-provided URL |
| Delta Electronics–DVP-12SE | DVP-12SE – Modbus/TCP Cleartext Transmission of Sensitive Information | 2025-12-26 | not yet calculated | CVE-2025-62578 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00021_DVP-12SE%20ModbusTCP%20Cleartext%20Transmission%20of%20Sensitive%20Info.pdf |
| DeluxeThemes–Userpro | Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Userpro: from n/a through <= 5.1.9. | 2025-12-24 | not yet calculated | CVE-2025-68608 | https://vdp.patchstack.com/database/Wordpress/Plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-9-broken-access-control-vulnerability?_s_id=cve |
| DreamFactory–DreamFactory | DreamFactory saveZipFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of DreamFactory. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the saveZipFile method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26589. | 2025-12-23 | not yet calculated | CVE-2025-13700 | ZDI-25-1024 vendor-provided URL |
| Ecommerce Platforms–Gift Hunt | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Ecommerce Platforms Gift Hunt gift-hunt allows Stored XSS. This issue affects Gift Hunt: from n/a through <= 2.0.2. | 2025-12-24 | not yet calculated | CVE-2025-67631 | https://vdp.patchstack.com/database/Wordpress/Plugin/gift-hunt/vulnerability/wordpress-gift-hunt-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| eigent-ai–eigent | Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim’s machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61. | 2025-12-27 | not yet calculated | CVE-2025-68952 | https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4 |
| Embeds For YouTube Plugin Support–YouTube Embed | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Embeds For YouTube Plugin Support YouTube Embed youtube-embed allows Stored XSS. This issue affects YouTube Embed: from n/a through <= 5.4. | 2025-12-24 | not yet calculated | CVE-2025-68599 | https://vdp.patchstack.com/database/Wordpress/Plugin/youtube-embed/vulnerability/wordpress-youtube-embed-plugin-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| espressif–esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, it is possible for the number of available services to exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition. | 2025-12-26 | not yet calculated | CVE-2025-68473 | https://github.com/espressif/esp-idf/security/advisories/GHSA-hmjj-rjvv-w8pq https://github.com/espressif/esp-idf/commit/3286e45349b0b5c2b1422ef7e8d088b95eef895d https://github.com/espressif/esp-idf/commit/4d928f2265c394d2abc85024228e920a5b26bcab https://github.com/espressif/esp-idf/commit/5b3185168dae83d42aa0852689422fffd931f16c https://github.com/espressif/esp-idf/commit/6453f57a954458ad8ffd6e4bf2d9e76b73fac0f1 https://github.com/espressif/esp-idf/commit/6ca6f422dafaffcb88fa56cc458ce92d96be3b2e https://github.com/espressif/esp-idf/commit/9889edd799cf369e082df9d01adba961d64693ed https://github.com/espressif/esp-idf/commit/ecb86d353640cf1375bf97db32e702ba59c551b6 |
| espressif–esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the actual fixed header data written before the vendor payload exceeds this value: 29 bytes in total are written before p_msg->p_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled. | 2025-12-26 | not yet calculated | CVE-2025-68474 | https://github.com/espressif/esp-idf/security/advisories/GHSA-43gh-7r4f-qp57 https://github.com/espressif/esp-idf/commit/0b0b59f2e19cb99dfa1b28c284d1c5c1d276a132 https://github.com/espressif/esp-idf/commit/565fa98d0cfd58102204c1cb636747e17ee59845 https://github.com/espressif/esp-idf/commit/8262ee807d5cd425f66304f703eeb3382fb888c0 https://github.com/espressif/esp-idf/commit/a6c1bc5e3e91ad1cb964ce2c178ee40a5d10a4a0 https://github.com/espressif/esp-idf/commit/aa0e3d75db995b7137b55349fc92ee684b47092d https://github.com/espressif/esp-idf/commit/b9ba1e29b65536ab4b670ac099585d09adce0376 |
| Essekia–Tablesome | Insertion of Sensitive Information Into Sent Data vulnerability in Essekia Tablesome tablesome allows Retrieve Embedded Sensitive Data. This issue affects Tablesome: from n/a through <= 1.1.35.1. | 2025-12-24 | not yet calculated | CVE-2025-68516 | https://vdp.patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| Essekia–Tablesome | Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.1. | 2025-12-24 | not yet calculated | CVE-2025-68517 | https://vdp.patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-1-broken-access-control-vulnerability?_s_id=cve |
| FolioVision–FV Simpler SEO | Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FV Simpler SEO: from n/a through <= 1.9.6. | 2025-12-24 | not yet calculated | CVE-2025-68579 | https://vdp.patchstack.com/database/Wordpress/Plugin/fv-all-in-one-seo-pack/vulnerability/wordpress-fv-simpler-seo-plugin-1-9-6-broken-access-control-vulnerability?_s_id=cve |
| Forgejo–Forgejo | Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later. | 2025-12-25 | not yet calculated | CVE-2025-68937 | https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md https://codeberg.org/forgejo/forgejo/milestone/29156 https://codeberg.org/forgejo/forgejo/milestone/27340 https://codeberg.org/forgejo/security-announcements/issues/43 https://blog.gitea.com/release-of-1.24.7/ |
| FreshRSS–FreshRSS | FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for “keep me logged in” functionality. This issue has been patched in version 1.28.0. | 2025-12-26 | not yet calculated | CVE-2025-68932 | https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j9wc-gwc6-p786 https://github.com/FreshRSS/FreshRSS/pull/8061 https://github.com/FreshRSS/FreshRSS/commit/57e1a375cbd2db9741ff19167813344f8eff5772 |
| Funnelforms–Funnelforms Free | Missing Authorization vulnerability in Funnelforms Funnelforms Free funnelforms-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Funnelforms Free: from n/a through <= 3.8. | 2025-12-24 | not yet calculated | CVE-2025-68582 | https://vdp.patchstack.com/database/Wordpress/Plugin/funnelforms-free/vulnerability/wordpress-funnelforms-free-plugin-3-8-broken-access-control-vulnerability?_s_id=cve |
| GIMP–GIMP | GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273. | 2025-12-23 | not yet calculated | CVE-2025-14422 | ZDI-25-1136 vendor-provided URL |
| GIMP–GIMP | GIMP LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of LBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28311. | 2025-12-23 | not yet calculated | CVE-2025-14423 | ZDI-25-1137 vendor-provided URL |
| GIMP–GIMP | GIMP XCF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XCF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28376. | 2025-12-23 | not yet calculated | CVE-2025-14424 | ZDI-25-1138 vendor-provided URL |
| GIMP–GIMP | GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248. | 2025-12-23 | not yet calculated | CVE-2025-14425 | ZDI-25-1139 vendor-provided URL |
| Gora Tech–Cooked | Missing Authorization vulnerability in Gora Tech Cooked cooked allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cooked: from n/a through <= 1.11.2. | 2025-12-24 | not yet calculated | CVE-2025-68586 | https://vdp.patchstack.com/database/Wordpress/Plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-broken-access-control-vulnerability?_s_id=cve |
| Hanwha Vision Co., Ltd.–Device Manager | Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager: a hardcoded encryption key is used to protect sensitive information. An attacker can use the key to decrypt that sensitive information. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer’s report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-52601 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| Hanwha Vision Co., Ltd.–QNV-C8012 | Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has found a flaw in which the camera’s client service does not perform certificate validation. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer’s report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-52598 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| Hanwha Vision Co., Ltd.–QNV-C8012 | Nozomi Networks Labs, a cybersecurity company specialized in Industrial Control Systems (ICS) and OT/IoT security, has discovered inadequate permission management for the camera guest account. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer’s report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-52599 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| Hanwha Vision Co., Ltd.–QNV-C8012 | Nozomi Networks Labs, a cybersecurity company specialized in Industrial Control Systems (ICS) and OT/IoT security, has discovered an improper input validation vulnerability in the camera’s video analytics. This vulnerability could allow an attacker to execute specific commands on the user’s host PC. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer’s report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-52600 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| Hanwha Vision Co., Ltd.–QNV-C8012 | Nozomi Networks Labs, a cybersecurity company specialized in Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to perform XSS in the user’s browser. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer’s report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-8075 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| HasThemes–WC Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in HasThemes WC Builder wc-builder allows Stored XSS. This issue affects WC Builder: from n/a through <= 1.2.0. | 2025-12-24 | not yet calculated | CVE-2025-68533 | https://vdp.patchstack.com/database/Wordpress/Plugin/wc-builder/vulnerability/wordpress-wc-builder-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hugging Face–Accelerate | Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Accelerate. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27985. | 2025-12-23 | not yet calculated | CVE-2025-14925 | ZDI-25-1140 |
| Hugging Face–Diffusers | Hugging Face Diffusers CogView4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Diffusers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27424. | 2025-12-23 | not yet calculated | CVE-2025-14922 | ZDI-25-1142 |
| Hugging Face–smolagents | Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28312. | 2025-12-23 | not yet calculated | CVE-2025-14931 | ZDI-25-1143 |
| Hugging Face–Transformers | Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423. | 2025-12-23 | not yet calculated | CVE-2025-14920 | ZDI-25-1150 |
| Hugging Face–Transformers | Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424. | 2025-12-23 | not yet calculated | CVE-2025-14921 | ZDI-25-1149 |
| Hugging Face–Transformers | Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27984. | 2025-12-23 | not yet calculated | CVE-2025-14924 | ZDI-25-1141 |
| Hugging Face–Transformers | Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28251. | 2025-12-23 | not yet calculated | CVE-2025-14926 | ZDI-25-1147 |
| Hugging Face–Transformers | Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28252. | 2025-12-23 | not yet calculated | CVE-2025-14927 | ZDI-25-1148 |
| Hugging Face–Transformers | Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253. | 2025-12-23 | not yet calculated | CVE-2025-14928 | ZDI-25-1146 |
| Hugging Face–Transformers | Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28308. | 2025-12-23 | not yet calculated | CVE-2025-14929 | ZDI-25-1144 |
| Hugging Face–Transformers | Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309. | 2025-12-23 | not yet calculated | CVE-2025-14930 | ZDI-25-1145 |
| icc0rz–H5P | Missing Authorization vulnerability in icc0rz H5P h5p allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects H5P: from n/a through <= 1.16.1. | 2025-12-24 | not yet calculated | CVE-2025-68505 | https://vdp.patchstack.com/database/Wordpress/Plugin/h5p/vulnerability/wordpress-h5p-plugin-1-16-1-broken-access-control-vulnerability?_s_id=cve |
| Icegram–Icegram Express Pro | Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection. This issue affects Icegram Express Pro: from n/a through <= 5.9.11. | 2025-12-24 | not yet calculated | CVE-2025-68038 | https://vdp.patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-11-php-object-injection-vulnerability?_s_id=cve |
| IceWarp–IceWarp | IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a parameter passed to the gmaps webpage. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25441. | 2025-12-23 | not yet calculated | CVE-2025-14499 | ZDI-25-1071 vendor-provided URL |
| IceWarp–IceWarp | IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the X-File-Operation header. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27394. | 2025-12-23 | not yet calculated | CVE-2025-14500 | ZDI-25-1072 |
| integrationclaspo–Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture & Lead Generation forms maker | Missing Authorization vulnerability in integrationclaspo Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture & Lead Generation forms maker claspo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture & Lead Generation forms maker: from n/a through <= 1.0.5. | 2025-12-24 | not yet calculated | CVE-2025-68568 | https://vdp.patchstack.com/database/Wordpress/Plugin/claspo/vulnerability/wordpress-popup-builder-exit-intent-pop-up-spin-the-wheel-newsletter-signup-email-capture-lead-generation-forms-maker-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve |
| JayBee–Twitch Player | Missing Authorization vulnerability in JayBee Twitch Player ttv-easy-embed-player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Twitch Player: from n/a through <= 2.1.3. | 2025-12-24 | not yet calculated | CVE-2025-68565 | https://vdp.patchstack.com/database/Wordpress/Plugin/ttv-easy-embed-player/vulnerability/wordpress-twitch-player-plugin-2-1-3-broken-access-control-vulnerability?_s_id=cve |
| Jeff Starr–User Submitted Posts | URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Jeff Starr User Submitted Posts user-submitted-posts allows Phishing. This issue affects User Submitted Posts: from n/a through <= 20251121. | 2025-12-24 | not yet calculated | CVE-2025-68509 | https://vdp.patchstack.com/database/Wordpress/Plugin/user-submitted-posts/vulnerability/wordpress-user-submitted-posts-plugin-20251121-open-redirection-vulnerability?_s_id=cve |
| Jegstudio–Gutenverse Form | Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Form: from n/a through <= 2.3.1. | 2025-12-24 | not yet calculated | CVE-2025-68511 | https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse-form/vulnerability/wordpress-gutenverse-form-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve |
| jnunemaker–httparty | httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd. | 2025-12-23 | not yet calculated | CVE-2025-68696 | https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4 https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240 |
| Johnson Controls–IQ Panels2, 2+, IQHub, IQPanel 4, PowerG | Use of a weak pseudo-random number generator, which may allow an attacker to read or inject encrypted PowerG packets. | 2025-12-22 | not yet calculated | CVE-2025-26379 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 |
| Johnson Controls–IQ Panels2, 2+, IQHub, IQPanel 4, PowerG | Due to nonce reuse, attackers can perform replay attacks or decrypt captured packets. | 2025-12-22 | not yet calculated | CVE-2025-61739 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 |
| Johnson Controls–IQ Panels2, 2+, IQHub, IQPanel 4, PowerG | Authentication issue that does not verify the source of a packet which could allow an attacker to create a denial-of-service condition or modify the configuration of the device. | 2025-12-22 | not yet calculated | CVE-2025-61740 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 |
| Johnson Controls–IQPanel2, IQHub, IQPanel2+, IQPanel 4, PowerG | Under certain circumstances, an attacker can capture the network key and read or write encrypted packets on the PowerG network. | 2025-12-22 | not yet calculated | CVE-2025-61738 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories |
| Johnson Controls–iSTAR Ultra, iSTAR Ultra SE | Under certain circumstances a successful exploitation could result in access to the device. | 2025-12-24 | not yet calculated | CVE-2025-43875 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-01 |
| Johnson Controls–iSTAR Ultra, iSTAR Ultra SE | Under certain circumstances a successful exploitation could result in access to the device. | 2025-12-24 | not yet calculated | CVE-2025-43876 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-01 |
| kedacore–keda | KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node’s filesystem (where the KEDA pod resides) by directing the file’s content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. This issue has been patched in versions 2.17.3 and 2.18.3. | 2025-12-22 | not yet calculated | CVE-2025-68476 | https://github.com/kedacore/keda/security/advisories/GHSA-c4p6-qg4m-9jmr https://github.com/kedacore/keda/commit/15c5677f65f809b9b6b59a52f4cf793db0a510fd |
| Kodezen LLC–Academy LMS | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS. This issue affects Academy LMS: from n/a through <= 3.4.0. | 2025-12-24 | not yet calculated | CVE-2025-68527 | https://vdp.patchstack.com/database/Wordpress/Plugin/academy/vulnerability/wordpress-academy-lms-plugin-3-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Leap13–Premium Addons for Elementor | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53. | 2025-12-24 | not yet calculated | CVE-2025-68494 | https://vdp.patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-53-sensitive-data-exposure-vulnerability?_s_id=cve |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mrp: introduce active flags to prevent UAF when applicant uninit The caller of del_timer_sync must prevent restarting of the timer. If we do not have this synchronization, there is a small probability that the cancellation will not be successful. And syzbot reported the following crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 Write at addr f9ff000024df6058 by task syz-fuzzer/2256 Pointer tag: [f9], memory tag: [fe] CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x1a8/0x4a0 mm/kasan/report.c:395 kasan_report+0x94/0xb4 mm/kasan/report.c:495 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 do_bad_area arch/arm64/mm/fault.c:473 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 hlist_add_head include/linux/list.h:929 [inline] enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 mod_timer+0x14/0x20 kernel/time/timer.c:1161 mrp_periodic_timer_arm net/802/mrp.c:614 [inline] mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 expire_timers+0x98/0xc4 kernel/time/timer.c:1519 To fix it, we can introduce a new active flag to make sure the timer will not restart. | 2025-12-24 | not yet calculated | CVE-2022-50697 | https://git.kernel.org/stable/c/98f53e591940e4c3818be358c5dc684d5b30cb56 https://git.kernel.org/stable/c/aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9 https://git.kernel.org/stable/c/78d48bc41f7726113c9f114268d3ab11212814da https://git.kernel.org/stable/c/aadb1507a77b060c529edfeaf67f803e31461f24 https://git.kernel.org/stable/c/755eb0879224ffc2a43de724554aeaf0e51e5a64 https://git.kernel.org/stable/c/5d5a481a7fd0234f617535dc464ea010804a1129 https://git.kernel.org/stable/c/1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6 https://git.kernel.org/stable/c/563e45fd5046045cc194af3ba17f5423e1c98170 https://git.kernel.org/stable/c/ab0377803dafc58f1e22296708c1c28e309414d6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: da7219: Fix an error handling path in da7219_register_dai_clks() If clk_hw_register() fails, the corresponding clk should not be unregistered. To handle errors from loops, clean up partial iterations before doing the goto. So add a clk_hw_unregister(). Then use a while (--i >= 0) loop in the unwind section. | 2025-12-24 | not yet calculated | CVE-2022-50698 | https://git.kernel.org/stable/c/4993c1511d66326f1037bc5156b024a6a96d23ef https://git.kernel.org/stable/c/f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176 https://git.kernel.org/stable/c/ec692f0b51006de1138cd1f82cae625f0d2888d1 https://git.kernel.org/stable/c/cefce8bee0e988f9a005fe40705b98a25cfb7f9d https://git.kernel.org/stable/c/abb4e4349afe7eecdb0499582f1c777031e3a7c8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context() The following warning was triggered on a hardware environment: SELinux: Converting 162 SID table entries… BUG: sleeping function called from invalid context at __might_sleep+0x60/0x74 0x0 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1 Call trace: dump_backtrace+0x0/0x1c8 show_stack+0x18/0x28 dump_stack+0xe8/0x15c ___might_sleep+0x168/0x17c __might_sleep+0x60/0x74 __kmalloc_track_caller+0xa0/0x7dc kstrdup+0x54/0xac convert_context+0x48/0x2e4 sidtab_context_to_sid+0x1c4/0x36c security_context_to_sid_core+0x168/0x238 security_context_to_sid_default+0x14/0x24 inode_doinit_use_xattr+0x164/0x1e4 inode_doinit_with_dentry+0x1c0/0x488 selinux_d_instantiate+0x20/0x34 security_d_instantiate+0x70/0xbc d_splice_alias+0x4c/0x3c0 ext4_lookup+0x1d8/0x200 [ext4] __lookup_slow+0x12c/0x1e4 walk_component+0x100/0x200 path_lookupat+0x88/0x118 filename_lookup+0x98/0x130 user_path_at_empty+0x48/0x60 vfs_statx+0x84/0x140 vfs_fstatat+0x20/0x30 __se_sys_newfstatat+0x30/0x74 __arm64_sys_newfstatat+0x1c/0x2c el0_svc_common.constprop.0+0x100/0x184 do_el0_svc+0x1c/0x2c el0_svc+0x20/0x34 el0_sync_handler+0x80/0x17c el0_sync+0x13c/0x140 SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is not valid (left unmapped). It was found that within a critical section of spin_lock_irqsave in sidtab_context_to_sid(), convert_context() (hooked by sidtab_convert_params.func) might cause the process to sleep via allocating memory with GFP_KERNEL, which is problematic. As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL. Therefore, fix this problem by adding a gfp_t argument for convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC properly in individual callers. [PM: wrap long BUG() output lines, tweak subject line] | 2025-12-24 | not yet calculated | CVE-2022-50699 | https://git.kernel.org/stable/c/2723875e9d677401d775a03a72abab7e9538c20c https://git.kernel.org/stable/c/3006766d247bc93a25b34e92fff2f75bda597e2e https://git.kernel.org/stable/c/277378631d26477451424cc73982b977961f3d8b https://git.kernel.org/stable/c/abe3c631447dcd1ba7af972fe6f054bee6f136fa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Delay the unmapping of the buffer On WCN3990, we are seeing a rare scenario where copy engine hardware is sending a copy complete interrupt to the host driver while still processing the buffer that the driver has sent; this is leading to an SMMU fault triggering a kernel panic. This is happening on copy engine channel 3 (CE3) where the driver normally enqueues WMI commands to the firmware. Upon receiving a copy complete interrupt, the host driver will immediately unmap and free the buffer, presuming that the hardware has processed the buffer. In the issue case, upon receiving the copy complete interrupt, the host driver will unmap and free the buffer, but since the hardware is still accessing the buffer (which in this case got unmapped in parallel), the SMMU hardware will trigger an SMMU fault resulting in a kernel panic. In order to avoid this, as a workaround, add a delay before unmapping the copy engine source DMA buffer. This is conditionally done for WCN3990 and only for the CE3 channel where the issue is seen. Below is the crash signature: wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0x7fdfd8ac0, fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003, cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091: cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149 remoteproc remoteproc0: crash detected in 4080000.remoteproc: type fatal error <3> remoteproc remoteproc0: handling crash #1 in 4080000.remoteproc pc : __arm_lpae_unmap+0x500/0x514 lr : __arm_lpae_unmap+0x4bc/0x514 sp : ffffffc011ffb530 x29: ffffffc011ffb590 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000004 x25: 0000000000000003 x24: ffffffc011ffb890 x23: ffffffa762ef9be0 x22: ffffffa77244ef00 x21: 0000000000000009 x20: 00000007fff7c000 x19: 0000000000000003 x18: 0000000000000000 x17: 0000000000000004 x16: ffffffd7a357d9f0 x15: 0000000000000000 x14: 00fd5d4fa7ffffff x13: 000000000000000e x12: 0000000000000000 x11: 00000000ffffffff x10: 00000000fffffe00 x9 : 000000000000017c x8 : 000000000000000c x7 : 0000000000000000 x6 : ffffffa762ef9000 x5 : 0000000000000003 x4 : 0000000000000004 x3 : 0000000000001000 x2 : 00000007fff7c000 x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace: __arm_lpae_unmap+0x500/0x514 __arm_lpae_unmap+0x4bc/0x514 __arm_lpae_unmap+0x4bc/0x514 arm_lpae_unmap_pages+0x78/0xa4 arm_smmu_unmap_pages+0x78/0x104 __iommu_unmap+0xc8/0x1e4 iommu_unmap_fast+0x38/0x48 __iommu_dma_unmap+0x84/0x104 iommu_dma_free+0x34/0x50 dma_free_attrs+0xa4/0xd0 ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c [ath10k_core] ath10k_halt+0x11c/0x180 [ath10k_core] ath10k_stop+0x54/0x94 [ath10k_core] drv_stop+0x48/0x1c8 [mac80211] ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c [mac80211] __dev_open+0xb4/0x174 __dev_change_flags+0xc4/0x1dc dev_change_flags+0x3c/0x7c devinet_ioctl+0x2b4/0x580 inet_ioctl+0xb0/0x1b4 sock_do_ioctl+0x4c/0x16c compat_ifreq_ioctl+0x1cc/0x35c compat_sock_ioctl+0x110/0x2ac __arm64_compat_sys_ioctl+0xf4/0x3e0 el0_svc_common+0xb4/0x17c el0_svc_compat_handler+0x2c/0x58 el0_svc_compat+0x8/0x2c Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 | 2025-12-24 | not yet calculated | CVE-2022-50700 | https://git.kernel.org/stable/c/c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a https://git.kernel.org/stable/c/79a124b588aadb5a22695542778de14366ff3219 https://git.kernel.org/stable/c/acd4324e5f1f11351630234297f95076f0ac9a2f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host SDIO may need an additional 511 bytes to align bus operation. If the tailroom of this skb is not big enough, we would access an invalid memory region. For low level operation, increase the skb size to keep valid memory access in the SDIO host. Error message: [69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0 [69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451 [69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1 [69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300] [69.951] Call Trace: [69.951] <TASK> [69.952] dump_stack_lvl+0x49/0x63 [69.952] print_report+0x171/0x4a8 [69.952] kasan_report+0xb4/0x130 [69.952] kasan_check_range+0x149/0x1e0 [69.952] memcpy+0x24/0x70 [69.952] sg_copy_buffer+0xe9/0x1a0 [69.952] sg_copy_to_buffer+0x12/0x20 [69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300] [69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300] [69.952] process_one_work+0x7ee/0x1320 [69.952] worker_thread+0x53c/0x1240 [69.952] kthread+0x2b8/0x370 [69.952] ret_from_fork+0x1f/0x30 [69.952] </TASK> [69.952] Allocated by task 854: [69.952] kasan_save_stack+0x26/0x50 [69.952] kasan_set_track+0x25/0x30 [69.952] kasan_save_alloc_info+0x1b/0x30 [69.952] __kasan_kmalloc+0x87/0xa0 [69.952] __kmalloc_node_track_caller+0x63/0x150 [69.952] kmalloc_reserve+0x31/0xd0 [69.952] __alloc_skb+0xfc/0x2b0 [69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76] [69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76] [69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76] [69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib] [69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib] [69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common] [69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s] [69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common] [69.953] process_one_work+0x7ee/0x1320 [69.953] worker_thread+0x53c/0x1240 [69.953] kthread+0x2b8/0x370 [69.953] ret_from_fork+0x1f/0x30 [69.953] The buggy address belongs to the object at ffff88811c9ce800 which belongs to the cache kmalloc-2k of size 2048 [69.953] The buggy address is located 0 bytes to the right of 2048-byte region [ffff88811c9ce800, ffff88811c9cf000) [69.953] Memory state around the buggy address: [69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69.953] ^ [69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | 2025-12-24 | not yet calculated | CVE-2022-50701 | https://git.kernel.org/stable/c/8b5174a7f25d03df0ffa171ff86de383a89e8e89 https://git.kernel.org/stable/c/0b358e36433d2c46a65488a146bf8b4623fc5bbb https://git.kernel.org/stable/c/aec4cf2ea0797e28f18f8dbe01943a56d987fe56 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init() Inject fault while probing module, if device_register() fails in vdpasim_net_init() or vdpasim_blk_init(), but the refcount of kobject is not decreased to 0, the name allocated in dev_set_name() is leaked. Fix this by calling put_device(), so that name can be freed in callback function kobject_cleanup(). (vdpa_sim_net) unreferenced object 0xffff88807eebc370 (size 16): comm "modprobe", pid 3848, jiffies 4362982860 (age 18.153s) hex dump (first 16 bytes): 76 64 70 61 73 69 6d 5f 6e 65 74 00 6b 6b 6b a5 vdpasim_net.kkk. backtrace: [<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150 [<ffffffff81731d53>] kstrdup+0x33/0x60 [<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110 [<ffffffff82d87aab>] dev_set_name+0xab/0xe0 [<ffffffff82d91a23>] device_add+0xe3/0x1a80 [<ffffffffa0270013>] 0xffffffffa0270013 [<ffffffff81001c27>] do_one_initcall+0x87/0x2e0 [<ffffffff813739cb>] do_init_module+0x1ab/0x640 [<ffffffff81379d20>] load_module+0x5d00/0x77f0 [<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0 [<ffffffff83c4d505>] do_syscall_64+0x35/0x80 [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 (vdpa_sim_blk) unreferenced object 0xffff8881070c1250 (size 16): comm "modprobe", pid 6844, jiffies 4364069319 (age 17.572s) hex dump (first 16 bytes): 76 64 70 61 73 69 6d 5f 62 6c 6b 00 6b 6b 6b a5 vdpasim_blk.kkk. backtrace: [<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150 [<ffffffff81731d53>] kstrdup+0x33/0x60 [<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110 [<ffffffff82d87aab>] dev_set_name+0xab/0xe0 [<ffffffff82d91a23>] device_add+0xe3/0x1a80 [<ffffffffa0220013>] 0xffffffffa0220013 [<ffffffff81001c27>] do_one_initcall+0x87/0x2e0 [<ffffffff813739cb>] do_init_module+0x1ab/0x640 [<ffffffff81379d20>] load_module+0x5d00/0x77f0 [<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0 [<ffffffff83c4d505>] do_syscall_64+0x35/0x80 [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-12-24 | not yet calculated | CVE-2022-50702 | https://git.kernel.org/stable/c/586e6fd7d581f987f7d0d2592edf0b26397e783e https://git.kernel.org/stable/c/5be953e353fe421f2983e1fd37f07fba97edbffc https://git.kernel.org/stable/c/337c24d817e28dd454ca22f1063dfad20822426e https://git.kernel.org/stable/c/aeca7ff254843d49a8739f07f7dab1341450111d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() There are two refcount leak bugs in qcom_smsm_probe(): (1) The 'local_node' escapes from for_each_child_of_node() via the break of the iteration; we should call of_node_put() for it in the error path or when it is not used anymore. (2) The 'node' escapes from for_each_available_child_of_node() via the 'goto'; we should call of_node_put() for it at the goto target. | 2025-12-24 | not yet calculated | CVE-2022-50703 | https://git.kernel.org/stable/c/1bbe75d466e5118b7d49ef4a346c3ce5742da4e8 https://git.kernel.org/stable/c/bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43 https://git.kernel.org/stable/c/42df28994eba7b56c762f7bbe7efd5611a1cd15b https://git.kernel.org/stable/c/1e3ed59370c712df436791efed120f0c082aa9bc https://git.kernel.org/stable/c/39781c98ad46b4e85053345dff797240c1ed7935 https://git.kernel.org/stable/c/96e0028debdd07a6d582f0dfadf9a3ec2b5fffff https://git.kernel.org/stable/c/8fb6112bd49c0e49f2cf51604231d85ff00284bb https://git.kernel.org/stable/c/ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d https://git.kernel.org/stable/c/af8f6f39b8afd772fda4f8e61823ef8c021bf382 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix use-after-free during usb config switch In the process of switching USB config from rndis to other config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free). The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior. Analysis as follows: ======================================================================= (1) write /config/usb_gadget/g1/UDC "none" gether_disconnect+0x2c/0x1f8 rndis_disable+0x4c/0x74 composite_disconnect+0x74/0xb0 configfs_composite_disconnect+0x60/0x7c usb_gadget_disconnect+0x70/0x124 usb_gadget_unregister_driver+0xc8/0x1d8 gadget_dev_desc_UDC_store+0xec/0x1e4 (2) rm /config/usb_gadget/g1/configs/b.1/f1 rndis_deregister+0x28/0x54 rndis_free+0x44/0x7c usb_put_function+0x14/0x1c config_usb_cfg_unlink+0xc4/0xe0 configfs_unlink+0x124/0x1c8 vfs_unlink+0x114/0x1dc (3) rmdir /config/usb_gadget/g1/functions/rndis.gs4 panic+0x1fc/0x3d0 do_page_fault+0xa8/0x46c do_mem_abort+0x3c/0xac el1_sync_handler+0x40/0x78 0xffffff801138f880 rndis_close+0x28/0x34 eth_stop+0x74/0x110 dev_close_many+0x48/0x194 rollback_registered_many+0x118/0x814 unregister_netdev+0x20/0x30 gether_cleanup+0x1c/0x38 rndis_attr_release+0xc/0x14 kref_put+0x74/0xb8 configfs_rmdir+0x314/0x374 If gadget->ops->pullup() returns an error, function rndis_close() will be called, which then causes a use-after-free problem. ======================================================================= | 2025-12-24 | not yet calculated | CVE-2022-50704 | https://git.kernel.org/stable/c/30e926aa835ac2e6ad05822e4cb75833feb0d99f https://git.kernel.org/stable/c/99a58ac42d9b6911834b0224b6782aea0c311346 https://git.kernel.org/stable/c/afdc12887f2b2ecf20d065a7d81ad29824155083 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: defer fsnotify calls to task context We can't call these off the kiocb completion as that might be off soft/hard irq context. Defer the calls to when we process the task_work for this request. That avoids valid complaints like: stack backtrace: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_usage_bug kernel/locking/lockdep.c:3961 [inline] valid_state kernel/locking/lockdep.c:3973 [inline] mark_lock_irq kernel/locking/lockdep.c:4176 [inline] mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632 mark_lock kernel/locking/lockdep.c:4596 [inline] mark_usage kernel/locking/lockdep.c:4527 [inline] __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007 lock_acquire kernel/locking/lockdep.c:5666 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 __fs_reclaim_acquire mm/page_alloc.c:4674 [inline] fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688 might_alloc include/linux/sched/mm.h:271 [inline] slab_pre_alloc_hook mm/slab.h:700 [inline] slab_alloc mm/slab.c:3278 [inline] __kmem_cache_alloc_lru mm/slab.c:3471 [inline] kmem_cache_alloc+0x39/0x520 mm/slab.c:3491 fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline] fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline] fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948 send_to_group fs/notify/fsnotify.c:360 [inline] fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570 __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230 fsnotify_parent include/linux/fsnotify.h:77 [inline] fsnotify_file include/linux/fsnotify.h:99 [inline] fsnotify_access include/linux/fsnotify.h:309 [inline] __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195 io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228 iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline] iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178 bio_endio+0x5f9/0x780 block/bio.c:1564 req_bio_endio block/blk-mq.c:695 [inline] blk_update_request+0x3fc/0x1300 block/blk-mq.c:825 scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541 scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971 scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022 __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240 | 2025-12-24 | not yet calculated | CVE-2022-50705 | https://git.kernel.org/stable/c/89a410dbd0f159ddd308f19d6eb682fc753e4771 https://git.kernel.org/stable/c/2a853c206e553dd9c0a55c22858fd6a446d93e15 https://git.kernel.org/stable/c/b000145e9907809406d8164c3b2b8861d95aecd1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: don't warn zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1], for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting __dev_queue_xmit() with skb->len == 0. Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was able to return 0, don't call __dev_queue_xmit() if packet length is 0. ---------- #include <sys/socket.h> #include <netinet/in.h> int main(int argc, char *argv[]) { struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) }; struct iovec iov = { }; struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 }; sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0); return 0; } ---------- Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len") should be reverted, for skb->len == 0 was acceptable for at least PF_IEEE802154 socket. | 2025-12-24 | not yet calculated | CVE-2022-50706 | https://git.kernel.org/stable/c/4a36de8947794fa21435d1e916e089095f3246a8 https://git.kernel.org/stable/c/791489a5c56396ddfed75fc525066d4738dace46 https://git.kernel.org/stable/c/34f31a2b667914ab701ca725554a0b447809d7ef https://git.kernel.org/stable/c/df0da3fc131132b6c32a15c4da4ffa3a5aea1af2 https://git.kernel.org/stable/c/9974d220c5073d035b5469d1d8ecd71da86c7afd https://git.kernel.org/stable/c/b12e924a2f5b960373459c8f8a514f887adf5cac |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session() 'vc_ctrl_req' is allocated in virtio_crypto_alg_skcipher_close_session(), and should be freed in the invalid ctrl_status->status error handling case. Otherwise there is a memory leak. | 2025-12-24 | not yet calculated | CVE-2022-50707 | https://git.kernel.org/stable/c/79026a2d0a1b080257773d22a493f9bcab8c65be https://git.kernel.org/stable/c/67fb59ff1384e338679c0eb7a43c83ce8868c9fa https://git.kernel.org/stable/c/0871df190fe6723464efe0f493d476411616f553 https://git.kernel.org/stable/c/b1d65f717cd6305a396a8738e022c6f7c65cfbe8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When hsi_register_port_event() gets some error and returns a negative value, the HSI client's port should be released with hsi_release_port(). Fix it by calling hsi_release_port() when hsi_register_port_event() fails. | 2025-12-24 | not yet calculated | CVE-2022-50708 | https://git.kernel.org/stable/c/78b0ef14896f843c45372f9bbdb6f6070f977eaf https://git.kernel.org/stable/c/e78b45b3eeee1cec77c794fcbf0512537c20b1dc https://git.kernel.org/stable/c/b28dbcb379e6a7f80262c2732a57681b1ee548ca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb with uninitialized memory and ath9k_htc_rx_msg() is reading from uninitialized memory. Since the bytes accessed by ath9k_htc_rx_msg() are not known until ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid pkt_len at the "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in ath9k_hif_usb_rx_stream(). We have two choices. One is to workaround by adding __GFP_ZERO so that ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose the latter. Note that I'm not sure the threshold condition is correct, for I can't find details on possible packet length used by this protocol. | 2025-12-24 | not yet calculated | CVE-2022-50709 | https://git.kernel.org/stable/c/f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a https://git.kernel.org/stable/c/84242f15f911f34aec9b22f99d1e9bff19723dbe https://git.kernel.org/stable/c/2c485f4f2a64258acc5228e78ffb828c68d9e770 https://git.kernel.org/stable/c/9661724f6206bd606ecf13acada676a9975d230b https://git.kernel.org/stable/c/b1b4144508adfc585e43856b31baaf9008a3beb4 https://git.kernel.org/stable/c/0d2649b288b7b9484e3d4380c0d6c4720a17e473 https://git.kernel.org/stable/c/4891a50f5ed8bfcb8f2a4b816b0676f398687783 https://git.kernel.org/stable/c/b383e8abed41cc6ff1a3b34de75df9397fa4878c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ice: set tx_tstamps when creating new Tx rings via ethtool When the user changes the number of queues via ethtool, the driver allocates new rings. This allocation did not initialize tx_tstamps. This results in the tx_tstamps field being zero (due to kcalloc allocation), and would result in a NULL pointer dereference when attempting a transmit timestamp on the new ring. | 2025-12-24 | not yet calculated | CVE-2022-50710 | https://git.kernel.org/stable/c/624f03a027f2b18647cc4f1a7a81920a1e4e0201 https://git.kernel.org/stable/c/13180cb88a7be5ee389f65f6ab9f78e46f7722b2 https://git.kernel.org/stable/c/9eb5fff6b0e78819c758892282da5faa915724d0 https://git.kernel.org/stable/c/b3b173745c8cab1e24d6821488b60abed3acb24d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix possible memory leak in mtk_probe() If mtk_wed_add_hw() has been called, mtk_wed_exit() needs to be called in the error path or when removing the module to free the memory allocated in mtk_wed_add_hw(). | 2025-12-24 | not yet calculated | CVE-2022-50711 | https://git.kernel.org/stable/c/96bde7c4f5683d8c1c809ddb781ef3fdec9b7215 https://git.kernel.org/stable/c/b3d0d98179d62f9d55635a600679c4fa362baf8d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: devlink: hold region lock when flushing snapshots Netdevsim triggers a splat on reload, when it destroys regions with snapshots pending: WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140 CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c #580 RIP: 0010:devlink_region_snapshot_del+0x12e/0x140 Call Trace: <TASK> devl_region_destroy+0x70/0x140 nsim_dev_reload_down+0x2f/0x60 [netdevsim] devlink_reload+0x1f7/0x360 devlink_nl_cmd_reload+0x6ce/0x860 genl_family_rcv_msg_doit.isra.0+0x145/0x1c0 This is the locking assert in devlink_region_snapshot_del(), we’re supposed to be holding the region->snapshot_lock here. | 2025-12-24 | not yet calculated | CVE-2022-50712 | https://git.kernel.org/stable/c/49383d4e59bb704341aaa1d51440ccce58270e61 https://git.kernel.org/stable/c/6298cab4d80bfdb6fe01fe31fd9f0ba26317fdae https://git.kernel.org/stable/c/b4cafb3d2c740f8d1b1234b43ac4a60e5291c960 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: clk: visconti: Fix memory leak in visconti_register_pll() @pll->rate_table has memory allocated by kmemdup(); if clk_hw_register() fails, it should be freed, otherwise it causes a memory leak. This patch fixes it. | 2025-12-24 | not yet calculated | CVE-2022-50713 | https://git.kernel.org/stable/c/70af9bf13be1716eac452c8a29ce6fe6b957a5db https://git.kernel.org/stable/c/f0f1982ddfb418bf7bf05dadebae5c6869a41d41 https://git.kernel.org/stable/c/b55226f8553d255f5002c751c7c6ba9291f34bf2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921e: fix rmmod crash in driver reload test In insmod/rmmod stress test, the following crash dump shows up immediately. The problem is caused by missing mt76_dev in mt7921_pci_remove(). We should make sure the drvdata is ready before probe() finished. [168.862789] ================================================================== [168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480 [168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361 [168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1 [168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020 [168.862820] Call Trace: [168.862822] <TASK> [168.862825] dump_stack_lvl+0x49/0x63 [168.862832] print_report.cold+0x493/0x6b7 [168.862845] kasan_report+0xa7/0x120 [168.862857] kasan_check_range+0x163/0x200 [168.862861] __kasan_check_write+0x14/0x20 [168.862866] try_to_grab_pending+0x59/0x480 [168.862870] __cancel_work_timer+0xbb/0x340 [168.862898] cancel_work_sync+0x10/0x20 [168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e] [168.862909] pci_device_remove+0xa3/0x1d0 [168.862914] device_remove+0xc4/0x170 [168.862920] device_release_driver_internal+0x163/0x300 [168.862925] driver_detach+0xc7/0x1a0 [168.862930] bus_remove_driver+0xeb/0x2d0 [168.862935] driver_unregister+0x71/0xb0 [168.862939] pci_unregister_driver+0x30/0x230 [168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e] [168.862949] __x64_sys_delete_module+0x2f9/0x4b0 [168.862968] do_syscall_64+0x38/0x90 [168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd Test steps: 1. insmod 2. do not ifup 3. rmmod quickly (within 1 second) | 2025-12-24 | not yet calculated | CVE-2022-50714 | https://git.kernel.org/stable/c/1034d8e08508830161377f136a060e78fc24f2a5 https://git.kernel.org/stable/c/ccda3ebdae719d348f90563b6719fba4929ae283 https://git.kernel.org/stable/c/b5a62d612b7baf6e09884e4de94decb6391d6a9d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid1: stop mdx_raid1 thread when raid1 array run failed Running the raid1 array fails when we assemble the array with only the inactive disk, but the mdx_raid1 thread was not stopped, even though the associated resources have been released. This causes a NULL dereference when we do poweroff, with the following Oops: [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070 [ 287.594762] #PF: supervisor read access in kernel mode [ 287.599912] #PF: error_code(0x0000) - not-present page [ 287.605061] PGD 0 P4D 0 [ 287.607612] Oops: 0000 [#1] SMP NOPTI [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0 [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022 [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod] [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ...... [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202 [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000 [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800 [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800 [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500 [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000 [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0 [ 287.713033] Call Trace: [ 287.715498] raid1d+0x6c/0xbbb [raid1] [ 287.719256] ? __schedule+0x1ff/0x760 [ 287.722930] ? schedule+0x3b/0xb0 [ 287.726260] ? schedule_timeout+0x1ed/0x290 [ 287.730456] ? __switch_to+0x11f/0x400 [ 287.734219] md_thread+0xe9/0x140 [md_mod] [ 287.738328] ? md_thread+0xe9/0x140 [md_mod] [ 287.742601] ? wait_woken+0x80/0x80 [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod] [ 287.751064] kthread+0x11a/0x140 [ 287.754300] ? kthread_park+0x90/0x90 [ 287.757974] ret_from_fork+0x1f/0x30 In fact, when the raid1 array fails to run, we need to do md_unregister_thread() before raid1_free(). | 2025-12-24 | not yet calculated | CVE-2022-50715 | https://git.kernel.org/stable/c/d684ceb77311410aeaf5189d321f9f564838c49a https://git.kernel.org/stable/c/110f14a7b2eb5b8aa9df5af2d629524f2a07d543 https://git.kernel.org/stable/c/0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c https://git.kernel.org/stable/c/19d5a0e17aba92b10d895e40ec782768cf00da23 https://git.kernel.org/stable/c/10d713532ffc67b13df61ed9c138a8ce0a186236 https://git.kernel.org/stable/c/a3cc41e05e8af340a2a759b168c29fffdb9194eb https://git.kernel.org/stable/c/22be44212cad8be96860346882d8e694b0b437b6 https://git.kernel.org/stable/c/d26364596db8f8b55277b2afb3952e05a4057a21 https://git.kernel.org/stable/c/b611ad14006e5be2170d9e8e611bf49dff288911 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out syzkaller reported use-after-free with the stack trace like below [1]: [ 38.960489][ C3] ================================================================== [ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 [ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0 [ 38.966363][ C3] [ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18 [ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 [ 38.969959][ C3] Call Trace: [ 38.970841][ C3] <IRQ> [ 38.971663][ C3] dump_stack_lvl+0xfc/0x174 [ 38.972620][ C3] print_report.cold+0x2c3/0x752 [ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.974644][ C3] kasan_report+0xb1/0x1d0 [ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240 [ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0 [ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430 [ 38.981266][ C3] dummy_timer+0x140c/0x34e0 [ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0 [ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.986242][ C3] ? lock_release+0x51c/0x790 [ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70 [ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130 [ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 38.990777][ C3] ? lock_acquire+0x472/0x550 [ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.993138][ C3] ? lock_acquire+0x472/0x550 [ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230 [ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0 [ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0 [ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0 [ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0 [ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0 [ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10 [ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40 [ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0 [ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0 [ 39.016196][ C3] __do_softirq+0x1d2/0x9be [ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190 [ 39.019004][ C3] irq_exit_rcu+0x5/0x20 [ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0 [ 39.021965][ C3] </IRQ> [ 39.023237][ C3] <TASK> In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()): ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd() If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure. This patch fixes this issue by canceling in-flight tx cmd if submitted urb timed out. | 2025-12-24 | not yet calculated | CVE-2022-50716 | https://git.kernel.org/stable/c/c9ba3fbf6a488da6cad1d304c5234bd8d729eba3 https://git.kernel.org/stable/c/340524ae7b53a72cf5d9e7bd7790433422b3b12f https://git.kernel.org/stable/c/6447beefd21326a3f4719ec2ea511df797f6c820 https://git.kernel.org/stable/c/7360b323e0343ea099091d4ae09576dbe1f09516 https://git.kernel.org/stable/c/8af52492717e3538eba3f81d012b1476af8a89a6 https://git.kernel.org/stable/c/3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd https://git.kernel.org/stable/c/601ae89375033ac4870c086e24ba03f235d38e55 https://git.kernel.org/stable/c/9aef34e1ae35a87e5f6a22278c17823b7ce64c88 https://git.kernel.org/stable/c/b6702a942a069c2a975478d719e98d83cdae1797 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds check on Transfer Tag ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(), add a bounds check to avoid out-of-bounds access. | 2025-12-24 | not yet calculated | CVE-2022-50717 | https://git.kernel.org/stable/c/0d150ccd55dbfad36f55855b40b381884c98456e https://git.kernel.org/stable/c/d5bb45f47b37d10f010355686b28c9ebacb361d4 https://git.kernel.org/stable/c/ec8adf767e1cfa7031f853b8c71ba1963f07df15 https://git.kernel.org/stable/c/fcf82e4553db911d10234ff2390cfd0e2aa854e4 https://git.kernel.org/stable/c/752593d04637ebdc87fd29cba81897f21ae053f0 https://git.kernel.org/stable/c/b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix pci device refcount leak As the comment on pci_get_domain_bus_and_slot() says, it returns a pci device with its refcount incremented; when finished using it, the caller must decrement the reference count by calling pci_dev_put(). So before returning from amdgpu_device_resume|suspend_display_audio(), pci_dev_put() is called to avoid a refcount leak. | 2025-12-24 | not yet calculated | CVE-2022-50718 | https://git.kernel.org/stable/c/3725a8f26bdbc38dfdf545836117f1e069277c91 https://git.kernel.org/stable/c/02105f0b3021ee5853b2fa50853c42f35fc01cfd https://git.kernel.org/stable/c/f13661b72a61708cecb06562f8acff068a4f31f7 https://git.kernel.org/stable/c/d7352b410471cbebf6350b2990bae82bb0d59a76 https://git.kernel.org/stable/c/b85e285e3d6352b02947fc1b72303673dfacb0aa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: line6: fix stack overflow in line6_midi_transmit Correctly calculate available space including the size of the chunk buffer. This fixes a buffer overflow when multiple MIDI sysex messages are sent to a PODxt device. | 2025-12-24 | not yet calculated | CVE-2022-50719 | https://git.kernel.org/stable/c/b026af92b2cea907c780f7168c730c816cd33311 https://git.kernel.org/stable/c/49cb7737e733013ec86aa77ed2e19b94a68eaa05 https://git.kernel.org/stable/c/0c76087449ee4ed45a88b10017d02c6694caedb1 https://git.kernel.org/stable/c/25e8c6ecb46843a955f254b8f0d77894e4a53dc4 https://git.kernel.org/stable/c/66f359ad66d49f75d39ac729f9114dabf90b81bb https://git.kernel.org/stable/c/0c9118e381ff538874e00fd4e66a768273c150fb https://git.kernel.org/stable/c/61e4be4a60cc6de723f8c574ddbcb3025eb44cac https://git.kernel.org/stable/c/389d34c2a8b52acc351fd932ed4bea41fee5a39b https://git.kernel.org/stable/c/b8800d324abb50160560c636bfafe2c81001b66c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86/apic: Don't disable x2APIC if locked The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC (or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but it disables the memory-mapped APIC interface in favor of one that uses MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR. The MMIO/xAPIC interface has some problems, most notably the APIC LEAK [1]. This bug allows an attacker to use the APIC MMIO interface to extract data from the SGX enclave. Introduce support for a new feature that will allow the BIOS to lock the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the kernel tries to disable the APIC or revert to legacy APIC mode a GP fault will occur. Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by preventing the kernel from trying to disable the x2APIC. On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are enabled the LEGACY_XAPIC_DISABLED will be set by the BIOS. If legacy APIC is required, then SGX and TDX need to be disabled in the BIOS. [1]: https://aepicleak.com/aepicleak.pdf | 2025-12-24 | not yet calculated | CVE-2022-50720 | https://git.kernel.org/stable/c/05785ba834f23272f9d23427ae4a80ac505a5296 https://git.kernel.org/stable/c/dd1241e00addbf0b95f6cd6ce32152692820657e https://git.kernel.org/stable/c/b8d1d163604bd1e600b062fb00de5dc42baa355f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg The calling convention for prep_slave_sg is to return NULL on error and provide an error log to the system. Qcom-adm instead provides an error pointer when an error occurs. This indirectly causes a kernel panic, for example for the nandc driver, which checks only whether the pointer returned by device_prep_slave_sg is not NULL. Returning an error pointer makes nandc think the device_prep_slave_sg function completed correctly and makes the kernel panic later in the code. While nandc is the one that makes the kernel crash, it was pointed out that the real problem is qcom-adm not following the calling convention for that function. To fix this, drop returning an error pointer and return NULL with an error log. | 2025-12-24 | not yet calculated | CVE-2022-50721 | https://git.kernel.org/stable/c/5653bd0200944e5803fa8e32dc36aa49931312f9 https://git.kernel.org/stable/c/9a041174c58a226e713f6cebd41eccec7a5cfa72 https://git.kernel.org/stable/c/b9d2140c3badf4107973ad77c5a0ec3075705c85 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: ipu3-imgu: Fix NULL pointer dereference in active selection access What the IMGU driver did was that it first acquired the pointers to active and try V4L2 subdev state, and only then figured out which one to use. The problem with that approach and a later patch (see Fixes: tag) is that as sd_state argument to v4l2_subdev_get_try_crop() et al is NULL, there is now an attempt to dereference that. Fix this. Also rewrap lines a little. | 2025-12-24 | not yet calculated | CVE-2022-50722 | https://git.kernel.org/stable/c/5265cc1202a31f7097691c3483a0d60d624424a5 https://git.kernel.org/stable/c/740717b756c17190dc2d2ad4c6de1e63f214e0c9 https://git.kernel.org/stable/c/b9eb3ab6f30bf32f7326909f17949ccb11bab514 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: fix memory leak in bnxt_nvm_test() Free the kzalloc’ed buffer before returning in the success path. | 2025-12-24 | not yet calculated | CVE-2022-50723 | https://git.kernel.org/stable/c/be083d97031712a2e16fd915ddb8fe1a6cb1fbc5 https://git.kernel.org/stable/c/ba077d683d45190afc993c1ce45bcdbfda741a40 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix resource leak in regulator_register() I got some resource leak reports while doing fault injection test: OF: ERROR: memory leak, expected refcount 1 instead of 100, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@64/regulators/buck1 unreferenced object 0xffff88810deea000 (size 512): comm "490-i2c-rt5190a", pid 253, jiffies 4294859840 (age 5061.046s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................ backtrace: [<00000000d78541e2>] kmalloc_trace+0x21/0x110 [<00000000b343d153>] device_private_init+0x32/0xd0 [<00000000be1f0c70>] device_add+0xb2d/0x1030 [<00000000e3e6344d>] regulator_register+0xaf2/0x12a0 [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] unreferenced object 0xffff88810b617b80 (size 32): comm "490-i2c-rt5190a", pid 253, jiffies 4294859904 (age 5060.983s) hex dump (first 32 bytes): 72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S 55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+... backtrace: [<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0 [<0000000025c6a4e5>] kstrdup+0x3a/0x70 [<00000000790efb69>] create_regulator+0xc0/0x4e0 [<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440 [<0000000045796214>] regulator_register+0x10b3/0x12a0 [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] After calling regulator_resolve_supply(), 'rdev->supply' is set by set_supply(); after this set, in the error path, the resources need to be released, so call regulator_put() to avoid the leaks. | 2025-12-24 | not yet calculated | CVE-2022-50724 | https://git.kernel.org/stable/c/35593d60b1622834984c43add7646d4069671aa9 https://git.kernel.org/stable/c/6a03c31d08f95dca9633a552de167b9e625833a8 https://git.kernel.org/stable/c/c4c64d8abd656b9807b63178750fa91454602b86 https://git.kernel.org/stable/c/90b713aadc1240bf2dd03d610d6c1d016a9123a2 https://git.kernel.org/stable/c/f86b2f216636790d5922458578825e4628fb570f https://git.kernel.org/stable/c/ba62319a42c50e6254e98b3f316464fac8e77968 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init() KASAN reports a use-after-free: BUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] Call Trace: ... dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge] platform_probe+0xb6/0x170 ... Allocated by task 1238: ... dvb_register_device+0x1a7/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] ... Freed by task 1238: dvb_register_device+0x6d2/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] ... It is because the error handling in vidtv_bridge_dvb_init() is wrong. First, vidtv_bridge_dmx(dev)_init() will clean up after themselves when they fail, but goto fail_dmx(_dev): calls the release functions again, which causes a use-after-free. Also, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause an out-of-bounds access when i has finished its loop (i == NUM_FE). And the loop releasing is wrong, although now NUM_FE is 1 so it won't cause a problem. Fix this by correctly releasing everything. | 2025-12-24 | not yet calculated | CVE-2022-50725 | https://git.kernel.org/stable/c/0369af6fe33d4053899b121b32e91f870b2cf0ae https://git.kernel.org/stable/c/c290aa527fd832d278c6388a3ba53a9890fbd74a https://git.kernel.org/stable/c/06398ce69571a43a8a0dd0f1bfe35d221f726a6a https://git.kernel.org/stable/c/8a204a0b4a0d105229735222c515759ea2b126c1 https://git.kernel.org/stable/c/ba8d9405935097e296bcf7a942c3a01df0edb865 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix possible use-after-free in async command interface mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and led to a use-after-free: 1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback). 2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1. 3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up(). 4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds. 5. mlx5_cmd_cleanup_async_ctx returns. 6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object. 7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object. Fix it by syncing using a completion object. Mark it completed when num_inflight reaches 0. Trace: BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270 Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0 CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x57/0x7d print_report.cold+0x2d5/0x684 ? do_raw_spin_lock+0x23d/0x270 kasan_report+0xb1/0x1a0 ? do_raw_spin_lock+0x23d/0x270 do_raw_spin_lock+0x23d/0x270 ? rwlock_bug.part.0+0x90/0x90 ? __delete_object+0xb8/0x100 ? lock_downgrade+0x6e0/0x6e0 _raw_spin_lock_irqsave+0x43/0x60 ? __wake_up_common_lock+0xb9/0x140 __wake_up_common_lock+0xb9/0x140 ? __wake_up_common+0x650/0x650 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kasan_set_track+0x21/0x30 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kfree+0x1ba/0x520 ? do_raw_spin_unlock+0x54/0x220 mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core] ? dump_command+0xcc0/0xcc0 [mlx5_core] ? lockdep_hardirqs_on_prepare+0x400/0x400 ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core] cmd_comp_notifier+0x7e/0xb0 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 ? irq_release+0x140/0x140 [mlx5_core] irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x1f2/0x620 handle_irq_event+0xb2/0x1d0 handle_edge_irq+0x21e/0xb00 __common_interrupt+0x79/0x1a0 common_interrupt+0x78/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:default_idle+0x42/0x60 Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00 RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242 RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110 RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3 R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005 R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000 ? default_idle_call+0xcc/0x450 default_idle_call+0xec/0x450 do_idle+0x394/0x450 ? arch_cpu_idle_exit+0x40/0x40 ? do_idle+0x17/0x450 cpu_startup_entry+0x19/0x20 start_secondary+0x221/0x2b0 ? set_cpu_sibling_map+0x2070/0x2070 secondary_startup_64_no_verify+0xcd/0xdb </TASK> Allocated by task 49502: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 kvmalloc_node+0x48/0xe0 mlx5e_bulk_async_init+0x35/0x110 [mlx5_core] mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core] mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core] mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core] mlx5e_detach_netdev+0x1c —truncated— | 2025-12-24 | not yet calculated | CVE-2022-50726 | https://git.kernel.org/stable/c/69dd3ad406c49aa69ce4852c15231ac56af8caf9 https://git.kernel.org/stable/c/bbcc06933f35651294ea1e963757502312c2171f https://git.kernel.org/stable/c/ab3de780c176bb91995c6166a576b370d9726e17 https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5dda11249450d609c3072c54e https://git.kernel.org/stable/c/bacd22df95147ed673bec4692ab2d4d585935241 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: efct: Fix possible memleak in efct_device_init() In efct_device_init(), when efct_scsi_reg_fc_transport() fails, efct_scsi_tgt_driver_exit() is not called to release the memory allocated by efct_scsi_tgt_driver_init(), which causes a memleak: unreferenced object 0xffff8881020ce000 (size 2048): comm "modprobe", pid 465, jiffies 4294928222 (age 55.872s) backtrace: [<0000000021a1ef1b>] kmalloc_trace+0x27/0x110 [<000000004c3ed51c>] target_register_template+0x4fd/0x7b0 [target_core_mod] [<00000000f3393296>] efct_scsi_tgt_driver_init+0x18/0x50 [efct] [<00000000115de533>] 0xffffffffc0d90011 [<00000000d608f646>] do_one_initcall+0xd0/0x4e0 [<0000000067828cf1>] do_init_module+0x1cc/0x6a0 ... | 2025-12-24 | not yet calculated | CVE-2022-50727 | https://git.kernel.org/stable/c/038359eeccffaf0de4c1c9c51ee19cc5649619a1 https://git.kernel.org/stable/c/0c6e6bb30229b1297ac0fd7ede2941d2322fc736 https://git.kernel.org/stable/c/c7e96168a8ca3be96c4959475164bef31115f07e https://git.kernel.org/stable/c/bb0cd225dd37df1f4a22e36dad59ff33178ecdfc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: s390/lcs: Fix return type of lcs_start_xmit() With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = lcs_start_xmit, ^~~~~~~~~~~~~~ drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = lcs_start_xmit, ^~~~~~~~~~~~~~ ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to match the prototype's to resolve the warning and potential CFI failure, should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. | 2025-12-24 | not yet calculated | CVE-2022-50728 | https://git.kernel.org/stable/c/7b4da3fcd513b8e67823eb80da37aad99b3339c1 https://git.kernel.org/stable/c/d49cc2b705711fb8fb849e7c660929b2100360b7 https://git.kernel.org/stable/c/e684215d8a903752e2b0cc946517fb61e57a880a https://git.kernel.org/stable/c/20022d551f2064a194d8e0acb6cd7a85094a17b2 https://git.kernel.org/stable/c/ebc3c77785dc8b5b626309c0032a38fbb139287a https://git.kernel.org/stable/c/5ad774fb823c24bbeb21a15a67103ea7a6f5b928 https://git.kernel.org/stable/c/69669820844f81a77b6db24b86581320ae4d17af https://git.kernel.org/stable/c/cda74cdc280ba35c8993e7517bac5c257ff36f18 https://git.kernel.org/stable/c/bb16db8393658e0978c3f0d30ae069e878264fa3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix resource leak in ksmbd_session_rpc_open() When ksmbd_rpc_open() fails then it must call ksmbd_rpc_id_free() to undo the result of ksmbd_ipc_id_alloc(). | 2025-12-24 | not yet calculated | CVE-2022-50729 | https://git.kernel.org/stable/c/31c1b5d3000cdff70b98d5af045271e09079bec1 https://git.kernel.org/stable/c/9cb49b95c05df09b369d1ec1f378b5c92109433c https://git.kernel.org/stable/c/f9ed133381eba883c5e0059063d5b3ca7cac6d41 https://git.kernel.org/stable/c/bc044414fa0326a4e5c3c509c00b1fcaf621b5f4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: silence the warning when evicting inode with dioread_nolock When evicting an inode with default dioread_nolock, it could be raced by the unwritten extents converting kworker after writeback of some newly allocated dirty blocks. It converts unwritten extents to written; the extents could be merged to the upper level and free extent blocks, so it could mark the inode dirty again even though this inode has been marked I_FREEING. But the inode->i_io_list check and warning in ext4_evict_inode() miss this corner case. Fortunately, ext4_evict_inode() will wait for all extent conversions to finish before this check, so it will not lead to an inode use-after-free problem; everything is OK besides this warning. The WARN_ON_ONCE was originally designed for finding inode use-after-free issues in advance, but if we add the current dioread_nolock case in, it will become not quite useful, so fix this warning by just removing this check. ====== WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227 ext4_evict_inode+0x875/0xc60 ... RIP: 0010:ext4_evict_inode+0x875/0xc60 ... Call Trace: <TASK> evict+0x11c/0x2b0 iput+0x236/0x3a0 do_unlinkat+0x1b4/0x490 __x64_sys_unlinkat+0x4c/0xb0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa933c1115b ====== rm kworker ext4_end_io_end() vfs_unlink() ext4_unlink() ext4_convert_unwritten_io_end_vec() ext4_convert_unwritten_extents() ext4_map_blocks() ext4_ext_map_blocks() ext4_ext_try_to_merge_up() __mark_inode_dirty() check !I_FREEING locked_inode_to_wb_and_lock_list() iput() iput_final() evict() ext4_evict_inode() truncate_inode_pages_final() //wait release io_end inode_io_list_move_locked() ext4_release_io_end() trigger WARN_ON_ONCE() | 2025-12-24 | not yet calculated | CVE-2022-50730 | https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8 https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1 https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932 https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: akcipher - default implementation for setting a private key Changes from v1: * removed the default implementation from set_pub_key: it is assumed that an implementation must always have this callback defined as there are no use cases for an algorithm which doesn't need a public key Many akcipher implementations (like ECDSA) support only signature verifications, so they don't have all callbacks defined. Commit 78a0324f4a53 ("crypto: akcipher - default implementations for request callbacks") introduced default callbacks for sign/verify operations, which just return an error code. However, these are not enough, because before calling sign the caller would likely call set_priv_key first on the instantiated transform (as the in-kernel testmgr does). This function does not have a default stub, so the kernel crashes when trying to set a private key on an akcipher which doesn't support signature generation. I've noticed this when trying to add a KAT vector for ECDSA signature to the testmgr. With this patch the testmgr returns an error in dmesg (as it should) instead of crashing the kernel with a NULL ptr dereference. | 2025-12-24 | not yet calculated | CVE-2022-50731 | https://git.kernel.org/stable/c/95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e https://git.kernel.org/stable/c/a1354bdd191d533211b7cb723aa76a66f516f197 https://git.kernel.org/stable/c/779a9930f3e152c82699feb389a0e6d6644e747e https://git.kernel.org/stable/c/85bc736a18b872f54912e8bb70682d11770aece0 https://git.kernel.org/stable/c/f9058178597059d6307efe96a7916600f8ede08c https://git.kernel.org/stable/c/bc155c6c188c2f0c5749993b1405673d25a80389 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8192u: Fix use after free in ieee80211_rx() We cannot dereference the "skb" pointer after calling ieee80211_monitor_rx(), because it is a use after free. | 2025-12-24 | not yet calculated | CVE-2022-50732 | https://git.kernel.org/stable/c/9c03db0ec84b7964a11b20706665c99a5fead332 https://git.kernel.org/stable/c/fdc62d31d50e4ce5d8f363fcb8299ba0e00ee6fd https://git.kernel.org/stable/c/a0df8d44b555ae09729d6533fd4532977563c7b9 https://git.kernel.org/stable/c/288ada16a93aab5aa2ebea8190aafdb35b716854 https://git.kernel.org/stable/c/daa8045a991363ccdae5615d170f35aa1135e7a7 https://git.kernel.org/stable/c/b0aaec894a909c88117c8bda6c7c9b26cf7c744b https://git.kernel.org/stable/c/de174163c0d319ff06d622e79130a0017c8f5a6e https://git.kernel.org/stable/c/73df1172bbcc8d45cd28e3b1a9ca2edb2f9f7ce6 https://git.kernel.org/stable/c/bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: idmouse: fix an uninit-value in idmouse_open In idmouse_create_image, if any ftip_command fails, it will go to the reset label. However, this leaves the data in bulk_in_buffer[HEADER..IMGSIZE] uninitialized, and the check for a valid image incurs an uninitialized dereference. Fix this by moving the check before the reset label, since this check is only valid if the data after bulk_in_buffer[HEADER] has concrete data. Note that this is found by KMSAN, so only kernel compilation is tested. | 2025-12-24 | not yet calculated | CVE-2022-50733 | https://git.kernel.org/stable/c/b3304a6df957cc89a0590cb505388d659bf3db4c https://git.kernel.org/stable/c/7dad42032f68718259590b0cc7654e9a95ff9762 https://git.kernel.org/stable/c/f589b667567fde4f81d6e6c40f42b9f2224690ea https://git.kernel.org/stable/c/1eae30c0113dde7522088231584d62415011a035 https://git.kernel.org/stable/c/b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54 https://git.kernel.org/stable/c/20b8c456df584ebb2387dc23d40ebe4ff334417c https://git.kernel.org/stable/c/6163a5ae097bc78fa26c243fb384537e25610fd7 https://git.kernel.org/stable/c/adad163d1cff248a5df9f7cec50158e6ca89f33b https://git.kernel.org/stable/c/bce2b0539933e485d22d6f6f076c0fcd6f185c4c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nvmem: core: Fix memleak in nvmem_register() dev_set_name() will allocate memory for nvmem->dev.kobj.name in nvmem_register(). When nvmem_validate_keepouts() fails, nvmem's memory is freed and the function returns, but nobody frees the memory for nvmem->dev.kobj.name, so there is a memleak. So move nvmem_validate_keepouts() after device_register() and let the device core deal with cleaning up the name in error cases. | 2025-12-24 | not yet calculated | CVE-2022-50734 | https://git.kernel.org/stable/c/9391cc3a787a58aa224a6440d7f244d780ba2896 https://git.kernel.org/stable/c/2bd2774df0ce37920b23819a860a66fdbdd90823 https://git.kernel.org/stable/c/b6054b9b239a493672f853b034570cca93ba7a88 https://git.kernel.org/stable/c/bd1244561fa2a4531ded40dbf09c9599084f8b29 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: do not run mt76u_status_worker if the device is not running Fix the following NULL pointer dereference by not running the mt76u_status_worker thread if the device is not running yet. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: mt76 mt76u_tx_status_data RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: mt76x02_send_tx_status+0x1d2/0xeb0 mt76x02_tx_status_data+0x8e/0xd0 mt76u_tx_status_data+0xe1/0x240 process_one_work+0x92b/0x1460 worker_thread+0x95/0xe00 kthread+0x3a1/0x480 ret_from_fork+0x1f/0x30 Modules linked in: ---[ end trace 8df5d20fc5040f65 ]--- RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Moreover, move the stat_work schedule out of the for loop. | 2025-12-24 | not yet calculated | CVE-2022-50735 | https://git.kernel.org/stable/c/69346de0eb956fb92949b9473de4647d9c34a54f https://git.kernel.org/stable/c/58fdd84a89b121b761dbfb8a196356e007376ca4 https://git.kernel.org/stable/c/f5ac749a0b21beee55d87d0b05de36976b22dff9 https://git.kernel.org/stable/c/bd5dac7ced5a7c9faa4dc468ac9560c3256df845 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix immediate work request flush to completion queue Correctly set send queue element opcode during immediate work request flushing in post sendqueue operation, if the QP is in ERROR state. An undefined opcode value results in an out-of-bounds access to an array for mapping the opcode between siw internal and RDMA core representation in work completion generation. It resulted in a KASAN BUG report of type 'global-out-of-bounds' during NFSoRDMA testing. This patch further fixes a potential case of a malicious user who may write undefined values for completion queue element status or opcode, if the CQ is memory mapped to user land. It avoids the same out-of-bounds access to arrays for status and opcode mapping as described above. | 2025-12-24 | not yet calculated | CVE-2022-50736 | https://git.kernel.org/stable/c/6af043089d3f1210776d19b6fdabea610d4c7699 https://git.kernel.org/stable/c/75af03fdf35acf15a3977f7115f6b8d10dff4bc7 https://git.kernel.org/stable/c/f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6 https://git.kernel.org/stable/c/355d2eca68c10d713a42f68e62044b3d1c300471 https://git.kernel.org/stable/c/f3d26a8589dfdeff328779b511f71fb90b10005e https://git.kernel.org/stable/c/bdf1da5df9da680589a7f74448dd0a94dd3e1446 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Validate index root when initialize NTFS security This enhances the sanity check for $SDH and $SII while initializing NTFS security, guaranteeing these index roots are legit. [ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 [ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 [ 162.460851] [ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 [ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 162.462609] Call Trace: [ 162.462954] <TASK> [ 162.463276] dump_stack_lvl+0x49/0x63 [ 162.463822] print_report.cold+0xf5/0x689 [ 162.464608] ? unwind_get_return_address+0x3a/0x60 [ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.466975] kasan_report+0xa7/0x130 [ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 [ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.468536] __asan_load2+0x68/0x90 [ 162.468923] hdr_find_e.isra.0+0x10c/0x320 [ 162.469282] ? cmp_uints+0xe0/0xe0 [ 162.469557] ? cmp_sdh+0x90/0x90 [ 162.469864] ? ni_find_attr+0x214/0x300 [ 162.470217] ? ni_load_mi+0x80/0x80 [ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.470931] ? ntfs_bread_run+0x190/0x190 [ 162.471307] ? indx_get_root+0xe4/0x190 [ 162.471556] ? indx_get_root+0x140/0x190 [ 162.471833] ? indx_init+0x1e0/0x1e0 [ 162.472069] ? fnd_clear+0x115/0x140 [ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 [ 162.472731] indx_find+0x184/0x470 [ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 [ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 [ 162.474704] ? do_syscall_64+0x3b/0x90 [ 162.474962] dir_search_u+0x196/0x2f0 [ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 [ 162.475661] ? ntfs_security_init+0x3d6/0x440 [ 162.475906] ? is_sd_valid+0x180/0x180 [ 162.476191] ntfs_extend_init+0x13f/0x2c0 [ 162.476496] ? ntfs_fix_post_read+0x130/0x130 [ 162.476861] ? iput.part.0+0x286/0x320 [ 162.477325] ntfs_fill_super+0x11e0/0x1b50 [ 162.477709] ? put_ntfs+0x1d0/0x1d0 [ 162.477970] ? vsprintf+0x20/0x20 [ 162.478258] ? set_blocksize+0x95/0x150 [ 162.478538] get_tree_bdev+0x232/0x370 [ 162.478789] ? put_ntfs+0x1d0/0x1d0 [ 162.479038] ntfs_fs_get_tree+0x15/0x20 [ 162.479374] vfs_get_tree+0x4c/0x130 [ 162.479729] path_mount+0x654/0xfe0 [ 162.480124] ? putname+0x80/0xa0 [ 162.480484] ? finish_automount+0x2e0/0x2e0 [ 162.480894] ? putname+0x80/0xa0 [ 162.481467] ? kmem_cache_free+0x1c4/0x440 [ 162.482280] ? putname+0x80/0xa0 [ 162.482714] do_mount+0xd6/0xf0 [ 162.483264] ? path_mount+0xfe0/0xfe0 [ 162.484782] ? __kasan_check_write+0x14/0x20 [ 162.485593] __x64_sys_mount+0xca/0x110 [ 162.486024] do_syscall_64+0x3b/0x90 [ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.487141] RIP: 0033:0x7f9d374e948a [ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a [ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 [ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 [ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 [ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff [ 162.493644] </TASK> [ 162.493908] [ 162.494214] The buggy address belongs to the physical page: [ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc [ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) [ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 [ 162.498928] raw: 0000000000000000 0000000000240000 0 —truncated— | 2025-12-24 | not yet calculated | CVE-2022-50737 | https://git.kernel.org/stable/c/d7ce7bb6881aae186e50f57eea935cff8d504751 https://git.kernel.org/stable/c/24ee53c6bce15500db22f2a7aee9dd830e806c90 https://git.kernel.org/stable/c/d6379ce242960a8e9ecd6ff76f476d9336c21f16 https://git.kernel.org/stable/c/bfcdbae0523bd95eb75a739ffb6221a37109881e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vhost-vdpa: fix an iotlb memory leak Before commit 3d5698793897 ("vhost-vdpa: introduce asid based IOTLB") we called vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) during release to free all the resources allocated when processing user IOTLB messages through vhost_vdpa_process_iotlb_update(). That commit changed the handling of IOTLB a bit, and we accidentally removed some code called during the release. We partially fixed this with commit 037d4305569a ("vhost-vdpa: call vhost_vdpa_cleanup during the release") but a potential memory leak is still there, as shown by kmemleak if the application does not send VHOST_IOTLB_INVALIDATE or crashes: unreferenced object 0xffff888007fbaa30 (size 16): comm "blkio-bench", pid 914, jiffies 4294993521 (age 885.500s) hex dump (first 16 bytes): 40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00 @sA............. backtrace: [<0000000087736d2a>] kmem_cache_alloc_trace+0x142/0x1c0 [<0000000060740f50>] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa] [<0000000083e8e205>] vhost_chr_write_iter+0xc0/0x4a0 [vhost] [<000000008f2f414a>] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa] [<00000000de1cd4a0>] vfs_write+0x216/0x4b0 [<00000000a2850200>] ksys_write+0x71/0xf0 [<00000000de8e720b>] __x64_sys_write+0x19/0x20 [<0000000018b12cbb>] do_syscall_64+0x3f/0x90 [<00000000986ec465>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Let's fix this by calling vhost_vdpa_iotlb_unmap() on the whole range in vhost_vdpa_remove_as(). We move that call before vhost_dev_cleanup() since we need a valid v->vdev.mm in vhost_vdpa_pa_unmap(). The vhost_iotlb_reset() call can be removed, since vhost_vdpa_iotlb_unmap() on the whole range removes all the entries. The kmemleak log reported was observed with a vDPA device that has `use_va` set to true (e.g. VDUSE). This patch has been tested with both types of devices. | 2025-12-24 | not yet calculated | CVE-2022-50738 | https://git.kernel.org/stable/c/4e92cb33bfb51eee5f28bb10846c46f266a4bb67 https://git.kernel.org/stable/c/a2907867e2c86067accd2f011d6f23ee5533aa6c https://git.kernel.org/stable/c/c070c1912a83432530cbb4271d5b9b11fa36b67a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add null pointer check for inode operations This adds a sanity check for the i_op pointer of the inode which is returned after reading the Root directory MFT record. We should check that i_op is valid before trying to create the root dentry, otherwise we may encounter an NPD while mounting an image with a funny Root directory MFT record. [ 114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 114.484811] #PF: supervisor read access in kernel mode [ 114.485084] #PF: error_code(0x0000) - not-present page [ 114.485606] PGD 0 P4D 0 [ 114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G B 6.0.0-rc4 #28 [ 114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110 [ 114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 [ 114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 [ 114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea [ 114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 [ 114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 [ 114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 [ 114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 [ 114.492397] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 [ 114.492797] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 [ 114.493671] Call Trace: [ 114.493890] <TASK> [ 114.494075] __d_instantiate+0x24/0x1c0 [ 114.494505] d_instantiate.part.0+0x35/0x50 [ 114.494754] d_make_root+0x53/0x80 [ 114.494998] ntfs_fill_super+0x1232/0x1b50 [ 114.495260] ? put_ntfs+0x1d0/0x1d0 [ 114.495499] ? vsprintf+0x20/0x20 [ 114.495723] ? set_blocksize+0x95/0x150 [ 114.495964] get_tree_bdev+0x232/0x370 [ 114.496272] ? put_ntfs+0x1d0/0x1d0 [ 114.496502] ntfs_fs_get_tree+0x15/0x20 [ 114.496859] vfs_get_tree+0x4c/0x130 [ 114.497099] path_mount+0x654/0xfe0 [ 114.497507] ? putname+0x80/0xa0 [ 114.497933] ? finish_automount+0x2e0/0x2e0 [ 114.498362] ? putname+0x80/0xa0 [ 114.498571] ? kmem_cache_free+0x1c4/0x440 [ 114.498819] ? putname+0x80/0xa0 [ 114.499069] do_mount+0xd6/0xf0 [ 114.499343] ? path_mount+0xfe0/0xfe0 [ 114.499683] ? __kasan_check_write+0x14/0x20 [ 114.500133] __x64_sys_mount+0xca/0x110 [ 114.500592] do_syscall_64+0x3b/0x90 [ 114.500930] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 114.501294] RIP: 0033:0x7fdc898e948a [ 114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a [ 114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0 [ 114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020 [ 114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0 [ 114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff [ 114.506562] </TASK> [ 114.506887] Modules linked in: [ 114.507648] CR2: 0000000000000008 [ 114.508884] ---[ end trace 0000000000000000 ]--- [ 114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110 [ 114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 [ 114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 [ 114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea [ 114.51 —truncated— | 2025-12-24 | not yet calculated | CVE-2022-50739 | https://git.kernel.org/stable/c/f62506f5e45afbb01c84c3f28a2878b320a0b0f7 https://git.kernel.org/stable/c/9f24743ddcdd3683b0a6b16e1439ad091dc3489b https://git.kernel.org/stable/c/a7b23037b38b577d9a4372e0c6b7c9fe808070c1 https://git.kernel.org/stable/c/c1ca8ef0262b25493631ecbd9cb8c9893e1481a1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() Syzkaller reports a long-known leak of urbs in ath9k_hif_usb_dealloc_tx_urbs(). The cause of the leak is that usb_get_urb() is called but usb_free_urb() (or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or urb->ep fields have not been initialized and usb_kill_urb() returns immediately. The patch removes trying to kill urbs located in hif_dev->tx.tx_buf because hif_dev->tx.tx_buf is not supposed to contain urbs which are in pending state (the pending urbs are stored in hif_dev->tx.tx_pending). The tx.tx_lock is acquired so there should not be any changes in the list. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-12-24 | not yet calculated | CVE-2022-50740 | https://git.kernel.org/stable/c/134ae5eba41294eff76e4be20d6001b8f0192207 https://git.kernel.org/stable/c/472312fef2b9eccaa03bd59e0ab2527da945e736 https://git.kernel.org/stable/c/eddbb8f7620f9f8008b090a6e10c460074ca575a https://git.kernel.org/stable/c/9850791d389b342ae6e573fe8198db0b4d338352 https://git.kernel.org/stable/c/c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d https://git.kernel.org/stable/c/d856f7574bcc1d81de565a857caf32f122cd7ce0 https://git.kernel.org/stable/c/c05189a429fdb371dd455c3c466d67ac2ebff152 https://git.kernel.org/stable/c/08aa0537ec8cf29ceccae98acc1a534fc12598c1 https://git.kernel.org/stable/c/c2a94de38c74e86f49124ac14f093d6a5c377a90 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Disable useless interrupt to avoid kernel panic There is a hardware bug that the interrupt STMBUF_HALF may be triggered after or when disabling the interrupt. It may lead to an unexpected kernel panic. The interrupts STMBUF_HALF and STMBUF_RTND have no other effect, so disable them and the unused interrupts. Meanwhile, clear the interrupt status when disabling the interrupt. | 2025-12-24 | not yet calculated | CVE-2022-50741 | https://git.kernel.org/stable/c/ad31bc146f0e4521805695f4f99d8a3c3b2761f6 https://git.kernel.org/stable/c/f1257fc8fc988bdc4b26277f58bbf7b694b531f0 https://git.kernel.org/stable/c/35591c2469953d59abdb16cb7beac834052cdb4f https://git.kernel.org/stable/c/c3720e65c9013a7b2a5dbb63e6bf6d74a35dd894 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible refcount leak in afu_ioctl() eventfd_ctx_put() needs to be called to put the refcount that was taken by eventfd_ctx_fdget() when ocxl_irq_set_handler() fails. | 2025-12-24 | not yet calculated | CVE-2022-50742 | https://git.kernel.org/stable/c/fc797285c40a9cc441357abb3521d3e51c743f67 https://git.kernel.org/stable/c/7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1 https://git.kernel.org/stable/c/11bd8bbdf8f6f5c1145bb158793107a57e3a1f07 https://git.kernel.org/stable/c/843433a02e344d30fbb62dfd834c60631baaa527 https://git.kernel.org/stable/c/66032c43291672bae8b93184d2806f05be3e16df https://git.kernel.org/stable/c/c3b69ba5114c860d730870c03ab4ee45276e5e35 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: Fix pcluster memleak when its block address is zero syzkaller reported a memleak: https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed unreferenced object 0xffff88811009c7f8 (size 136): … backtrace: [<ffffffff821db19b>] z_erofs_do_read_page+0x99b/0x1740 [<ffffffff821dee9e>] z_erofs_readahead+0x24e/0x580 [<ffffffff814bc0d6>] read_pages+0x86/0x3d0 … syzkaller constructed a case: in z_erofs_register_pcluster(), ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index be zero although pcl is not an inline pcluster. Then the following path adds a refcount for grp, but the refcount won't be put because pcl is inline. z_erofs_readahead() z_erofs_do_read_page() # for another page z_erofs_collector_begin() erofs_find_workgroup() erofs_workgroup_get() Since it's illegal for the block address of a non-inlined pcluster to be zero, add a check here to avoid registering the pcluster which would be leaked. | 2025-12-24 | not yet calculated | CVE-2022-50743 | https://git.kernel.org/stable/c/ac54c1f7b288d83b6ba1e320efff24ecc21309cd https://git.kernel.org/stable/c/618e712b99c78d1004b70a1a9ab0a4830d0b2673 https://git.kernel.org/stable/c/c42c0ffe81176940bd5dead474216b7198d77675 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs During I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a hard lockup similar to the call trace below may occur. The spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer interrupts as expected, so change the strength of the spin lock to _irq. Kernel panic - not syncing: Hard LOCKUP CPU: 3 PID: 110402 Comm: cat Kdump: loaded exception RIP: native_queued_spin_lock_slowpath+91 [IRQ stack] native_queued_spin_lock_slowpath at ffffffffb814e30b _raw_spin_lock at ffffffffb89a667a lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc] lpfc_cmf_timer at ffffffffc0abbc67 [lpfc] __hrtimer_run_queues at ffffffffb8184250 hrtimer_interrupt at ffffffffb8184ab0 smp_apic_timer_interrupt at ffffffffb8a026ba apic_timer_interrupt at ffffffffb8a01c4f [End of IRQ stack] apic_timer_interrupt at ffffffffb8a01c4f lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc] lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc] full_proxy_read at ffffffffb83e7fc3 vfs_read at ffffffffb833fe71 ksys_read at ffffffffb83402af do_syscall_64 at ffffffffb800430b entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad | 2025-12-24 | not yet calculated | CVE-2022-50744 | https://git.kernel.org/stable/c/2cf66428a2545bb33beb9624124a2377468bb478 https://git.kernel.org/stable/c/cd542900ee5147028bbe603b238efcab8d720838 https://git.kernel.org/stable/c/39761417ea7b654217d6d9085afbf7c87ba3675d https://git.kernel.org/stable/c/c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: staging: media: tegra-video: fix device_node use after free At probe time this code path is followed: * tegra_csi_init * tegra_csi_channels_alloc * for_each_child_of_node(node, channel) - iterates over channels * automatically gets 'channel' * tegra_csi_channel_alloc() * saves into chan->of_node a pointer to the channel OF node * automatically gets and puts 'channel' * now the node saved in chan->of_node has refcount 0, can disappear * tegra_csi_channels_init * iterates over channels * tegra_csi_channel_init - uses chan->of_node After that, chan->of_node keeps storing the node until the device is removed. of_node_get() the node and of_node_put() it during teardown to avoid any risk. | 2025-12-24 | not yet calculated | CVE-2022-50745 | https://git.kernel.org/stable/c/5451efb2ca30f3c42b9efb8327ce35b62870dbd3 https://git.kernel.org/stable/c/ce50c612458091d926ccb05d7db11d9f93532db2 https://git.kernel.org/stable/c/6512c9498fcb97e7c760e3ef86b2272f2c0f765f https://git.kernel.org/stable/c/0fd003d3c708c80350a815eaf37b8e1114b976cf https://git.kernel.org/stable/c/c4d344163c3a7f90712525f931a6c016bbb35e18 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: validate the extent length for uncompressed pclusters syzkaller reported a KASAN use-after-free: https://syzkaller.appspot.com/bug?extid=2ae90e873e97f1faf6f2 The referenced fuzzed image actually has two issues: - m_pa == 0 as a non-inlined pcluster; - The logical length is longer than its physical length. The first issue has already been addressed. This patch addresses the second issue by checking the extent length validity. | 2025-12-24 | not yet calculated | CVE-2022-50746 | https://git.kernel.org/stable/c/dc8b6bd587b13b85aff6e9d36cdfcd3f955cac9e https://git.kernel.org/stable/c/40c73b2ea9611b5388807be406f30f5e4e1162da https://git.kernel.org/stable/c/c505feba4c0d76084e56ec498ce819f02a7043ae |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: Fix OOB Write in hfs_asc2mac Syzbot reported an OOB Write bug: loop0: detected capacity change from 0 to 64 ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 If in->len is much larger than HFS_NAMELEN(31), which is the maximum length of an HFS filename, an OOB write could occur in hfs_asc2mac(). In that case, when the dst reaches the boundary, the srclen is still greater than 0, which causes an OOB write. Fix this by adding a check on dstlen in while() before writing to the dst address. | 2025-12-24 | not yet calculated | CVE-2022-50747 | https://git.kernel.org/stable/c/8399318b13dc9e0569dee07ba2994098926d4fb2 https://git.kernel.org/stable/c/95040de81c629cd8d3c6ab5b50a8bd5088068303 https://git.kernel.org/stable/c/ba8f0ca386dd15acf5a93cbac932392c7818eab4 https://git.kernel.org/stable/c/6a95b17e4d4cd2d8278559f930b447f8c9c8cff9 https://git.kernel.org/stable/c/cff9fefdfbf5744afbb6d70bff2b49ec2065d23d https://git.kernel.org/stable/c/7af9cb8cbb81308ce4b06cc7164267faccbf75dd https://git.kernel.org/stable/c/ae21b03f904736eb2aa9bd119d2a14e741f1681f https://git.kernel.org/stable/c/88579c158e026860c61c4192531e8bc42f4bc642 https://git.kernel.org/stable/c/c53ed55cb275344086e32a7080a6b19cb183650b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipc: mqueue: fix possible memory leak in init_mqueue_fs() commit db7cfc380900 ("ipc: Free mq_sysctls if ipc namespace creation failed") Here's a similar memory leak to the one fixed by the patch above. retire_mq_sysctls() needs to be called when init_mqueue_fs() fails after setup_mq_sysctls(). | 2025-12-24 | not yet calculated | CVE-2022-50748 | https://git.kernel.org/stable/c/a1f321051e0dcf2415fb94f81fdc5044cad4c1d6 https://git.kernel.org/stable/c/55b3709c6d68e32cd3fdd2a630b1f4c97d51b17c https://git.kernel.org/stable/c/c579d60f0d0cd87552f64fdebe68b5d941d20309 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: acct: fix potential integer overflow in encode_comp_t() The integer overflow is described with the following code: > 317 static comp_t encode_comp_t(u64 value) > 318 { > 319 int exp, rnd; …… > 341 exp <<= MANTSIZE; > 342 exp += value; > 343 return exp; > 344 } Currently comp_t is defined as type '__u16', but the variable 'exp' is of type 'int', so an overflow would happen when the variable 'exp' in line 343 is greater than 65535. | 2025-12-24 | not yet calculated | CVE-2022-50749 | https://git.kernel.org/stable/c/e93f995a591c352d35d89c518c54f790e1537754 https://git.kernel.org/stable/c/cf60bbca1b83a7e0927e36dbf178328982927886 https://git.kernel.org/stable/c/1750a0983c455a9b3badd848471fc8d58cb61f67 https://git.kernel.org/stable/c/a815a3e019456c94b03bd183e7ac22fd29e9e6fd https://git.kernel.org/stable/c/6edd0cdee5780fd5f43356b72b29a2a6d48ef6da https://git.kernel.org/stable/c/ebe16676e1dcaa4556ec4d36ca40c82e99e88cfa https://git.kernel.org/stable/c/2224897d8187dc22a83e05d9361efcccf67bcf12 https://git.kernel.org/stable/c/0aac6e60c464a5f942f995428e67f8ae1c422250 https://git.kernel.org/stable/c/c5f31c655bcc01b6da53b836ac951c1556245305 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure In case mipi_dsi_attach() fails, call drm_panel_remove() to avoid memory leak. | 2025-12-24 | not yet calculated | CVE-2022-50750 | https://git.kernel.org/stable/c/0b7c47b7f358f932159a9d5beec9616ef8a0c6b4 https://git.kernel.org/stable/c/576828e59a0e03bbc763872912b04f3e3a1b3311 https://git.kernel.org/stable/c/13fc167e1645c43c631d7752d98e377f0e4cbb15 https://git.kernel.org/stable/c/23fddf78eac8d79c56f93ab69b6c47a0816967c9 https://git.kernel.org/stable/c/465611e812587e72bf235034edce0e51be3d6809 https://git.kernel.org/stable/c/c62102165dd79284d42383d2f7ed17301bd8e629 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: configfs: fix possible memory leak in configfs_create_dir() kmemleak reported memory leaks in configfs_create_dir(): unreferenced object 0xffff888009f6af00 (size 192): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163) configfs_register_subsystem (fs/configfs/dir.c:1857) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) … unreferenced object 0xffff888003ba7180 (size 96): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194) configfs_make_dirent (fs/configfs/dir.c:248) configfs_create_dir (fs/configfs/dir.c:296) configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852) configfs_register_subsystem (fs/configfs/dir.c:1881) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) … This is because the refcount is not correct in configfs_make_dirent(). For the normal stage, the refcount changes as: configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() configfs_new_dirent() # set s_count = 1 dentry->d_fsdata = configfs_get(sd); # s_count = 2 … configfs_unregister_subsystem() configfs_remove_dir() remove_dir() configfs_remove_dirent() # s_count = 1 dput() … *dentry_unlink_inode()* configfs_d_iput() # s_count = 0, release However, if we fail in configfs_create(): configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() # s_count = 2 … configfs_create() # fail ->out_remove: configfs_remove_dirent(dentry) configfs_put(sd) # s_count = 1 return PTR_ERR(inode); There is no inode in the error path, so the configfs_d_iput() is lost, which leaks the sd and fragment memory. To fix this, when we fail in configfs_create(), manually call configfs_put(sd) to keep the refcount correct. | 2025-12-24 | not yet calculated | CVE-2022-50751 | https://git.kernel.org/stable/c/90c38f57a821499391526b15cc944c265bd24e48 https://git.kernel.org/stable/c/74ac7c9ee2d486c501e7864c903f5098fc477acd https://git.kernel.org/stable/c/07f82dca112262b169bec0001378126439cab776 https://git.kernel.org/stable/c/8bc77754224a2c8581727ffe2e958119b4e27c8f https://git.kernel.org/stable/c/c72eb6e6e49a71f7598740786568fafdd013a227 https://git.kernel.org/stable/c/c65234b283a65cfbfc94619655e820a5e55199eb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk() When running chunk-sized reads on disks with badblocks, duplicate bio free/puts are observed: ============================================================================= BUG bio-200 (Not tainted): Object already free ----------------------------------------------------------------------------- Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504 __slab_alloc.constprop.0+0x5a/0xb0 kmem_cache_alloc+0x31e/0x330 mempool_alloc_slab+0x17/0x20 mempool_alloc+0x100/0x2b0 bio_alloc_bioset+0x181/0x460 do_mpage_readpage+0x776/0xd00 mpage_readahead+0x166/0x320 blkdev_readahead+0x15/0x20 read_pages+0x13f/0x5f0 page_cache_ra_unbounded+0x18d/0x220 force_page_cache_ra+0x181/0x1c0 page_cache_sync_ra+0x65/0xb0 filemap_get_pages+0x1df/0xaf0 filemap_read+0x1e1/0x700 blkdev_read_iter+0x1e5/0x330 vfs_read+0x42a/0x570 Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504 kmem_cache_free+0x46d/0x490 mempool_free_slab+0x17/0x20 mempool_free+0x66/0x190 bio_free+0x78/0x90 bio_put+0x100/0x1a0 raid5_make_request+0x2259/0x2450 md_handle_request+0x402/0x600 md_submit_bio+0xd9/0x120 __submit_bio+0x11f/0x1b0 submit_bio_noacct_nocheck+0x204/0x480 submit_bio_noacct+0x32e/0xc70 submit_bio+0x98/0x1a0 mpage_readahead+0x250/0x320 blkdev_readahead+0x15/0x20 read_pages+0x13f/0x5f0 page_cache_ra_unbounded+0x18d/0x220 Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: raid5wq raid5_do_work Call Trace: <TASK> dump_stack_lvl+0x5a/0x78 dump_stack+0x10/0x16 print_trailer+0x158/0x165 object_err+0x35/0x50 free_debug_processing.cold+0xb7/0xbe __slab_free+0x1ae/0x330 kmem_cache_free+0x46d/0x490 mempool_free_slab+0x17/0x20 mempool_free+0x66/0x190 bio_free+0x78/0x90 bio_put+0x100/0x1a0 mpage_end_io+0x36/0x150 bio_endio+0x2fd/0x360 md_end_io_acct+0x7e/0x90 bio_endio+0x2fd/0x360 handle_failed_stripe+0x960/0xb80 handle_stripe+0x1348/0x3760 handle_active_stripes.constprop.0+0x72a/0xaf0 raid5_do_work+0x177/0x330 process_one_work+0x616/0xb20 worker_thread+0x2bd/0x6f0 kthread+0x179/0x1b0 ret_from_fork+0x22/0x30 </TASK> The double free is caused by an unnecessary bio_put() in the if(is_badblock(…)) error path in raid5_read_one_chunk(). The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c ("md/raid5: move checking badblock before clone bio in raid5_read_one_chunk"). The previous code checked and freed align_bio which required a bio_put. After the move that is no longer needed as raid_bio is returned to the control of the common io path which performs its own endio resulting in a double free on bad device blocks. | 2025-12-24 | not yet calculated | CVE-2022-50752 | https://git.kernel.org/stable/c/7a37c58ee72e1fadd22c4ee990cb74c2ca2280e7 https://git.kernel.org/stable/c/c0fd5d4d8fd7b1a50306d7a23c720cf808f41fdf https://git.kernel.org/stable/c/21a9c7354aa59e97e26ece5f0a609c8bfa43020d https://git.kernel.org/stable/c/c66a6f41e09ad386fd2cce22b9cded837bbbc704 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on summary info As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216456 BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs] Read of size 4 at addr ffff8881464dcd80 by task mount/1013 CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Call Trace: dump_stack_lvl+0x45/0x5e print_report.cold+0xf3/0x68d kasan_report+0xa8/0x130 recover_data+0x63ae/0x6ae0 [f2fs] f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs] f2fs_fill_super+0x4665/0x61e0 [f2fs] mount_bdev+0x2cf/0x3b0 legacy_get_tree+0xed/0x1d0 vfs_get_tree+0x81/0x2b0 path_mount+0x47e/0x19d0 do_mount+0xce/0xf0 __x64_sys_mount+0x12c/0x1a0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is: in the fuzzed image, the SSA table is corrupted: ofs_in_node is larger than ADDRS_PER_PAGE(), resulting in an out-of-range access on a 4k-size page. - recover_data - do_recover_data - check_index_in_prev_nodes - f2fs_data_blkaddr This patch adds a sanity check on summary info in the recovery and GC flows, where the flows rely on them. After patch: [ 29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018 | 2025-12-24 | not yet calculated | CVE-2022-50753 | https://git.kernel.org/stable/c/c99860f9a75079f339ed7670425b1ac58f26e2ff https://git.kernel.org/stable/c/4a8e8bf280703e04e0b9d91f101e1fdd9a5bd09e https://git.kernel.org/stable/c/73687c53919f49dff3852155621dab7a35c52854 https://git.kernel.org/stable/c/e168f819bfa42459b14f479e55ebd550bcc78899 https://git.kernel.org/stable/c/0922ad64ccefa3e483e84355942b86e13c8fea68 https://git.kernel.org/stable/c/c6ad7fd16657ebd34a87a97d9588195aae87597d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix a memleak in multi_transaction_new() In multi_transaction_new(), the variable t is not freed or passed out on the failure of copy_from_user(t->data, buf, size), which could lead to a memleak. Fix this bug by adding a put_multi_transaction(t) in the error path. | 2025-12-24 | not yet calculated | CVE-2022-50754 | https://git.kernel.org/stable/c/11d5fe7da67c3334cefc981297fd5defb78df15c https://git.kernel.org/stable/c/95e6adc6a7a4761ddf69ad713e55a06a3206309d https://git.kernel.org/stable/c/eb0f78e28cbc8f97439c0a4c80ee5160c1df5ce6 https://git.kernel.org/stable/c/935d86b29093e75b6c547d90b3979c2c2d23f1c4 https://git.kernel.org/stable/c/775a37ffa9f4681c4ad84c8634a7eec8af7098d4 https://git.kernel.org/stable/c/88989932c2269ea66074f52a6213598838f8b9e7 https://git.kernel.org/stable/c/3d27a436e294ac5d7a51bd5348ca63a42a468b35 https://git.kernel.org/stable/c/c73275cf6834787ca090317f1d20dbfa3b7f05aa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: udf: Avoid double brelse() in udf_rename() syzbot reported a warning like below [1]: VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 … Call Trace: <TASK> invalidate_bh_lru+0x99/0x150 smp_call_function_many_cond+0xe2a/0x10c0 ? generic_remap_file_range_prep+0x50/0x50 ? __brelse+0xa0/0xa0 ? __mutex_lock+0x21c/0x12d0 ? smp_call_on_cpu+0x250/0x250 ? rcu_read_lock_sched_held+0xb/0x60 ? lock_release+0x587/0x810 ? __brelse+0xa0/0xa0 ? generic_remap_file_range_prep+0x50/0x50 on_each_cpu_cond_mask+0x3c/0x80 blkdev_flush_mapping+0x13a/0x2f0 blkdev_put_whole+0xd3/0xf0 blkdev_put+0x222/0x760 deactivate_locked_super+0x96/0x160 deactivate_super+0xda/0x100 cleanup_mnt+0x222/0x3d0 task_work_run+0x149/0x240 ? task_work_cancel+0x30/0x30 do_exit+0xb29/0x2a40 ? reacquire_held_locks+0x4a0/0x4a0 ? do_raw_spin_lock+0x12a/0x2b0 ? mm_update_next_owner+0x7c0/0x7c0 ? rwlock_bug.part.0+0x90/0x90 ? zap_other_threads+0x234/0x2d0 do_group_exit+0xd0/0x2a0 __x64_sys_exit_group+0x3a/0x50 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that brelse() is called on both ofibh.sbh and ofibh.ebh by udf_find_entry() when it returns NULL. However, brelse() is called by udf_rename(), too. So, b_count on buffer_head becomes unbalanced. This patch fixes the issue by not calling brelse() from udf_rename() when udf_find_entry() returns NULL. | 2025-12-24 | not yet calculated | CVE-2022-50755 | https://git.kernel.org/stable/c/78eba2778ae10fb2a9d450e14d26eb6f6bf1f906 https://git.kernel.org/stable/c/9d2cad69547abea961fa80426d600b861de1952b https://git.kernel.org/stable/c/d6da7ec0f94f5208c848e0e94b70f54a0bd9c587 https://git.kernel.org/stable/c/156d440dea97deada629bb51cb17887abd862605 https://git.kernel.org/stable/c/40dba68d418237b1ae2beaa06d46a94dd946278e https://git.kernel.org/stable/c/e7a6a53c871460727be09f4414ccb29fb8697526 https://git.kernel.org/stable/c/4fca09045509f5bde8fc28e68fbca38cb4bdcf2e https://git.kernel.org/stable/c/090bf49833c51da297ec74f98ad2bf44daea9311 https://git.kernel.org/stable/c/c791730f2554a9ebb8f18df9368dc27d4ebc38c2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix mempool alloc size Convert the max size to bytes to match the units of the divisor that calculates the worst-case number of PRP entries. The result is used to determine how many PRP Lists are required. The code was previously rounding this to 1 list, but we can require 2 in the worst case. In that scenario, the driver would corrupt memory beyond the size provided by the mempool. While unlikely to occur (you’d need a 4MB in exactly 127 phys segments on a queue that doesn’t support SGLs), this memory corruption has been observed by kfence. | 2025-12-24 | not yet calculated | CVE-2022-50756 | https://git.kernel.org/stable/c/dfb6d54893d544151e7f480bc44cfe7823f5ad23 https://git.kernel.org/stable/c/9141144b37f30e3e7fa024bcfa0a13011e546ba9 https://git.kernel.org/stable/c/e1777b4286e526c58b4ee699344b0ad85aaf83a0 https://git.kernel.org/stable/c/b1814724e0d7162bdf4799f2d565381bc2251c63 https://git.kernel.org/stable/c/c89a529e823d51dd23c7ec0c047c7a454a428541 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: camss: Clean up received buffers on failed start of streaming It is required to return the received buffers, if streaming can not be started. For instance media_pipeline_start() may fail with EPIPE, if a link validation between entities is not passed, and in such a case a user gets a kernel warning: WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160 <snip> Call trace: vb2_start_streaming+0xec/0x160 vb2_core_streamon+0x9c/0x1a0 vb2_ioctl_streamon+0x68/0xbc v4l_streamon+0x30/0x3c __video_do_ioctl+0x184/0x3e0 video_usercopy+0x37c/0x7b0 video_ioctl2+0x24/0x40 v4l2_ioctl+0x4c/0x70 The fix is to correct the error path in video_start_streaming() of camss. | 2025-12-24 | not yet calculated | CVE-2022-50757 | https://git.kernel.org/stable/c/75954cde8a5ca84003b24b6bf83197240935bd74 https://git.kernel.org/stable/c/04c734c716a97f1493b1edac41316aaed1d2a9d9 https://git.kernel.org/stable/c/fe443b3fe36cd23d4f5dc6d825d34322e7c89f0c https://git.kernel.org/stable/c/3d5cab726e3b370fea1b6e67183f0e13c409ce5c https://git.kernel.org/stable/c/d1c44928bb3ca0ec88e7ad5937a2a26a259aede6 https://git.kernel.org/stable/c/f05326a440dc31b91b688b2f3f15b7347894a50b https://git.kernel.org/stable/c/24df4fa3e795fb4b15fd4d3c036596e0978d265a https://git.kernel.org/stable/c/c8f3582345e6a69da65ab588f7c4c2d1685b0e80 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: staging: vt6655: fix potential memory leak In function device_init_td0_ring, memory is allocated for member td_info of priv->apTD0Rings[i], with i increasing from 0. In case of allocation failure, the memory is freed in reversed order, with i decreasing to 0. However, the case i=0 is left out and thus memory is leaked. Modify the memory freeing loop to include the case i=0. | 2025-12-24 | not yet calculated | CVE-2022-50758 | https://git.kernel.org/stable/c/e741e38aa98704fbb959650ecd270b71b2670680 https://git.kernel.org/stable/c/16a45e78a687eb6c69acc4e62b94b6508b0bfbda https://git.kernel.org/stable/c/1b3cebeca99e8e0aa4fa57faac8dbf41e967317a https://git.kernel.org/stable/c/ff8551d411f12b5abc5ca929ab87643afa8a9588 https://git.kernel.org/stable/c/fb5f569bcda8f87bd47d8030bfae343d757fa3ea https://git.kernel.org/stable/c/cfdf139258614ef65b0f68b857ada5328fb7c0e5 https://git.kernel.org/stable/c/c8ff91535880d41b49699b3829fb6151942de29e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5648: Free V4L2 fwnode data on unbind The V4L2 fwnode data structure doesn’t get freed on unbind, which leads to a memleak. | 2025-12-24 | not yet calculated | CVE-2022-50759 | https://git.kernel.org/stable/c/4a34fd4d9b548789d4a2018940edbec86282ed3b https://git.kernel.org/stable/c/3a54b72868930f07935accaf95ec4df639324940 https://git.kernel.org/stable/c/c95770e4fc172696dcb1450893cda7d6324d96fc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() As the comment on pci_get_class() says, it returns a pci_device with its refcount increased and decreases the refcount of the input parameter @from if it is not NULL. If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid the refcount leak. | 2025-12-24 | not yet calculated | CVE-2022-50760 | https://git.kernel.org/stable/c/6611feef35c0c8c4d297b28a7fc6ab3a2c47eca7 https://git.kernel.org/stable/c/da7c78ea9e62bb65273d3ff19a3866ec205bfe18 https://git.kernel.org/stable/c/3360125d721c91d697c71201f18f042ff743e936 https://git.kernel.org/stable/c/981024abf5fe605c94d4f906f65d1b3408d628be https://git.kernel.org/stable/c/7c1ddf7c664b5bc91f14b1bdeaa45520ef1760e4 https://git.kernel.org/stable/c/8f2d2badf8ca5e7e7c30d88840b695c8af7286f3 https://git.kernel.org/stable/c/9d4057d0452243917e12eb19f1599c96f2f05b14 https://git.kernel.org/stable/c/a8b54ad7106c0604c4adc4933138b3557739bce0 https://git.kernel.org/stable/c/ca54639c7752edf1304d92ff4d0c049d4efc9ba0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86/xen: Fix memory leak in xen_init_lock_cpu() In xen_init_lock_cpu(), @name is a new string allocated by kasprintf(); if bind_ipi_to_irqhandler() fails, it should be freed, otherwise it may lead to a memory leak. Fix it. | 2025-12-24 | not yet calculated | CVE-2022-50761 | https://git.kernel.org/stable/c/9278bdbb566656b3704704f8dd6cbc24a6fcc569 https://git.kernel.org/stable/c/07764d00c869a3390bd4f80412cc8b0e669e6c58 https://git.kernel.org/stable/c/53ff99c76be611acea37d33133c9136969914865 https://git.kernel.org/stable/c/29198f667f4486f9e227e11faf1411fcf4c82a66 https://git.kernel.org/stable/c/70e7f308d7a8e915c7fbc0f1d959968eab8000cd https://git.kernel.org/stable/c/70966d6b0f59f795b08a70adf5e4478348ecbfbb https://git.kernel.org/stable/c/798fc3cf98ca07e448956f39295c5d686ab4b054 https://git.kernel.org/stable/c/b44457b83a034efef58ffa5f3131d4615f1a9837 https://git.kernel.org/stable/c/ca84ce153d887b1dc8b118029976cc9faf2a9b40 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst() syzbot reported a UBSAN error as below: [ 76.901829][ T6677] ================================================================================ [ 76.903908][ T6677] UBSAN: shift-out-of-bounds in fs/ntfs3/super.c:675:13 [ 76.905363][ T6677] shift exponent -247 is negative This patch avoids this error. | 2025-12-24 | not yet calculated | CVE-2022-50762 | https://git.kernel.org/stable/c/4b51f27d4448c84957bce190292f75d4896d56b3 https://git.kernel.org/stable/c/8fe280ae85177c2323ae8c9849ff27a3a6b69506 https://git.kernel.org/stable/c/95afb464c86c6e9e95ea9e595282fa6f693072e8 https://git.kernel.org/stable/c/caad9dd8792a2622737b7273cb34835fd9536cd2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/octeontx - prevent integer overflows The "code_length" value comes from the firmware file. If your firmware is untrusted, realistically there is probably very little you can do to protect yourself. Still, we try to limit the damage as much as possible. Also, Smatch marks any data read from the filesystem as untrusted and prints warnings if it is not capped correctly. The "code_length * 2" can overflow. The round_up(ucode_size, 16) + sizeof() expression can overflow too. Prevent these overflows. | 2025-12-24 | not yet calculated | CVE-2022-50763 | https://git.kernel.org/stable/c/7bfa7d67735381715c98091194e81e7685f9b7db https://git.kernel.org/stable/c/12acfa1059ad69aa352ddb2bf23ba1b831aff15f https://git.kernel.org/stable/c/8f5eee162e55175d9dac98b5e9b8da76449d2257 https://git.kernel.org/stable/c/e7ff7a46baafd38d7ed45604397e650d61f5db8d https://git.kernel.org/stable/c/caca37cf6c749ff0303f68418cfe7b757a4e0697 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6/sit: use DEV_STATS_INC() to avoid data-races syzbot/KCSAN reported that multiple cpus are updating dev->stats.tx_error concurrently. This is because sit tunnels are NETIF_F_LLTX, meaning their ndo_start_xmit() is not protected by a spinlock. While original KCSAN report was about tx path, rx path has the same issue. | 2025-12-24 | not yet calculated | CVE-2022-50764 | https://git.kernel.org/stable/c/222cc04356984f3f98acfa756a69d4bed7c501ac https://git.kernel.org/stable/c/4eed93bb3e57b8cc78d17166a14e40a73276015a https://git.kernel.org/stable/c/207501a986831174df09a36a8cb62a28f92f0dc8 https://git.kernel.org/stable/c/cb34b7cf17ecf33499c9298943f85af247abc1e9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RISC-V: kexec: Fix memory leak of elf header buffer This is reported by kmemleak detector: unreferenced object 0xff2000000403d000 (size 4096): comm "kexec", pid 146, jiffies 4294900633 (age 64.792s) hex dump (first 32 bytes): 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............ 04 00 f3 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000566ca97c>] kmemleak_vmalloc+0x3c/0xbe [<00000000979283d8>] __vmalloc_node_range+0x3ac/0x560 [<00000000b4b3712a>] __vmalloc_node+0x56/0x62 [<00000000854f75e2>] vzalloc+0x2c/0x34 [<00000000e9a00db9>] crash_prepare_elf64_headers+0x80/0x30c [<0000000067e8bf48>] elf_kexec_load+0x3e8/0x4ec [<0000000036548e09>] kexec_image_load_default+0x40/0x4c [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322 [<0000000040c62c03>] ret_from_syscall+0x0/0x2 In elf_kexec_load(), a buffer is allocated via vzalloc() to store elf headers. However, it is not freed back to the system when the kdump kernel is reloaded or unloaded, or when image->elf_header is successfully set and loading the kdump kernel then fails for some reason. Fix it by freeing the buffer in arch_kimage_file_post_load_cleanup(). | 2025-12-24 | not yet calculated | CVE-2022-50765 | https://git.kernel.org/stable/c/090bfcfc9f14d05154893c67eeaecc56e894fbae https://git.kernel.org/stable/c/cdea2da6787583ecca43594132533a2ac8d7cd21 https://git.kernel.org/stable/c/cbc32023ddbdf4baa3d9dc513a2184a84080a5a2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer syzbot is reporting uninit-value in btrfs_clean_tree_block() [1], for commit bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code") missed that btrfs_set_header_generation() in btrfs_init_new_buffer() must not be moved to after clean_tree_block() because clean_tree_block() is calling btrfs_header_generation() since commit 55c69072d6bd5be1 ("Btrfs: Fix extent_buffer usage when nodesize != leafsize"). Since memzero_extent_buffer() will reset the "struct btrfs_header" part, we can't move btrfs_set_header_generation() to before memzero_extent_buffer(). Just re-add btrfs_set_header_generation() before btrfs_clean_tree_block(). | 2025-12-24 | not yet calculated | CVE-2022-50766 | https://git.kernel.org/stable/c/0a408c6212c16b9a2a1141d3c531247582ef8101 https://git.kernel.org/stable/c/a687c2890fe4a2acaac6941fa4097a1264d8f3eb https://git.kernel.org/stable/c/89bc41c92d10b905c60f6ec13c9ef664a3555c54 https://git.kernel.org/stable/c/cbddcc4fa3443fe8cfb2ff8e210deb1f6a0eea38 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: Fix several use-after-free bugs Several types of UAFs can occur when physically removing a USB device. Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and in this function, there is kref_put() that finally calls ufx_free(). This fix prevents multiple UAFs. | 2025-12-24 | not yet calculated | CVE-2022-50767 | https://git.kernel.org/stable/c/6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f https://git.kernel.org/stable/c/3f40852d671072836fb7ae331a1f28a24223c4e8 https://git.kernel.org/stable/c/70faf9d9b6cc74418716bbf76fe75bd2da10ad4a https://git.kernel.org/stable/c/5385af2f89bc352fb70753ab41b2bb036190141f https://git.kernel.org/stable/c/d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86 https://git.kernel.org/stable/c/cc6a7249842fceda7574ceb63275a2d5e99d2862 https://git.kernel.org/stable/c/8d924b262f3178a9b17c17d4306a9f426c508bd9 https://git.kernel.org/stable/c/cc67482c9e5f2c80d62f623bcc347c29f9f648e1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Correct device removal for multi-actuator devices Correct device count for multi-actuator drives which can cause kernel panics. | 2025-12-24 | not yet calculated | CVE-2022-50768 | https://git.kernel.org/stable/c/e8e9e0c28901d34beb193b5ece52eb7c656f4042 https://git.kernel.org/stable/c/d1c8b86b4ab7e8588a8cfadbdd6f20adbb15c938 https://git.kernel.org/stable/c/cc9befcbbb5ebce77726f938508700d913530035 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: mxcmmc: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a device that was never added in the remove path. So fix this by checking the return value and going to the error path, which will call mmc_free_host(). | 2025-12-24 | not yet calculated | CVE-2022-50769 | https://git.kernel.org/stable/c/5f35c038c9f4d258b3cf77885a2730f1417d63e7 https://git.kernel.org/stable/c/1cf0c1e58738b97e2de207846105b6a5d46622ee https://git.kernel.org/stable/c/b8bdb3fd13d5cd1e86d22fd3f803a742fd88af89 https://git.kernel.org/stable/c/32eb502c972dfc34413c9147418b3d94d870c2b8 https://git.kernel.org/stable/c/3904eb97bb78fdca3e16d30a38ce5697b9686110 https://git.kernel.org/stable/c/2d496050ded83b13b16f05e1fc0329b0210d2493 https://git.kernel.org/stable/c/d37474ab9a79149075f0823315c6d45dd983a78c https://git.kernel.org/stable/c/d2ead18bc7cc166220cab5a744a05c5b69431a12 https://git.kernel.org/stable/c/cde600af7b413c9fe03e85c58c4279df90e91d13 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix memory leak in ocfs2_mount_volume() There is a memory leak reported by kmemleak: unreferenced object 0xffff88810cc65e60 (size 32): comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s) hex dump (first 32 bytes): 10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................ 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff8170f73d>] __kmalloc+0x4d/0x150 [<ffffffffa0ac3f51>] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2] [<ffffffffa0b65165>] ocfs2_check_volume+0x485/0x900 [ocfs2] [<ffffffffa0b68129>] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2] [<ffffffffa0b7160b>] ocfs2_fill_super+0xe0b/0x1740 [ocfs2] [<ffffffff818e1fe2>] mount_bdev+0x312/0x400 [<ffffffff819a086d>] legacy_get_tree+0xed/0x1d0 [<ffffffff818de82d>] vfs_get_tree+0x7d/0x230 [<ffffffff81957f92>] path_mount+0xd62/0x1760 [<ffffffff81958a5a>] do_mount+0xca/0xe0 [<ffffffff81958d3c>] __x64_sys_mount+0x12c/0x1a0 [<ffffffff82f26f15>] do_syscall_64+0x35/0x80 [<ffffffff8300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 This call stack is related to two problems. Firstly, the ocfs2 super uses "replay_map" to trace online/offline slots, in order to recover offline slots during recovery and mount. But when ocfs2_truncate_log_init() returns an error in ocfs2_mount_volume(), the memory of "replay_map" will not be freed in the error handling path. Secondly, the memory of "replay_map" will not be freed if d_make_root() returns an error in ocfs2_fill_super(). But the memory of "replay_map" will be freed normally when completing recovery and mount in ocfs2_complete_mount_recovery(). Fix the first problem by adding an error handling path to free "replay_map" when ocfs2_truncate_log_init() fails. And fix the second problem by calling ocfs2_free_replay_slots(osb) in the error handling path "out_dismount". In addition, since ocfs2_free_replay_slots() is static, it is necessary to remove its static attribute and declare it in the header file. | 2025-12-24 | not yet calculated | CVE-2022-50770 | https://git.kernel.org/stable/c/7ef516888c4d30ae41bfcd79e7077d86d92794c5 https://git.kernel.org/stable/c/2b7e59ed2e77136e9360274f8f0fc208a003e95c https://git.kernel.org/stable/c/8059e200259e9c483d715fc2df6340c227c3e196 https://git.kernel.org/stable/c/4efe1d2db731bad19891e2fb9b338724b1f598cc https://git.kernel.org/stable/c/50ab0ca3aff4da26037113d69f5a756d8c1a92cd https://git.kernel.org/stable/c/ce2fcf1516d674a174d9b34d1e1024d64de9fba3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state() Running rcutorture with non-zero fqs_duration module parameter in a kernel built with CONFIG_PREEMPTION=y results in the following splat: BUG: using __this_cpu_read() in preemptible [00000000] code: rcu_torture_fqs/398 caller is __this_cpu_preempt_check+0x13/0x20 CPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+ Call Trace: <TASK> dump_stack_lvl+0x5b/0x86 dump_stack+0x10/0x16 check_preemption_disabled+0xe5/0xf0 __this_cpu_preempt_check+0x13/0x20 rcu_force_quiescent_state.part.0+0x1c/0x170 rcu_force_quiescent_state+0x1e/0x30 rcu_torture_fqs+0xca/0x160 ? rcu_torture_boost+0x430/0x430 kthread+0x192/0x1d0 ? kthread_complete_and_exit+0x30/0x30 ret_from_fork+0x22/0x30 </TASK> The problem is that rcu_force_quiescent_state() uses __this_cpu_read() in preemptible code instead of the proper raw_cpu_read(). This commit therefore changes __this_cpu_read() to raw_cpu_read(). | 2025-12-24 | not yet calculated | CVE-2022-50771 | https://git.kernel.org/stable/c/3d92527a919edd1aa381bdd6c299dd75a8167396 https://git.kernel.org/stable/c/5a52380b8193cf8be6c4a6b94b86ef64ed80c0dc https://git.kernel.org/stable/c/98a5b1265a36e9d843a51ddd6c9fa02da50d2c57 https://git.kernel.org/stable/c/a74af9b937707b42c3fd041aae1ed4ce2f337307 https://git.kernel.org/stable/c/80a3e7ab477b3655615fc1627c88c248d4ad28d9 https://git.kernel.org/stable/c/ceb1c8c9b8aa9199da46a0f29d2d5f08d9b44c15 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix memory leak in nsim_bus_dev_new() If device_register() failed in nsim_bus_dev_new(), the value of reference in nsim_bus_dev->dev is 1. obj->name in nsim_bus_dev->dev will not be released. unreferenced object 0xffff88810352c480 (size 16): comm "echo", pid 5691, jiffies 4294945921 (age 133.270s) hex dump (first 16 bytes): 6e 65 74 64 65 76 73 69 6d 31 00 00 00 00 00 00 netdevsim1...... backtrace: [<000000005e2e5e26>] __kmalloc_node_track_caller+0x3a/0xb0 [<0000000094ca4fc8>] kvasprintf+0xc3/0x160 [<00000000aad09bcc>] kvasprintf_const+0x55/0x180 [<000000009bac868d>] kobject_set_name_vargs+0x56/0x150 [<000000007c1a5d70>] dev_set_name+0xbb/0xf0 [<00000000ad0d126b>] device_add+0x1f8/0x1cb0 [<00000000c222ae24>] new_device_store+0x3b6/0x5e0 [<0000000043593421>] bus_attr_store+0x72/0xa0 [<00000000cbb1833a>] sysfs_kf_write+0x106/0x160 [<00000000d0dedb8a>] kernfs_fop_write_iter+0x3a8/0x5a0 [<00000000770b66e2>] vfs_write+0x8f0/0xc80 [<0000000078bb39be>] ksys_write+0x106/0x210 [<00000000005e55a4>] do_syscall_64+0x35/0x80 [<00000000eaa40bbc>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-12-24 | not yet calculated | CVE-2022-50772 | https://git.kernel.org/stable/c/77579e4065295071fbd9662f03430dca5b50b086 https://git.kernel.org/stable/c/cf2010aa1c739bab067cbc90b690d28eaa0b47da |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: mts64: fix possible null-ptr-deref in snd_mts64_interrupt I got a null-ptr-deref error report when I do the following tests on the qemu platform: make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m, CONFIG_SND_MTS64=m Then making test scripts: cat>test_mod1.sh<<EOF modprobe snd-mts64 modprobe snd-mts64 EOF Executing the script, perhaps several times, we will get a null-ptr-deref report, as follows: syzkaller:~# ./test_mod.sh snd_mts64: probe of snd_mts64.0 failed with error -5 modprobe: ERROR: could not insert 'snd_mts64': No such device BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6 Call Trace: <IRQ> snd_mts64_interrupt+0x24/0xa0 [snd_mts64] parport_irq_handler+0x37/0x50 [parport] __handle_irq_event_percpu+0x39/0x190 handle_irq_event_percpu+0xa/0x30 handle_irq_event+0x2f/0x50 handle_edge_irq+0x99/0x1b0 __common_interrupt+0x5d/0x100 common_interrupt+0xa0/0xc0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30 parport_claim+0xbd/0x230 [parport] snd_mts64_probe+0x14a/0x465 [snd_mts64] platform_probe+0x3f/0xa0 really_probe+0x129/0x2c0 __driver_probe_device+0x6d/0xc0 driver_probe_device+0x1a/0xa0 __device_attach_driver+0x7a/0xb0 bus_for_each_drv+0x62/0xb0 __device_attach+0xe4/0x180 bus_probe_device+0x82/0xa0 device_add+0x550/0x920 platform_device_add+0x106/0x220 snd_mts64_attach+0x2e/0x80 [snd_mts64] port_check+0x14/0x20 [parport] bus_for_each_dev+0x6e/0xc0 __parport_register_driver+0x7c/0xb0 [parport] snd_mts64_module_init+0x31/0x1000 [snd_mts64] do_one_initcall+0x3c/0x1f0 do_init_module+0x46/0x1c6 load_module+0x1d8d/0x1e10 __do_sys_finit_module+0xa2/0xf0 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> Kernel panic - not syncing: Fatal exception in interrupt Rebooting in 1 seconds.. The mts was not initialized during the interrupt; we add a check for mts to fix this bug. | 2025-12-24 | not yet calculated | CVE-2022-50773 | https://git.kernel.org/stable/c/06ec592389f2be3199779ab823c4323dcfd2121f https://git.kernel.org/stable/c/b471fe61da523a15e4cb60fa81f5a2377e4bad98 https://git.kernel.org/stable/c/7e91667db38abb056da5a496d40fbd044c66bed2 https://git.kernel.org/stable/c/c7e9624d90bf20f1eed6b228949396d614b94020 https://git.kernel.org/stable/c/0649129359219ce6ff380ec401f87308485c6ae3 https://git.kernel.org/stable/c/cba633b24a98d957e8190ef8bc4d4cdb4f6e9313 https://git.kernel.org/stable/c/1a763c748acd5540ccc43306c57c9c6c5fb60884 https://git.kernel.org/stable/c/250eed7b9994d79f9c409f954dbd08e88f5afd83 https://git.kernel.org/stable/c/cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: qat - fix DMA transfer direction When CONFIG_DMA_API_DEBUG is selected, while running the crypto self test on the QAT crypto algorithms, the function add_dma_entry() reports a warning similar to the one below, saying that overlapping mappings are not supported. This occurs in tests where the input and the output scatter list point to the same buffers (i.e. two different scatter lists which point to the same chunks of memory). The logic that implements the mapping uses the flag DMA_BIDIRECTIONAL for both the input and the output scatter lists which leads to overlapped write mappings. These are not supported by the DMA layer. Fix by specifying the correct DMA transfer directions when mapping buffers. For in-place operations where the input scatter list matches the output scatter list, buffers are mapped once with DMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag DMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE. Overlapping a read mapping with a write mapping is a valid case in dma-coherent devices like QAT. The function that frees and unmaps the buffers, qat_alg_free_bufl(), has been changed accordingly to the changes to the mapping function. DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270 ... Call Trace: dma_map_page_attrs+0x82/0x2d0 ? preempt_count_add+0x6a/0xa0 qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat] qat_alg_aead_dec+0x71/0x250 [intel_qat] crypto_aead_decrypt+0x3d/0x70 test_aead_vec_cfg+0x649/0x810 ? number+0x310/0x3a0 ? vsnprintf+0x2a3/0x550 ? scnprintf+0x42/0x70 ? valid_sg_divisions.constprop.0+0x86/0xa0 ? test_aead_vec+0xdf/0x120 test_aead_vec+0xdf/0x120 alg_test_aead+0x185/0x400 alg_test+0x3d8/0x500 ? crypto_acomp_scomp_free_ctx+0x30/0x30 ? __schedule+0x32a/0x12a0 ? ttwu_queue_wakelist+0xbf/0x110 ? _raw_spin_unlock_irqrestore+0x23/0x40 ? try_to_wake_up+0x83/0x570 ? _raw_spin_unlock_irqrestore+0x23/0x40 ? __set_cpus_allowed_ptr_locked+0xea/0x1b0 ? crypto_acomp_scomp_free_ctx+0x30/0x30 cryptomgr_test+0x27/0x50 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 | 2025-12-24 | not yet calculated | CVE-2022-50774 | https://git.kernel.org/stable/c/426d5bc089e7731e36b514d1beca19e777a2d653 https://git.kernel.org/stable/c/1f1ab76e251521bd2fa5244473efcf663792745d https://git.kernel.org/stable/c/429348d4f675e9eb418d0829064c4d7d06bd66a3 https://git.kernel.org/stable/c/c4c9d9edf4848aed89516b23b88950b194beff6a https://git.kernel.org/stable/c/cf5bb835b7c8a5fee7f26455099cca7feb57f5e9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix refcount leak in hns_roce_mmap rdma_user_mmap_entry_get_pgoff() takes the reference. Add missing rdma_user_mmap_entry_put() to release the reference. Acked-by Haoyue Xu <xuhaoyue1@hisilicon.com> | 2025-12-24 | not yet calculated | CVE-2022-50775 | https://git.kernel.org/stable/c/fa87cf2e756efe809ee8683d4f282f4de962dab6 https://git.kernel.org/stable/c/8abd2ff2256a2a99c11c7ecdcb5512429933620f https://git.kernel.org/stable/c/cf6a05c8494a8ae7fec8e5f1229b45ca5b4bcd30 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: clk: st: Fix memory leak in st_of_quadfs_setup() If st_clk_register_quadfs_pll() fails, @lock should be freed before goto @err_exit, otherwise it will cause a memory leak issue; fix it. | 2025-12-24 | not yet calculated | CVE-2022-50776 | https://git.kernel.org/stable/c/081538ae5817631a2b99e8e75cce981060aab29f https://git.kernel.org/stable/c/f0295209de457049a4a5f3e3985528391bd1ab34 https://git.kernel.org/stable/c/be03875007621fcee96e6f9fd7b9e59c8dfcf6fa https://git.kernel.org/stable/c/713ad301c2d49e88fe586b57ebac8f220a98e162 https://git.kernel.org/stable/c/efd025f32fce27a8ada9bcb4731e8a84476e5b3d https://git.kernel.org/stable/c/adf6a00859d014cecf046dc91f75c0e65a544360 https://git.kernel.org/stable/c/335ef7546c77e63154d6ea4d603b11274a85900e https://git.kernel.org/stable/c/f4731395d6db850127634197863aede188d8e9de https://git.kernel.org/stable/c/cfd3ffb36f0d566846163118651d868e607300ba |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe of_phy_find_device() returns a device node with its refcount incremented. Call put_device() to release it when it is not needed anymore. | 2025-12-24 | not yet calculated | CVE-2022-50777 | https://git.kernel.org/stable/c/53526dbc8aa6b95e9fc2ab1e29b1a9145721da24 https://git.kernel.org/stable/c/78b0b1ff525d9be4babf5a148a4de0d50042d95d https://git.kernel.org/stable/c/00616bd1913a4f879679e02dc08c2f501ca2bd4c https://git.kernel.org/stable/c/106d0d33c9d1ec4ddeeffc1fdc717ff09953d4ed https://git.kernel.org/stable/c/4d112f001612c79927c1ecf29522b34c4fa292e0 https://git.kernel.org/stable/c/52841e71253e6ace72751c72560950474a57d04c https://git.kernel.org/stable/c/ee84d37a5f08ed1121cdd16f8f3ed87552087a21 https://git.kernel.org/stable/c/d039535850ee47079d59527e96be18d8e0daa84b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe a runtime panic while running Android's Compatibility Test Suite's (CTS) android.hardware.input.cts.tests. This is stemming from a strlen() call in hidinput_allocate(). __compiletime_strlen() is implemented in terms of __builtin_object_size(), then does an array access to check for NUL-termination. A quirk of __builtin_object_size() is that for strings whose values are runtime dependent, __builtin_object_size(str, 1 or 0) returns the maximum size of possible values when those sizes are determinable at compile time. Example: static const char *v = "FOO BAR"; static const char *y = "FOO BA"; unsigned long x (int z) { // Returns 8, which is: // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1)) return __builtin_object_size(z ? v : y, 1); } So when FORTIFY_SOURCE is enabled, the current implementation of __compiletime_strlen() will try to access beyond the end of y at runtime using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault. hidinput_allocate() has a local C string whose value is control flow dependent on a switch statement, so __builtin_object_size(str, 1) evaluates to the maximum string length, making all other cases fault on the last character check. hidinput_allocate() could be cleaned up to avoid runtime calls to strlen() since the local variable can only have literal values, so there's no benefit to trying to fortify the strlen call site there. Perform a __builtin_constant_p() check against index 0 earlier in the macro to filter out the control-flow-dependent case. Add a KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals. | 2025-12-24 | not yet calculated | CVE-2022-50778 | https://git.kernel.org/stable/c/ed42391164e6839a48aaf4c53eefda516835e799 https://git.kernel.org/stable/c/5d59ad2bfb35fccfe2ad5e8bb8801f6224d3f7d4 https://git.kernel.org/stable/c/d07c0acb4f41cc42a0d97530946965b3e4fa68c1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() When inserting and removing the orangefs module, debug_help_string will be leaked: unreferenced object 0xffff8881652ba000 (size 4096): comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s) hex dump (first 32 bytes): 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow backtrace: [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0 [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs] [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t] [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0 [<000000001d0614ae>] do_init_module+0xdf/0x320 [<00000000efef068c>] load_module+0x2f98/0x3330 [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0 [<00000000a0da6f99>] do_syscall_64+0x35/0x80 [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 When removing the module, we should always free debug_help_string. We should always free the allocated buffer when changing free_debug_help_string. | 2025-12-24 | not yet calculated | CVE-2022-50779 | https://git.kernel.org/stable/c/44d3eac26a5e5268d11cc342dc202b0d31505c0a https://git.kernel.org/stable/c/f2b8a6aac561a49fe02c99683c40a8b87a9f68fc https://git.kernel.org/stable/c/ba9d3b9cec20957fd86bb1bf525b4ea8b64b2dea https://git.kernel.org/stable/c/2e7c09121064df93c58bbc49d3d0f608d3f584bd https://git.kernel.org/stable/c/b8affa0c6405ee968dcb6030bee2cf719a464752 https://git.kernel.org/stable/c/39529b79b023713d4f2d3479dc0ca43ba99df726 https://git.kernel.org/stable/c/3fc221d9a16339a913a0341d3efc7fef339073e1 https://git.kernel.org/stable/c/19be31668552a198e887762e25bdcc560800ecb4 https://git.kernel.org/stable/c/d23417a5bf3a3afc55de5442eb46e1e60458b0a1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed When the ops_init() interface is invoked to initialize the net, but ops->init() fails, data is released. However, the ptr pointer in net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked to release the net, invalid address access occurs. The process is as follows: setup_net() ops_init() data = kzalloc(...) --> alloc "data" net_assign_generic() --> assign "data" to ptr in net->gen ... ops->init() --> failed ... kfree(data); --> ptr in net->gen is invalid ... ops_exit_list() ... nfqnl_nf_hook_drop() *q = nfnl_queue_pernet(net) --> q is invalid The following is the Call Trace information: BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280 Read of size 8 at addr ffff88810396b240 by task ip/15855 Call Trace: <TASK> dump_stack_lvl+0x8e/0xd1 print_report+0x155/0x454 kasan_report+0xba/0x1f0 nfqnl_nf_hook_drop+0x264/0x280 nf_queue_nf_hook_drop+0x8b/0x1b0 __nf_unregister_net_hook+0x1ae/0x5a0 nf_unregister_net_hooks+0xde/0x130 ops_exit_list+0xb0/0x170 setup_net+0x7ac/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 </TASK> Allocated by task 15855: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0xa1/0xb0 __kmalloc+0x49/0xb0 ops_init+0xe7/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 15855: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x155/0x1b0 slab_free_freelist_hook+0x11b/0x220 __kmem_cache_free+0xa4/0x360 ops_init+0xb9/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-12-24 | not yet calculated | CVE-2022-50780 | https://git.kernel.org/stable/c/5a2ea549be94924364f6911227d99be86e8cf34a https://git.kernel.org/stable/c/97ad240fd9aa9214497d14af2b91608e20856cac https://git.kernel.org/stable/c/c3edc6e808209aa705185f732e682a370981ced1 https://git.kernel.org/stable/c/a1e18acb0246bfb001b08b8b1b830b5ec92a0f13 https://git.kernel.org/stable/c/4a4df5e78712de39d6f90d6a64b5eb48dca03bd5 https://git.kernel.org/stable/c/d266935ac43d57586e311a087510fe6a084af742 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() In the PP_OD_EDIT_VDDC_CURVE case the “input_index” variable is capped at 2 but not checked for negative values so it results in an out of bounds read. This value comes from the user via sysfs. | 2025-12-24 | not yet calculated | CVE-2022-50781 | https://git.kernel.org/stable/c/4d3dc0de9c46d9f73be6bac026e40b893e37ea21 https://git.kernel.org/stable/c/85273b4a7076ed5328c8ace02234e4e7e10972d5 https://git.kernel.org/stable/c/f289a38df0da4cfe4b50d04b1b9c3bc646fecd57 https://git.kernel.org/stable/c/a03625ad11b50429930f4c491d6c97e70f2ba89a https://git.kernel.org/stable/c/8084bd0a64e278314b733993f388d83a86aa1183 https://git.kernel.org/stable/c/d27252b5706e51188aed7647126e44dcf9e940c1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug_on in __es_tree_search caused by bad quota inode We got an issue as follows: ================================================================== kernel BUG at fs/ext4/extents_status.c:202! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352 RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0 RSP: 0018:ffffc90001227900 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8 RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001 R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10 R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000 FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ext4_es_cache_extent+0xe2/0x210 ext4_cache_extents+0xd2/0x110 ext4_find_extent+0x5d5/0x8c0 ext4_ext_map_blocks+0x9c/0x1d30 ext4_map_blocks+0x431/0xa50 ext4_getblk+0x82/0x340 ext4_bread+0x14/0x110 ext4_quota_read+0xf0/0x180 v2_read_header+0x24/0x90 v2_check_quota_file+0x2f/0xa0 dquot_load_quota_sb+0x26c/0x760 dquot_load_quota_inode+0xa5/0x190 ext4_enable_quotas+0x14c/0x300 __ext4_fill_super+0x31cc/0x32c0 ext4_fill_super+0x115/0x2d0 get_tree_bdev+0x1d2/0x360 ext4_get_tree+0x19/0x30 vfs_get_tree+0x26/0xe0 path_mount+0x81d/0xfc0 do_mount+0x8d/0xc0 __x64_sys_mount+0xc0/0x160 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> ================================================================== The above issue may happen as follows: ------------------------------------- ext4_fill_super ext4_orphan_cleanup ext4_enable_quotas ext4_quota_enable ext4_iget --> get error inode <5> ext4_ext_check_inode --> Wrong imode makes it escape inspection make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode dquot_load_quota_inode vfs_setup_quota_inode --> check pass dquot_load_quota_sb v2_check_quota_file v2_read_header ext4_quota_read ext4_bread ext4_getblk ext4_map_blocks ext4_ext_map_blocks ext4_find_extent ext4_cache_extents ext4_es_cache_extent __es_tree_search.isra.0 ext4_es_end --> Wrong extents trigger BUG_ON In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains an incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO, the ext4_ext_check_inode check in the ext4_iget function can be bypassed; finally, the extents that are not checked trigger the BUG_ON in the __es_tree_search function. To solve this issue, check whether the inode is a bad_inode in vfs_setup_quota_inode(). | 2025-12-24 | not yet calculated | CVE-2022-50782 | https://git.kernel.org/stable/c/fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3 https://git.kernel.org/stable/c/1d5524832ff204b8a8cd54ae1628b2122f6e9a8d https://git.kernel.org/stable/c/98004f926d27eaccdd2d336b7916a42e07392da1 https://git.kernel.org/stable/c/0dcbf4dc3d54aab5990952cfd832042fb300dbe3 https://git.kernel.org/stable/c/794c9175db1f2e5d2a28c326f10bd024dbd944f8 https://git.kernel.org/stable/c/1daff79463d7d76096c84c57cddc30c5d4be2226 https://git.kernel.org/stable/c/d323877484765aaacbb2769b06e355c2041ed115 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: use proper req destructor for IPv6 Before, only the destructor from TCP request sock in IPv4 was called even if the subflow was IPv6. It is important to use the right destructor to avoid memory leaks with some advanced IPv6 features, e.g. when the request socks contain specific IPv6 options. | 2025-12-24 | not yet calculated | CVE-2022-50783 | https://git.kernel.org/stable/c/6eb02c596ec02e5897ae377e065cb7df55337a96 https://git.kernel.org/stable/c/bd5dc96fea4edd16d2e22f41b4dd50a4cfbeb919 https://git.kernel.org/stable/c/092953f3c4cd65f88b27b87a922f6c725f34ee04 https://git.kernel.org/stable/c/1922ea6b0ae2ea0c9a09be0eafafe1cd1069d259 https://git.kernel.org/stable/c/d3295fee3c756ece33ac0d935e172e68c0a4161b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix potential use-after-free bug when trimming caps When trimming the caps, just after 'session->s_cap_lock' is released in ceph_iterate_session_caps() the cap may be removed by another thread, and using the stale cap memory in the callbacks will trigger a use-after-free crash. We need to check the existence of the cap just after 'ci->i_ceph_lock' is acquired, and do nothing if it's already removed. | 2025-12-24 | not yet calculated | CVE-2023-53867 | https://git.kernel.org/stable/c/2b2515b8095cf2149bef44383a99d5b5677f1831 https://git.kernel.org/stable/c/448875a73e16ba7d81dec9274ce9d33a12d092fb https://git.kernel.org/stable/c/ae6e935618d99cdba11eab4714092e7e5f13cf7e https://git.kernel.org/stable/c/aaf67de78807c59c35bafb5003d4fb457c764800 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mips: bmips: BCM6358: disable RAC flush for TP1 RAC flush causes kernel panics on BCM6358 with EHCI/OHCI when booting from TP1: [ 3.881739] usb 1-1: new high-speed USB device number 2 using ehci-platform [ 3.895011] Reserved instruction in kernel code[#1]: [ 3.900113] CPU: 0 PID: 1 Comm: init Not tainted 5.10.16 #0 [ 3.905829] $ 0 : 00000000 10008700 00000000 77d94060 [ 3.911238] $ 4 : 7fd1f088 00000000 81431cac 81431ca0 [ 3.916641] $ 8 : 00000000 ffffefff 8075cd34 00000000 [ 3.922043] $12 : 806f8d40 f3e812b7 00000000 000d9aaa [ 3.927446] $16 : 7fd1f068 7fd1f080 7ff559b8 81428470 [ 3.932848] $20 : 00000000 00000000 55590000 77d70000 [ 3.938251] $24 : 00000018 00000010 [ 3.943655] $28 : 81430000 81431e60 81431f28 800157fc [ 3.949058] Hi : 00000000 [ 3.952013] Lo : 00000000 [ 3.955019] epc : 80015808 setup_sigcontext+0x54/0x24c [ 3.960464] ra : 800157fc setup_sigcontext+0x48/0x24c [ 3.965913] Status: 10008703 KERNEL EXL IE [ 3.970216] Cause : 00800028 (ExcCode 0a) [ 3.974340] PrId : 0002a010 (Broadcom BMIPS4350) [ 3.979170] Modules linked in: ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl ehci_hcd gpio_button_hotplug usbcore nls_base usb_common [ 3.992907] Process init (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=77e22ec8) [ 4.000776] Stack : 81431ef4 7fd1f080 81431f28 81428470 7fd1f068 81431edc 7ff559b8 81428470 [ 4.009467] 81431f28 7fd1f080 55590000 77d70000 77d5498c 80015c70 806f0000 8063ae74 [ 4.018149] 08100002 81431f28 0000000a 08100002 81431f28 0000000a 77d6b418 00000003 [ 4.026831] ffffffff 80016414 80080734 81431ecc 81431ecc 00000001 00000000 04000000 [ 4.035512] 77d54874 00000000 00000000 00000000 00000000 00000012 00000002 00000000 [ 4.044196] ... [ 4.046706] Call Trace: [ 4.049238] [<80015808>] setup_sigcontext+0x54/0x24c [ 4.054356] [<80015c70>] setup_frame+0xdc/0x124 [ 4.059015] [<80016414>] do_notify_resume+0x1dc/0x288 [ 4.064207] [<80011b50>] work_notifysig+0x10/0x18 [ 4.069036] [ 4.070538] Code: 8fc300b4 00001025 26240008 <ac820000> ac830004 3c048063 0c0228aa 24846a00 26240010 [ 4.080686] [ 4.082517] ---[ end trace 22a8edb41f5f983b ]--- [ 4.087374] Kernel panic - not syncing: Fatal exception [ 4.092753] Rebooting in 1 seconds.. Because the bootloader (CFE) is not initializing the Read-ahead cache properly on the second thread (TP1). Since the RAC was not initialized properly, we should avoid flushing it at the risk of corrupting the instruction stream as seen in the trace above. | 2025-12-24 | not yet calculated | CVE-2023-53986 | https://git.kernel.org/stable/c/d65de5ee8b72868fbbbd39ca73017d0e526fa13a https://git.kernel.org/stable/c/47a449ec09b4479b89dcc6b27ec3829fc82ffafb https://git.kernel.org/stable/c/65b723644294f1d79770704162c0e8d1f700b6f1 https://git.kernel.org/stable/c/2cdbcff99f15db86a10672fb220379a1ae46ccae https://git.kernel.org/stable/c/288c96aa5b5526cd4a946e84ef85e165857693b5 https://git.kernel.org/stable/c/ab327f8acdf8d06601fbf058859a539a9422afff |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ping: Fix potential NULL deref for /proc/net/icmp. After commit dbca1596bbb0 (“ping: convert to RCU lookups, get rid of rwlock”), we use RCU for ping sockets, but we should use spinlock for /proc/net/icmp to avoid a potential NULL deref mentioned in the previous patch. Let’s go back to using spinlock there. Note we can convert ping sockets to use hlist instead of hlist_nulls because we do not use SLAB_TYPESAFE_BY_RCU for ping sockets. | 2025-12-24 | not yet calculated | CVE-2023-53987 | https://git.kernel.org/stable/c/5a08a32e624908890aa0a2eb442bb6a7669891a8 https://git.kernel.org/stable/c/176cbb6da28f36506cc60a4bec4ab8df0c16713a https://git.kernel.org/stable/c/ab5fb73ffa01072b4d8031cc05801fa1cb653bee |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de() Here is a BUG report from syzbot: BUG: KASAN: slab-out-of-bounds in hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806 Read of size 16842960 at addr ffff888079cc0600 by task syz-executor934/3631 Call Trace: memmove+0x25/0x60 mm/kasan/shadow.c:54 hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806 indx_delete_entry+0x74f/0x3670 fs/ntfs3/index.c:2193 ni_remove_name+0x27a/0x980 fs/ntfs3/frecord.c:2910 ntfs_unlink_inode+0x3d4/0x720 fs/ntfs3/inode.c:1712 ntfs_rename+0x41a/0xcb0 fs/ntfs3/namei.c:276 Before using the meta-data in struct INDEX_HDR, we need to check whether the index header is valid or not. Otherwise, a corrupted (or malicious) fs image can cause out-of-bounds access which could make the kernel panic. | 2025-12-24 | not yet calculated | CVE-2023-53988 | https://git.kernel.org/stable/c/c58ea97aa94f033ee64a8cb6587d84a9849b6216 https://git.kernel.org/stable/c/9163a5b4ed290da4a7d23fa92533e0e81fd0166e https://git.kernel.org/stable/c/114204d25e1dffdd3a0c1cfbba219afd344f4b4f https://git.kernel.org/stable/c/4a034ece7e2877673d9085d6e7ed45e6ee40b761 https://git.kernel.org/stable/c/ab84eee4c7ab929996602eda7832854c35a6dda2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: mm: fix VA-range sanity check Both create_mapping_noalloc() and update_mapping_prot() sanity-check their ‘virt’ parameter, but the check itself doesn’t make much sense. The condition used today appears to be a historical accident. The sanity-check condition: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ … warning here … ] return; } … can only be true for the KASAN shadow region or the module region, and there’s no reason to exclude these specifically for creating and updating mappings. When arm64 support was first upstreamed in commit: c1cc1552616d0f35 (“arm64: MMU initialisation”) … the condition was: if (virt < VMALLOC_START) { [ … warning here … ] return; } At the time, VMALLOC_START was the lowest kernel address, and this was checking whether ‘virt’ would be translated via TTBR1. Subsequently in commit: 14c127c957c1c607 (“arm64: mm: Flip kernel VA space”) … the condition was changed to: if ((virt >= VA_START) && (virt < VMALLOC_START)) { [ … warning here … ] return; } This appears to have been a thinko. The commit moved the linear map to the bottom of the kernel address space, with VMALLOC_START being at the halfway point. The old condition would warn for changes to the linear map below this, and at the time VA_START was the end of the linear map. Subsequently we cleaned up the naming of VA_START in commit: 77ad4ce69321abbe (“arm64: memory: rename VA_START to PAGE_END”) … keeping the erroneous condition as: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ … warning here … ] return; } Correct the condition to check against the start of the TTBR1 address space, which is currently PAGE_OFFSET. This simplifies the logic, and more clearly matches the “outside kernel range” message in the warning. | 2025-12-24 | not yet calculated | CVE-2023-53989 | https://git.kernel.org/stable/c/9d8d3df71516ec3236d8d93ff029d251377ba4b1 https://git.kernel.org/stable/c/32020fc2a8373d3de35ae6d029d5969a42651e7a https://git.kernel.org/stable/c/621619f626cbe702ddbdc54117f3868b8ebd8129 https://git.kernel.org/stable/c/b03c7fcc5ed854d0e1b27e9abf12428bfa751a37 https://git.kernel.org/stable/c/ab9b4008092c86dc12497af155a0901cc1156999 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: SMB3: Add missing locks to protect deferred close file list cifs_del_deferred_close function has a critical section which modifies the deferred close file list. We must acquire deferred_lock before calling cifs_del_deferred_close function. | 2025-12-24 | not yet calculated | CVE-2023-53990 | https://git.kernel.org/stable/c/0f87e18203bd30f71eb1a65259e28e291b6cc43a https://git.kernel.org/stable/c/3aa9d065b0685b4e6052f3f2a2462966fdc44fd2 https://git.kernel.org/stable/c/cb36365dac25d546ca4af0eb22acb43c9b4ddfdf https://git.kernel.org/stable/c/32a046ccaeea6c19965c04a4c521e703f6607924 https://git.kernel.org/stable/c/ab9ddc87a9055c4bebd6524d5d761d605d52e557 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Disallow unallocated resources to be returned In the event that the topology requests resources that have not been created by the system (because they are typically not represented in dpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC blocks, until their allocation/assignment is being sanity-checked in “drm/msm/dpu: Reject topologies for which no DSC blocks are available”) remain NULL but will still be returned out of dpu_rm_get_assigned_resources, where the caller expects to get an array containing num_blks valid pointers (but instead gets these NULLs). To prevent this from happening, where null-pointer dereferences typically result in a hard-to-debug platform lockup, num_blks shouldn’t increase past NULL blocks and will print an error and break instead. After all, max_blks represents the static size of the maximum number of blocks whereas the actual amount varies per platform. ^1: which can happen after a git rebase ended up moving additions to _dpu_cfg to a different struct which has the same patch context. Patchwork: https://patchwork.freedesktop.org/patch/517636/ | 2025-12-24 | not yet calculated | CVE-2023-53991 | https://git.kernel.org/stable/c/8dbd54d679e3ab37be43bc1ed9f463dbf83a2259 https://git.kernel.org/stable/c/bf661c5e3bc48973acb363c76e3db965d9ed26d0 https://git.kernel.org/stable/c/9e1e236acdc42b5c43ec8d7f03a39537e70cc309 https://git.kernel.org/stable/c/9fe3644c720ac87d150f0bba5a4ae86cae55afaf https://git.kernel.org/stable/c/abc40122d9a69f56c04efb5a7485795f5ac799d1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: ocb: don’t leave if not joined If there’s no OCB state, don’t ask the driver/mac80211 to leave, since that’s just confusing. Since set/clear the chandef state, that’s a simple check. | 2025-12-24 | not yet calculated | CVE-2023-53992 | https://git.kernel.org/stable/c/d7b0fe3487d203c04ee1bda91a63bd4dd398c350 https://git.kernel.org/stable/c/94332210902967b7d63294b43428c8ed075b20e6 https://git.kernel.org/stable/c/abc76cf552e13cfa88a204b362a86b0e08e95228 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix memory leak with CONFIG_DEBUG_OBJECTS=y After a pci_doe_task completes, its work_struct needs to be destroyed to avoid a memory leak with CONFIG_DEBUG_OBJECTS=y. | 2025-12-24 | not yet calculated | CVE-2023-53993 | https://git.kernel.org/stable/c/2a0e0f4773fe8032fb17e56f897bee32ce3cdc2b https://git.kernel.org/stable/c/95628b830952943631d3d74f73f431f501c5d6f5 https://git.kernel.org/stable/c/abf04be0e7071f2bcd39bf97ba407e7d4439785e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ionic: remove WARN_ON to prevent panic_on_warn Remove unnecessary early code development check and the WARN_ON that it uses. The irq alloc and free paths have long been cleaned up and this check shouldn’t have stuck around so long. | 2025-12-24 | not yet calculated | CVE-2023-53994 | https://git.kernel.org/stable/c/4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb https://git.kernel.org/stable/c/f8cc4fd99a325505e15c3da95d6de266efd3d9b5 https://git.kernel.org/stable/c/1417dd787a5e55b410a00a28231b0dcb19172457 https://git.kernel.org/stable/c/dc470466753ad0dd3a8c48aaefa05a992c119b9c https://git.kernel.org/stable/c/daeaad114cb163ec51bcf14326cb7fe37d368459 https://git.kernel.org/stable/c/abfb2a58a5377ebab717d4362d6180f901b6e5c1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix one memleak in __inet_del_ifa() I got the below warning when doing fuzzing tests: unregister_netdevice: waiting for bond0 to become free. Usage count = 2 It can be reproduced via: ip link add bond0 type bond sysctl -w net.ipv4.conf.bond0.promote_secondaries=1 ip addr add 4.117.174.103/0 scope 0x40 dev bond0 ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0 ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0 ip addr del 4.117.174.103/0 scope 0x40 dev bond0 ip link delete bond0 type bond In this reproduction test case, an incorrect ‘last_prim’ is found in __inet_del_ifa(), as a result, the secondary address (0.0.0.4/0 scope 0x40) is lost. The memory of the secondary address is leaked and the reference of in_device and net_device is leaked. Fix this problem: Look for ‘last_prim’ starting at the location of the deleted IP and insert the promoted IP into the location of ‘last_prim’. | 2025-12-24 | not yet calculated | CVE-2023-53995 | https://git.kernel.org/stable/c/5624f26a3574500ce23929cb2c9976a0dec9920a https://git.kernel.org/stable/c/7c8ddcdab1b900bed69cad6beef477fff116289e https://git.kernel.org/stable/c/2f1e86014d0cc084886c36a2d77bc620e2d42618 https://git.kernel.org/stable/c/980f8445479814509a3cd55a8eabaae1c9030a4c https://git.kernel.org/stable/c/42652af5360d30b43b06057c193739e7dfb18f42 https://git.kernel.org/stable/c/ac28b1ec6135649b5d78b028e47264cb3ebca5ea |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86/sev: Make enc_dec_hypercall() accept a size instead of npages enc_dec_hypercall() accepted a page count instead of a size, which forced its callers to round up. As a result, non-page aligned vaddrs caused pages to be spuriously marked as decrypted via the encryption status hypercall, which in turn caused consistent corruption of pages during live migration. Live migration requires accurate encryption status information to avoid migrating pages from the wrong perspective. | 2025-12-24 | not yet calculated | CVE-2023-53996 | https://git.kernel.org/stable/c/ba50e7773a99a109a1ea6f753b766a080d3b21cc https://git.kernel.org/stable/c/6615212d8e131b45bd9705b0d69cc0d2f624666f https://git.kernel.org/stable/c/8ae7457e71a320867d868f2622d7c643596e4f43 https://git.kernel.org/stable/c/ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: thermal: of: fix double-free on unregistration Since commit 3d439b1a2ad3 (“thermal/core: Alloc-copy-free the thermal zone parameters structure”), thermal_zone_device_register() allocates a copy of the tzp argument and frees it when unregistering, so thermal_of_zone_register() now ends up leaking its original tzp and double-freeing the tzp copy. Fix this by locating tzp on stack instead. | 2025-12-24 | not yet calculated | CVE-2023-53997 | https://git.kernel.org/stable/c/adce49089412a9ae28f5c666e0bb12fbcd86b3f7 https://git.kernel.org/stable/c/ac4436a5b20e0ef1f608a9ef46c08d5d142f8da6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hwrng: virtio – Fix race on data_avail and actual data The virtio rng device kicks off a new entropy request whenever the data available reaches zero. When a new request occurs at the end of a read operation, that is, when the result of that request is only needed by the next reader, then there is a race between the writing of the new data and the next reader. This is because there is no synchronisation whatsoever between the writer and the reader. Fix this by writing data_avail with smp_store_release and reading it with smp_load_acquire when we first enter read. The subsequent reads are safe because they’re either protected by the first load acquire, or by the completion mechanism. Also remove the redundant zeroing of data_idx in random_recv_done (data_idx must already be zero at this point) and data_avail in request_entropy (ditto). | 2025-12-24 | not yet calculated | CVE-2023-53998 | https://git.kernel.org/stable/c/241ef15776a7c8505008db689175b320d345ecd3 https://git.kernel.org/stable/c/a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d https://git.kernel.org/stable/c/77471e4912d3960dafe141e268c44be8024fe4dc https://git.kernel.org/stable/c/c76d991b6f01a5d931e7053a73bc9524975a5215 https://git.kernel.org/stable/c/22c30022cde6e2c88612b3a499223cfa912f1bc7 https://git.kernel.org/stable/c/318657b4c2077289659f1cd9e2a34f6a3b208e3e https://git.kernel.org/stable/c/2fc91f156b3f3446a1bce80cf4adedcbf41271c2 https://git.kernel.org/stable/c/ac52578d6e8d300dd50f790f29a24169b1edd26c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix internal port memory leak The flow rule can be split, and the extra post_act rules are added to the post_act table. It’s possible to trigger a memleak when the rule forwards packets from an internal port and over a tunnel, in the case that, for example, CT ‘new’ state offload is allowed. As the int_port object is assigned to the flow attribute of the post_act rule, and its refcnt is incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is not called, the refcnt is never decremented, so int_port is never freed. kmemleak reports the following error: unreferenced object 0xffff888128204b80 (size 64): comm “handler20”, pid 50121, jiffies 4296973009 (age 642.932s) hex dump (first 32 bytes): 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ……………. 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA…..wgA…. backtrace: [<00000000e992680d>] kmalloc_trace+0x27/0x120 [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core] [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core] [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core] [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core] [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core] [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core] [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410 [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower] [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower] [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010 [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0 [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360 [<0000000082dd6c8b>] netlink_unicast+0x438/0x710 [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50 [<0000000016e92590>] sock_sendmsg+0xc5/0x190 So fix this by moving the int_port cleanup code to the flow attribute free helper, which is used by all the attribute free cases. | 2025-12-24 | not yet calculated | CVE-2023-53999 | https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix deadlock issue when externel_lb and reset are executed together When externel_lb and reset are executed together, a deadlock may occur: [ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds. [ 3147.230483] “echo 0 > /proc/sys/kernel/hung_task_timeout_secs” disables this message. [ 3147.238999] task:kworker/u321:0 state:D stack: 0 pid: 7 ppid: 2 flags:0x00000008 [ 3147.248045] Workqueue: hclge hclge_service_task [hclge] [ 3147.253957] Call trace: [ 3147.257093] __switch_to+0x7c/0xbc [ 3147.261183] __schedule+0x338/0x6f0 [ 3147.265357] schedule+0x50/0xe0 [ 3147.269185] schedule_preempt_disabled+0x18/0x24 [ 3147.274488] __mutex_lock.constprop.0+0x1d4/0x5dc [ 3147.279880] __mutex_lock_slowpath+0x1c/0x30 [ 3147.284839] mutex_lock+0x50/0x60 [ 3147.288841] rtnl_lock+0x20/0x2c [ 3147.292759] hclge_reset_prepare+0x68/0x90 [hclge] [ 3147.298239] hclge_reset_subtask+0x88/0xe0 [hclge] [ 3147.303718] hclge_reset_service_task+0x84/0x120 [hclge] [ 3147.309718] hclge_service_task+0x2c/0x70 [hclge] [ 3147.315109] process_one_work+0x1d0/0x490 [ 3147.319805] worker_thread+0x158/0x3d0 [ 3147.324240] kthread+0x108/0x13c [ 3147.328154] ret_from_fork+0x10/0x18 In the externel_lb process, the hns3 driver calls napi_disable() first, then the reset happens, then the restore process of the externel_lb fails and does not call napi_enable(). When doing externel_lb again, napi_disable() is called twice, causing a deadlock on rtnl_lock(). This patch uses the HNS3_NIC_STATE_DOWN state to protect the calling of napi_disable() and napi_enable() in the externel_lb process, just as in ndo_stop() and ndo_start(). | 2025-12-24 | not yet calculated | CVE-2023-54000 | https://git.kernel.org/stable/c/d9f609cb50ebab4aa6341112f406bf9d3928ac81 https://git.kernel.org/stable/c/743f7c1762e098048ede8cdf8c89a118f8d12391 https://git.kernel.org/stable/c/ef2d6bf9695669d31ece9f2ef39dec84874a87c7 https://git.kernel.org/stable/c/ac6257a3ae5db5193b1f19c268e4f72d274ddb88 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: staging: r8712: Fix memory leak in _r8712_init_xmit_priv() In the above mentioned routine, memory is allocated in several places. If the first succeeds and a later one fails, the routine will leak memory. This patch fixes commit 2865d42c78a9 (“staging: r8712u: Add the new driver to the mainline kernel”). A potential memory leak in r8712_xmit_resource_alloc() is also addressed. | 2025-12-24 | not yet calculated | CVE-2023-54001 | https://git.kernel.org/stable/c/fc511ae405f7ba29fbcb0246061ec15c272386e1 https://git.kernel.org/stable/c/acacdbe0f740ca8c5d5da73d50870903a3ded677 https://git.kernel.org/stable/c/41e05572e871b10dbdc168c76175c97982daf4a4 https://git.kernel.org/stable/c/874555472c736813ba1f4baf0b4c09c8e26d81ea https://git.kernel.org/stable/c/ac83631230f77dda94154ed0ebfd368fc81c70a3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion of exclop condition when starting balance Balance as exclusive state is compatible with paused balance and device add, which makes some things more complicated. The assertion of valid states when starting from paused balance needs to take into account two more states, the combinations can be hit when there are several threads racing to start balance and device add. This won’t typically happen when the commands are started from the command line. Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE. Concurrently adding multiple devices to the same mount point and btrfs_exclop_finish executed finishes before the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_NONE state which leads to assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD, in fs/btrfs/ioctl.c:456 Call Trace: <TASK> btrfs_exclop_balance+0x13c/0x310 ? memdup_user+0xab/0xc0 ? PTR_ERR+0x17/0x20 btrfs_ioctl_add_dev+0x2ee/0x320 btrfs_ioctl+0x9d5/0x10d0 ? btrfs_ioctl_encoded_write+0xb80/0xb80 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x3c/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED. Concurrently adding multiple devices to the same mount point and btrfs_exclop_balance executed finishes before the latter thread executes the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_BALANCE_PAUSED state which leads to assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD || fs_info->exclusive_operation == BTRFS_EXCLOP_NONE, fs/btrfs/ioctl.c:458 Call Trace: <TASK> btrfs_exclop_balance+0x240/0x410 ? memdup_user+0xab/0xc0 ? PTR_ERR+0x17/0x20 btrfs_ioctl_add_dev+0x2ee/0x320 btrfs_ioctl+0x9d5/0x10d0 ? btrfs_ioctl_encoded_write+0xb80/0xb80 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x3c/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd An example of the failed assertion is below, which shows that the paused balance also needs to be checked. root@syzkaller:/home/xsk# ./repro Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 [ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0 Failed to add device /dev/vda, errno 14 [ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3 [ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3 Fai ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54002 | https://git.kernel.org/stable/c/17eaeee4c5f24946aad0298d51f32981c3161d13 https://git.kernel.org/stable/c/7877dc1136ada770622d22041be306539902951b https://git.kernel.org/stable/c/6062e9e335a3bf409b5118bfe4cc10aff4b6adb1 https://git.kernel.org/stable/c/ac868bc9d136cde6e3eb5de77019a63d57a540ff |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix GID entry ref leak when create_ah fails If the AH create request fails, release sgid_attr to avoid the GID entry reference leak reported while releasing the GID table. | 2025-12-24 | not yet calculated | CVE-2023-54003 | https://git.kernel.org/stable/c/9c46c49ad3ffe84121715d392b5a0a94f9f10669 https://git.kernel.org/stable/c/d1b9b3191697a80aca8e247320eba46f24d41d18 https://git.kernel.org/stable/c/e97ff11b396c320d2cc025b09741ba432fcb20a2 https://git.kernel.org/stable/c/370280c65c28a515b841c9f2c08524f06182510c https://git.kernel.org/stable/c/632d6baf8884d803e598bf5164008d23fd9b736c https://git.kernel.org/stable/c/aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). syzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using IPPROTO_UDPLITE (0x88): 14:25:52 executing program 1: r0 = socket$inet6(0xa, 0x80002, 0x88) We had a similar report [1] for probably sk_memory_allocated_add() in __sk_mem_raise_allocated(), and commit c915fe13cbaa (“udplite: fix NULL pointer dereference”) fixed it by setting .memory_allocated for udplite_prot and udplitev6_prot. To fix the variant, we need to set either .sysctl_wmem_offset or .sysctl_rmem. Now UDP and UDPLITE share the same value for .memory_allocated, so we use the same .sysctl_wmem_offset for UDP and UDPLITE. [0]: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline] RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006 Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000 RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8 RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000 R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0 Call Trace: <TASK> __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077 udp_rmem_schedule net/ipv4/udp.c:1539 [inline] __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581 __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline] udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775 udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793 __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline] __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013 ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437 ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482 NF_HOOK include/linux/netfilter.h:303 [inline] NF_HOOK include/linux/netfilter.h:297 [inline] ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491 ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585 dst_input include/net/dst.h:468 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:303 [inline] NF_HOOK include/linux/netfilter.h:297 [inline] ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605 netif_receive_skb_internal net/core/dev.c:5691 [inline] netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750 tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553 tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989 tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035 call_write_iter include/linux/fs.h:1868 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x945/0xd50 fs/read_write.c:584 ksys_write+0x12b/0x250 fs/read_write.c:637 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 RIP: 0023:0xf7f21579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54004 | https://git.kernel.org/stable/c/cc56de054d828935aa37734b479f82fa34b5f9bd https://git.kernel.org/stable/c/7e3ae83371a4809da6fa3f10ccc430eecef3034a https://git.kernel.org/stable/c/5014b64e369bdf997935b132a1ac4d64b6e47ad4 https://git.kernel.org/stable/c/387bd0a3af3bdd2b16f8dbef0c9fcccac63000a4 https://git.kernel.org/stable/c/2a112f04629f7839e7cb509b27b8d3b735afe255 https://git.kernel.org/stable/c/f04c8eaf45e7dcdfccba936506b1ec592a369fb9 https://git.kernel.org/stable/c/ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: binder: fix memory leak in binder_init() In binder_init(), the destruction of binder_alloc_shrinker_init() is not performed in the error path, which will cause memory leaks. So this commit introduces binder_alloc_shrinker_exit() and calls it in the error path to fix that. | 2025-12-24 | not yet calculated | CVE-2023-54005 | https://git.kernel.org/stable/c/486dd742ba186ea333664c517d6775b06b1448ca https://git.kernel.org/stable/c/ceb0f8cc987fb3d25c06b9662e08a42f99651207 https://git.kernel.org/stable/c/b97dad01c12169991f895de3d4f61b8115d12bab https://git.kernel.org/stable/c/d7e5e2b87f5d27469075b6326b6b358e38cd9dcb https://git.kernel.org/stable/c/03eebad96233397f951d8e9fafd82a1674a77284 https://git.kernel.org/stable/c/f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f https://git.kernel.org/stable/c/ee95051c0c1928051f86198bf5e554277a53b26b https://git.kernel.org/stable/c/adb9743d6a08778b78d62d16b4230346d3508986 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data-race around unix_tot_inflight. unix_tot_inflight is changed under spin_lock(unix_gc_lock), but unix_release_sock() reads it locklessly. Let’s use READ_ONCE() for unix_tot_inflight. Note that the writer side was marked by commit 9d6d7f1cb67c (“af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress”) BUG: KCSAN: data-race in unix_inflight / unix_release_sock write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1: unix_inflight+0x130/0x180 net/unix/scm.c:64 unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123 unix_scm_to_skb net/unix/af_unix.c:1832 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x148/0x160 net/socket.c:747 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493 ___sys_sendmsg+0xc6/0x140 net/socket.c:2547 __sys_sendmsg+0x94/0x140 net/socket.c:2576 __do_sys_sendmsg net/socket.c:2585 [inline] __se_sys_sendmsg net/socket.c:2583 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0: unix_release_sock+0x608/0x910 net/unix/af_unix.c:671 unix_release+0x59/0x80 net/unix/af_unix.c:1058 __sock_release+0x7d/0x170 net/socket.c:653 sock_close+0x19/0x30 net/socket.c:1385 __fput+0x179/0x5e0 fs/file_table.c:321 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x116/0x1a0 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0x00000000 -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 | 2025-12-24 | not yet calculated | CVE-2023-54006 | https://git.kernel.org/stable/c/31b46d5e7c4e295bd112960614a66a177a057dca https://git.kernel.org/stable/c/20aa8325464d8905450089eed96ca102a074d853 https://git.kernel.org/stable/c/5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840 https://git.kernel.org/stable/c/cf29b42766ad4af2ae6a449f583796951551b48d https://git.kernel.org/stable/c/e5edc6e44a882c0458878ab10eaddfe60ac34e57 https://git.kernel.org/stable/c/2d8933ca863e252fb09ad0be483255e3dfeb1f54 https://git.kernel.org/stable/c/afc284a4a781defbb12b2a40427fae34c3d20e17 https://git.kernel.org/stable/c/ade32bd8a738d7497ffe9743c46728db26740f78 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vmci_host: fix a race condition in vmci_host_poll() causing GPF During fuzzing, a general protection fault is observed in vmci_host_poll(). general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926 <- omitting registers -> Call Trace: <TASK> lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162 add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22 poll_wait include/linux/poll.h:49 [inline] vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174 vfs_poll include/linux/poll.h:88 [inline] do_pollfd fs/select.c:873 [inline] do_poll fs/select.c:921 [inline] do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015 __do_sys_ppoll fs/select.c:1121 [inline] __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Example thread interleaving that causes the general protection fault is as follows: CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context) ----- ----- // Read uninitialized context context = vmci_host_dev->context; // Initialize context vmci_host_dev->context = vmci_ctx_create(); vmci_host_dev->ct_type = VMCIOBJ_CONTEXT; if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) { // Dereferencing the wrong pointer poll_wait(…, &context->host_context); } In this scenario, vmci_host_poll() reads vmci_host_dev->context first, and then reads vmci_host_dev->ct_type to check that vmci_host_dev->context is initialized. However, since these two reads are not atomically executed, there is a chance of a race condition as described above. To fix this race condition, read vmci_host_dev->context after checking the value of vmci_host_dev->ct_type so that vmci_host_poll() always reads an initialized context. | 2025-12-24 | not yet calculated | CVE-2023-54007 | https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3 https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9 https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92 https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448 https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: virtio_vdpa: build affinity masks conditionally We try to build the affinity mask via create_affinity_masks() unconditionally, which may lead to several issues: - the affinity mask is not used for a parent without affinity support (only VDUSE supports affinity now) - the logic of create_affinity_masks() might not work for devices other than block. For example, it’s not rare in networking devices for the number of queues to exceed the number of CPUs. Such a case breaks the current affinity logic, which is based on group_cpus_evenly(), which assumes the number of CPUs is not less than the number of groups. This can trigger a warning [1]: if (ret >= 0) WARN_ON(nr_present + nr_others < numgrps); Fix this by only building the affinity masks when - the driver passes an affinity descriptor; drivers like virtio-blk can make sure to limit the number of queues when it exceeds the number of CPUs - the parent supports the affinity setting config ops. This helps to avoid the warning. More optimizations could be done on top. [1] [ 682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0 [ 682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79 [ 682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [ 682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0 [ 682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 <0f> 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc [ 682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293 [ 682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000 [ 682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030 [ 682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0 [ 682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800 [ 682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041 [ 682.146692] FS: 00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000 [ 682.146695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0 [ 682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 682.146701] Call Trace: [ 682.146703] <TASK> [ 682.146705] ? __warn+0x7b/0x130 [ 682.146709] ? group_cpus_evenly+0x1aa/0x1c0 [ 682.146712] ? report_bug+0x1c8/0x1e0 [ 682.146717] ? handle_bug+0x3c/0x70 [ 682.146721] ? exc_invalid_op+0x14/0x70 [ 682.146723] ? asm_exc_invalid_op+0x16/0x20 [ 682.146727] ? group_cpus_evenly+0x1aa/0x1c0 [ 682.146729] ? group_cpus_evenly+0x15c/0x1c0 [ 682.146731] create_affinity_masks+0xaf/0x1a0 [ 682.146735] virtio_vdpa_find_vqs+0x83/0x1d0 [ 682.146738] ? __pfx_default_calc_sets+0x10/0x10 [ 682.146742] virtnet_find_vqs+0x1f0/0x370 [ 682.146747] virtnet_probe+0x501/0xcd0 [ 682.146749] ? vp_modern_get_status+0x12/0x20 [ 682.146751] ? get_cap_addr.isra.0+0x10/0xc0 [ 682.146754] virtio_dev_probe+0x1af/0x260 [ 682.146759] really_probe+0x1a5/0x410 | 2025-12-24 | not yet calculated | CVE-2023-54008 | https://git.kernel.org/stable/c/5f2592243ccd5bb5341f59be409ccfdd586841f3 https://git.kernel.org/stable/c/628b53fc66ca1910a3cb53c3c7e44e59750c3668 https://git.kernel.org/stable/c/ae15aceaa98ad9499763923f7890e345d9f46b60 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path The cdns_i2c_master_xfer() function gets a runtime PM reference when the function is entered. This reference is released when the function is exited. There is currently one error path where the function exits directly, which leads to a leak of the runtime PM reference. Make sure that this error path also releases the runtime PM reference. | 2025-12-24 | not yet calculated | CVE-2023-54009 | https://git.kernel.org/stable/c/fd7bf900c3215c77f6d779d1532faa22b79f2430 https://git.kernel.org/stable/c/2d65599ad1e4f195bbb80752cd5cbc2f1a018dba https://git.kernel.org/stable/c/a712b5a95270e62209f5c2201c774f708f75234e https://git.kernel.org/stable/c/d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44 https://git.kernel.org/stable/c/5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa https://git.kernel.org/stable/c/ae1664f04f504a998737f5bb563f16b44357bcca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4 ACPI_ALLOCATE_ZEROED may fail; object_info might then be null and will cause a null pointer dereference later. | 2025-12-24 | not yet calculated | CVE-2023-54010 | https://git.kernel.org/stable/c/c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968 https://git.kernel.org/stable/c/35d67ffad6f5d78dbd800d354f5334c7b71a19e0 https://git.kernel.org/stable/c/c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88 https://git.kernel.org/stable/c/978e0d05547ae707d51a942fc7e85a34e181ee6f https://git.kernel.org/stable/c/d997c920a5305b37f0b8a40501b5aca10d099ecd https://git.kernel.org/stable/c/fee6133490091492dc66bcf71479bd53bd17a7d2 https://git.kernel.org/stable/c/ed2e1e85644ca3d351324e9927a538c8af4df654 https://git.kernel.org/stable/c/ae5a0eccc85fc960834dd66e3befc2728284b86c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix an issue found by KASAN Write only correct size (32 instead of 64 bytes). | 2025-12-24 | not yet calculated | CVE-2023-54011 | https://git.kernel.org/stable/c/abfe73c16b295f2213e9bfc0a1df232056032448 https://git.kernel.org/stable/c/c8755f913a2fc9c168d108ea8c5af04716e8c4a5 https://git.kernel.org/stable/c/ae7d45f5283d30274039b95d3e6d53d33c66e991 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix stack overflow when LRO is disabled for virtual interfaces When a virtual interface’s feature is updated, it synchronizes the updated feature to its own lower interfaces. This propagation logic should work as an iteration, not recursively, but it unexpectedly works recursively due to the netdev notification. This problem occurs only when LRO is disabled for the team and bonding interface types. Topology: team0 is the upper interface; team1, team2, team3, ..., team200 are its lower interfaces. If team0’s LRO feature is updated, it generates the NETDEV_FEAT_CHANGE event for its own lower interfaces (team1 ~ team200). This is handled by netdev_sync_lower_features(), so the NETDEV_FEAT_CHANGE notification logic of each lower interface works iteratively. But the generated NETDEV_FEAT_CHANGE event is also sent to the upper interface. The upper interface (team0) then generates the NETDEV_FEAT_CHANGE event for its own lower interfaces again. Lower and upper interfaces receive this event and generate it again and again, so the stack overflow occurs. It is not an infinite loop issue, because netdev_sync_lower_features() updates features before generating the NETDEV_FEAT_CHANGE event, and already synchronized lower interfaces skip the notification logic. So the problem is just that the iteration logic is unexpectedly turned into recursion by the notification mechanism. Reproducer: `ip link add team0 type team; ethtool -K team0 lro on; for i in {1..200}; do ip link add team$i master team0 type team; ethtool -K team$i lro on; done; ethtool -K team0 lro off` In order to fix it, the notifier_ctx member of bonding/team is introduced. | 2025-12-24 | not yet calculated | CVE-2023-54012 | https://git.kernel.org/stable/c/9ea0c5f90a27b5b884d880e146e0f65f3052e401 https://git.kernel.org/stable/c/4bb955c4d2830a58c08e2a48ab75d75368e3ff36 https://git.kernel.org/stable/c/cf3b5cd7127cc10c5b12400c545f263f0e5e715c https://git.kernel.org/stable/c/ed66e6327a69fec95034cda2ac5b6a57b8b3b622 https://git.kernel.org/stable/c/6bf00bb3dc7e5b9fb05488e11616e65d64e975fa https://git.kernel.org/stable/c/ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: interconnect: Fix locking for runpm vs reclaim For cases where icc_bw_set() can be called in callpaths that could deadlock against shrinker/reclaim, such as runpm resume, we need to decouple the icc locking. Introduce a new icc_bw_lock for cases where we need to serialize bw aggregation and update, to decouple that from paths that require memory allocation such as node/link creation/destruction. Fixes this lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 6.2.0-rc8-debug+ #554 Not tainted ------------------------------------------------------ ring0/132 is trying to acquire lock: ffffff80871916d0 (&gmu->lock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234 but task is already holding lock: ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (dma_fence_map){++++}-{0:0}: __dma_fence_might_wait+0x74/0xc0 dma_resv_lockdep+0x1f4/0x2f4 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x80/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 topology_parse_cpu_capacity+0x8c/0x178 get_cpu_for_node+0x88/0xc4 parse_cluster+0x1b0/0x28c parse_cluster+0x8c/0x28c init_cpu_topology+0x168/0x188 smp_prepare_cpus+0x24/0xf8 kernel_init_freeable+0x18c/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #2 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire+0x3c/0x48 fs_reclaim_acquire+0x54/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 kzalloc.constprop.0+0x14/0x20 icc_node_create_nolock+0x4c/0xc4 icc_node_create+0x38/0x58 qcom_icc_rpmh_probe+0x1b8/0x248 platform_probe+0x70/0xc4 really_probe+0x158/0x290 __driver_probe_device+0xc8/0xe0 driver_probe_device+0x44/0x100 __driver_attach+0xf8/0x108 bus_for_each_dev+0x78/0xc4 driver_attach+0x2c/0x38 bus_add_driver+0xd0/0x1d8 driver_register+0xbc/0xf8 __platform_driver_register+0x30/0x3c qnoc_driver_init+0x24/0x30 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #1 (icc_lock){+.+.}-{3:3}: __mutex_lock+0xcc/0x3c8 mutex_lock_nested+0x30/0x44 icc_set_bw+0x88/0x2b4 _set_opp_bw+0x8c/0xd8 _set_opp+0x19c/0x300 dev_pm_opp_set_opp+0x84/0x94 a6xx_gmu_resume+0x18c/0x804 a6xx_pm_resume+0xf8/0x234 adreno_runtime_resume+0x2c/0x38 pm_generic_runtime_resume+0x30/0x44 __rpm_callback+0x15c/0x174 rpm_callback+0x78/0x7c rpm_resume+0x318/0x524 __pm_runtime_resume+0x78/0xbc adreno_load_gpu+0xc4/0x17c msm_open+0x50/0x120 drm_file_alloc+0x17c/0x228 drm_open_helper+0x74/0x118 drm_open+0xa0/0x144 drm_stub_open+0xd4/0xe4 chrdev_open+0x1b8/0x1e4 do_dentry_open+0x2f8/0x38c vfs_open+0x34/0x40 path_openat+0x64c/0x7b4 do_filp_open+0x54/0xc4 do_sys_openat2+0x9c/0x100 do_sys_open+0x50/0x7c __arm64_sys_openat+0x28/0x34 invoke_syscall+0x8c/0x128 el0_svc_common.constprop.0+0xa0/0x11c do_el0_ ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54013 | https://git.kernel.org/stable/c/2f3a124696d43de3c837f87a9f767c56ee86cf2a https://git.kernel.org/stable/c/af42269c3523492d71ebbe11fefae2653e9cdc78 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() Klocwork reported warning of rport maybe NULL and will be dereferenced. rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced. Check valid rport returned by fc_bsg_to_rport(). | 2025-12-24 | not yet calculated | CVE-2023-54014 | https://git.kernel.org/stable/c/f35bd94b4e11c41de90cd0fa72c9062e8196822f https://git.kernel.org/stable/c/ccd3bc595bda67db5a347b9050c2df28f292d3fb https://git.kernel.org/stable/c/1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639 https://git.kernel.org/stable/c/921d6844625527a92d1178262a633cc88a8e61bd https://git.kernel.org/stable/c/1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf https://git.kernel.org/stable/c/e466930717ef18c112585a39fc6174d8eb441df5 https://git.kernel.org/stable/c/ced5460eae772e847debbc0b65ef93aedab92d3f https://git.kernel.org/stable/c/af73f23a27206ffb3c477cac75b5fcf03410556e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device In case devcom allocation is failed, mlx5 is always freeing the priv. However, this priv might have been allocated by a different thread, and freeing it might lead to use-after-free bugs. Fix it by freeing the priv only in case it was allocated by the running thread. | 2025-12-24 | not yet calculated | CVE-2023-54015 | https://git.kernel.org/stable/c/3dfc1004d9afbf689087ae1eafd88f55481984c7 https://git.kernel.org/stable/c/d4d10a6df1529b3f446cdada5c25e065f4712756 https://git.kernel.org/stable/c/1e755065368000205e6683fa924b2654e99f573b https://git.kernel.org/stable/c/eaa365c10459052cbe3e44caa4ad760cb93bd435 https://git.kernel.org/stable/c/a3a516caef2c5be2f4d171890a8b3415bfab4e5e https://git.kernel.org/stable/c/af87194352cad882d787d06fb7efa714acd95427 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix memory leak in rx_desc and tx_desc Currently when ath12k_dp_cc_desc_init() is called we allocate memory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during descriptor cleanup rx_descs and tx_descs memory is not freed. This is cause of memory leak. These allocated memory should be freed in ath12k_dp_cc_cleanup. In ath12k_dp_cc_desc_init(), we can save base address of rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and tx_descs memory using their base address. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 | 2025-12-24 | not yet calculated | CVE-2023-54016 | https://git.kernel.org/stable/c/e16be2d34883eecfe7fd888fcdb76c7a5db5d187 https://git.kernel.org/stable/c/afb522b36e76acaa9f8fc06d0a9742d841c47c16 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: fix possible memory leak in ibmebus_bus_init() If device_register() returns error in ibmebus_bus_init(), name of kobject which is allocated in dev_set_name() called in device_add() is leaked. As comment of device_add() says, it should call put_device() to drop the reference count that was set in device_initialize() when it fails, so the name can be freed in kobject_cleanup(). | 2025-12-24 | not yet calculated | CVE-2023-54017 | https://git.kernel.org/stable/c/e4ff88548defafb1ef84facd9856ec252da7b008 https://git.kernel.org/stable/c/3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c https://git.kernel.org/stable/c/7ffe14fce7425c32e735bdc44bce425f18976a49 https://git.kernel.org/stable/c/9f3b2b666833ebef6d0ce5a40e189f38e70342a1 https://git.kernel.org/stable/c/d35e7ae10eb8917883da2a0b1823c620a1be42d6 https://git.kernel.org/stable/c/96f27ff732208dce6468016e7a7d5032bd1bfc23 https://git.kernel.org/stable/c/ebd8dc974fcc59e2851a0d89ee7935b55142dc8e https://git.kernel.org/stable/c/afda85b963c12947e298ad85d757e333aa40fd74 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/hdmi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue as it may return NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and `hdmi_hpd.c`. Patchwork: https://patchwork.freedesktop.org/patch/517211/ | 2025-12-24 | not yet calculated | CVE-2023-54018 | https://git.kernel.org/stable/c/b479485b24da1d572a0ce875537af31b02d2f915 https://git.kernel.org/stable/c/392f7eb3946ab3780b931af723033e19f82c9134 https://git.kernel.org/stable/c/fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09 https://git.kernel.org/stable/c/1bab31a0969ca4ac90907a5d3b44af104229eafd https://git.kernel.org/stable/c/9a01ecc312e764ec4527ad49105a3ca799f1860c https://git.kernel.org/stable/c/e55f93d674314f2fb69eba0dc24acfdf72805611 https://git.kernel.org/stable/c/ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f https://git.kernel.org/stable/c/afe4cb96153a0d8003e4e4ebd91b5c543e10df84 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sched/psi: use kernfs polling functions for PSI trigger polling Destroying psi trigger in cgroup_file_release causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroup_file_release while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer: do_select vfs_poll do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy wake_up_pollfree(&t->event_wait) // vfs_poll is unblocked synchronize_rcu kfree(t) poll_freewait -> UAF access to the trigger’s waitqueue head Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger’s waitqueue and of the file associated with the trigger are different. Fix this by using kernfs_generic_poll function when polling on cgroup-specific psi triggers. It internally uses kernfs_open_node->poll waitqueue head with its lifecycle tied to the file’s lifecycle. This also renders the fix in [1] obsolete, so revert it. [1] commit c2dbe32d5db5 (“sched/psi: Fix use-after-free in ep_remove_wait_queue()”) | 2025-12-24 | not yet calculated | CVE-2023-54019 | https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: sf-pdma: pdma_desc memory leak fix Commit b2cc5c465c2c (“dmaengine: sf-pdma: Add multithread support for a DMA channel”) changed sf_pdma_prep_dma_memcpy() to unconditionally allocate a new sf_pdma_desc each time it is called. The driver previously recycled descs, by checking the in_use flag, only allocating additional descs if the existing one was in use. This logic was removed in commit b2cc5c465c2c (“dmaengine: sf-pdma: Add multithread support for a DMA channel”), but sf_pdma_free_desc() was not changed to handle the new behaviour. As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous descriptor is leaked, over time leading to memory starvation: unreferenced object 0xffffffe008447300 (size 192): comm “irq/39-mchp_dsc”, pid 343, jiffies 4294906910 (age 981.200s) hex dump (first 32 bytes): 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................ 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p............. backtrace: [<00000000064a04f4>] kmemleak_alloc+0x1e/0x28 [<00000000018927a7>] kmem_cache_alloc+0x11e/0x178 [<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112 Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant in_use flag. | 2025-12-24 | not yet calculated | CVE-2023-54020 | https://git.kernel.org/stable/c/ad222c9af25e3f074c180e389b3477dce42afc4f https://git.kernel.org/stable/c/03fece43fa109beba7cc9948c02f5e2d1205d607 https://git.kernel.org/stable/c/8bd5040bd43f2b5ba3c898b09a3197a0c7ace126 https://git.kernel.org/stable/c/b02e07015a5ac7bbc029da931ae17914b8ae0339 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: set goal start correctly in ext4_mb_normalize_request We need to set ac_g_ex to notify the goal start used in ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in ext4_mb_normalize_request. Besides we should assure goal start is in range [first_data_block, blocks_count) as ext4_mb_initialize_context does. [ Added a check to make sure size is less than ar->pright; otherwise we could end up passing an underflowed value of ar->pright – size to ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on. – TYT ] | 2025-12-24 | not yet calculated | CVE-2023-54021 | https://git.kernel.org/stable/c/2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530 https://git.kernel.org/stable/c/390eee955d4de4662db5e3e9e9a9eae020432cb7 https://git.kernel.org/stable/c/cee78217a7ae72d11c2e21e1a5263b8044489823 https://git.kernel.org/stable/c/3ca3005b502ca8ea87d6a344323b179b48c4e4a3 https://git.kernel.org/stable/c/bc4a3e1d07a86ae5845321d371190244acacb2f2 https://git.kernel.org/stable/c/c6bee8970075b256fc1b07bf4873049219380818 https://git.kernel.org/stable/c/abb330ffaa3a0ae7ce632e28c9260b461c01f19f https://git.kernel.org/stable/c/b07ffe6927c75d99af534d685282ea188d9f71a6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential memory leaks at error path for UMP open The allocation and initialization errors at alloc_midi_urbs() that is called at MIDI 2.0 / UMP device are supposed to be handled at the caller side by invoking free_midi_urbs(). However, free_midi_urbs() loops only for ep->num_urbs entries, and since ep->num_entries wasn’t updated yet at the allocation / init error in alloc_midi_urbs(), this entry won’t be released. The intention of free_midi_urbs() is to release the whole elements, so change the loop size to NUM_URBS to scan over all elements for fixing the missed releases. Also, the call of free_midi_urbs() is missing at snd_usb_midi_v2_open(). Although it’ll be released later at reopen/close or disconnection, it’s better to release immediately at the error path. | 2025-12-24 | not yet calculated | CVE-2023-54022 | https://git.kernel.org/stable/c/f819b343aa95d24d5f7d6e06660c7f62591abc5f https://git.kernel.org/stable/c/b1757fa30ef14f254f4719bf6f7d54a4c8207216 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between balance and cancel/pause Syzbot reported a panic that looks like this: assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 ————[ cut here ]———— kernel BUG at fs/btrfs/messages.c:259! RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 Call Trace: <TASK> btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The reproducer is running a balance and a cancel or pause in parallel. The way balance finishes is a bit wonky, if we were paused we need to save the balance_ctl in the fs_info, but clear it otherwise and cleanup. However we rely on the return values being specific errors, or having a cancel request or no pause request. If balance completes and returns 0, but we have a pause or cancel request we won’t do the appropriate cleanup, and then the next time we try to start a balance we’ll trip this ASSERT. The error handling is just wrong here, we always want to clean up, unless we got -ECANCELLED and we set the appropriate pause flag in the exclusive op. With this patch the reproducer ran for an hour without tripping, previously it would trip in less than a few minutes. | 2025-12-24 | not yet calculated | CVE-2023-54023 | https://git.kernel.org/stable/c/ddf7e8984c83aee9122552529f4e77291903f8d9 https://git.kernel.org/stable/c/72efe5d44821e38540888a5fe3ff3d0faab6acad https://git.kernel.org/stable/c/b19c98f237cd76981aaded52c258ce93f7daa8cb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: Destroy target device if coalesced MMIO unregistration fails Destroy and free the target coalesced MMIO device if unregistering said device fails. As clearly noted in the code, kvm_io_bus_unregister_dev() does not destroy the target device. BUG: memory leak unreferenced object 0xffff888112a54880 (size 64): comm “syz-executor.2”, pid 5258, jiffies 4297861402 (age 14.129s) hex dump (first 32 bytes): 38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff 8.g.....8.g..... e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff .........0g..... backtrace: [<0000000006995a8a>] kmalloc include/linux/slab.h:556 [inline] [<0000000006995a8a>] kzalloc include/linux/slab.h:690 [inline] [<0000000006995a8a>] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150 [<00000000022550c2>] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323 [<000000008a75102f>] vfs_ioctl fs/ioctl.c:46 [inline] [<000000008a75102f>] file_ioctl fs/ioctl.c:509 [inline] [<000000008a75102f>] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696 [<0000000080e3f669>] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713 [<0000000059ef4888>] __do_sys_ioctl fs/ioctl.c:720 [inline] [<0000000059ef4888>] __se_sys_ioctl fs/ioctl.c:718 [inline] [<0000000059ef4888>] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718 [<000000006444fa05>] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290 [<000000009a4ed50b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe BUG: leak checking failed | 2025-12-24 | not yet calculated | CVE-2023-54024 | https://git.kernel.org/stable/c/10c2a20d73e99463e69b7e92706791656adc16d7 https://git.kernel.org/stable/c/76a9886e1b61ce5592df5ae78a19ed30399ae189 https://git.kernel.org/stable/c/999439fd5da5a76253e2f2c37b94204f47d75491 https://git.kernel.org/stable/c/ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066 https://git.kernel.org/stable/c/fb436dd6914325075f07d19851ab277b7a693ae7 https://git.kernel.org/stable/c/b1cb1fac22abf102ffeb29dd3eeca208a3869d54 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled In case WoWlan was never configured during the operation of the system, the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks whether wowlan_config is non-NULL and if it is not, then WARNs about it. The warning is valid, as during normal operation the rsi_config_wowlan() should only ever be called with non-NULL wowlan_config. In shutdown this rsi_config_wowlan() should only ever be called if WoWlan was configured before by the user. Add checks for non-NULL wowlan_config into the shutdown hook. While at it, check whether the wiphy is also non-NULL before accessing wowlan_config. Drop the single-use wowlan_config variable, just inline it into the function call. | 2025-12-24 | not yet calculated | CVE-2023-54025 | https://git.kernel.org/stable/c/b2aeb97fd470206e67f7b3b4a3e68212a13f747b https://git.kernel.org/stable/c/4391fa180856ff84a2cef4a92694a689eebb855e https://git.kernel.org/stable/c/eb205a06908122f50b1dd1baa43f7c8036bfc7dc https://git.kernel.org/stable/c/1b51236aa49a0564280bd45c94118cab6d9b0fbd https://git.kernel.org/stable/c/b601468539c1d97539097bfc87ad11f1704b7eb7 https://git.kernel.org/stable/c/b241e260820b68c09586e8a0ae0fc23c0e3215bd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: opp: Fix use-after-free in lazy_opp_tables after probe deferral When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns -EPROBE_DEFER, the opp_table is freed again, to wait until all the interconnect paths are available. However, if the OPP table is using required-opps then it may already have been added to the global lazy_opp_tables list. The error path does not remove the opp_table from the list again. This can cause crashes later when the provider of the required-opps is added, since we will iterate over OPP tables that have already been freed. E.g.: Unable to handle kernel NULL pointer dereference when read CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3 PC is at _of_add_opp_table_v2 (include/linux/of.h:949 drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404 drivers/opp/of.c:1032) -> lazy_link_required_opp_table() Fix this by calling _of_clear_opp_table() to remove the opp_table from the list and clear other allocated resources. While at it, also add the missing mutex_destroy() calls in the error path. | 2025-12-24 | not yet calculated | CVE-2023-54026 | https://git.kernel.org/stable/c/39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc https://git.kernel.org/stable/c/76ab057de777723ec924654502d1a260ba7d7d54 https://git.kernel.org/stable/c/c05e76d6b249e5254c31994eedd06dd3cc90dee0 https://git.kernel.org/stable/c/b2a2ab039bd58f51355e33d7d3fc64605d7f870d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iio: core: Prevent invalid memory access when there is no parent Commit 813665564b3d (“iio: core: Convert to use firmware node handle instead of OF node”) switched the kind of nodes to use for label retrieval in device registration. Probably an unwanted change in that commit was that if the device has no parent then NULL pointer is accessed. This is what happens in the stock IIO dummy driver when a new entry is created in configfs: # mkdir /sys/kernel/config/iio/devices/dummy/foo BUG: kernel NULL pointer dereference, address: … … Call Trace: __iio_device_register iio_dummy_probe Since there seems to be no reason to make a parent device of an IIO dummy device mandatory, let’s prevent the invalid memory access in __iio_device_register when the parent device is NULL. With this change, the IIO dummy driver works fine with configfs. | 2025-12-24 | not yet calculated | CVE-2023-54027 | https://git.kernel.org/stable/c/312f04ede209f0a186799fe8e64a19b49700d5dc https://git.kernel.org/stable/c/a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97 https://git.kernel.org/stable/c/b2a69969908fcaf68596dfc04369af0fe2e1d2f7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the error “trying to register non-static key in rxe_cleanup_task” In the function rxe_create_qp(), rxe_qp_from_init() is called to initialize the qp; internally, things like rxe_init_task are not set up until rxe_qp_init_req(). If an error occurred before this point then the unwind will call rxe_cleanup() and eventually rxe_qp_do_cleanup()/rxe_cleanup_task(), which will oops when trying to access the uninitialized spinlock. If rxe_init_task is not executed, rxe_cleanup_task will not be called. | 2025-12-24 | not yet calculated | CVE-2023-54028 | https://git.kernel.org/stable/c/3236221bb8e4de8e3d0c8385f634064fb26b8e38 https://git.kernel.org/stable/c/c8473cd5b301279a41dc75e5afb26b3d5223b6c7 https://git.kernel.org/stable/c/0d938264fcfe4927e54f0e519da05af1d5d720b4 https://git.kernel.org/stable/c/b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO For MLO, we cannot use vif->bss_conf.chandef.chan->band, since that will lead to a NULL-ptr dereference as bss_conf isn’t used. However, in case of real MLO, we also need to take both LMACs into account if they exist, since the station might be active on both LMACs at the same time. | 2025-12-24 | not yet calculated | CVE-2023-54029 | https://git.kernel.org/stable/c/63e2d06adf6b0842132ba89efdf8fada5f7ff1ac https://git.kernel.org/stable/c/4489aa868bc6343afdaf5ef324af5b1f64962b25 https://git.kernel.org/stable/c/b2bc600cced23762d4e97db8989b18772145604f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/net: don’t overflow multishot recv Don’t allow overflowing multishot recv CQEs, it might get out of hand, hurt performance, and in the worst case scenario OOM the task. | 2025-12-24 | not yet calculated | CVE-2023-54030 | https://git.kernel.org/stable/c/1e2db9837be7d24a2a74eb3f3906d0872bee8907 https://git.kernel.org/stable/c/b2e74db55dd93d6db22a813c9a775b5dbf87c560 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa_nl_ops. That is to say, the missing part in vdpa_nl_policy may lead to illegal nlattr after parsing, which could lead to OOB read just like CVE-2023-3773. This patch adds the missing nla_policy for vdpa queue index attr to avoid such bugs. | 2025-12-24 | not yet calculated | CVE-2023-54031 | https://git.kernel.org/stable/c/8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70 https://git.kernel.org/stable/c/ccb533b7070aeeb65c66ea5d590e9c62421dcd61 https://git.kernel.org/stable/c/b3003e1b54e057f5f3124e437b80c3bef26ed3fe |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting quota root from the dirty cow roots list When disabling quotas we are deleting the quota root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there’s another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the quota root from that list. | 2025-12-24 | not yet calculated | CVE-2023-54032 | https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7 https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02 https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032 https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3 https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps The LRU and LRU_PERCPU maps allocate a new element on update before locking the target hash table bucket. Right after that the maps try to lock the bucket. If this fails, then maps return -EBUSY to the caller without releasing the allocated element. This makes the element untracked: it doesn’t belong to either of free lists, and it doesn’t belong to the hash table, so can’t be re-used; this eventually leads to the permanent -ENOMEM on LRU map updates, which is unexpected. Fix this by returning the element to the local free list if bucket locking fails. | 2025-12-24 | not yet calculated | CVE-2023-54033 | https://git.kernel.org/stable/c/79ea1a12fb9a8275b6e19d4ca625dd872dedcbb9 https://git.kernel.org/stable/c/1a9e80f757bbb1562d82e350afce2bb2f712cc3d https://git.kernel.org/stable/c/965e9cccbe6b9c7b379908cebcb5e3a47f20dd5e https://git.kernel.org/stable/c/b34ffb0c6d23583830f9327864b9c1f486003305 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Make sure to zero vfio_iommu_type1_info before copying to user Missed a zero initialization here. Most of the struct is filled with a copy_from_user(), however minsz for that copy is smaller than the actual struct by 8 bytes, thus we don’t fill the padding. | 2025-12-24 | not yet calculated | CVE-2023-54034 | https://git.kernel.org/stable/c/7adcec686e4d699c169d34c722132b2bce5232cb https://git.kernel.org/stable/c/b3551ead616318ea155558cdbe7e91495b8d9b33 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix underflow in chain reference counter Set element addition error path decrements reference counter on chains twice: once on element release and again via nft_data_release(). Then, d6b478666ffa (“netfilter: nf_tables: fix underflow in object reference counter”) incorrectly fixed this by removing the stateful object reference count decrement. Restore the stateful object decrement as in b91d90368837 (“netfilter: nf_tables: fix leaking object reference count”) and let nft_data_release() decrement the chain reference counter, so this is done only once. | 2025-12-24 | not yet calculated | CVE-2023-54035 | https://git.kernel.org/stable/c/b068314fd8ce751a7f906e55bb90f3551815f1a0 https://git.kernel.org/stable/c/9c959671abc7d4ffdf34eed10c64492d43cb6a3c https://git.kernel.org/stable/c/b389139f12f287b8ed2e2628b72df89a081f0b59 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?) when it’s connected to a bluetooth audio device. The busy bluetooth traffic generates lots of C2H (card to host) messages, which are not freed correctly. To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback() inside the loop where skb_dequeue() is called. The RTL8192EU leaks memory because the C2H messages are added to the queue and left there forever. (This was fine in the past because it probably wasn’t sending any C2H messages until commit e542e66b7c2e (“wifi: rtl8xxxu: gen2: Turn on the rate control”). Since that commit it sends a C2H message when the TX rate changes.) To fix this, delete the check for rf_paths > 1 and the goto. Let the function process the C2H messages from RTL8192EU like the ones from the other chips. Theoretically the RTL8188FU could also leak like RTL8723BU, but it most likely doesn’t send C2H messages frequently enough. This change was tested with RTL8723BU by Erhard F. I tested it with RTL8188FU and RTL8192EU. | 2025-12-24 | not yet calculated | CVE-2023-54036 | https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83 https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78 https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65 https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ice: prevent NULL pointer deref during reload Calling ethtool during reload can lead to a call trace, because the VSI isn’t configured for some time but the netdev is alive. To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors to 0 after freeing and add a check for ::tx/rx_rings in ring related ethtool ops. Add proper unroll of filters in ice_start_eth(). Reproduction: $watch -n 0.1 -d ‘ethtool -g enp24s0f0np0’ $devlink dev reload pci/0000:18:00.0 action driver_reinit Call trace before fix: [66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000 [66303.926259] #PF: supervisor read access in kernel mode [66303.926286] #PF: error_code(0x0000) – not-present page [66303.926311] PGD 0 P4D 0 [66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI [66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1 [66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018 [66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice] [66303.927075] Call Trace: [66303.927094] <TASK> [66303.927111] ? __die+0x23/0x70 [66303.927140] ? page_fault_oops+0x171/0x4e0 [66303.927176] ? exc_page_fault+0x7f/0x180 [66303.927209] ? asm_exc_page_fault+0x26/0x30 [66303.927244] ? ice_get_ringparam+0x22/0x50 [ice] [66303.927433] rings_prepare_data+0x62/0x80 [66303.927469] ethnl_default_doit+0xe2/0x350 [66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140 [66303.927538] genl_rcv_msg+0x1b1/0x2c0 [66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10 [66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10 [66303.927615] netlink_rcv_skb+0x58/0x110 [66303.927644] genl_rcv+0x28/0x40 [66303.927665] netlink_unicast+0x19e/0x290 [66303.927691] netlink_sendmsg+0x254/0x4d0 [66303.927717] sock_sendmsg+0x93/0xa0 [66303.927743] __sys_sendto+0x126/0x170 [66303.927780] __x64_sys_sendto+0x24/0x30 [66303.928593] do_syscall_64+0x5d/0x90 [66303.929370] ? __count_memcg_events+0x60/0xa0 [66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30 [66303.930920] ? handle_mm_fault+0x9e/0x350 [66303.931688] ? do_user_addr_fault+0x258/0x740 [66303.932452] ? exc_page_fault+0x7f/0x180 [66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc | 2025-12-24 | not yet calculated | CVE-2023-54037 | https://git.kernel.org/stable/c/ca03b327224ed6be2d07f42ee6ee1cdd586cfd5b https://git.kernel.org/stable/c/b3e7b3a6ee92ab927f750a6b19615ce88ece808f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link hci_connect_sco currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL). sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller. The same issue exists for iso_connect_cis() calling hci_connect_cis(). Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL. | 2025-12-24 | not yet calculated | CVE-2023-54038 | https://git.kernel.org/stable/c/357ab53c83a5322437fa434e9a9e3e0bafe6b383 https://git.kernel.org/stable/c/b4066eb04bb67e7ff66e5aaab0db4a753f37eaad |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access could occur during the memcpy() operation if the size of skb->cb is larger than the size of struct j1939_sk_buff_cb. This is because the memcpy() operation uses the size of skb->cb, leading to a read beyond the struct j1939_sk_buff_cb. Updated the memcpy() operation to use the size of struct j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the memcpy() operation only reads the memory within the bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory access. Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb. This ensures that the skb->cb buffer is large enough to hold the j1939_sk_buff_cb structure. [mkl: rephrase commit message] | 2025-12-24 | not yet calculated | CVE-2023-54039 | https://git.kernel.org/stable/c/d2136f05690c272dfc9f9d6efcc51d5f53494b33 https://git.kernel.org/stable/c/70caa596d158a5d84b117f722d58f3ea503a5ba9 https://git.kernel.org/stable/c/4fe1d9b6231a68ffc91318f57fd8e4982f028cf7 https://git.kernel.org/stable/c/4c3fb22a6ec68258ee129a2e6b720f43dffc562f https://git.kernel.org/stable/c/36befc9aed6202b4a9b906529aea13eacd7e34ff https://git.kernel.org/stable/c/b45193cb4df556fe6251b285a5ce44046dd36b4a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix wrong fallback logic for FDIR When adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure, the inserted fdir entry will not be removed, and if ice_vc_fdir_write_fltr returns failure, the fdir context info for the irq handler will not be cleared, which may lead to inconsistency or a memory leak. This patch refines the failure cases to resolve this issue. | 2025-12-24 | not yet calculated | CVE-2023-54040 | https://git.kernel.org/stable/c/391d28c0e38c0e5b11a4240a2b4976cf63e87f45 https://git.kernel.org/stable/c/aad3b871efe26f36f45f8b4649653b5d3fd9c35e https://git.kernel.org/stable/c/cbfed5f114b5310f221979fc8190f55c6abc3400 https://git.kernel.org/stable/c/b4a01ace20f5c93c724abffc0a83ec84f514b98d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix memory leak when removing provided buffers When removing provided buffers, io_buffer structs are not being disposed of, leading to a memory leak. They can’t be freed individually, because they are allocated in page-sized groups. They need to be added to some free list instead, such as io_buffers_cache. All callers already hold the lock protecting it, apart from when destroying buffers, so had to extend the lock there. | 2025-12-24 | not yet calculated | CVE-2023-54041 | https://git.kernel.org/stable/c/ac48787f58d1068f4e06d627c1135784d64b4c72 https://git.kernel.org/stable/c/c117c15927772d1624c29c092b6bd3f47c7faa48 https://git.kernel.org/stable/c/b4a72c0589fdea6259720375426179888969d6a2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix VAS mm use after free The refcount on mm is dropped before the coprocessor is detached. | 2025-12-24 | not yet calculated | CVE-2023-54042 | https://git.kernel.org/stable/c/f7d92313002b2d543500cc417d8079aaed1fb0a8 https://git.kernel.org/stable/c/4e82f92c349ea603736ade1e814861c0182a55ad https://git.kernel.org/stable/c/db8657fdd53c5e3069149d7f957cb60e63027bb2 https://git.kernel.org/stable/c/421cd1544480f2458042fe7f4913a2069c4d7251 https://git.kernel.org/stable/c/b4bda59b47879cce38a6ec5a01cd3cac702b5331 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Do not add the same hwpt to the ioas->hwpt_list twice The hwpt is added to the hwpt_list only during its creation, it is never added again. This hunk is some missed leftover from rework. Adding it twice will corrupt the linked list in some cases. It affects HWPT-specific attachment, which is something the test suite cannot cover until we can create a legitimate struct device with a non-system iommu “driver” (ie we need the bus removed from the iommu code) | 2025-12-24 | not yet calculated | CVE-2023-54043 | https://git.kernel.org/stable/c/c44adefdcf472f946f0632f4e0ddcbf3e00b8516 https://git.kernel.org/stable/c/b4ff830eca097df51af10a9be29e8cc817327919 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: spmi: Add a check for remove callback when removing a SPMI driver When removing a SPMI driver, there can be a crash due to NULL pointer dereference if it does not have a remove callback defined. This is one such call trace observed when removing the QCOM SPMI PMIC driver: dump_backtrace.cfi_jt+0x0/0x8 dump_stack_lvl+0xd8/0x16c panic+0x188/0x498 __cfi_slowpath+0x0/0x214 __cfi_slowpath+0x1dc/0x214 spmi_drv_remove+0x16c/0x1e0 device_release_driver_internal+0x468/0x79c driver_detach+0x11c/0x1a0 bus_remove_driver+0xc4/0x124 driver_unregister+0x58/0x84 cleanup_module+0x1c/0xc24 [qcom_spmi_pmic] __do_sys_delete_module+0x3ec/0x53c __arm64_sys_delete_module+0x18/0x28 el0_svc_common+0xdc/0x294 el0_svc+0x38/0x9c el0_sync_handler+0x8c/0xf0 el0_sync+0x1b4/0x1c0 If a driver has all its resources allocated through devm_() APIs and does not need any other explicit cleanup, it would not require a remove callback to be defined. Hence, add a check for remove callback presence before calling it when removing a SPMI driver. | 2025-12-24 | not yet calculated | CVE-2023-54044 | https://git.kernel.org/stable/c/b95a69214daea4aab1c8bad96571d988a62e2c97 https://git.kernel.org/stable/c/699949219e35fe29fd42ccf8cd92c989c3d15109 https://git.kernel.org/stable/c/54dda732225555dc6d660e95793c54a0a44b612c https://git.kernel.org/stable/c/c45ab3ab9c371c9ac22bbe1217e5abb2e55a3d4b https://git.kernel.org/stable/c/ee0b6146317a98bfec848d7bde5586beb245a38f https://git.kernel.org/stable/c/428cc252701d6864151f3a296ffc23e1e49a7408 https://git.kernel.org/stable/c/af763c29b9e7040fedd0077bca053b101438a3a4 https://git.kernel.org/stable/c/0f3ef30c1c05502f5de3b73b3715d5994845c1b4 https://git.kernel.org/stable/c/b56eef3e16d888883fefab47425036de80dd38fc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: audit: fix possible soft lockup in __audit_inode_child() Tracefs or debugfs may cause hundreds to thousands of PATH records, and too many PATH records may cause a soft lockup. For example: 1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n 2. auditctl -a exit,always -S open -k key 3. sysctl -w kernel.watchdog_thresh=5 4. mkdir /sys/kernel/debug/tracing/instances/test There may be a soft lockup as follows: watchdog: BUG: soft lockup – CPU#45 stuck for 7s! [mkdir:15498] Kernel panic – not syncing: softlockup: hung tasks Call trace: dump_backtrace+0x0/0x30c show_stack+0x20/0x30 dump_stack+0x11c/0x174 panic+0x27c/0x494 watchdog_timer_fn+0x2bc/0x390 __run_hrtimer+0x148/0x4fc __hrtimer_run_queues+0x154/0x210 hrtimer_interrupt+0x2c4/0x760 arch_timer_handler_phys+0x48/0x60 handle_percpu_devid_irq+0xe0/0x340 __handle_domain_irq+0xbc/0x130 gic_handle_irq+0x78/0x460 el1_irq+0xb8/0x140 __audit_inode_child+0x240/0x7bc tracefs_create_file+0x1b8/0x2a0 trace_create_file+0x18/0x50 event_create_dir+0x204/0x30c __trace_add_new_event+0xac/0x100 event_trace_add_tracer+0xa0/0x130 trace_array_create_dir+0x60/0x140 trace_array_create+0x1e0/0x370 instance_mkdir+0x90/0xd0 tracefs_syscall_mkdir+0x68/0xa0 vfs_mkdir+0x21c/0x34c do_mkdirat+0x1b4/0x1d4 __arm64_sys_mkdirat+0x4c/0x60 el0_svc_common.constprop.0+0xa8/0x240 do_el0_svc+0x8c/0xc0 el0_svc+0x20/0x30 el0_sync_handler+0xb0/0xb4 el0_sync+0x160/0x180 Therefore, we add cond_resched() to __audit_inode_child() to fix it. | 2025-12-24 | not yet calculated | CVE-2023-54045 | https://git.kernel.org/stable/c/d061e2bfc20f2914656385816e0d20566213c54c https://git.kernel.org/stable/c/1640c7bd4eddec6c72f3a99cbb74e333a2ce9f5d https://git.kernel.org/stable/c/f6364fa751d7486502c777f124a14d4d543fc5eb https://git.kernel.org/stable/c/98ef243d5900d75a64539a2165745bffbb155d43 https://git.kernel.org/stable/c/0152e7758cc4e9f8bfba8dbea4438d8e488d6c08 https://git.kernel.org/stable/c/9ca08adb75fb40a8f742c371927ee73f9dc753bf https://git.kernel.org/stable/c/8a40b491372966ba5426e138a53460985565d5a6 https://git.kernel.org/stable/c/8e76b944a7b9bddef190ffe2e29c9ae342ab91ed https://git.kernel.org/stable/c/b59bc6e37237e37eadf50cd5de369e913f524463 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: essiv – Handle EBUSY correctly As it is essiv only handles the special return value of EINPROGRESS, which means that in all other cases it will free data related to the request. However, as the caller of essiv may specify MAY_BACKLOG, we also need to expect EBUSY and treat it in the same way. Otherwise backlogged requests will trigger a use-after-free. | 2025-12-24 | not yet calculated | CVE-2023-54046 | https://git.kernel.org/stable/c/c61e7d182ee3f3f5ecf18a2964e303d49c539b52 https://git.kernel.org/stable/c/796e02cca30a67322161f0745e5ce994bbe75605 https://git.kernel.org/stable/c/840a1d3b77c1b062bd62b4733969a5b1efc274ce https://git.kernel.org/stable/c/a006aa3eedb8bfd6fe317c3cfe9c86ffe76b2385 https://git.kernel.org/stable/c/69c67d451fc19d88e54f7d97e8e7c093e08357e1 https://git.kernel.org/stable/c/b5a772adf45a32c68bef28e60621f12617161556 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: dw_hdmi: cleanup drm encoder during unbind This fixes a use-after-free crash during rmmod. The DRM encoder is embedded inside the larger rockchip_hdmi, which is allocated with the component. The component memory gets freed before the main drm device is destroyed. Fix it by running encoder cleanup before tearing down its container. [moved encoder cleanup above clk_disable, similar to bind-error-path] | 2025-12-24 | not yet calculated | CVE-2023-54047 | https://git.kernel.org/stable/c/110d4202522373d629d14597af9bac97eb58bd67 https://git.kernel.org/stable/c/218fe9b624545f4bcfb16cdb35ac3d60c8b0d8c7 https://git.kernel.org/stable/c/b5af48eedcb53491c02ded55d5991e03d6da6dbf |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Prevent handling any completions after qp destroy HW may generate completions that indicate the QP is destroyed. The driver should not be scheduling any more completion handlers for this QP after the QP is destroyed. Since CQs are active during the QP destroy, the driver may still schedule completion handlers. This can cause a race where destroy_cq and poll_cq run simultaneously. Snippet of kernel panic while doing bnxt_re driver load/unload in a loop. This indicates a poll after the CQ is freed. [77786.481636] Call Trace: [77786.481640] <TASK> [77786.481644] bnxt_re_poll_cq+0x14a/0x620 [bnxt_re] [77786.481658] ? kvm_clock_read+0x14/0x30 [77786.481693] __ib_process_cq+0x57/0x190 [ib_core] [77786.481728] ib_cq_poll_work+0x26/0x80 [ib_core] [77786.481761] process_one_work+0x1e5/0x3f0 [77786.481768] worker_thread+0x50/0x3a0 [77786.481785] ? __pfx_worker_thread+0x10/0x10 [77786.481790] kthread+0xe2/0x110 [77786.481794] ? __pfx_kthread+0x10/0x10 [77786.481797] ret_from_fork+0x2c/0x50 To avoid this, complete all completion handlers before returning from the destroy QP. If free_cq is called soon after destroy_qp, the IB stack will cancel the CQ work before invoking the destroy_cq verb, and this will prevent the race mentioned. | 2025-12-24 | not yet calculated | CVE-2023-54048 | https://git.kernel.org/stable/c/b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7 https://git.kernel.org/stable/c/b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba https://git.kernel.org/stable/c/7faa6097694164380ed19600c7a7993d071270b9 https://git.kernel.org/stable/c/b5bbc6551297447d3cca55cf907079e206e9cd82 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rpmsg: glink: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. | 2025-12-24 | not yet calculated | CVE-2023-54049 | https://git.kernel.org/stable/c/5197498c902502127a47abda5359dd7f1d41946f https://git.kernel.org/stable/c/13928a837e0f014dac0322dd9f8a67c486e7f232 https://git.kernel.org/stable/c/efa7f31669f04084ed5996ed467ba529f4c90467 https://git.kernel.org/stable/c/71ac2ffd7f80fdd350486f6645dc48456e55a59b https://git.kernel.org/stable/c/abd740db896b3c588dced175af98b95852c1854b https://git.kernel.org/stable/c/cae0787e408c30a575760a531ccb69a6b48bbfaf https://git.kernel.org/stable/c/174cf8853857c190a3c4f1f1d2d06cfd095fe859 https://git.kernel.org/stable/c/e3734a9558afac91df3c655a6f2376b9d14933b7 https://git.kernel.org/stable/c/b5c9ee8296a3760760c7b5d2e305f91412adc795 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix memleak when insert_old_idx() failed Following process will cause a memleak for copied up znode: dirty_cow_znode zn = copy_znode(c, znode); err = insert_old_idx(c, zbr->lnum, zbr->offs); if (unlikely(err)) return ERR_PTR(err); // No one refers to zn. Fetch a reproducer in [Link]. Function copy_znode() is split into 2 parts: resource allocation and znode replacement, insert_old_idx() is split in similar way, so resource cleanup could be done in error handling path without corrupting metadata(mem & disk). It’s okay that old index inserting is put behind of add_idx_dirt(), old index is used in layout_leb_in_gaps(), so the two processes do not depend on each other. | 2025-12-24 | not yet calculated | CVE-2023-54050 | https://git.kernel.org/stable/c/cc29c7216d7f057eb0613b97dc38c7e1962a88d2 https://git.kernel.org/stable/c/6f2eee5457bc48b0426dedfd78cdbdea241a6edb https://git.kernel.org/stable/c/66e9f2fb3e753f820bec2a98e8c6387029988320 https://git.kernel.org/stable/c/3ae75f82c33fa1b4ca2006b55c84f4ef4a428d4d https://git.kernel.org/stable/c/ef9aac603659e9ffe7d69ae16e3f0fc0991a965b https://git.kernel.org/stable/c/79079cebbeed624b9d01cfcf1e3254ae1a1f6e14 https://git.kernel.org/stable/c/a6da0ab9847779e05a7416c7a98148b549de69ef https://git.kernel.org/stable/c/b5fda08ef213352ac2df7447611eb4d383cce929 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not allow gso_size to be set to GSO_BY_FRAGS One missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again [1] Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff), because this magic value is used by the kernel. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500 Call Trace: <TASK> udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625 __dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329 dev_queue_xmit include/linux/netdevice.h:3082 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:727 [inline] sock_sendmsg+0xd9/0x180 net/socket.c:750 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2496 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2550 __sys_sendmsg+0x117/0x1e0 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ff27cdb34d9 | 2025-12-24 | not yet calculated | CVE-2023-54051 | https://git.kernel.org/stable/c/a5f9e5804d239d288d983db36bbed45ed10729a0 https://git.kernel.org/stable/c/4c9bfadb4301daaceb6c575fa6ad3bc82c152e79 https://git.kernel.org/stable/c/210ff31342ade546d8d9d0ec4d3cf9cb50ae632d https://git.kernel.org/stable/c/0a593e8a9d24360fbc469c5897d0791aa2f20ed3 https://git.kernel.org/stable/c/578371ce0d7f67ea1e65817c04478aaab0d36b68 https://git.kernel.org/stable/c/2e03a92b241102aaf490439aa1b00239f84f530f https://git.kernel.org/stable/c/e3636862f5595b3d2f02650f7b21d39043a34f3e https://git.kernel.org/stable/c/b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU txs may be dropped if the frame is aggregated in AMSDU. When the problem shows up, some SKBs would be held in the driver, causing the network to stop temporarily. Even if the problem can be recovered by txs timeout handling, mt7921 still needs to disable txs in AMSDU to avoid this issue. | 2025-12-24 | not yet calculated | CVE-2023-54052 | https://git.kernel.org/stable/c/1cd102aaedb277fbe81dd08cd9f5cae951de2bff https://git.kernel.org/stable/c/e74778e91fedc3b2a0143264887bbb32508c5000 https://git.kernel.org/stable/c/bf5d3fad7219b8de7d3a9cb59f0ea5243b018f07 https://git.kernel.org/stable/c/b642f4c5f3de0a8f47808d32b1ebd9c427a42a66 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: pcie: fix possible NULL pointer dereference It is possible that iwl_pci_probe() will fail and free the trans, then afterwards iwl_pci_remove() will be called and crash by trying to access trans which is already freed, fix it. iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2 wfpm id 0xa5a5a5a2 iwlwifi 0000:01:00.0: Can’t find a correct rfid for crf id 0x5a2 … BUG: kernel NULL pointer dereference, address: 0000000000000028 … RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi] pci_device_remove+0x3e/0xb0 device_release_driver_internal+0x103/0x1f0 driver_detach+0x4c/0x90 bus_remove_driver+0x5c/0xd0 driver_unregister+0x31/0x50 pci_unregister_driver+0x40/0x90 iwl_pci_unregister_driver+0x15/0x20 [iwlwifi] __exit_compat+0x9/0x98 [iwlwifi] __x64_sys_delete_module+0x147/0x260 | 2025-12-24 | not yet calculated | CVE-2023-54053 | https://git.kernel.org/stable/c/f6f2d16c77f936041b8ac495fceabded4ec6c83c https://git.kernel.org/stable/c/0fc0d287c1e7dcb39a3b9bb0f8679cd68c2156c7 https://git.kernel.org/stable/c/7545f21eee1356ec98581125c4dba9c4c0cc7397 https://git.kernel.org/stable/c/0f9a1bcb94016d3a3c455a77b01f6bb06e15f6eb https://git.kernel.org/stable/c/dcd23aa6cc0ded7950b60ce1badb80b84045c6c0 https://git.kernel.org/stable/c/b655b9a9f8467684cfa8906713d33b71ea8c8f54 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix buffer overrun Klocwork warning: Buffer Overflow – Array Index Out of Bounds Driver uses fc_els_flogi to calculate size of buffer. The actual buffer is nested inside of fc_els_flogi which is smaller. Replace structure name to allow proper size calculation. | 2025-12-24 | not yet calculated | CVE-2023-54054 | https://git.kernel.org/stable/c/eecb8a491c824a9376155d26ec95b6d0054c059c https://git.kernel.org/stable/c/89250e775dcc4482d8e970ed92ad2c9458b14a8a https://git.kernel.org/stable/c/2dddbf8de128289a3fb7ae38d9bc4b2217205ec1 https://git.kernel.org/stable/c/d5e7c9cd56e987c8687859a0bf38fd86aa8f3cec https://git.kernel.org/stable/c/b68710a8094fdffe8dd4f7a82c82649f479bb453 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix memory leak of PBLE objects On rmmod of irdma, the PBLE object memory is not being freed. PBLE object memory is not statically pre-allocated at function initialization time, unlike other HMC objects. PBLE objects and the Segment Descriptors (SDs) for them can be dynamically allocated during scale up, and the SDs remain allocated until function deinitialization. Fix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table and skipping pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects(). | 2025-12-24 | not yet calculated | CVE-2023-54055 | https://git.kernel.org/stable/c/810250c9c6616fe131099c0e51c61f2110ed07bf https://git.kernel.org/stable/c/ee02fa4a71bdb95a444124e5c11eaa22f1f44738 https://git.kernel.org/stable/c/adf58bd4018fbcd990c62e840afd2f178eefad60 https://git.kernel.org/stable/c/b69a6979dbaa2453675fe9c71bdc2497fedb11f9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: kheaders: Use array declaration instead of char Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination and source buffers. Defining kernel_headers_data as “char” would trip this check. Since these addresses are treated as byte arrays, define them as arrays (as done everywhere else). This was seen with: $ cat /sys/kernel/kheaders.tar.xz >> /dev/null detected buffer overflow in memcpy kernel BUG at lib/string_helpers.c:1027! … RIP: 0010:fortify_panic+0xf/0x20 […] Call Trace: <TASK> ikheaders_read+0x45/0x50 [kheaders] kernfs_fop_read_iter+0x1a4/0x2f0 … | 2025-12-24 | not yet calculated | CVE-2023-54056 | https://git.kernel.org/stable/c/719459877d58c8aced5845c1e5b98d8d87d09197 https://git.kernel.org/stable/c/fcd2da2e6bf2640a31a2a5b118b50dc3635c707b https://git.kernel.org/stable/c/4a07d2d511e2703efd4387891d49e0326f1157f3 https://git.kernel.org/stable/c/b9f6845a492de20679b84bda6b08be347c5819da https://git.kernel.org/stable/c/d6d1af6b8611801b585c53c0cc63626c8d339e96 https://git.kernel.org/stable/c/82d2e01b95c439fe55fab5e04fc83387c42d3a48 https://git.kernel.org/stable/c/b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter The ‘acpiid’ buffer in the parse_ivrs_acpihid function may overflow, because the string specifier in the format string sscanf() has no width limitation. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. | 2025-12-24 | not yet calculated | CVE-2023-54057 | https://git.kernel.org/stable/c/5e97dc748d13fad582136ba0c8cec215c7aeeb17 https://git.kernel.org/stable/c/f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9 https://git.kernel.org/stable/c/c513043e0afe6a8ba79d00af358655afabb576d2 https://git.kernel.org/stable/c/2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60 https://git.kernel.org/stable/c/63cd11165e5e0ea2012254c764003eda1f9adb7d https://git.kernel.org/stable/c/b6b26d86c61c441144c72f842f7469bb686e1211 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Check if ffa_driver remove is present before executing Currently ffa_drv->remove() is called unconditionally from ffa_device_remove(). Since the driver registration doesn’t check for it and allows a driver to be registered without a .remove callback, we need to check for its presence before executing it from ffa_device_remove() to avoid a NULL pointer dereference like the one below: \| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 \| Mem abort info: \| ESR = 0x0000000086000004 \| EC = 0x21: IABT (current EL), IL = 32 bits \| SET = 0, FnV = 0 \| EA = 0, S1PTW = 0 \| FSC = 0x04: level 0 translation fault \| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000 \| [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 \| Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP \| CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6 \| Hardware name: FVP Base RevC (DT) \| pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c) \| pc : 0x0 \| lr : ffa_device_remove+0x20/0x2c \| Call trace: \| 0x0 \| device_release_driver_internal+0x16c/0x260 \| driver_detach+0x90/0xd0 \| bus_remove_driver+0xdc/0x11c \| driver_unregister+0x30/0x54 \| ffa_driver_unregister+0x14/0x20 \| cleanup_module+0x18/0xeec \| __arm64_sys_delete_module+0x234/0x378 \| invoke_syscall+0x40/0x108 \| el0_svc_common+0xb4/0xf0 \| do_el0_svc+0x30/0xa4 \| el0_svc+0x2c/0x7c \| el0t_64_sync_handler+0x84/0xf0 \| el0t_64_sync+0x190/0x194 | 2025-12-24 | not yet calculated | CVE-2023-54058 | https://git.kernel.org/stable/c/6a26c62625c59b8dd7f52c518cb4f60a63470a0e https://git.kernel.org/stable/c/ad73dc7263ea90302d6c7eeb7e9f7cbcfa0b0617 https://git.kernel.org/stable/c/48399c297c46b4c8e77ebcf071bb586a42d0ca4e https://git.kernel.org/stable/c/b71b55248a580e9c9befc4ae060539f1f8e477da |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: soc: mediatek: mtk-svs: Enable the IRQ later If the system does not come from reset (like when it is booted via kexec()), the peripheral might trigger an IRQ before the data structures are initialised. [ 0.227710] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000f08 [ 0.227913] Call trace: [ 0.227918] svs_isr+0x8c/0x538 | 2025-12-24 | not yet calculated | CVE-2023-54059 | https://git.kernel.org/stable/c/6b99ebd30d65ee5ab8e8dd1d378550911eff5e4f https://git.kernel.org/stable/c/66ea96629bbccf1b483be506f3daff754069cdd3 https://git.kernel.org/stable/c/b74952aba6c3f47e7f2c5165abaeefa44c377140 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Set end correctly when doing batch carry Even though the test suite covers this it somehow became obscured that this wasn’t working. The test iommufd_ioas.mock_domain.access_domain_destory would blow up rarely. end should be set to 1 because this just pushed an item, the carry, to the pfns list. Sometimes the test would blow up with: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:batch_unpin+0xa2/0x100 [iommufd] Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc RSP: 0018:ffffc90001677a58 EFLAGS: 00010246 RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200 R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001 R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe FS: 00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x5c/0x70 ? __die+0x1f/0x60 ? page_fault_oops+0x15d/0x440 ? lock_release+0xbc/0x240 ? exc_page_fault+0x4a4/0x970 ? asm_exc_page_fault+0x27/0x30 ? batch_unpin+0xa2/0x100 [iommufd] ? batch_unpin+0xba/0x100 [iommufd] __iopt_area_unfill_domain+0x198/0x430 [iommufd] ? __mutex_lock+0x8c/0xb80 ? __mutex_lock+0x6aa/0xb80 ? xa_erase+0x28/0x30 ? iopt_table_remove_domain+0x162/0x320 [iommufd] ? lock_release+0xbc/0x240 iopt_area_unfill_domain+0xd/0x10 [iommufd] iopt_table_remove_domain+0x195/0x320 [iommufd] iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd] iommufd_object_destroy_user+0x8e/0xf0 [iommufd] iommufd_device_detach+0xc5/0x140 [iommufd] iommufd_selftest_destroy+0x1f/0x70 [iommufd] iommufd_object_destroy_user+0x8e/0xf0 [iommufd] iommufd_destroy+0x3a/0x50 [iommufd] iommufd_fops_ioctl+0xfb/0x170 [iommufd] __x64_sys_ioctl+0x40d/0x9a0 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-12-24 | not yet calculated | CVE-2023-54060 | https://git.kernel.org/stable/c/176f36a376c417b58d19f79edfce20db9317eaa2 https://git.kernel.org/stable/c/b7c822fa6b7701b17e139f1c562fc24135880ed4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86: fix clear_user_rep_good() exception handling annotation This code no longer exists in mainline, because it was removed in commit d2c95f9d6802 (“x86: don’t use REP_GOOD or ERMS for user memory clearing”) upstream. However, rather than backport the full range of x86 memory clearing and copying cleanups, fix the exception table annotation placement for the final ‘rep movsb’ in clear_user_rep_good(): rather than pointing at the actual instruction that did the user space access, it pointed to the register move just before it. That made sense from a code flow standpoint, but not from an actual usage standpoint: it means that if user access takes an exception, the exception handler won’t actually find the instruction in the exception tables. As a result, rather than fixing it up and returning -EFAULT, it would then turn it into a kernel oops report instead, something like: BUG: unable to handle page fault for address: 0000000020081000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) – not-present page … RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147 … Call Trace: __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline] clear_user arch/x86/include/asm/uaccess_64.h:124 [inline] iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800 iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline] iomap_dio_iter fs/iomap/direct-io.c:440 [inline] __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601 iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689 ext4_dio_read_iter fs/ext4/file.c:94 [inline] ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145 call_read_iter include/linux/fs.h:2183 [inline] do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733 do_iter_read+0x2f2/0x750 fs/read_write.c:796 vfs_readv+0xe5/0x150 fs/read_write.c:916 do_preadv+0x1b6/0x270 fs/read_write.c:1008 __do_sys_preadv2 fs/read_write.c:1070 [inline] __se_sys_preadv2 fs/read_write.c:1061 [inline] __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd which then looks like a filesystem bug rather than the incorrect exception annotation that it is. [ The alternative to this one-liner fix is to take the upstream series that cleans this all up: 68674f94ffc9 (“x86: don’t use REP_GOOD or ERMS for small memory copies”) 20f3337d350c (“x86: don’t use REP_GOOD or ERMS for small memory clearing”) adfcf4231b8c (“x86: don’t use REP_GOOD or ERMS for user memory copies”) * d2c95f9d6802 (“x86: don’t use REP_GOOD or ERMS for user memory clearing”) 3639a535587d (“x86: move stac/clac from user copy routines into callers”) 577e6a7fd50d (“x86: inline the ‘rep movs’ in user copies for the FSRM case”) 8c9b6a88b7e2 (“x86: improve on the non-rep ‘clear_user’ function”) 427fda2c8a49 (“x86: improve on the non-rep ‘copy_user’ function”) * e046fe5a36a9 (“x86: set FSRS automatically on AMD CPUs that have FSRM”) e1f2750edc4a (“x86: remove ‘zerorest’ argument from __copy_user_nocache()”) 034ff37d3407 (“x86: rewrite ‘__copy_user_nocache’ function”) with either the whole series or at a minimum the two marked commits being needed to fix this issue ] | 2025-12-24 | not yet calculated | CVE-2023-54061 | https://git.kernel.org/stable/c/b805d212c394f291f116b12c53401e7ba0c4d408 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix invalid free tracking in ext4_xattr_move_to_block() In ext4_xattr_move_to_block(), the value of the extended attribute which we need to move to an external block may be allocated by kvmalloc() if the value is stored in an external inode. So at the end of the function the code tried to check if this was the case by testing entry->e_value_inum. However, at this point, the pointer to the xattr entry is no longer valid, because it was removed from the original location where it had been stored. So we could end up calling kvfree() on a pointer which was not allocated by kvmalloc(); or we could also potentially leak memory by not freeing the buffer when it should be freed. Fix this by storing whether it should be freed in a separate variable. | 2025-12-24 | not yet calculated | CVE-2023-54062 | https://git.kernel.org/stable/c/76887be2a96193cd11be818551b8934ecdb3123f https://git.kernel.org/stable/c/f30f3391d089dc91aef91d08f4b04a6c0df2b067 https://git.kernel.org/stable/c/ba04d6af5ac440a6d5a2d35dc1d8e2cb0323550a https://git.kernel.org/stable/c/1a8822343e67432b658145d2760a524c884da9d4 https://git.kernel.org/stable/c/8beaa3cb293a8f7bacf711cf52201d59859dbc40 https://git.kernel.org/stable/c/c5fa4eedddd1c8342ce533cb401c0e693e55b4e3 https://git.kernel.org/stable/c/a18670395e5f28acddeca037c5e4bd2ea961b70a https://git.kernel.org/stable/c/b2fab1807d26acd1c6115b95b5eddd697d84751b https://git.kernel.org/stable/c/b87c7cdf2bed4928b899e1ce91ef0d147017ba45 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix OOB read in indx_insert_into_buffer Syzbot reported an OOB read bug: BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755 Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630 Call Trace: <TASK> memmove+0x25/0x60 mm/kasan/shadow.c:54 indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755 indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863 ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548 ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100 lookup_open fs/namei.c:3413 [inline] If the member struct INDEX_BUFFER *index of struct indx_node is incorrect, that is, if the value of the __le32 used field is greater than the value of the __le32 total field in struct INDEX_HDR, an OOB read occurs when memmove is called in indx_insert_into_buffer(). Fix this by adding a check in hdr_find_e(). | 2025-12-24 | not yet calculated | CVE-2023-54063 | https://git.kernel.org/stable/c/cd7e1d67924081717c5c96ead758a1a77867689a https://git.kernel.org/stable/c/17048287ac79abd33b275ac3b5738285d406481b https://git.kernel.org/stable/c/a7e5dba10ba1402dd6c2f961a70320770865c4a5 https://git.kernel.org/stable/c/4bf3b564e27a518f158a83d5e1a50064ed6136a0 https://git.kernel.org/stable/c/b8c44949044e5f7f864525fdffe8e95135ce9ce5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi:ssif: Fix a memory leak when scanning for an adapter The adapter scan ssif_info_find() sets info->adapter_name if the adapter info came from SMBIOS, as it’s not set in that case. However, this function can be called more than once, and it will leak the adapter name if it had already been set. So check for NULL before setting it. | 2025-12-24 | not yet calculated | CVE-2023-54064 | https://git.kernel.org/stable/c/de677f4379fa67f650e367c188a0f80bee9b6732 https://git.kernel.org/stable/c/13623b966bb6d36ba61646b69cd49cdac6e4978a https://git.kernel.org/stable/c/3ad53071fe8547eb8d8813971844cc43246008ee https://git.kernel.org/stable/c/74a1194cce60a90723d0fe148863c18931a31153 https://git.kernel.org/stable/c/7db16d2e791bf2ec3e0249f56b7ec81c35bba6e6 https://git.kernel.org/stable/c/b870caeb18041f856893066ded81c560db3d56cc https://git.kernel.org/stable/c/b8d72e32e1453d37ee5c8a219f24e7eeadc471ef |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: realtek: fix out-of-bounds access The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) with the expectation that priv has enough trailing space. However, only realtek-smi actually allocated this chip_data space. Do likewise in realtek-mdio to fix out-of-bounds accesses. These accesses likely went unnoticed so far, because of an (unused) buf[4096] member in struct realtek_priv, which caused kmalloc to round up the allocated buffer to a big enough size, so nothing of value was overwritten. With a different allocator (like in the barebox bootloader port of the driver) or with KASAN, the memory corruption becomes quickly apparent. | 2025-12-24 | not yet calculated | CVE-2023-54065 | https://git.kernel.org/stable/c/cc0f9bb99735d2b68fac68f37b585d615728ce5b https://git.kernel.org/stable/c/fe668aa499b4b95425044ba11af9609db6ecf466 https://git.kernel.org/stable/c/b93eb564869321d0dffaf23fcc5c88112ed62466 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer In gl861_i2c_master_xfer, msg is controlled by the user. When msg[i].buf is NULL and msg[i].len is zero, the earlier checks on msg[i].buf are passed and the malicious data reaches gl861_i2c_master_xfer. Accessing msg[i].buf[0] without a sanity check would then dereference a NULL pointer. We add a check on msg[i].len to prevent the crash. Similar commit: commit 0ed554fd769a (“media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()”) | 2025-12-24 | not yet calculated | CVE-2023-54066 | https://git.kernel.org/stable/c/578b67614ae0e4fba3945b66a4c8f9ae77115bcb https://git.kernel.org/stable/c/2a33fc57133d6f39d62285df6706aeb1714967f1 https://git.kernel.org/stable/c/dfcd3c010209927b9f45b860f046635dc32e32e1 https://git.kernel.org/stable/c/72af676551efe820e309a6c7681c2c4372f37376 https://git.kernel.org/stable/c/b97719a66970601cd3151a3e2020f4454a1c4ff6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting free space root from the dirty cow roots list When deleting the free space tree we are deleting the free space root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there’s another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (…) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the free space root from that list. | 2025-12-24 | not yet calculated | CVE-2023-54067 | https://git.kernel.org/stable/c/6f1c81886b0b56cb88b311e5d2f203625474d892 https://git.kernel.org/stable/c/8ce9139aea5e60a247bde5af804312f54975f443 https://git.kernel.org/stable/c/babebf023e661b90b1c78b2baa384fb03a226879 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages() BUG_ON() will be triggered when writing files concurrently, because the same page is written back multiple times. 1597 void folio_end_writeback(struct folio *folio) 1598 { …… 1618 if (!__folio_end_writeback(folio)) 1619 BUG(); …… 1625 } kernel BUG at mm/filemap.c:1619! Call Trace: <TASK> f2fs_write_end_io+0x1a0/0x370 blk_update_request+0x6c/0x410 blk_mq_end_request+0x15/0x130 blk_complete_reqs+0x3c/0x50 __do_softirq+0xb8/0x29b ? sort_range+0x20/0x20 run_ksoftirqd+0x19/0x20 smpboot_thread_fn+0x10b/0x1d0 kthread+0xde/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> Below is the concurrency scenario: [Process A] [Process B] [Process C] f2fs_write_raw_pages() – redirty_page_for_writepage() – unlock page() f2fs_do_write_data_page() – lock_page() – clear_page_dirty_for_io() – set_page_writeback() [1st writeback] ….. – unlock page() generic_perform_write() – f2fs_write_begin() – wait_for_stable_page() – f2fs_write_end() – set_page_dirty() – lock_page() – f2fs_do_write_data_page() – set_page_writeback() [2nd writeback] This problem was introduced by the previous commit 7377e853967b (“f2fs: compress: fix potential deadlock of compress file”). All page locks were released in f2fs_write_raw_pages(), but whether the page was in the writeback state was ignored in the subsequent writing process. Let’s fix it by waiting for the page’s writeback to complete before writing. | 2025-12-24 | not yet calculated | CVE-2023-54068 | https://git.kernel.org/stable/c/a8226a45b2a9ce83ba7a167a387a00fecc319e71 https://git.kernel.org/stable/c/169134da419cb8ffbe3b0743bc24573e16952ea9 https://git.kernel.org/stable/c/6604df2a9d07ba8f8fb1ac14046c2c83776faa4f https://git.kernel.org/stable/c/9940877c4fe752923a53f0f7372f2f152b6eccf0 https://git.kernel.org/stable/c/ad31eed06c3b4d63b2d38322a271d4009aee4bb3 https://git.kernel.org/stable/c/babedcbac164cec970872b8097401ca913a80e61 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered: ========================================================= kernel BUG at fs/ext4/mballoc.c:5116! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279 RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430 Call Trace: <TASK> ext4_mb_use_best_found+0x203/0x2f0 ext4_mb_try_best_found+0x163/0x240 ext4_mb_regular_allocator+0x158/0x1550 ext4_mb_new_blocks+0x86a/0xe10 ext4_ext_map_blocks+0xb0c/0x13a0 ext4_map_blocks+0x2cd/0x8f0 ext4_iomap_begin+0x27b/0x400 iomap_iter+0x222/0x3d0 __iomap_dio_rw+0x243/0xcb0 iomap_dio_rw+0x16/0x80 ========================================================= A simple reproducer demonstrating the problem: mkfs.ext4 -F /dev/sda -b 4096 100M mount /dev/sda /tmp/test fallocate -l1M /tmp/test/tmp fallocate -l10M /tmp/test/file fallocate -i -o 1M -l16777203M /tmp/test/file fsstress -d /tmp/test -l 0 -n 100000 -p 8 & sleep 10 && killall -9 fsstress rm -f /tmp/test/tmp xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192" We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code. | 2025-12-24 | not yet calculated | CVE-2023-54069 | https://git.kernel.org/stable/c/83ecffd40c65844a73c2e93d7c841455786605ac https://git.kernel.org/stable/c/58fe961c606c446f5612f6897827b1cac42c2e89 https://git.kernel.org/stable/c/f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1 https://git.kernel.org/stable/c/fcefddf3a151b2c416b20120c06bb1ba9ad676fb https://git.kernel.org/stable/c/b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90 https://git.kernel.org/stable/c/bc056e7163ac7db945366de219745cf94f32a3e6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: igb: clean up in all error paths when enabling SR-IOV After commit 50f303496d92 (“igb: Enable SR-IOV after reinit”), removing the igb module could hang or crash (depending on the machine) when the module has been loaded with the max_vfs parameter set to some value != 0. In case of one test machine with a dual port 82580, this hang occurred: [ 232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1 [ 233.093257] igb 0000:41:00.1: IOV Disabled [ 233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0 [ 233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata) [ 233.352248] igb 0000:41:00.0: device [8086:1516] error status/mask=00100000 [ 233.361088] igb 0000:41:00.0: [20] UnsupReq (First) [ 233.368183] igb 0000:41:00.0: AER: TLP Header: 40000001 0000040f cdbfc00c c [ 233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata) [ 233.388779] igb 0000:41:00.1: device [8086:1516] error status/mask=00100000 [ 233.397629] igb 0000:41:00.1: [20] UnsupReq (First) [ 233.404736] igb 0000:41:00.1: AER: TLP Header: 40000001 0000040f cdbfc00c c [ 233.538214] pci 0000:41:00.1: AER: can’t recover (no error_detected callback) [ 233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0 [ 233.546197] pcieport 0000:40:01.0: AER: device recovery failed [ 234.157244] igb 0000:41:00.0: IOV Disabled [ 371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds. [ 371.627489] Not tainted 6.4.0-dirty #2 [ 371.632257] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this. [ 371.641000] task:irq/35-aerdrv state:D stack:0 pid:257 ppid:2 f0 [ 371.650330] Call Trace: [ 371.653061] <TASK> [ 371.655407] __schedule+0x20e/0x660 [ 371.659313] schedule+0x5a/0xd0 [ 371.662824] schedule_preempt_disabled+0x11/0x20 [ 371.667983] __mutex_lock.constprop.0+0x372/0x6c0 [ 371.673237] ? __pfx_aer_root_reset+0x10/0x10 [ 371.678105] report_error_detected+0x25/0x1c0 [ 371.682974] ? __pfx_report_normal_detected+0x10/0x10 [ 371.688618] pci_walk_bus+0x72/0x90 [ 371.692519] pcie_do_recovery+0xb2/0x330 [ 371.696899] aer_process_err_devices+0x117/0x170 [ 371.702055] aer_isr+0x1c0/0x1e0 [ 371.705661] ? __set_cpus_allowed_ptr+0x54/0xa0 [ 371.710723] ? __pfx_irq_thread_fn+0x10/0x10 [ 371.715496] irq_thread_fn+0x20/0x60 [ 371.719491] irq_thread+0xe6/0x1b0 [ 371.723291] ? __pfx_irq_thread_dtor+0x10/0x10 [ 371.728255] ? __pfx_irq_thread+0x10/0x10 [ 371.732731] kthread+0xe2/0x110 [ 371.736243] ? __pfx_kthread+0x10/0x10 [ 371.740430] ret_from_fork+0x2c/0x50 [ 371.744428] </TASK> The reproducer was a simple script: #!/bin/sh for i in `seq 1 5`; do modprobe -rv igb modprobe -v igb max_vfs=1 sleep 1 modprobe -rv igb done It turned out that this could only be reproduced on 82580 (quad and dual-port), but not on 82576, i350 and i210. Further debugging showed that igb_enable_sriov()’s call to pci_enable_sriov() is failing, because dev->is_physfn is 0 on 82580. Prior to commit 50f303496d92 (“igb: Enable SR-IOV after reinit”), igb_enable_sriov() jumped into the “err_out” cleanup branch. After this commit it only returned the error code. So the cleanup didn’t take place, and the incorrect VF setup in the igb_adapter structure fooled the igb driver into assuming that VFs had been set up where no VF actually existed. Fix this problem by cleaning up again if pci_enable_sriov() fails. | 2025-12-24 | not yet calculated | CVE-2023-54070 | https://git.kernel.org/stable/c/0e3ea7e82a06014b9baf1b84ba579c38cbff3558 https://git.kernel.org/stable/c/bc6ed2fa24b14e40e1005488bbe11268ce7108fa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: use work to update rate to avoid RCU warning The ieee80211_ops::sta_rc_update must be atomic, because ieee80211_chan_bw_change() holds rcu_read lock while calling drv_sta_rc_update(), so create a work to do original things. Voluntary context switch within RCU read-side critical section! WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x571/0x5d0 CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G W OE Workqueue: phy3 ieee80211_chswitch_work [mac80211] RIP: 0010:rcu_note_context_switch+0x571/0x5d0 Call Trace: <TASK> __schedule+0xb0/0x1460 ? __mod_timer+0x116/0x360 schedule+0x5a/0xc0 schedule_timeout+0x87/0x150 ? trace_raw_output_tick_stop+0x60/0x60 wait_for_completion_timeout+0x7b/0x140 usb_start_wait_urb+0x82/0x160 [usbcore] usb_control_msg+0xe3/0x140 [usbcore] rtw_usb_read+0x88/0xe0 [rtw_usb] rtw_usb_read8+0xf/0x10 [rtw_usb] rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core] rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core] drv_sta_rc_update+0x7c/0x160 [mac80211] ieee80211_chan_bw_change+0xfb/0x110 [mac80211] ieee80211_change_chanctx+0x38/0x130 [mac80211] ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211] ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211] ieee80211_chswitch_work+0x95/0x170 [mac80211] process_one_work+0x201/0x410 worker_thread+0x4a/0x3b0 ? process_one_work+0x410/0x410 kthread+0xe1/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> | 2025-12-24 | not yet calculated | CVE-2023-54071 | https://git.kernel.org/stable/c/107677a8f43521e33e4a653e50fdf55ba622a4ce https://git.kernel.org/stable/c/dd3af22323e79a2ffabed366db20aab83716fe6f https://git.kernel.org/stable/c/bcafcb959a57a6890e900199690c5fc47da1a304 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix potential data race at PCM memory allocation helpers The PCM memory allocation helpers have a sanity check against too many buffer allocations. However, the check is performed without a proper lock and the allocation isn't serialized; this allows a user to allocate more memory than the predefined max size. Practically seen, this isn't really a big problem, as it's more or less some "soft limit" as a sanity check, and it's not possible to allocate unlimitedly. But it's still better to address this for more consistent behavior. The patch covers the size check in do_alloc_pages() with the card->memory_mutex, and increases the allocated size there for preventing the further overflow. When the actual allocation fails, the size is decreased accordingly. | 2025-12-24 | not yet calculated | CVE-2023-54072 | https://git.kernel.org/stable/c/7e1d1456c8db9949459c5a24e8845cfe92430b0f https://git.kernel.org/stable/c/7e11c58b2620a22c67a5ae28d64ce383890ee9f4 https://git.kernel.org/stable/c/a0ab49e7a758b488b2090171a75d50735c0876f6 https://git.kernel.org/stable/c/3eb4e47a94e3f76521d7d344696db61e6a9619c7 https://git.kernel.org/stable/c/773ccad902f67583a58b5650a2f8d8daf2e76fac https://git.kernel.org/stable/c/bd55842ed998a622ba6611fe59b3358c9f76773d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site The following crash was reported: [ 1950.279393] list_del corruption, ffff99560d485790->next is NULL [ 1950.279400] ------------[ cut here ]------------ [ 1950.279401] kernel BUG at lib/list_debug.c:49! [ 1950.279405] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 1950.279407] CPU: 11 PID: 5886 Comm: modprobe Tainted: G O 6.2.8_1 #1 [ 1950.279409] Hardware name: Gigabyte Technology Co., Ltd. B550M AORUS PRO-P/B550M AORUS PRO-P, BIOS F15c 05/11/2022 [ 1950.279410] RIP: 0010:__list_del_entry_valid+0x59/0xc0 [ 1950.279415] Code: 48 8b 01 48 39 f8 75 5a 48 8b 72 08 48 39 c6 75 65 b8 01 00 00 00 c3 cc cc cc cc 48 89 fe 48 c7 c7 08 a8 13 9e e8 b7 0a bc ff <0f> 0b 48 89 fe 48 c7 c7 38 a8 13 9e e8 a6 0a bc ff 0f 0b 48 89 fe [ 1950.279416] RSP: 0018:ffffa96d05647e08 EFLAGS: 00010246 [ 1950.279418] RAX: 0000000000000033 RBX: ffff99560d485750 RCX: 0000000000000000 [ 1950.279419] RDX: 0000000000000000 RSI: ffffffff9e107c59 RDI: 00000000ffffffff [ 1950.279420] RBP: ffffffffc19c5168 R08: 0000000000000000 R09: ffffa96d05647cc8 [ 1950.279421] R10: 0000000000000003 R11: ffffffff9ea2a568 R12: 0000000000000000 [ 1950.279422] R13: ffff99560140a2e0 R14: ffff99560127d2e0 R15: 0000000000000000 [ 1950.279422] FS: 00007f67da795380(0000) GS:ffff995d1f0c0000(0000) knlGS:0000000000000000 [ 1950.279424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1950.279424] CR2: 00007f67da7e65c0 CR3: 00000001feed2000 CR4: 0000000000750ee0 [ 1950.279426] PKRU: 55555554 [ 1950.279426] Call Trace: [ 1950.279428] <TASK> [ 1950.279430] hwrng_unregister+0x28/0xe0 [rng_core] [ 1950.279436] tpm_chip_unregister+0xd5/0xf0 [tpm] Add the forgotten !tpm_amd_is_rng_defective() invariant to the hwrng_unregister() call site inside tpm_chip_unregister(). | 2025-12-24 | not yet calculated | CVE-2023-54073 | https://git.kernel.org/stable/c/1408d27f25c7b73ece7545cb6434965eedc49ddb https://git.kernel.org/stable/c/8da5ba044ea74105f3cfa182603b2f2d766fb22d https://git.kernel.org/stable/c/0af0a989e747248e05640980661225e5b94cdb9e https://git.kernel.org/stable/c/bd8621ca1510e6e802df9855bdc35a04a3cfa932 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Use correct encap attribute during invalidation With introduction of post action infrastructure most of the users of encap attribute had been modified in order to obtain the correct attribute by calling mlx5e_tc_get_encap_attr() helper instead of assuming encap action is always on default attribute. However, the cited commit didn't modify mlx5e_invalidate_encap() which prevents it from destroying correct modify header action which leads to a warning [0]. Fix the issue by using correct attribute. [0]: Feb 21 09:47:35 c-237-177-40-045 kernel: WARNING: CPU: 17 PID: 654 at drivers/net/ethernet/mellanox/mlx5/core/en_tc.c:684 mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: RIP: 0010:mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: Call Trace: Feb 21 09:47:35 c-237-177-40-045 kernel: <TASK> Feb 21 09:47:35 c-237-177-40-045 kernel: mlx5e_tc_fib_event_work+0x8e3/0x1f60 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: ? mlx5e_take_all_encap_flows+0xe0/0xe0 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: ? lock_downgrade+0x6d0/0x6d0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: process_one_work+0x7c2/0x1310 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x3f0/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? pwq_dec_nr_in_flight+0x230/0x230 Feb 21 09:47:35 c-237-177-40-045 kernel: ? rwlock_bug.part.0+0x90/0x90 Feb 21 09:47:35 c-237-177-40-045 kernel: worker_thread+0x59d/0xec0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? __kthread_parkme+0xd9/0x1d0 | 2025-12-24 | not yet calculated | CVE-2023-54074 | https://git.kernel.org/stable/c/00959a1bad58e4b6c14a2729f84d354255073609 https://git.kernel.org/stable/c/b8b4292fdd8818ab43b943b6717811651f51e39f https://git.kernel.org/stable/c/be071cdb167fc3e25fe81922166b3d499d23e8ac |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: common: Fix refcount leak in parse_dai_link_info Add missing of_node_put()s before the returns to balance of_node_get()s and of_node_put()s, which may get unbalanced in case the for loop ‘for_each_available_child_of_node’ returns early. | 2025-12-24 | not yet calculated | CVE-2023-54075 | https://git.kernel.org/stable/c/3e40722d55805584dc04d8594d912820cafb2432 https://git.kernel.org/stable/c/beed115c2ce78f990222a29abed042582df4e87c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix missed ses refcounting Use new cifs_smb_ses_inc_refcount() helper to get an active reference of @ses and @ses->dfs_root_ses (if set). This will prevent @ses->dfs_root_ses from being put in the next call to cifs_put_smb_ses() and thus potentially causing a use-after-free bug. | 2025-12-24 | not yet calculated | CVE-2023-54076 | https://git.kernel.org/stable/c/eb382196e6f6e05cfafdab797840e5a96c6e7bf0 https://git.kernel.org/stable/c/bf99f6be2d20146942bce6f9e90a0ceef12cbc1e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix memory leak if ntfs_read_mft failed Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and ni->ni_flags |= NI_FLAG_DIR, then the next attr will go to label ATTR_ALLOC and alloc ni->dir.alloc_run. However, the two states are not always consistent and can cause a memory leak. 1) attr_name in ATTR_ROOT does not fit the condition: it will set is_root = true but NI_FLAG_DIR is not set. 2) the next attr_name in ATTR_ALLOC fits the condition and allocs ni->dir.alloc_run 3) in the cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees ni->dir.alloc_run, otherwise it frees ni->file.run 4) because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is leaked as kmemleak reported: unreferenced object 0xffff888003bc5480 (size 64): backtrace: [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0 [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0 [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3] [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3] [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3] [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3] [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3] [<00000000b9170608>] get_tree_bdev+0x3fb/0x710 [<000000004833798a>] vfs_get_tree+0x8e/0x280 [<000000006e20b8e6>] path_mount+0xf3c/0x1930 [<000000007bf15a5f>] do_mount+0xf3/0x110 … Fix this by always setting is_root and NI_FLAG_DIR together. | 2025-12-24 | not yet calculated | CVE-2023-54077 | https://git.kernel.org/stable/c/3030f2b9b3329db3948c1a145a5493ca6f617d50 https://git.kernel.org/stable/c/1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06 https://git.kernel.org/stable/c/93bf79f989688852deade1550fb478b0a4d8daa8 https://git.kernel.org/stable/c/3bb0d3eb475f01744ce6d6e998dfbd80220852a1 https://git.kernel.org/stable/c/bfa434c60157c9793e9b12c9b68ade02aff9f803 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: max9286: Free control handler The control handler is leaked in some probe-time error paths, as well as in the remove path. Fix it. | 2025-12-24 | not yet calculated | CVE-2023-54078 | https://git.kernel.org/stable/c/9a3a907cf69f804eb41ece5c079720d1a6a15aa1 https://git.kernel.org/stable/c/1ad4b8c4552b4096dfc86531462dc1899f96af94 https://git.kernel.org/stable/c/1e9fc6c473210138eff3425a6136f0a9bf4eb0ae https://git.kernel.org/stable/c/0f25f99dacc72bce7d4128f7a254b23f1a343cc7 https://git.kernel.org/stable/c/19f36204dbe28bf4ec0149e87e9996a56af4e654 https://git.kernel.org/stable/c/bfce6a12e5ba1edde95126aa06778027f16115d4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: bq27xxx: Fix poll_interval handling and races on remove Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0 to avoid bq27xxx_battery_update() requeuing the delayed_work item. There are 2 problems with this: 1. If the driver is unbound through sysfs, rather than the module being rmmod-ed, this changes poll_interval unexpectedly 2. This is racy, after it being set poll_interval could be changed before bq27xxx_battery_update() checks it through /sys/module/bq27xxx_battery/parameters/poll_interval Fix this by adding a removed attribute to struct bq27xxx_device_info and using that instead of setting poll_interval to 0. There also is another poll_interval related race on remove(), writing /sys/module/bq27xxx_battery/parameters/poll_interval will requeue the delayed_work item for all devices on the bq27xxx_battery_devices list and the device being removed was only removed from that list after cancelling the delayed_work item. Fix this by moving the removal from the bq27xxx_battery_devices list to before cancelling the delayed_work item. | 2025-12-24 | not yet calculated | CVE-2023-54079 | https://git.kernel.org/stable/c/4c9615474fb0a41cfad658d78db3c9ec70912969 https://git.kernel.org/stable/c/465d919151a1e8d40daf366b868914f59d073211 https://git.kernel.org/stable/c/0c5f4cec759679c290720fbcf6bb81768e21c95b https://git.kernel.org/stable/c/e85757da9091998276ff21a13915ac25229cc232 https://git.kernel.org/stable/c/e98e5bebfcafc75a7b41192a607dfea5c1268afa https://git.kernel.org/stable/c/d952a1eaafcc5f0351caad5dbe9b5b3300d1d529 https://git.kernel.org/stable/c/b12faeca0e819ea09051a705fef9df7ea7e9e18c https://git.kernel.org/stable/c/c00bc80462afc7963f449d7f21d896d2f629cacc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: skip splitting and logical rewriting on pre-alloc write When doing a relocation, there is a chance that at the time of btrfs_reloc_clone_csums(), there is no checksum for the corresponding region. In this case, btrfs_finish_ordered_zoned()'s sum points to an invalid item and so ordered_extent's logical is set to some invalid value. Then, btrfs_lookup_block_group() in btrfs_zone_finish_endio() fails to find a block group and will hit an assert or a null pointer dereference as follows. This can be reproduced by running btrfs/028 several times (e.g., 4 to 16 times) with a null_blk setup. The device's zone size and capacity are set to 32 MB and the storage size is set to 5 GB on my setup. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G W 6.5.0-rc6-kts+ #1 Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015 Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00 > 3c 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00 RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088 RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827 R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000 R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0 Call Trace: <TASK> ? die_addr+0x3c/0xa0 ? exc_general_protection+0x148/0x220 ? asm_exc_general_protection+0x22/0x30 ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] ? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs] btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs] ? rcu_is_watching+0x11/0xb0 ? lock_release+0x47a/0x620 ? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs] ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs] ? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs] ? __smp_call_single_queue+0x124/0x350 ? rcu_is_watching+0x11/0xb0 btrfs_work_helper+0x19f/0xc60 [btrfs] ? __pfx_try_to_wake_up+0x10/0x10 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 process_one_work+0x8c1/0x1430 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0x52/0x60 worker_thread+0x100/0x12c0 ? __kthread_parkme+0xc1/0x1f0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2ea/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> On the zoned mode, writing to a pre-allocated region means a data relocation write. Such a write always uses the WRITE command, so there is no need for splitting and rewriting the logical address. Thus, we can just skip the function for that case. | 2025-12-24 | not yet calculated | CVE-2023-54080 | https://git.kernel.org/stable/c/d3cfa44164688a076e8b476cafb5df87d07cfa63 https://git.kernel.org/stable/c/c02d35d89b317994bd713ba82e160c5e7f22d9c8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xen: speed up grant-table reclaim When a grant entry is still in use by the remote domain, Linux must put it on a deferred list. Normally, this list is very short, because the PV network and block protocols expect the backend to unmap the grant first. However, Qubes OS’s GUI protocol is subject to the constraints of the X Window System, and as such winds up with the frontend unmapping the window first. As a result, the list can grow very large, resulting in a massive memory leak and eventual VM freeze. To partially solve this problem, make the number of entries that the VM will attempt to free at each iteration tunable. The default is still 10, but it can be overridden via a module parameter. This is Cc: stable because (when combined with appropriate userspace changes) it fixes a severe performance and stability problem for Qubes OS users. | 2025-12-24 | not yet calculated | CVE-2023-54081 | https://git.kernel.org/stable/c/cd1a8952ff529adc210e62306849fd6f256608c0 https://git.kernel.org/stable/c/c76d96c555895ac602c1587b001e5cf656abc371 https://git.kernel.org/stable/c/c04e9894846c663f3278a414f34416e6e45bbe68 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, the sockets will be cleaned up by garbage collection. The garbage collection iterates such sockets and unlinks skb with FD from the socket's receive queue under the queue's lock. So, there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. To avoid the issue, unix_stream_sendpage() must lock the peer's recv queue. Note the issue does not exist in 6.5+ thanks to the recent sendpage() refactoring. This patch is originally written by Linus Torvalds. BUG: unable to handle page fault for address: ffff988004dd6870 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 PREEMPT SMP PTI CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0 Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44 RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246 RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284 RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0 RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00 R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8 FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x1a/0x1f ? page_fault_oops+0xa9/0x1e0 ? fixup_exception+0x1d/0x310 ? exc_page_fault+0xa8/0x150 ? asm_exc_page_fault+0x22/0x30 ? kmem_cache_alloc_node+0xa2/0x1e0 ? __alloc_skb+0x16c/0x1e0 __alloc_skb+0x16c/0x1e0 alloc_skb_with_frags+0x48/0x1e0 sock_alloc_send_pskb+0x234/0x270 unix_stream_sendmsg+0x1f5/0x690 sock_sendmsg+0x5d/0x60 ____sys_sendmsg+0x210/0x260 ___sys_sendmsg+0x83/0xd0 ? kmem_cache_alloc+0xc6/0x1c0 ? avc_disable+0x20/0x20 ? percpu_counter_add_batch+0x53/0xc0 ? alloc_empty_file+0x5d/0xb0 ? alloc_file+0x91/0x170 ? alloc_file_pseudo+0x94/0x100 ? __fget_light+0x9f/0x120 __sys_sendmsg+0x54/0xa0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x69/0xd3 RIP: 0033:0x7f174d639a7d Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48 RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007 RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28 R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000 </TASK> | 2025-12-24 | not yet calculated | CVE-2023-54082 | https://git.kernel.org/stable/c/c080cee930303124624fe64fc504f66c815ee6b9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Clear the driver reference in usb-phy dev For the dual-role port, it will assign the phy dev to usb-phy dev and use the port dev driver as the dev driver of usb-phy. When we try to destroy the port dev, it will destroy its dev driver as well. But we did not remove the reference from usb-phy dev. This might cause the use-after-free issue in KASAN. | 2025-12-24 | not yet calculated | CVE-2023-54083 | https://git.kernel.org/stable/c/b6a107c52073496d2e5d2837915f59fb3103832f https://git.kernel.org/stable/c/b84998a407a882991916b1a61d987c400d8a0ce6 https://git.kernel.org/stable/c/238edc04ddb9d272b38f5419bcd419ad3b92b91b https://git.kernel.org/stable/c/82187460347ad58fd6b06d2883da73c3f2df9631 https://git.kernel.org/stable/c/c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-digi00x: prevent potential use after free This code was supposed to return an error code if init_stream() failed, but it instead freed dg00x->rx_stream and returned success. This potentially leads to a use after free. | 2025-12-24 | not yet calculated | CVE-2023-54084 | https://git.kernel.org/stable/c/5009aead17f060753428e249eb0246eb1c2f8b86 https://git.kernel.org/stable/c/13c5fa1248bf06e95a25907c1be83948b8c44c50 https://git.kernel.org/stable/c/bbb5ac533ca6c4e2775a95388c9c0c610bb442b7 https://git.kernel.org/stable/c/ee1a221d947809c0308f27567c07a3ac93406057 https://git.kernel.org/stable/c/67148395efa2c1fb20e98fca359b20e7a6c81fe4 https://git.kernel.org/stable/c/c0e72058d5e21982e61a29de6b098f7c1f0db498 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer dereference on fastopen early fallback In case of early fallback to TCP, subflow_syn_recv_sock() deletes the subflow context before returning the newly allocated sock to the caller. The fastopen path does not cope with the above unconditionally dereferencing the subflow context. | 2025-12-24 | not yet calculated | CVE-2023-54085 | https://git.kernel.org/stable/c/95135835519b0ab931c39908b2c99e9fb3c9068b https://git.kernel.org/stable/c/c0ff6f6da66a7791a32c0234388b1bdc00244917 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Add preempt_count_{sub,add} into btf id deny list The recursion check in __bpf_prog_enter* and __bpf_prog_exit* leaves preempt_count_{sub,add} unprotected. When attaching a trampoline to them we get a panic as follows: [ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28) [ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI [ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4 [ 867.843100] Call Trace: [ 867.843101] <TASK> [ 867.843104] asm_exc_int3+0x3a/0x40 [ 867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0 [ 867.843135] __bpf_prog_enter_recur+0x17/0x90 [ 867.843148] bpf_trampoline_6442468108_0+0x2e/0x1000 [ 867.843154] ? preempt_count_sub+0x1/0xa0 [ 867.843157] preempt_count_sub+0x5/0xa0 [ 867.843159] ? migrate_enable+0xac/0xf0 [ 867.843164] __bpf_prog_exit_recur+0x2d/0x40 [ 867.843168] bpf_trampoline_6442468108_0+0x55/0x1000 … [ 867.843788] preempt_count_sub+0x5/0xa0 [ 867.843793] ? migrate_enable+0xac/0xf0 [ 867.843829] __bpf_prog_exit_recur+0x2d/0x40 [ 867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35) [ 867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c) [ 867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec) [ 867.843842] bpf_trampoline_6442468108_0+0x55/0x1000 … That is because in __bpf_prog_exit_recur, the preempt_count_{sub,add} are called after prog->active is decreased. Fix this by adding these two functions into the btf ids deny list. | 2025-12-24 | not yet calculated | CVE-2023-54086 | https://git.kernel.org/stable/c/095018267c87b8bfbbb12eeb1c0ebf2359e1782c https://git.kernel.org/stable/c/60039bf72f81638baa28652a11a68e9b0b7b5b2d https://git.kernel.org/stable/c/b9168d41b83d182f34ba927ee822edaee18d5fc8 https://git.kernel.org/stable/c/c11bd046485d7bf1ca200db0e7d0bdc4bafdd395 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ubi: Fix possible null-ptr-deref in ubi_free_volume() It will cause null-ptr-deref in the following case: uif_init() ubi_add_volume() cdev_add() -> if it fails, call kill_volumes() device_register() kill_volumes() -> if ubi_add_volume() fails call this function ubi_free_volume() cdev_del() device_unregister() -> trying to delete a not added device, it causes null-ptr-deref So ubi_free_volume() deletes devices whether they were added or not, which will cause a null-ptr-deref. Handle the error case while calling ubi_add_volume() to fix this problem. If add volume fails, set the corresponding vol to null, so it can not be accessed in kill_volumes() and release the resource in ubi_add_volume() error path. | 2025-12-24 | not yet calculated | CVE-2023-54087 | https://git.kernel.org/stable/c/5558bcf1c58720ca6e9d6198d921cb3aa337f038 https://git.kernel.org/stable/c/45b2c5ca4d2edae70f19fdb086bd927840c4c309 https://git.kernel.org/stable/c/234c53e57424992e657e6f4acc00d3df0983176f https://git.kernel.org/stable/c/fcbc795abe7897da4b5d2a6ab5010e36774b00c2 https://git.kernel.org/stable/c/5ec4c8aca5a221756a9007deadfea92795319fee https://git.kernel.org/stable/c/2ea7195b195009ecf0046e55361f393ba96d02db https://git.kernel.org/stable/c/9eccdb0760cbcb4427b5303a83a3007de998af51 https://git.kernel.org/stable/c/c15859bfd326c10230f09cb48a17f8a35f190342 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: hold queue_lock when removing blkg->q_node When blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock has to be held, otherwise, all kinds of bugs (list corruption, hard lockup, ..) can be triggered from blkg_destroy_all(). | 2025-12-24 | not yet calculated | CVE-2023-54088 | https://git.kernel.org/stable/c/b5dae1cd0d8368b4338430ff93403df67f0b8bcc https://git.kernel.org/stable/c/083b58373463a6e5ee60ecb135269348f68ad7df https://git.kernel.org/stable/c/cd4ffdf56791eec95af01f06bee1ec7665ca75c4 https://git.kernel.org/stable/c/c164c7bc9775be7bcc68754bb3431fce5823822e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: add the missing REQ_OP_WRITE for flush bio When doing mkfs.xfs on a pmem device, the following warning was ------------[ cut here ]------------ WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct Modules linked in: CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:submit_bio_noacct+0x340/0x520 …… Call Trace: <TASK> ? submit_bio_noacct+0xd5/0x520 submit_bio+0x37/0x60 async_pmem_flush+0x79/0xa0 nvdimm_flush+0x17/0x40 pmem_submit_bio+0x370/0x390 __submit_bio+0xbc/0x190 submit_bio_noacct_nocheck+0x14d/0x370 submit_bio_noacct+0x1ef/0x520 submit_bio+0x55/0x60 submit_bio_wait+0x5a/0xc0 blkdev_issue_flush+0x44/0x60 The root cause is that submit_bio_noacct() needs bio_op() to be either WRITE or ZONE_APPEND for a flush bio and async_pmem_flush() doesn't assign REQ_OP_WRITE when allocating the flush bio, so submit_bio_noacct just fails the flush bio. Simply fix it by adding the missing REQ_OP_WRITE for flush bio. And we could fix the flush order issue and do flush optimization later. | 2025-12-24 | not yet calculated | CVE-2023-54089 | https://git.kernel.org/stable/c/e39e870e1e683a71d3d2e63e661a5695f60931a7 https://git.kernel.org/stable/c/c7ab7e45ccef209809f8c2b00f497deec06b29c0 https://git.kernel.org/stable/c/c1dbd8a849183b9c12d257ad3043ecec50db50b3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix panic during XDP_TX with > 64 CPUs Commit 4fe815850bdc ("ixgbe: let the xdpdrv work with more than 64 cpus") adds support to allow XDP programs to run on systems with more than 64 CPUs by locking the XDP TX rings and indexing them using cpu % 64 (IXGBE_MAX_XDP_QS). Upon trying out this patch on a system with more than 64 cores, the kernel panicked with an array-index-out-of-bounds at the return in ixgbe_determine_xdp_ring in ixgbe.h, which means ixgbe_determine_xdp_q_idx was just returning the cpu instead of cpu % IXGBE_MAX_XDP_QS. An example splat: ========================================================================== UBSAN: array-index-out-of-bounds in /var/lib/dkms/ixgbe/5.18.6+focal-1/build/src/ixgbe.h:1147:26 index 65 is out of range for type 'ixgbe_ring *[64]' ========================================================================== BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 65 PID: 408 Comm: ksoftirqd/65 Tainted: G IOE 5.15.0-48-generic #54~20.04.1-Ubuntu Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.5.4 01/13/2020 RIP: 0010:ixgbe_xmit_xdp_ring+0x1b/0x1c0 [ixgbe] Code: 3b 52 d4 cf e9 42 f2 ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 b9 00 00 00 00 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 <44> 0f b7 47 58 0f b7 47 5a 0f b7 57 54 44 0f b7 76 08 66 41 39 c0 RSP: 0018:ffffbc3fcd88fcb0 EFLAGS: 00010282 RAX: ffff92a253260980 RBX: ffffbc3fe68b00a0 RCX: 0000000000000000 RDX: ffff928b5f659000 RSI: ffff928b5f659000 RDI: 0000000000000000 RBP: ffffbc3fcd88fce0 R08: ffff92b9dfc20580 R09: 0000000000000001 R10: 3d3d3d3d3d3d3d3d R11: 3d3d3d3d3d3d3d3d R12: 0000000000000000 R13: ffff928b2f0fa8c0 R14: ffff928b9be20050 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff92b9dfc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 000000011dd6a002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ixgbe_poll+0x103e/0x1280 [ixgbe] ? sched_clock_cpu+0x12/0xe0 __napi_poll+0x30/0x160 net_rx_action+0x11c/0x270 __do_softirq+0xda/0x2ee run_ksoftirqd+0x2f/0x50 smpboot_thread_fn+0xb7/0x150 ? sort_range+0x30/0x30 kthread+0x127/0x150 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x1f/0x30 </TASK> I think this is how it happens: Upon loading the first XDP program on a system with more than 64 CPUs, ixgbe_xdp_locking_key is incremented in ixgbe_xdp_setup. However, immediately after this, the rings are reconfigured by ixgbe_setup_tc. ixgbe_setup_tc calls ixgbe_clear_interrupt_scheme which calls ixgbe_free_q_vectors which calls ixgbe_free_q_vector in a loop. ixgbe_free_q_vector decrements ixgbe_xdp_locking_key once per call if it is non-zero. Commenting out the decrement in ixgbe_free_q_vector stopped my system from panicking. I suspect to make the original patch work, I would need to load an XDP program and then replace it in order to get ixgbe_xdp_locking_key back above 0 since ixgbe_setup_tc is only called when transitioning between XDP and non-XDP ring configurations, while ixgbe_xdp_locking_key is incremented every time ixgbe_xdp_setup is called. Also, ixgbe_setup_tc can be called via ethtool --set-channels, so this becomes another path to decrement ixgbe_xdp_locking_key to 0 on systems with more than 64 CPUs. Since ixgbe_xdp_locking_key only protects the XDP_TX path and is tied to the number of CPUs present, there is no reason to disable it upon unloading an XDP program. To avoid confusion, I have moved enabling ixgbe_xdp_locking_key into ixgbe_sw_init, which is part of the probe path. | 2025-12-24 | not yet calculated | CVE-2023-54090 | https://git.kernel.org/stable/c/1924450175349e64f8dfc3689efcb653dba0418e https://git.kernel.org/stable/c/785b2b5b47b1aa4c31862948b312ea845401c5ec https://git.kernel.org/stable/c/4cd43a19900d0b98c1ec4bb6984763369d2e19ec https://git.kernel.org/stable/c/c23ae5091a8b3e50fe755257df020907e7c029bb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/client: Fix memory leak in drm_client_target_cloned dmt_mode is allocated and never freed in this function. It was found with the ast driver, but most drivers using generic fbdev setup are probably affected. This fixes the following kmemleak report: backtrace: [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] [<00000000987f19bb>] local_pci_probe+0xdc/0x180 [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 [<0000000000b85301>] process_one_work+0x8b7/0x1540 [<000000003375b17c>] worker_thread+0x70a/0xed0 [<00000000b0d43cd9>] kthread+0x29f/0x340 [<000000008d770833>] ret_from_fork+0x1f/0x30 unreferenced object 0xff11000333089a00 (size 128): | 2025-12-24 | not yet calculated | CVE-2023-54091 | https://git.kernel.org/stable/c/d3009700f48602b557eade1f22c98b6bc20247e8 https://git.kernel.org/stable/c/a4b978249e8fa94956fce8b70a709f7797716f62 https://git.kernel.org/stable/c/52daf6ba2e0d201640cb1ce42049c5c4426b4d6e https://git.kernel.org/stable/c/105275879a80503686a8108af2f5c579a1c5aef4 https://git.kernel.org/stable/c/a85e23a1ef63e45a18f0a30d7816fcb4a865ca95 https://git.kernel.org/stable/c/b5359d7a5087ac398fc429da6833133b4784c268 https://git.kernel.org/stable/c/4b596a6e2d2e0f9c14e4122506dd715f43fcd727 https://git.kernel.org/stable/c/c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pv: fix index value of replaced ASCE The index field of the struct page corresponding to a guest ASCE should be 0. When replacing the ASCE in s390_replace_asce(), the index of the new ASCE should also be set to 0. Having the wrong index might lead to the wrong addresses being passed around when notifying pte invalidations, and eventually to validity intercepts (VM crash) if the prefix gets unmapped and the notifier gets called with the wrong address. | 2025-12-24 | not yet calculated | CVE-2023-54092 | https://git.kernel.org/stable/c/8e635da0e0d3cb45e32fa79b36218fb98281bc10 https://git.kernel.org/stable/c/49a2686adddebe1ae76b4d368383208656ef6606 https://git.kernel.org/stable/c/017f686bcb536ff23d49c143fdf9d1fd89a9a924 https://git.kernel.org/stable/c/f1c7a776338f2ac5e34da40e58fe9f33ea390a5e https://git.kernel.org/stable/c/c2fceb59bbda16468bda82b002383bff59de89ab |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: anysee: fix null-ptr-deref in anysee_master_xfer In anysee_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach anysee_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") [hverkuil: add spaces around +] | 2025-12-24 | not yet calculated | CVE-2023-54093 | https://git.kernel.org/stable/c/73c0b224ceeba12dee2a7a8cbc147648da0b2e63 https://git.kernel.org/stable/c/e04affec2506ff5c12a18d78d7e694b3556a8982 https://git.kernel.org/stable/c/8dc5b370254abc10f0cb4141d90cecf7ce465472 https://git.kernel.org/stable/c/4a9763d2bc4a6d6fab42555b9c0b2eefa32585ac https://git.kernel.org/stable/c/3dd5846a873938ec7b6d404ec27662942cd8f2ef https://git.kernel.org/stable/c/14b94154a72388b57221a2a73795c0ea61a95373 https://git.kernel.org/stable/c/5975dbbb7ad0767eaabd15d2c37a739ac76acb00 https://git.kernel.org/stable/c/c30411266fd67ea3c02a05c157231654d5a3bdc9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: prevent skb corruption on frag list segmentation Ian reported several skb corruptions triggered by rx-gro-list, collecting different oops alike: [ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0 [ 62.631083] #PF: supervisor read access in kernel mode [ 62.636312] #PF: error_code(0x0000) - not-present page [ 62.641541] PGD 0 P4D 0 [ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364 [ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022 [ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858 ./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261 net/ipv4/udp_offload.c:277) [ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246 [ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000 [ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4 [ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9 [ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2 [ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9 [ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000) knlGS:0000000000000000 [ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0 [ 62.749948] Call Trace: [ 62.752498] <TASK> [ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398) [ 62.787605] skb_mac_gso_segment (net/core/gro.c:141) [ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2)) [ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862 net/core/dev.c:3659) [ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710) [ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330) [ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210) net/netfilter/core.c:626) [ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55) [ 62.825652] maybe_deliver (net/bridge/br_forward.c:193) [ 62.829420] br_flood (net/bridge/br_forward.c:233) [ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215) [ 62.837403] br_handle_frame (net/bridge/br_input.c:298 net/bridge/br_input.c:416) [ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387) [ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570) [ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638 net/core/dev.c:5727) [ 62.876795] napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067) [ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191) [ 62.893534] __napi_poll (net/core/dev.c:6498) [ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89 net/core/dev.c:6640) [ 62.905276] kthread (kernel/kthread.c:379) [ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314) [ 62.917119] </TASK> In the critical scenario, rx-gro-list GRO-ed packets are fed, via a bridge, both to the local input path and to an egress device (tun). The segmentation of such packets unsafely writes to the cloned skbs with shared heads. This change addresses the issue by uncloning as needed the to-be-segmented skbs. | 2025-12-24 | not yet calculated | CVE-2023-54094 | https://git.kernel.org/stable/c/bc3ab5d2ab69823f5cff89cf74ef78ffa0386c9a https://git.kernel.org/stable/c/ea438eed94ac0fe69b93ac034738823c0e989a12 https://git.kernel.org/stable/c/1731234e8b60063eae858c77b55c7a88f5084353 https://git.kernel.org/stable/c/7a59f29961cf97b98b02acaadf5a0b1f8dde938c https://git.kernel.org/stable/c/c329b261afe71197d9da83c1f18eb45a7e97e089 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/iommu: Fix notifiers being shared by PCI and VIO buses fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both PCI and VIO buses. struct notifier_block is a linked list node, so this causes any notifiers later registered to either bus type to also be registered to the other since they share the same node. This causes issues in (at least) the vgaarb code, which registers a notifier for PCI buses. pci_notify() ends up being called on a vio device, converted with to_pci_dev() even though it's not a PCI device, and finally makes a bad access in vga_arbiter_add_pci_device() as discovered with KASAN: BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00 Read of size 4 at addr c000000264c26fdc by task swapper/0/1 Call Trace: dump_stack_lvl+0x1bc/0x2b8 (unreliable) print_report+0x3f4/0xc60 kasan_report+0x244/0x698 __asan_load4+0xe8/0x250 vga_arbiter_add_pci_device+0x60/0xe00 pci_notify+0x88/0x444 notifier_call_chain+0x104/0x320 blocking_notifier_call_chain+0xa0/0x140 device_add+0xac8/0x1d30 device_register+0x58/0x80 vio_register_device_node+0x9ac/0xce0 vio_bus_scan_register_devices+0xc4/0x13c __machine_initcall_pseries_vio_device_init+0x94/0xf0 do_one_initcall+0x12c/0xaa8 kernel_init_freeable+0xa48/0xba8 kernel_init+0x64/0x400 ret_from_kernel_thread+0x5c/0x64 Fix this by creating separate notifier_block structs for each bus type. [mpe: Add #ifdef to fix CONFIG_IBMVIO=n build] | 2025-12-24 | not yet calculated | CVE-2023-54095 | https://git.kernel.org/stable/c/dc0d107e624ca96aef6dd8722eb33ba3a6d157b0 https://git.kernel.org/stable/c/075a4dcdbc9a5ea793cb8ec8b78a6c0b7636fd52 https://git.kernel.org/stable/c/65bf8a196ba25cf65a858b5bb8de80f0aad76691 https://git.kernel.org/stable/c/f08944e3c6962b00827de7263a9e20688e79ad84 https://git.kernel.org/stable/c/a9ddbfed53465bc7c411231db32a488066c0c1be https://git.kernel.org/stable/c/f17d5efaafba3d5f02f0373f7c5f44711d676f3e https://git.kernel.org/stable/c/c46af58588253e5e4063bb5ddc78cd12fdf9e55d https://git.kernel.org/stable/c/6670c65bf863cd0d44ca24d4c10ef6755b8d9529 https://git.kernel.org/stable/c/c37b6908f7b2bd24dcaaf14a180e28c9132b9c58 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: soundwire: fix enumeration completion The soundwire subsystem uses two completion structures that allow drivers to wait for soundwire device to become enumerated on the bus and initialised by their drivers, respectively. The code implementing the signalling is currently broken as it does not signal all current and future waiters and also uses the wrong reinitialisation function, which can potentially lead to memory corruption if there are still waiters on the queue. Not signalling future waiters specifically breaks sound card probe deferrals as codec drivers can not tell that the soundwire device is already attached when being reprobed. Some codec runtime PM implementations suffer from similar problems as waiting for enumeration during resume can also timeout despite the device already having been enumerated. | 2025-12-24 | not yet calculated | CVE-2023-54096 | https://git.kernel.org/stable/c/48d1d0ce0782f995fda678508fdae35c5e9593f0 https://git.kernel.org/stable/c/a36b522767f3a72688893a472e80c9aa03e67eda https://git.kernel.org/stable/c/e1d54962a63b6ec04ed0204a3ecca942fde3a6fe https://git.kernel.org/stable/c/c5265691cd065464d795de5666dcfb89c26b9bc1 https://git.kernel.org/stable/c/c40d6b3249b11d60e09d81530588f56233d9aa44 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: stm32-pwr: fix of_iomap leak Smatch reports: drivers/regulator/stm32-pwr.c:166 stm32_pwr_regulator_probe() warn: 'base' from of_iomap() not released on lines: 151,166. In stm32_pwr_regulator_probe(), base is not released when devm_kzalloc() fails to allocate memory or devm_regulator_register() fails to register a new regulator device, which may cause a leak. To fix this issue, replace of_iomap() with devm_platform_ioremap_resource(). devm_platform_ioremap_resource() is a specialized function for platform devices. It allows 'base' to be automatically released whether the probe function succeeds or fails. Besides, use IS_ERR(base) instead of !base as the return value of devm_platform_ioremap_resource() can either be a pointer to the remapped memory or an ERR_PTR() encoded error code if the operation fails. | 2025-12-24 | not yet calculated | CVE-2023-54097 | https://git.kernel.org/stable/c/824683dbec234a01bd49a0589ee3323594a6f4cf https://git.kernel.org/stable/c/dfce9bb3517a78507cf96f9b83948d0b81338afa https://git.kernel.org/stable/c/ad6481f49fb2c703efa3a929643934f24b666d6a https://git.kernel.org/stable/c/f25994f7a9ad53eb756bc4869497c3ebe281ad5e https://git.kernel.org/stable/c/c091bb49b3233307c7af73dae888f0799752af3d https://git.kernel.org/stable/c/0ad07e02be0d3f0d554653382ffe53ae4879378d https://git.kernel.org/stable/c/c4a413e56d16a2ae84e6d8992f215c4dcc7fac20 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gvt: fix gvt debugfs destroy When gvt debug fs is destroyed, need to have a sane check if drm minor's debugfs root is still available or not, otherwise in case like device remove through unbinding, drm minor's debugfs directory has already been removed, then intel_gvt_debugfs_clean() would act upon dangling pointer like below oops. i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2 i915 0000:00:02.0: MDEV: Registered Console: switching to colour dummy device 80x25 i915 0000:00:02.0: MDEV: Unregistering BUG: kernel NULL pointer dereference, address: 00000000000000a0 PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15 Hardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020 RIP: 0010:down_write+0x1f/0x90 Code: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01 RSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000 RDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8 RBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0 R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000 R13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0 FS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0 Call Trace: <TASK> simple_recursive_removal+0x9f/0x2a0 ? start_creating.part.0+0x120/0x120 ? _raw_spin_lock+0x13/0x40 debugfs_remove+0x40/0x60 intel_gvt_debugfs_clean+0x15/0x30 [kvmgt] intel_gvt_clean_device+0x49/0xe0 [kvmgt] intel_gvt_driver_remove+0x2f/0xb0 i915_driver_remove+0xa4/0xf0 i915_pci_remove+0x1a/0x30 pci_device_remove+0x33/0xa0 device_release_driver_internal+0x1b2/0x230 unbind_store+0xe0/0x110 kernfs_fop_write_iter+0x11b/0x1f0 vfs_write+0x203/0x3d0 ksys_write+0x63/0xe0 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f6947cb5190 Code: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89 RSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190 RDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001 RBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001 R13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0 </TASK> Modules linked in: kvmgt CR2: 00000000000000a0 ---[ end trace 0000000000000000 ]--- | 2025-12-24 | not yet calculated | CVE-2023-54098 | https://git.kernel.org/stable/c/bb7c7b2c89d2feb347b6f9bffc1c75987adb1048 https://git.kernel.org/stable/c/ae9a61511736cc71a99f01e8b7b90f6fb6128ed8 https://git.kernel.org/stable/c/b85c8536fda3d1ed07c6d87a661ffe18d6eb214b https://git.kernel.org/stable/c/fe340500baf84b6531c9fc508b167525b9bf6446 https://git.kernel.org/stable/c/c4b850d1f448a901fbf4f7f36dec38c84009b489 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs: Protect reconfiguration of sb read-write from racing writes The reconfigure / remount code takes a lot of effort to protect filesystem's reconfiguration code from racing writes on remounting read-only. However during remounting read-only filesystem to read-write mode userspace writes can start immediately once we clear SB_RDONLY flag. This is inconvenient for example for ext4 because we need to do some writes to the filesystem (such as preparation of quota files) before we can take userspace writes so we are clearing SB_RDONLY flag before we are fully ready to accept userspace writes and syzbot has found a way to exploit this [1]. Also as far as I'm reading the code the filesystem remount code was protected from racing writes in the legacy mount path by the mount's MNT_READONLY flag so this is relatively new problem. It is actually fairly easy to protect remount read-write from racing writes using sb->s_readonly_remount flag so let's just do that instead of having to workaround these races in the filesystem code. [1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/ | 2025-12-24 | not yet calculated | CVE-2023-54099 | https://git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03 https://git.kernel.org/stable/c/7e4e87ec56aa6d008c64eab31b340a7c452b26cc https://git.kernel.org/stable/c/0ccfe21949bc9f706a86ee7351b74375c0745757 https://git.kernel.org/stable/c/295ef44a2abaf97d7a594b1d4c60d4be3738191f https://git.kernel.org/stable/c/4abda85197ba5d695e6040d580b4b409ce0d3733 https://git.kernel.org/stable/c/c541dce86c537714b6761a79a969c1623dfa222b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix use after free bug in qedi_remove() In qedi_probe() we call __qedi_probe() which initializes &qedi->recovery_work with qedi_recovery_handler() and &qedi->board_disable_work with qedi_board_disable_work(). When qedi_schedule_recovery_handler() is called, schedule_delayed_work() will finally start the work. In qedi_remove(), which is called to remove the driver, the following sequence may be observed: Fix this by finishing the work before cleanup in qedi_remove(). CPU0 CPU1 |qedi_recovery_handler qedi_remove | __qedi_remove | iscsi_host_free | scsi_host_put | //free shost | |iscsi_host_for_each_session |//use qedi->shost Cancel recovery_work and board_disable_work in __qedi_remove(). | 2025-12-24 | not yet calculated | CVE-2023-54100 | https://git.kernel.org/stable/c/fa19c533ab19161298f0780bcc6523af88f6fd20 https://git.kernel.org/stable/c/5e756a59cee6a8a79b9059c5bdf0ecbf5bb8d151 https://git.kernel.org/stable/c/3738a230831e861503119ee2691c4a7dc56ed60a https://git.kernel.org/stable/c/89f6023fc321c958a0fb11f143a6eb4544ae3940 https://git.kernel.org/stable/c/124027cd1a624ce0347adcd59241a9966a726b22 https://git.kernel.org/stable/c/c5749639f2d0a1f6cbe187d05f70c2e7c544d748 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: driver: soc: xilinx: use _safe loop iterator to avoid a use after free The hash_for_each_possible() loop dereferences "eve_data" to get the next item on the list. However the loop frees eve_data so it leads to a use after free. Use hash_for_each_possible_safe() instead. | 2025-12-24 | not yet calculated | CVE-2023-54101 | https://git.kernel.org/stable/c/49fca83f6f3f0cafe5bf5b43e8ee81cf73c2d5e0 https://git.kernel.org/stable/c/f16599e638073ef0b2828bb64f5e99138e9381b5 https://git.kernel.org/stable/c/256aace3a5d8c987183ba4832dffb36f48ea7d3b https://git.kernel.org/stable/c/c58da0ba3e5c86e51e2c1557afaf6f71e00c4533 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow A static code analysis tool flagged the possibility of buffer overflow when using copy_from_user() for a debugfs entry. Currently, it is possible that copy_from_user() copies more bytes than what would fit in the mybuf char array. Add a min() restriction check between sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect against buffer overflow. | 2025-12-24 | not yet calculated | CVE-2023-54102 | https://git.kernel.org/stable/c/644a9d5e22761a41d5005a26996a643da96de962 https://git.kernel.org/stable/c/e0e7faee3a7dd6f51350cda64997116a247eb045 https://git.kernel.org/stable/c/f91037487036e2d2f18d3c2481be6b9a366bde7f https://git.kernel.org/stable/c/a9df88cb31dcbd72104ec5883f35cbc1fb587e47 https://git.kernel.org/stable/c/ad050f6cf681ebb850a9d4bc19474d3896476301 https://git.kernel.org/stable/c/c6087b82a9146826564a55c5ca0164cac40348f5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to uncanceled work In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be an unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use | 2025-12-24 | not yet calculated | CVE-2023-54103 | https://git.kernel.org/stable/c/d346a2ef6b1ebb77d740890cfaf8478c5b286380 https://git.kernel.org/stable/c/d56dbfe750a8f96789cc86a911864f663e63bc5d https://git.kernel.org/stable/c/715c0200b4809396998e562ce5cd0284e7314cc1 https://git.kernel.org/stable/c/8977d9924843823f46696d7d9432ea4b2499ed14 https://git.kernel.org/stable/c/2fc20f8bcc2b4d31c808a5320506c31aa2cf3834 https://git.kernel.org/stable/c/c677d7ae83141d390d1253abebafa49c962afb52 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() 'op->cs' is copied in 'fun->mchip_number' which is used to access the 'mchip_offsets' and the 'rnb_gpio' arrays. These arrays have NAND_MAX_CHIPS elements, so the index must be below this limit. Fix the sanity check in order to avoid the NAND_MAX_CHIPS value. This would lead to out-of-bound accesses. | 2025-12-24 | not yet calculated | CVE-2023-54104 | https://git.kernel.org/stable/c/1f09d67d390647f83f8f9d26382b0daa43756e6f https://git.kernel.org/stable/c/eb7a5e4d14c8659cb97db6863316280e15f67209 https://git.kernel.org/stable/c/f4b700c71802c81e6f9dce362ee7a0312c8377ba https://git.kernel.org/stable/c/49e57caf967a969f6b955c88805f2d160910aa12 https://git.kernel.org/stable/c/c6abce60338aa2080973cd95be0aedad528bb41f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: isotp: check CAN address family in isotp_bind() Add missing check to block non-AF_CAN binds. Syzbot created some code which matched the right sockaddr struct size but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family field: bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10) ^^^^ This has no functional impact but the userspace should be notified about the wrong address family field content. | 2025-12-24 | not yet calculated | CVE-2023-54105 | https://git.kernel.org/stable/c/de3c02383aa678f6799402ac47fdd89cf4bfcaa9 https://git.kernel.org/stable/c/2fc6f337257f4f7c21ecff429241f7acaa6df4e8 https://git.kernel.org/stable/c/9427584c2f153d0677ef3bad6f44028c60d728c4 https://git.kernel.org/stable/c/dd4faace51e41a82a8c0770ee0cc26088f9d9d06 https://git.kernel.org/stable/c/c6adf659a8ba85913e16a571d5a9bcd17d3d1234 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fix potential memory leak in mlx5e_init_rep_rx The memory pointed to by the priv->rx_res pointer is not freed in the error path of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing the memory in the error path, thereby making the error path identical to mlx5e_cleanup_rep_rx(). | 2025-12-24 | not yet calculated | CVE-2023-54106 | https://git.kernel.org/stable/c/0582a3caaa3e2f7b80bcb113ad3c910eac15a63e https://git.kernel.org/stable/c/c265d8c2e25546a6b7ee16d36f2bb79b6160c2c3 https://git.kernel.org/stable/c/c6cf0b6097bf1bf1b2a89b521e9ecd26b581a93a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work_fn() is called asynchronously. This patch makes sure pd_free_fn() called from removing cgroup is ordered by delaying dropping parent refcount after calling pd_free_fn() for child. BTW, pd_free_fn() will also be called from blkcg_deactivate_policy() from deleting device, and following patches will guarantee the order. | 2025-12-24 | not yet calculated | CVE-2023-54107 | https://git.kernel.org/stable/c/c7241babf0855d8a6180cd1743ff0ec34de40b4e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests The following message and call trace was seen with debug kernels: DMA-API: qla2xxx 0000:41:00.0: device driver failed to check map error [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as single] WARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017 check_unmap+0xf42/0x1990 Call Trace: debug_dma_unmap_page+0xc9/0x100 qla_nvme_ls_unmap+0x141/0x210 [qla2xxx] Remove DMA mapping from the driver altogether, as it is already done by FC layer. This prevents the warning. | 2025-12-24 | not yet calculated | CVE-2023-54108 | https://git.kernel.org/stable/c/3a564de3a299856f2cbd289649cea2e20d671a43 https://git.kernel.org/stable/c/e596253113b69b4018818260bd5da40c201bee73 https://git.kernel.org/stable/c/77302fb0e357da666d5249a6e91078feeef3dade https://git.kernel.org/stable/c/3ee4f1991c54c6707aa9df47e51c02ea25bb63e3 https://git.kernel.org/stable/c/ad6af23593594402c826eefdf43ae174e5f0f202 https://git.kernel.org/stable/c/c75e6aef5039830cce5d4cf764dd204522f89e6b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: rcar_fdp1: Fix refcount leak in probe and remove function rcar_fcp_get() takes a reference, which should be balanced with rcar_fcp_put(). Add missing rcar_fcp_put() in fdp1_remove and the error paths of fdp1_probe() to fix this. [hverkuil: resolve merge conflict, remove() is now void] | 2025-12-24 | not yet calculated | CVE-2023-54109 | https://git.kernel.org/stable/c/418a8f3140e07f33bbd5a81625d0ef46c0732cef https://git.kernel.org/stable/c/9df630dafa1a59946d1da6f070d4cb64f14ea57c https://git.kernel.org/stable/c/1acb982e3616e70128994fdecf2368a259c8a489 https://git.kernel.org/stable/c/2322b262d2205720518785c2706a3283725ba402 https://git.kernel.org/stable/c/45b7461d914c867ef21c74798da8c42d13d3a0df https://git.kernel.org/stable/c/59c6addfaaaa09ff7654e4d8793cb16fd22a46d4 https://git.kernel.org/stable/c/48765ca7c6b71bf73a4cc8475a4bad9e2633cf61 https://git.kernel.org/stable/c/c766c90faf93897b77c9c5daa603cffab85ba907 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: rndis_host: Secure rndis_query check against int overflow Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to an unexpectedly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries allowing information leakage e.g. via RNDIS_OID_802_3_PERMANENT_ADDRESS OID. | 2025-12-24 | not yet calculated | CVE-2023-54110 | https://git.kernel.org/stable/c/55782f6d63a5a3dd3b84c1e0627738fc5b146b4e https://git.kernel.org/stable/c/02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0 https://git.kernel.org/stable/c/ebe6d2fcf7835f98cdbb1bd5e0414be20c321578 https://git.kernel.org/stable/c/232ef345e5d76e5542f430a29658a85dbef07f0b https://git.kernel.org/stable/c/11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95 https://git.kernel.org/stable/c/39eadaf5611ddd064ad1c53da65c02d2b0fe22a4 https://git.kernel.org/stable/c/a713602807f32afc04add331410c77ef790ef77a https://git.kernel.org/stable/c/c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups of_find_node_by_phandle() returns a node pointer with refcount incremented. We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. | 2025-12-24 | not yet calculated | CVE-2023-54111 | https://git.kernel.org/stable/c/aa017ab5716c9157c65fdce061c4a4a568af53a8 https://git.kernel.org/stable/c/5868013522297bf628eee4322d99d6d4de4f308e https://git.kernel.org/stable/c/954a7a0011d94475f8ba5ceb77a5d11e01cf402f https://git.kernel.org/stable/c/d562054a3a2eede3507a5461011ee82b671fcb88 https://git.kernel.org/stable/c/0f735f232ff59863e0b6ebac0849d637e215a9c2 https://git.kernel.org/stable/c/dbef00ef4b9b98d15183340396e5df0fa7a860d8 https://git.kernel.org/stable/c/3c40b34e3462aab12af3dba77d2e1602afc72e80 https://git.kernel.org/stable/c/c818ae563bf99457f02e8170aabd6b174f629f65 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: kcm: Fix memory leak in error path of kcm_sendmsg() syzbot reported a memory leak like below: BUG: memory leak unreferenced object 0xffff88810b088c00 (size 240): comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s) hex dump (first 32 bytes): 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634 [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline] [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815 [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline] [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748 [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494 [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548 [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577 [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append newly allocated skbs to 'head'. If some bytes are copied, an error occurs and the code jumps to the out_error label, 'last_skb' is left unmodified. A later kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the 'head' frag_list and causing the leak. This patch fixes this issue by properly updating the last allocated skb in 'last_skb'. | 2025-12-24 | not yet calculated | CVE-2023-54112 | https://git.kernel.org/stable/c/8dc7eb757b1652b82725f32e0c89a1e9f6c0e13b https://git.kernel.org/stable/c/5e5554389397e98fafb9efe395d8b4830dd5f042 https://git.kernel.org/stable/c/479c71cda14b3c3a6515773faa39055333eaa2b7 https://git.kernel.org/stable/c/33db24ad811b3576a0c2f8862506763f2be925b0 https://git.kernel.org/stable/c/97275339c34cfbccd65e87bc38fd910ae66c48ba https://git.kernel.org/stable/c/16989de75497574b5fafd174c0c233d5a86858b7 https://git.kernel.org/stable/c/af8085e0fc3207ecbf8b9e7a635c790e36d058c6 https://git.kernel.org/stable/c/c821a88bd720b0046433173185fd841a100d44ad |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rcu: dump vmalloc memory info safely Currently, for a double invocation of call_rcu(), the rcu_head object's memory info is dumped; if the object was not allocated from the slab allocator, vmalloc_dump_obj() is invoked and the vmap_area_lock spinlock needs to be held. Since call_rcu() can be invoked in interrupt context, there is a possibility of spinlock deadlock scenarios. And in a Preempt-RT kernel, the rcutorture test also triggers the following lockdep warning: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 preempt_count: 1, expected: 0 RCU nest depth: 1, expected: 1 3 locks held by swapper/0/1: #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0 #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370 #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70 irq event stamp: 565512 hardirqs last enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940 hardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370 softirqs last enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170 softirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0 Preemption disabled at: [<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x68/0xb0 dump_stack+0x14/0x20 __might_resched+0x1aa/0x280 ? __pfx_rcu_torture_err_cb+0x10/0x10 rt_spin_lock+0x53/0x130 ? find_vmap_area+0x1f/0x70 find_vmap_area+0x1f/0x70 vmalloc_dump_obj+0x20/0x60 mem_dump_obj+0x22/0x90 __call_rcu_common+0x5bf/0x940 ? debug_smp_processor_id+0x1b/0x30 call_rcu_hurry+0x14/0x20 rcu_torture_init+0x1f82/0x2370 ? __pfx_rcu_torture_leak_cb+0x10/0x10 ? __pfx_rcu_torture_leak_cb+0x10/0x10 ? __pfx_rcu_torture_init+0x10/0x10 do_one_initcall+0x6c/0x300 ? debug_smp_processor_id+0x1b/0x30 kernel_init_freeable+0x2b9/0x540 ? __pfx_kernel_init+0x10/0x10 kernel_init+0x1f/0x150 ret_from_fork+0x40/0x50 ? __pfx_kernel_init+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> The previous patch fixes this by using the deadlock-safe best-effort version of find_vm_area. However, in case of failure, print the fact that the pointer was a vmalloc pointer so that we print at least something. | 2025-12-24 | not yet calculated | CVE-2023-54113 | https://git.kernel.org/stable/c/0a22f9c17b1aa2a35b5eedee928f7841595b55cd https://git.kernel.org/stable/c/3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d https://git.kernel.org/stable/c/dddca4c46ec92f83449bc91dd199f46a89e066be https://git.kernel.org/stable/c/8fb1601ec0a2c4c34fc2170af767e5c2a6400573 https://git.kernel.org/stable/c/c83ad36a18c02c0f51280b50272327807916987f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() As the call trace shows, skb_panic was caused by a wrong skb->mac_header in nsh_gso_segment(): invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+0x452/0x890 validate_xmit_skb_list+0x99/0xd0 sch_direct_xmit+0x294/0x7c0 __dev_queue_xmit+0x16f0/0x1d70 packet_xmit+0x185/0x210 packet_snd+0xc15/0x1170 packet_sendmsg+0x7b/0xa0 sock_sendmsg+0x14f/0x160 The root cause is: nsh_gso_segment() uses skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if the inner-layer protocol gso fails. However, skb->network_header may be reset by the inner-layer protocol gso function, e.g. mpls_gso_segment. skb->mac_header, reset from the inaccurate network_header, will be larger than the skb headroom. nsh_gso_segment nhoff = skb->network_header - skb->mac_header; __skb_pull(skb,nsh_len) skb_mac_gso_segment mpls_gso_segment skb_reset_network_header(skb);//skb->network_header+=nsh_len return -EINVAL; skb_gso_error_unwind skb_push(skb, nsh_len); skb->mac_header = skb->network_header - nhoff; // skb->mac_header > skb->headroom, cause skb_push panic Use the correct mac_offset to restore mac_header and get rid of nhoff. | 2025-12-24 | not yet calculated | CVE-2023-54114 | https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2 https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86 https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2 https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9 https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44 https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() When nonstatic_release_resource_db() frees all resources associated with a PCMCIA socket, it forgets to free socket_data too, causing a memory leak observable with kmemleak: unreferenced object 0xc28d1000 (size 64): comm "systemd-udevd", pid 297, jiffies 4294898478 (age 194.484s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00 ................ 00 00 00 00 0c 10 8d c2 00 00 00 00 00 00 00 00 ................ backtrace: [<ffda4245>] __kmem_cache_alloc_node+0x2d7/0x4a0 [<7e51f0c8>] kmalloc_trace+0x31/0xa4 [<d52b4ca0>] nonstatic_init+0x24/0x1a4 [pcmcia_rsrc] [<a2f13e08>] pcmcia_register_socket+0x200/0x35c [pcmcia_core] [<a728be1b>] yenta_probe+0x4d8/0xa70 [yenta_socket] [<c48fac39>] pci_device_probe+0x99/0x194 [<84b7c690>] really_probe+0x181/0x45c [<8060fe6e>] __driver_probe_device+0x75/0x1f4 [<b9b76f43>] driver_probe_device+0x28/0xac [<648b766f>] __driver_attach+0xeb/0x1e4 [<6e9659eb>] bus_for_each_dev+0x61/0xb4 [<25a669f3>] driver_attach+0x1e/0x28 [<d8671d6b>] bus_add_driver+0x102/0x20c [<df0d323c>] driver_register+0x5b/0x120 [<942cd8a4>] __pci_register_driver+0x44/0x4c [<e536027e>] __UNIQUE_ID___addressable_cleanup_module188+0x1c/0xfffff000 [iTCO_vendor_support] Fix this by freeing socket_data too. Tested on an Acer Travelmate 4002WLMi by manually binding/unbinding the yenta_cardbus driver (yenta_socket). | 2025-12-24 | not yet calculated | CVE-2023-54115 | https://git.kernel.org/stable/c/bde0b6da7bd893c37afaee3555cc3ac3be582313 https://git.kernel.org/stable/c/2d45e2be0be35a3d66863563ed2591ee18a6897e https://git.kernel.org/stable/c/22100df1d57f04cf2370d5347b9ef547f481deea https://git.kernel.org/stable/c/04bb8af40a7729c398ed4caea7e66cedd2881719 https://git.kernel.org/stable/c/97fd1c8e9c5aa833aab7e836760bc13103afa892 https://git.kernel.org/stable/c/e8a80cf06b4bb0396212289d651b384c949f09d0 https://git.kernel.org/stable/c/fd53a1f28faba2c4806c055e706a7721006291c1 https://git.kernel.org/stable/c/c85fd9422fe0f5d667305efb27f56d09eab120b0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/fbdev-generic: prohibit potential out-of-bounds access The fbdev test of IGT may write after EOF, which leads to out-of-bounds access for drm drivers with fbdev-generic. For example, running the fbdev test on an x86+ast2400 platform, with 1680×1050 resolution, will cause the Linux kernel to hang with the following call trace: Oops: 0000 [#1] PREEMPT SMP PTI [IGT] fbdev: starting subtest eof Workqueue: events drm_fb_helper_damage_work [drm_kms_helper] [IGT] fbdev: starting subtest nullptr RIP: 0010:memcpy_erms+0xa/0x20 RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246 RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0 RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000 RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0 R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80 R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30 FS: 0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0 Call Trace: <TASK> ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper] drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper] process_one_work+0x21f/0x430 worker_thread+0x4e/0x3c0 ? __pfx_worker_thread+0x10/0x10 kthread+0xf4/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> CR2: ffffa17d40e0b000 ---[ end trace 0000000000000000 ]--- This is because the damage rectangles computed by the drm_fb_helper_memory_range_to_clip() function are not guaranteed to be bounded to the screen's active display area. Possible reasons are: 1) Buffers are allocated in the granularity of page size, for mmap system call support. The shadow screen buffer consumed by fbdev emulation may also be chosen to be page size aligned. 2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip() will introduce an off-by-one error. For example, on a 16KB page size system, in order to store a 1920×1080 XRGB framebuffer, we need to allocate 507 pages. Unfortunately, the size 1920*1080*4 can not be divided exactly by 16KB. 1920 * 1080 * 4 = 8294400 bytes 506 * 16 * 1024 = 8290304 bytes 507 * 16 * 1024 = 8306688 bytes line_length = 1920*4 = 7680 bytes 507 * 16 * 1024 / 7680 = 1081.6 off / line_length = 507 * 16 * 1024 / 7680 = 1081 DIV_ROUND_UP(507 * 16 * 1024, 7680) will yield 1082 memcpy_toio() typically issues the copy line by line; when copying the last line, out-of-bounds access will happen. Because: 1082 * line_length = 1082 * 7680 = 8309760, and 8309760 > 8306688 Note that userspace may still write to the invisible area if a larger buffer than width x stride is exposed. But it is not a big issue as long as there still have memory resolve the access if not drafting so far. - Also limit the y1 (Daniel) - keep fix patch it to minimal (Daniel) - screen_size is page size aligned because of it need mmap (Thomas) - Adding fixes tag (Thomas) | 2025-12-24 | not yet calculated | CVE-2023-54116 | https://git.kernel.org/stable/c/efd2821b8abeccb6b51423002e2a62921481a26e https://git.kernel.org/stable/c/251653fa974ea551a15d16cacfed7cde68cc7f87 https://git.kernel.org/stable/c/c8687694bb1f5c48134f152f8c5c2e53483eb99d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: s390/dcssblk: fix kernel crash with list_add corruption Commit fb08a1908cb1 ("dax: simplify the dax_device <-> gendisk association") introduced new logic for gendisk association, requiring drivers to explicitly call dax_add_host() and dax_remove_host(). For the dcssblk driver, some dax_remove_host() calls were missing, e.g. in the device remove path. The commit also broke error handling for the out_dax case in the device add path, resulting in an extra put_device() w/o the previous get_device() in that case. This led to stale xarray entries after device add / remove cycles. In the case when a previously used struct gendisk pointer (xarray index) would be used again, because blk_alloc_disk() happened to return such a pointer, the xa_insert() in dax_add_host() would fail and go to out_dax, doing the extra put_device() in the error path. In combination with an already flawed error handling in dcssblk (device_register() cleanup), which needs to be addressed in a separate patch, this resulted in a missing device_del() / klist_del(), and eventually in the kernel crash with list_add corruption on a subsequent device_add() / klist_add(). Fix this by adding the missing dax_remove_host() calls, and also move the put_device() in the error path to restore the previous logic. | 2025-12-24 | not yet calculated | CVE-2023-54117 | https://git.kernel.org/stable/c/6489ec0107860345bc57dcde39e63dfb05ac5c11 https://git.kernel.org/stable/c/b7ad75c77349beb4983b9f27108d9b3f33ae1413 https://git.kernel.org/stable/c/b5c531a9a7d8e047c90c909f09cef06a9f8e62f4 https://git.kernel.org/stable/c/c8f40a0bccefd613748d080147469a4652d6e74c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: setup GPIO controller later in probe The GPIO controller component of the sc16is7xx driver is set up too early, which can result in a race condition where another device tries to utilise the GPIO lines before the sc16is7xx device has finished initialising. This issue manifests itself as an Oops when the GPIO lines are configured: Unable to handle kernel read from unreadable memory at virtual address ... pc : sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx] lr : sc16is7xx_gpio_direction_output+0x4c/0x108 [sc16is7xx] ... Call trace: sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx] gpiod_direction_output_raw_commit+0x64/0x318 gpiod_direction_output+0xb0/0x170 create_gpio_led+0xec/0x198 gpio_led_probe+0x16c/0x4f0 platform_drv_probe+0x5c/0xb0 really_probe+0xe8/0x448 driver_probe_device+0xe8/0x138 __device_attach_driver+0x94/0x118 bus_for_each_drv+0x8c/0xe0 __device_attach+0x100/0x1b8 device_initial_probe+0x28/0x38 bus_probe_device+0xa4/0xb0 deferred_probe_work_func+0x90/0xe0 process_one_work+0x1c4/0x480 worker_thread+0x54/0x430 kthread+0x138/0x150 ret_from_fork+0x10/0x1c This patch moves the setup of the GPIO controller functions to later in the probe function, ensuring the sc16is7xx device has already finished initialising by the time other devices try to make use of the GPIO lines. The error handling has also been reordered to reflect the new initialisation order. | 2025-12-24 | not yet calculated | CVE-2023-54118 | https://git.kernel.org/stable/c/17b96b5c19bec791b433890549e44ca523dc82aa https://git.kernel.org/stable/c/49b326ce8a686428d8cbb82ed74fc88ed3f95a51 https://git.kernel.org/stable/c/f57c2164d082a36d177ab7fbf54c18970df89c22 https://git.kernel.org/stable/c/b71ff206707855ce73c04794c76f7b678b2d4f72 https://git.kernel.org/stable/c/c8f71b49ee4d28930c4a6798d1969fa91dc4ef3e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: inotify: Avoid reporting event with invalid wd When inotify_freeing_mark() races with inotify_handle_inode_event() it can happen that inotify_handle_inode_event() sees that i_mark->wd got already reset to -1 and reports this value to userspace which can confuse the inotify listener. Avoid the problem by validating that wd is sensible (and pretend the mark got removed before the event got generated otherwise). | 2025-12-24 | not yet calculated | CVE-2023-54119 | https://git.kernel.org/stable/c/8fb33166aed888769ea63d6af49515893f8a1f14 https://git.kernel.org/stable/c/2d65c97777e5b4a845637800d5d7b648f5772106 https://git.kernel.org/stable/c/17ad86d8c12220de97e80d88b5b4c934a40e1812 https://git.kernel.org/stable/c/145f54ea336b06cf4f92eeee996f2ffca939ea43 https://git.kernel.org/stable/c/fb3294998489d39835006240e9c6e6b2ac62022e https://git.kernel.org/stable/c/a48bacee05860c6089c3482bcdc80720b0ee5732 https://git.kernel.org/stable/c/c915d8f5918bea7c3962b09b8884ca128bfd9b0c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix race condition in hidp_session_thread There is a potential race condition in hidp_session_thread that may lead to use-after-free. For instance, the timer is active while hidp_del_timer is called in hidp_session_thread(). After hidp_session_put, then 'session' will be freed, causing kernel panic when hidp_idle_timeout is running. The solution is to use del_timer_sync instead of del_timer. Here is the call trace: ? hidp_session_probe+0x780/0x780 call_timer_fn+0x2d/0x1e0 __run_timers.part.0+0x569/0x940 hidp_session_probe+0x780/0x780 call_timer_fn+0x1e0/0x1e0 ktime_get+0x5c/0xf0 lapic_next_deadline+0x2c/0x40 clockevents_program_event+0x205/0x320 run_timer_softirq+0xa9/0x1b0 __do_softirq+0x1b9/0x641 __irq_exit_rcu+0xdc/0x190 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0xa1/0xc0 | 2025-12-24 | not yet calculated | CVE-2023-54120 | https://git.kernel.org/stable/c/152f47bd6b995e0e98c85672f6d19894bc287ef2 https://git.kernel.org/stable/c/5f3d214d19899183d4e0cce7552998262112e4ab https://git.kernel.org/stable/c/8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be https://git.kernel.org/stable/c/f7ec5ca433ceead8d9d78fd2febff094f289441d https://git.kernel.org/stable/c/0efb276d5848a3accc37c6f41b85e442c4768169 https://git.kernel.org/stable/c/f6719fd8f409fa1da8dc956e93822d25e1e8b360 https://git.kernel.org/stable/c/248af9feca062a4ca9c3f2ccf67056c8a5eb817f https://git.kernel.org/stable/c/c95930abd687fcd1aa040dc4fe90dff947916460 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect splitting in btrfs_drop_extent_map_range In production we were seeing a variety of WARN_ON()s in the extent_map code, specifically in btrfs_drop_extent_map_range() when we have to call add_extent_mapping() for our second split. Consider the following extent map layout PINNED [0 16K) [32K, 48K) and then we call btrfs_drop_extent_map_range for [0, 36K), with skip_pinned == true. The initial loop will have start = 0 end = 36K len = 36K we will find the [0, 16k) extent, but since we are pinned we will skip it, which has this code start = em_end; if (end != (u64)-1) len = start + len - em_end; em_end here is 16K, so now the values are start = 16K len = 16K + 36K - 16K = 36K len should instead be 20K. This is a problem when we find the next extent at [32K, 48K), we need to split this extent to leave [36K, 48k), however the code for the split looks like this split->start = start + len; split->len = em_end - (start + len); In this case we have em_end = 48K split->start = 16K + 36K // this should be 16K + 20K split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K and now we have an invalid extent_map in the tree that potentially overlaps other entries in the extent map. Even in the non-overlapping case we will have split->start set improperly, which will cause problems with any block related calculations. We don't actually need len in this loop, we can simply use end as our end point, and only adjust start up when we find a pinned extent we need to skip. Adjust the logic to do this, which keeps us from inserting an invalid extent map. We only skip_pinned in the relocation case, so this is relatively rare, except in the case where you are running relocation a lot, which can happen with auto relocation on. | 2025-12-24 | not yet calculated | CVE-2023-54121 | https://git.kernel.org/stable/c/9f68e2105dd96cf0fafffffafb2337fbd0fbae1f https://git.kernel.org/stable/c/b43a4c99d878cf5e59040e45c96bb0a8358bfb3b https://git.kernel.org/stable/c/c962098ca4af146f2625ed64399926a098752c9c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add check for cstate As kzalloc may fail and return NULL pointer, it should be better to check cstate in order to avoid the NULL pointer dereference in __drm_atomic_helper_crtc_reset. Patchwork: https://patchwork.freedesktop.org/patch/514163/ | 2025-12-24 | not yet calculated | CVE-2023-54122 | https://git.kernel.org/stable/c/a6afb8293ec0932f4ed0b7aecfc0ccc00f44dc2b https://git.kernel.org/stable/c/31f2f8de0ea7387cde18a24f94ba5e0b886b9842 https://git.kernel.org/stable/c/d4ba50614cb3f0686bbdb505af685d78e75861dc https://git.kernel.org/stable/c/42442d42c57b9fbc35cb5ef72c7e5347c5f7d082 https://git.kernel.org/stable/c/a52e5a002d18bffabff66f6f59a74f8e9aac5afe https://git.kernel.org/stable/c/c96988b7d99327bb08bd9efd29a203b22cd88ace |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix memleak for 'conf->bio_split' In the error path of raid10_run(), 'conf' needs to be freed; however, 'conf->bio_split' is missed and memory will be leaked. Since there are 3 places to free 'conf', factor out a helper to fix the problem. | 2025-12-24 | not yet calculated | CVE-2023-54123 | https://git.kernel.org/stable/c/133008af833b4f2e021d2c294c29c70364a3f0ba https://git.kernel.org/stable/c/b6460f68c1cc95a80d089af402be501619f228e4 https://git.kernel.org/stable/c/6361b0592b46c465ac926c1f3105d66c30d9658b https://git.kernel.org/stable/c/7f673fa34c0e3f95ee951a1bbf61791164871d2e https://git.kernel.org/stable/c/b21019a220d9cac08819bb6c63000de9ee61eb9e https://git.kernel.org/stable/c/5cba3e26c073b535e4e3b825ea481fb29c53943b https://git.kernel.org/stable/c/e2fec8d95353a48634b085011626ba3ec8ab8b1c https://git.kernel.org/stable/c/c9ac2acde53f5385de185bccf6aaa91cf9ac1541 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to drop all dirty pages during umount() if cp_error is set xfstest generic/361 reports a bug as below: f2fs_bug_on(sbi, sbi->fsync_node_num); kernel BUG at fs/f2fs/super.c:1627! RIP: 0010:f2fs_put_super+0x3a8/0x3b0 Call Trace: generic_shutdown_super+0x8c/0x1b0 kill_block_super+0x2b/0x60 kill_f2fs_super+0x87/0x110 deactivate_locked_super+0x39/0x80 deactivate_super+0x46/0x50 cleanup_mnt+0x109/0x170 __cleanup_mnt+0x16/0x20 task_work_run+0x65/0xa0 exit_to_user_mode_prepare+0x175/0x190 syscall_exit_to_user_mode+0x25/0x50 do_syscall_64+0x4c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc During umount(), if cp_error is set, f2fs_wait_on_all_pages() should not stop waiting for all F2FS_WB_CP_DATA pages to be written back; otherwise, fsync_node_num can be non-zero after f2fs_wait_on_all_pages(), causing this bug. In this case, to avoid a deadloop in f2fs_wait_on_all_pages(), it needs to drop all dirty pages rather than redirtying them. | 2025-12-24 | not yet calculated | CVE-2023-54124 | https://git.kernel.org/stable/c/92575f05a32dafb16348bfa5e62478118a9be069 https://git.kernel.org/stable/c/4ceedc2f8bdffb82e40b7d1bb912304f8e157cb1 https://git.kernel.org/stable/c/ad87bd313f70b51e48019d5ce2d02d73152356b3 https://git.kernel.org/stable/c/d8f4ad5f3979dbd8e6251259562f12472717883a https://git.kernel.org/stable/c/7741ddc882a0c806a6508ba8203c55a779db7a21 https://git.kernel.org/stable/c/82c3d6e9db41cbd3af1d4f90bdb441740b5fad10 https://git.kernel.org/stable/c/c9b3649a934d131151111354bcbb638076f03a30 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Return error for inconsistent extended attributes ntfs_read_ea is called when we want to read extended attributes. There are some sanity checks for the validity of the EAs. However, it fails to return a proper error code for the inconsistent attributes, which might lead to unpredicted memory accesses after return. [ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0 [ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199 [ 138.931132] [ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4 [ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 138.947327] Call Trace: [ 138.949557] <TASK> [ 138.951539] dump_stack_lvl+0x4d/0x67 [ 138.956834] print_report+0x16f/0x4a6 [ 138.960798] ? ntfs_set_ea+0x453/0xbf0 [ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200 [ 138.969793] ? ntfs_set_ea+0x453/0xbf0 [ 138.973523] kasan_report+0xb8/0x140 [ 138.976740] ? ntfs_set_ea+0x453/0xbf0 [ 138.980578] __asan_store4+0x76/0xa0 [ 138.984669] ntfs_set_ea+0x453/0xbf0 [ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10 [ 138.993390] ? kernel_text_address+0xd3/0xe0 [ 138.998270] ? __kernel_text_address+0x16/0x50 [ 139.002121] ? unwind_get_return_address+0x3e/0x60 [ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 139.010177] ? arch_stack_walk+0xa2/0x100 [ 139.013657] ? filter_irq_stacks+0x27/0x80 [ 139.017018] ntfs_setxattr+0x405/0x440 [ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10 [ 139.026569] ? kvmalloc_node+0x2d/0x120 [ 139.030329] ? kasan_save_stack+0x41/0x60 [ 139.033883] ? kasan_save_stack+0x2a/0x60 [ 139.037338] ? kasan_set_track+0x29/0x40 [ 139.040163] ? kasan_save_alloc_info+0x1f/0x30 [ 139.043588] ? __kasan_kmalloc+0x8b/0xa0 [ 139.047255] ? __kmalloc_node+0x68/0x150 [ 139.051264] ? kvmalloc_node+0x2d/0x120 [ 139.055301] ? vmemdup_user+0x2b/0xa0 [ 139.058584] __vfs_setxattr+0x121/0x170 [ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10 [ 139.066282] __vfs_setxattr_noperm+0x97/0x300 [ 139.070061] __vfs_setxattr_locked+0x145/0x170 [ 139.073580] vfs_setxattr+0x137/0x2a0 [ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10 [ 139.080223] ? __kasan_check_write+0x18/0x20 [ 139.084234] do_setxattr+0xce/0x150 [ 139.087768] setxattr+0x126/0x140 [ 139.091250] ? __pfx_setxattr+0x10/0x10 [ 139.094948] ? __virt_addr_valid+0xcb/0x140 [ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330 [ 139.102688] ? debug_smp_processor_id+0x1b/0x30 [ 139.105985] ? kasan_quarantine_put+0x5b/0x190 [ 139.109980] ? putname+0x84/0xa0 [ 139.113886] ? __kasan_slab_free+0x11e/0x1b0 [ 139.117961] ? putname+0x84/0xa0 [ 139.121316] ? preempt_count_sub+0x1c/0xd0 [ 139.124427] ? __mnt_want_write+0xae/0x100 [ 139.127836] ? mnt_want_write+0x8f/0x150 [ 139.130954] path_setxattr+0x164/0x180 [ 139.133998] ? __pfx_path_setxattr+0x10/0x10 [ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10 [ 139.141299] ? debug_smp_processor_id+0x1b/0x30 [ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80 [ 139.150796] __x64_sys_setxattr+0x71/0x90 [ 139.155407] do_syscall_64+0x3f/0x90 [ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 139.163843] RIP: 0033:0x7f108cae4469 [ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc [ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469 [ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6 [ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618 [ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0 [ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15 ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54125 | https://git.kernel.org/stable/c/1474098b590a426d90f27bb992f17c326e0b60c1 https://git.kernel.org/stable/c/c9db0ff04649aa0b45f497183c957fe260f229f6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: safexcel - Cleanup ring IRQ workqueues on load failure A failure loading the safexcel driver results in the following warning on boot, because the IRQ affinity has not been correctly cleaned up. Ensure we clean up the affinity and workqueues on a failure to load the driver. crypto-safexcel: probe of f2800000.crypto failed with error -2 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 232 at kernel/irq/manage.c:1913 free_irq+0x300/0x340 Modules linked in: hwmon mdio_i2c crypto_safexcel(+) md5 sha256_generic libsha256 authenc libdes omap_rng rng_core nft_masq nft_nat nft_chain_nat nf_nat nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink fuse autofs4 CPU: 1 PID: 232 Comm: systemd-udevd Tainted: G W 6.1.6-00002-g9d4898824677 #3 Hardware name: MikroTik RB5009 (DT) pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : free_irq+0x300/0x340 lr : free_irq+0x2e0/0x340 sp : ffff800008fa3890 x29: ffff800008fa3890 x28: 0000000000000000 x27: 0000000000000000 x26: ffff8000008e6dc0 x25: ffff000009034cac x24: ffff000009034d50 x23: 0000000000000000 x22: 000000000000004a x21: ffff0000093e0d80 x20: ffff000009034c00 x19: ffff00000615fc00 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 000075f5c1584c5e x14: 0000000000000017 x13: 0000000000000000 x12: 0000000000000040 x11: ffff000000579b60 x10: ffff000000579b62 x9 : ffff800008bbe370 x8 : ffff000000579dd0 x7 : 0000000000000000 x6 : ffff000000579e18 x5 : ffff000000579da8 x4 : ffff800008ca0000 x3 : ffff800008ca0188 x2 : 0000000013033204 x1 : ffff000009034c00 x0 : ffff8000087eadf0 Call trace: free_irq+0x300/0x340 devm_irq_release+0x14/0x20 devres_release_all+0xa0/0x100 device_unbind_cleanup+0x14/0x60 really_probe+0x198/0x2d4 __driver_probe_device+0x74/0xdc driver_probe_device+0x3c/0x110 __driver_attach+0x8c/0x190 bus_for_each_dev+0x6c/0xc0 driver_attach+0x20/0x30 bus_add_driver+0x148/0x1fc driver_register+0x74/0x120 __platform_driver_register+0x24/0x30 safexcel_init+0x48/0x1000 [crypto_safexcel] do_one_initcall+0x4c/0x1b0 do_init_module+0x44/0x1cc load_module+0x1724/0x1be4 __do_sys_finit_module+0xbc/0x110 __arm64_sys_finit_module+0x1c/0x24 invoke_syscall+0x44/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x20/0x80 el0_svc+0x14/0x4c el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x148/0x14c ---[ end trace 0000000000000000 ]--- | 2025-12-24 | not yet calculated | CVE-2023-54126 | https://git.kernel.org/stable/c/4f4de392f4926820ec1fd3573a016c704a68893d https://git.kernel.org/stable/c/0a89d4a075524cf1f865cfdbb9cf38ab8e3e5409 https://git.kernel.org/stable/c/09e177d6f7edd0873a63f51abe914902ec0f4400 https://git.kernel.org/stable/c/4d9d2fd86766ee3ec077c011aa482e85b6c9595c https://git.kernel.org/stable/c/162f9daf0c22480f88b24fd46d16abae46c10fce https://git.kernel.org/stable/c/ab573af2655ba509e2a167897de9b5585c2ca44d https://git.kernel.org/stable/c/ca25c00ccbc5f942c63897ed23584cfc66e8ec81 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 […] Call Trace: <TASK> […] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd […] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd […] JFS_SBI(ipbmap->i_sb)->bmap wasn’t set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case – they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. | 2025-12-24 | not yet calculated | CVE-2023-54127 | https://git.kernel.org/stable/c/798c5f6f98bc9045593d4b3a65c32f05d97bd0e6 https://git.kernel.org/stable/c/aef6507e85475e30831c30405d785c7ed976ea4a https://git.kernel.org/stable/c/b12ccbfdf6539ef0157868f69fcae0b7f7a072b3 https://git.kernel.org/stable/c/6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27 https://git.kernel.org/stable/c/aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b https://git.kernel.org/stable/c/2f7a36448f51d08d3a83f1514abcca4b680bcd3c https://git.kernel.org/stable/c/f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f https://git.kernel.org/stable/c/cade5397e5461295f3cb87880534b6a07cafa427 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs: drop peer group ids under namespace lock When cleaning up peer group ids in the failure path we need to make sure to hold on to the namespace lock. Otherwise another thread might just turn the mount from a shared into a non-shared mount concurrently. | 2025-12-24 | not yet calculated | CVE-2023-54128 | https://git.kernel.org/stable/c/0af8fae81d8b7f1beddc17c5d4cfa43235134648 https://git.kernel.org/stable/c/ddca03d97daa7b07b60c52e3d3060762732c6666 https://git.kernel.org/stable/c/65c324d3f35c05e37afec39ac80743583fdcc96c https://git.kernel.org/stable/c/cb2239c198ad9fbd5aced22cf93e45562da781eb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Add validation for lmac type Upon physical link change, firmware reports to the kernel about the change along with the details like speed, lmac_type_id, etc. Kernel derives lmac_type based on lmac_type_id received from firmware. In a few scenarios, firmware returns an invalid lmac_type_id, which results in the kernel panic below. This patch adds the missing validation of the lmac_type_id field. Internal error: Oops: 96000005 [#1] PREEMPT SMP [ 35.321595] Modules linked in: [ 35.328982] CPU: 0 PID: 31 Comm: kworker/0:1 Not tainted 5.4.210-g2e3169d8e1bc-dirty #17 [ 35.337014] Hardware name: Marvell CN103XX board (DT) [ 35.344297] Workqueue: events work_for_cpu_fn [ 35.352730] pstate: 40400089 (nZcv daIf +PAN -UAO) [ 35.360267] pc : strncpy+0x10/0x30 [ 35.366595] lr : cgx_link_change_handler+0x90/0x180 | 2025-12-24 | not yet calculated | CVE-2023-54129 | https://git.kernel.org/stable/c/83a7f27c5b94e43f29f8216a32790751139aa61e https://git.kernel.org/stable/c/afd7660c766c4d317feae004e5cd829390bbc4b0 https://git.kernel.org/stable/c/5c0268b141ad612b6fca13d3a66cfda111716dbb https://git.kernel.org/stable/c/cb5edce271764524b88b1a6866b3e626686d9a33 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling Commit 55d1cbbbb29e (“hfs/hfsplus: use WARN_ON for sanity check”) fixed a build warning by turning a comment into a WARN_ON(), but it turns out that syzbot then complains because it can trigger said warning with a corrupted hfs image. The warning actually does warn about a bad situation, but we are much better off just handling it as the error it is. So rather than warn about us doing bad things, stop doing the bad things and return -EIO. While at it, also fix a memory leak that was introduced by an earlier fix for a similar syzbot warning situation, and add a check for one case that historically wasn’t handled at all (ie neither comment nor subsequent WARN_ON). | 2025-12-24 | not yet calculated | CVE-2023-54130 | https://git.kernel.org/stable/c/cc2164ada548addfa8ee215196661c3afe0c5154 https://git.kernel.org/stable/c/82725be426bce0a425cc5e26fbad61ffd29cff03 https://git.kernel.org/stable/c/da23752d9660ba7a8ca6c5768fd8776f67f59ee7 https://git.kernel.org/stable/c/be01f35efa876eb81cebab2cb0add068b7280ef4 https://git.kernel.org/stable/c/f10defb0be6ac42fb6a97b45920d32da6bd6fde8 https://git.kernel.org/stable/c/90e019006644dad35862cb4aa270f561b0732066 https://git.kernel.org/stable/c/45917be9f0af339a45b4619f31c902d37b8aed59 https://git.kernel.org/stable/c/cb7a95af78d29442b8294683eca4897544b8ef46 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00: Fix memory leak when handling surveys When removing a rt2x00 device, its associated channel surveys are not freed, causing a memory leak observable with kmemleak: unreferenced object 0xffff9620f0881a00 (size 512): comm “systemd-udevd”, pid 2290, jiffies 4294906974 (age 33.768s) hex dump (first 32 bytes): 70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00 pD………….. 00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00 ……………. backtrace: [<ffffffffb0ed858b>] __kmalloc+0x4b/0x130 [<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib] [<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb] [<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib] [<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb] [<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore] [<ffffffffb13be2d5>] really_probe+0x1a5/0x410 [<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180 [<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90 [<ffffffffb13be972>] __driver_attach+0xd2/0x1c0 [<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0 [<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210 [<ffffffffb13bfc6c>] driver_register+0x5c/0x120 [<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore] [<ffffffffb0c011c4>] do_one_initcall+0x44/0x220 [<ffffffffb0d6134c>] do_init_module+0x4c/0x220 Fix this by freeing the channel surveys on device removal. Tested with a RT3070 based USB wireless adapter. | 2025-12-24 | not yet calculated | CVE-2023-54131 | https://git.kernel.org/stable/c/eb77c0c0a17c53d83b5fe8e46490fb0a7ed9e6af https://git.kernel.org/stable/c/bea3f8aa999318bdffa2d17753e492f76904f0ce https://git.kernel.org/stable/c/494064ffd60d044c097d514917c40913d1affbca https://git.kernel.org/stable/c/0354bce76ed1d775904acdb4cc0bf88c5b9b5b9f https://git.kernel.org/stable/c/cbef9a83c51dfcb07f77cfa6ac26f53a1ea86f49 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: stop parsing non-compact HEAD index if clusterofs is invalid Syzbot generated a crafted image [1] with a non-compact HEAD index of clusterofs 33024 while valid numbers should be 0 ~ lclustersize-1, which causes the following unexpected behavior as below: BUG: unable to handle page fault for address: fffff52101a3fff9 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 23ffed067 P4D 23ffed067 PUD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4398 Comm: kworker/u5:1 Not tainted 6.3.0-rc6-syzkaller-g09a9639e56c0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 Workqueue: erofs_worker z_erofs_decompressqueue_work RIP: 0010:z_erofs_decompress_queue+0xb7e/0x2b40 … Call Trace: <TASK> z_erofs_decompressqueue_work+0x99/0xe0 process_one_work+0x8f6/0x1170 worker_thread+0xa63/0x1210 kthread+0x270/0x300 ret_from_fork+0x1f/0x30 Note that normal images or images using compact indexes are not impacted. Let’s fix this now. [1] https://lore.kernel.org/r/000000000000ec75b005ee97fbaa@google.com | 2025-12-24 | not yet calculated | CVE-2023-54132 | https://git.kernel.org/stable/c/880c79bdb002b9d5b6940e52c2ad3829c2178207 https://git.kernel.org/stable/c/7a4579cd6e4936de107c82499c3c9ee11b63401e https://git.kernel.org/stable/c/060fecf1114ff9fcfe87953fe8c4fc5048777160 https://git.kernel.org/stable/c/7ee7a86e28ce9ead7112286c388df8d254c373c6 https://git.kernel.org/stable/c/f01b2894928affa3339d355608713cf3db8360b8 https://git.kernel.org/stable/c/96a845419b3722869f09883319de4d55c44d9aef https://git.kernel.org/stable/c/cc4efd3dd2ac9f89143e5d881609747ecff04164 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfp: clean mc addresses in application firmware when closing port When moving devices from one namespace to another, mc addresses are cleaned in software while not removed from application firmware. Thus the mc addresses remain and will cause a resource leak. Now use `__dev_mc_unsync` to clean mc addresses when closing port. | 2025-12-24 | not yet calculated | CVE-2023-54133 | https://git.kernel.org/stable/c/c427221733d49fd1e1b79b4a86746acf3ef660e7 https://git.kernel.org/stable/c/cc7eab25b1cf3f9594fe61142d3523ce4d14a788 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: autofs: fix memory leak of waitqueues in autofs_catatonic_mode Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm “syz-executor399”, pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ……….’….. 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..’…………. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that the ‘wq->name.name == NULL’ condition may not be satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not correct behaviour. edit: imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it’s not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn’t been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of the automount daemon. In this case any waiting processes won’t be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues whose counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can’t be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk | 2025-12-24 | not yet calculated | CVE-2023-54134 | https://git.kernel.org/stable/c/1985e8eae8627f02e3364690c5fed7af1c46be55 https://git.kernel.org/stable/c/976abbdc120a97049b9133e60fa7b29627d11de4 https://git.kernel.org/stable/c/6079dc77c6f32936e8a6766ee8334ae3c99f4504 https://git.kernel.org/stable/c/69ddafc7a7afd8401bab53eff5af813fa0d368a2 https://git.kernel.org/stable/c/71eeddcad7342292c19042c290c477697acaccab https://git.kernel.org/stable/c/726deae613bc1b6096ad3b61cc1e63e33330fbc2 https://git.kernel.org/stable/c/696b625f3f85d80fca48c24d2948fbc451e74366 https://git.kernel.org/stable/c/ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix potential out-of-bounds access in mas_wr_end_piv() Check the write offset end bounds before using it as the offset into the pivot array. This avoids a possible out-of-bounds access on the pivot array if the write extends to the last slot in the node, in which case the node maximum should be used as the end pivot. akpm: this doesn’t affect any current callers, but new users of mapletree may encounter this problem if backported into earlier kernels, so let’s fix it in -stable kernels in case of this. | 2025-12-24 | not yet calculated | CVE-2023-54135 | https://git.kernel.org/stable/c/4e2ad53ababeaac44d71162650984abfe783960c https://git.kernel.org/stable/c/dc4751bd4aba01ccfc02f91adfeee0ba4cda405c https://git.kernel.org/stable/c/f5fcf6555a2a4f32947d17b92b173837cc652891 https://git.kernel.org/stable/c/cd00dd2585c4158e81fdfac0bbcc0446afbad26d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: serial: sprd: Fix DMA buffer leak issue Release DMA buffer when _probe() returns failure to avoid memory leak. | 2025-12-24 | not yet calculated | CVE-2023-54136 | https://git.kernel.org/stable/c/c65be6ad55e5e45f8c4e40e1d8d7fe0e21b26e77 https://git.kernel.org/stable/c/9a26aaea6c212ea26bab159933dbfd3321a491f6 https://git.kernel.org/stable/c/f34508d934c4f2efb6a85787fc37f42184dabadf https://git.kernel.org/stable/c/6d209ed70f9c388727995aaece1f930fe63d402b https://git.kernel.org/stable/c/0237f913694d57bcd7e0e7ae6f255b648a1c42a7 https://git.kernel.org/stable/c/4ee715e54e255b1be65722f715fca939d5c2ca7a https://git.kernel.org/stable/c/cd119fdc3ee1450fbf7f78862b5de44c42b6e47f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output: struct vfio_iommu_type1_info_cap_migration { struct vfio_info_cap_header header; /* 0 8 */ __u32 flags; /* 8 4 */ /* XXX 4 bytes hole, try to pack */ __u64 pgsize_bitmap; /* 16 8 */ __u64 max_dirty_bitmap_size; /* 24 8 */ /* size: 32, cachelines: 1, members: 4 */ /* sum members: 28, holes: 1, sum holes: 4 */ /* last cacheline: 32 bytes */ }; The cap_mig variable is filled in without initializing the hole: static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, struct vfio_info_cap *caps) { struct vfio_iommu_type1_info_cap_migration cap_mig; cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; cap_mig.header.version = 1; cap_mig.flags = 0; /* support minimum pgsize */ cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap); cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX; return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig)); } The structure is then copied to a temporary location on the heap. At this point it’s already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace later: int vfio_info_add_capability(struct vfio_info_cap *caps, struct vfio_info_cap_header *cap, size_t size) { struct vfio_info_cap_header *header; header = vfio_info_cap_add(caps, size, cap->id, cap->version); if (IS_ERR(header)) return PTR_ERR(header); memcpy(header + 1, cap + 1, size - sizeof(*header)); return 0; } This issue was found by code inspection. | 2025-12-24 | not yet calculated | CVE-2023-54137 | https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132 https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51 https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9 https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on irq uninstall In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitialisation code can be called with the kms pointer set to NULL. Patchwork: https://patchwork.freedesktop.org/patch/525104/ | 2025-12-24 | not yet calculated | CVE-2023-54138 | https://git.kernel.org/stable/c/e2d1cc82ad509c07a9ab0ab4bf88b6613fbf784b https://git.kernel.org/stable/c/dd8ce825b165acf997689c5ffa45d6a7a1fc0260 https://git.kernel.org/stable/c/bafa985acff9b0ed53957beff33c18be08d6b9a6 https://git.kernel.org/stable/c/72092e34742e8b34accdadfa7bd9a13cf255a531 https://git.kernel.org/stable/c/cd459c005de3e2b855a8cc7768e633ce9d018e9f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tracing/user_events: Ensure write index cannot be negative The write index indicates which event the data is for and accesses a per-file array. The index is passed by user processes during write() calls as the first 4 bytes. Ensure that it cannot be negative by returning -EINVAL to prevent out of bounds accesses. Update ftrace self-test to ensure this occurs properly. | 2025-12-24 | not yet calculated | CVE-2023-54139 | https://git.kernel.org/stable/c/0489c2b2c3104b89f078dbcec8c744dfc157d3e9 https://git.kernel.org/stable/c/4fe46b5adf18e3dc606e62c9e6a0413398a17572 https://git.kernel.org/stable/c/fa7f2f5d1739452280c22727c4384a52b72ab5de https://git.kernel.org/stable/c/cd98c93286a30cc4588dfd02453bec63c2f4acf4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse A syzbot stress test using a corrupted disk image reported that mark_buffer_dirty() called from __nilfs_mark_inode_dirty() or nilfs_palloc_commit_alloc_entry() may output a kernel warning, and can panic if the kernel is booted with panic_on_warn. This is because nilfs2 keeps buffer pointers in local structures for some metadata and reuses them, but such buffers may be forcibly discarded by nilfs_clear_dirty_page() in some critical situations. This issue is reported to appear after commit 28a65b49eb53 (“nilfs2: do not write dirty data after degenerating to read-only”), but the issue has potentially existed before. Fix this issue by checking the uptodate flag when attempting to reuse an internally held buffer, and reloading the metadata instead of reusing the buffer if the flag was lost. | 2025-12-24 | not yet calculated | CVE-2023-54140 | https://git.kernel.org/stable/c/473795610594f261e98920f0945550314df36f07 https://git.kernel.org/stable/c/d95e403588738c7ec38f52b9f490b15e7745d393 https://git.kernel.org/stable/c/99a73016a5e12a09586a96f998e91f9ea145cd00 https://git.kernel.org/stable/c/f1d637b63d8a27ac3386f186a694907f2717fc13 https://git.kernel.org/stable/c/b911bef132a06de01a745c6a24172d6db7216333 https://git.kernel.org/stable/c/4da07e958bfda2d69d83db105780e8916e3ac02e https://git.kernel.org/stable/c/46c11be2dca295742a5508ea910a77f7733fb7f4 https://git.kernel.org/stable/c/b308b3eabc429649b5501d36290cea403fbd746c https://git.kernel.org/stable/c/cdaac8e7e5a059f9b5e816cda257f08d0abffacd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018 During sending data after clients connected, hw_ops->get_ring_selector() will be called. But for IPQ5018, this member isn’t set, and the following NULL pointer exception will occur: [ 38.840478] 8<— cut here — [ 38.840517] Unable to handle kernel NULL pointer dereference at virtual address 00000000 … [ 38.923161] PC is at 0x0 [ 38.927930] LR is at ath11k_dp_tx+0x70/0x730 [ath11k] … [ 39.063264] Process hostapd (pid: 1034, stack limit = 0x801ceb3d) [ 39.068994] Stack: (0x856a9a68 to 0x856aa000) … [ 39.438467] [<7f323804>] (ath11k_dp_tx [ath11k]) from [<7f314e6c>] (ath11k_mac_op_tx+0x80/0x190 [ath11k]) [ 39.446607] [<7f314e6c>] (ath11k_mac_op_tx [ath11k]) from [<7f17dbe0>] (ieee80211_handle_wake_tx_queue+0x7c/0xc0 [mac80211]) [ 39.456162] [<7f17dbe0>] (ieee80211_handle_wake_tx_queue [mac80211]) from [<7f174450>] (ieee80211_probereq_get+0x584/0x704 [mac80211]) [ 39.467443] [<7f174450>] (ieee80211_probereq_get [mac80211]) from [<7f178c40>] (ieee80211_tx_prepare_skb+0x1f8/0x248 [mac80211]) [ 39.479334] [<7f178c40>] (ieee80211_tx_prepare_skb [mac80211]) from [<7f179e28>] (__ieee80211_subif_start_xmit+0x32c/0x3d4 [mac80211]) [ 39.491053] [<7f179e28>] (__ieee80211_subif_start_xmit [mac80211]) from [<7f17af08>] (ieee80211_tx_control_port+0x19c/0x288 [mac80211]) [ 39.502946] [<7f17af08>] (ieee80211_tx_control_port [mac80211]) from [<7f0fc704>] (nl80211_tx_control_port+0x174/0x1d4 [cfg80211]) [ 39.515017] [<7f0fc704>] (nl80211_tx_control_port [cfg80211]) from [<808ceac4>] (genl_rcv_msg+0x154/0x340) [ 39.526814] [<808ceac4>] (genl_rcv_msg) from [<808cdb74>] (netlink_rcv_skb+0xb8/0x11c) [ 39.536446] [<808cdb74>] (netlink_rcv_skb) from [<808ce1d0>] (genl_rcv+0x28/0x34) [ 39.544344] [<808ce1d0>] (genl_rcv) from [<808cd234>] (netlink_unicast+0x174/0x274) [ 39.551895] [<808cd234>] (netlink_unicast) from [<808cd510>] (netlink_sendmsg+0x1dc/0x440) [ 39.559362] [<808cd510>] (netlink_sendmsg) from [<808596e0>] (____sys_sendmsg+0x1a8/0x1fc) [ 39.567697] [<808596e0>] (____sys_sendmsg) from [<8085b1a8>] (___sys_sendmsg+0xa4/0xdc) [ 39.575941] [<8085b1a8>] (___sys_sendmsg) from [<8085b310>] (sys_sendmsg+0x44/0x74) [ 39.583841] [<8085b310>] (sys_sendmsg) from [<80300060>] (ret_fast_syscall+0x0/0x40) … [ 39.620734] Code: bad PC value [ 39.625869] —[ end trace 8aef983ad3cbc032 ]— | 2025-12-24 | not yet calculated | CVE-2023-54141 | https://git.kernel.org/stable/c/d1992d72a359732f143cc962917104d193705da7 https://git.kernel.org/stable/c/c36289e3c5e83286974ef68c20c821fd5b63801c https://git.kernel.org/stable/c/ce282d8de71f07f0056ea319541141152c65f552 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gtp: Fix use-after-free in __gtp_encap_destroy(). syzkaller reported use-after-free in __gtp_encap_destroy(). [0] It shows the same process freed sk and touched it illegally. Commit e198987e7dd7 (“gtp: fix suspicious RCU usage”) added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt. [0]: BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:351 [inline] print_report+0xcc/0x620 mm/kasan/report.c:462 kasan_report+0xb2/0xe0 mm/kasan/report.c:572 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:186 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] release_sock+0x1f/0x1a0 net/core/sock.c:3526 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 rtnl_delete_link net/core/rtnetlink.c:3216 [inline] rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b7/0x200 net/socket.c:747 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f1168b1fe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 </TASK> Allocated by task 1483: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x —truncated— | 2025-12-24 | not yet calculated | CVE-2023-54142 | https://git.kernel.org/stable/c/d38039697184aacff1cf576e14ef583112fdefef https://git.kernel.org/stable/c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6 https://git.kernel.org/stable/c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4 https://git.kernel.org/stable/c/bccc7ace12e69dee4684a3bb4b69737972e570d6 https://git.kernel.org/stable/c/ebd6d2077a083329110695a996c00e8ca94bc640 https://git.kernel.org/stable/c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d https://git.kernel.org/stable/c/dae6095bdb24f537b4798ffd9201515b97bac94e https://git.kernel.org/stable/c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3 https://git.kernel.org/stable/c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init() If we encounter any error in the vdec_msg_queue_init() then we need to set “msg_queue->wdma_addr.size = 0;”. Normally, this is done inside the vdec_msg_queue_deinit() function. However, if the first call to allocate &msg_queue->wdma_addr fails, then the vdec_msg_queue_deinit() function is a no-op. For that situation, just set the size to zero explicitly and return. There were two other error paths which did not clean up before returning. Change those error paths to goto mem_alloc_err. | 2025-12-24 | not yet calculated | CVE-2023-54143 | https://git.kernel.org/stable/c/858322c409e0aba8f70810d23f35c482744f007c https://git.kernel.org/stable/c/b7dbc27301f560c3b915235c53383155b3512083 https://git.kernel.org/stable/c/451dc187cadd47771e5d9434fe220fad7be84057 https://git.kernel.org/stable/c/cf10b0bb503c974ba049d6f888b21178be20a962 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kernel warning during topology setup This patch fixes the following kernel warning seen during driver load by correctly initializing the p2plink attr before creating the sysfs file: [ +0.002865] ————[ cut here ]———— [ +0.002327] kobject: ‘(null)’ (0000000056260cfb): is not initialized, yet kobject_put() is being called. [ +0.004780] WARNING: CPU: 32 PID: 1006 at lib/kobject.c:718 kobject_put+0xaa/0x1c0 [ +0.001361] Call Trace: [ +0.001234] <TASK> [ +0.001067] kfd_remove_sysfs_node_entry+0x24a/0x2d0 [amdgpu] [ +0.003147] kfd_topology_update_sysfs+0x3d/0x750 [amdgpu] [ +0.002890] kfd_topology_add_device+0xbd7/0xc70 [amdgpu] [ +0.002844] ? lock_release+0x13c/0x2e0 [ +0.001936] ? smu_cmn_send_smc_msg_with_param+0x1e8/0x2d0 [amdgpu] [ +0.003313] ? amdgpu_dpm_get_mclk+0x54/0x60 [amdgpu] [ +0.002703] kgd2kfd_device_init.cold+0x39f/0x4ed [amdgpu] [ +0.002930] amdgpu_amdkfd_device_init+0x13d/0x1f0 [amdgpu] [ +0.002944] amdgpu_device_init.cold+0x1464/0x17b4 [amdgpu] [ +0.002970] ? pci_bus_read_config_word+0x43/0x80 [ +0.002380] amdgpu_driver_load_kms+0x15/0x100 [amdgpu] [ +0.002744] amdgpu_pci_probe+0x147/0x370 [amdgpu] [ +0.002522] local_pci_probe+0x40/0x80 [ +0.001896] work_for_cpu_fn+0x10/0x20 [ +0.001892] process_one_work+0x26e/0x5a0 [ +0.002029] worker_thread+0x1fd/0x3e0 [ +0.001890] ? process_one_work+0x5a0/0x5a0 [ +0.002115] kthread+0xea/0x110 [ +0.001618] ? kthread_complete_and_exit+0x20/0x20 [ +0.002422] ret_from_fork+0x1f/0x30 [ +0.001808] </TASK> [ +0.001103] irq event stamp: 59837 [ +0.001718] hardirqs last enabled at (59849): [<ffffffffb30fab12>] __up_console_sem+0x52/0x60 [ +0.004414] hardirqs last disabled at (59860): [<ffffffffb30faaf7>] __up_console_sem+0x37/0x60 [ +0.004414] softirqs last enabled at (59654): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130 [ +0.004205] softirqs last disabled at (59649): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130 [ +0.004203] —[ end trace 0000000000000000 ]— | 2025-12-24 | not yet calculated | CVE-2023-54144 | https://git.kernel.org/stable/c/2d5a6742a242091292cc0a2b607be701a45d0c4e https://git.kernel.org/stable/c/306888b1246bf44e703b6f1ccc746c2746c1a981 https://git.kernel.org/stable/c/cf97eb7e47d4671084c7e114c5d88a3d0540ecbd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: drop unnecessary user-triggerable WARN_ONCE in verifier log It's trivial for a user to trigger the "verifier log line truncated" warning, as the verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at least two pieces of user-provided information that can be output through this buffer, and both can be arbitrarily sized by the user: - BTF names; - BTF.ext source code line strings. The verifier log buffer should be properly sized for typical verifier state output. But it's sort-of expected that this buffer won't be long enough in some circumstances. So let's drop the check. In any case the code will work correctly, at worst truncating a part of a single line of output. | 2025-12-24 | not yet calculated | CVE-2023-54145 | https://git.kernel.org/stable/c/40c88c429a598006f91ad7a2b89856cd50b3a008 https://git.kernel.org/stable/c/926a175026fed5d534f587ea4ec3ec49265cd3c5 https://git.kernel.org/stable/c/cff36398bd4c7d322d424433db437f3c3391c491 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Fix double-free of elf header buffer After b3e34a47f989 (“x86/kexec: fix memory leak of elf header buffer”), freeing image->elf_headers in the error path of crash_load_segments() is not needed because kimage_file_post_load_cleanup() will take care of that later. And not clearing it could result in a double-free. Drop the superfluous vfree() call at the error path of crash_load_segments(). | 2025-12-24 | not yet calculated | CVE-2023-54146 | https://git.kernel.org/stable/c/4c71a552b97fb4f46eb300224434fe56fcf4f254 https://git.kernel.org/stable/c/554a880a1fff46dd5a355dec21cd77d542a0ddf2 https://git.kernel.org/stable/c/fbdbf8ac333d3d47c0d9ea81d7d445654431d100 https://git.kernel.org/stable/c/5bd3c7abeb69fb4133418b846a1c6dc11313d6f0 https://git.kernel.org/stable/c/d00dd2f2645dca04cf399d8fc692f3f69b6dd996 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: platform: mtk-mdp3: Add missing check and free for ida_alloc Add the check for the return value of the ida_alloc in order to avoid NULL pointer dereference. Moreover, free allocated “ctx->id” if mdp_m2m_open fails later in order to avoid memory leak. | 2025-12-24 | not yet calculated | CVE-2023-54147 | https://git.kernel.org/stable/c/51fc1880e47421ee7b192372e8e86b7bbba40776 https://git.kernel.org/stable/c/4c173a65a2b1cc0556c3f6f0bab82e4fdb449522 https://git.kernel.org/stable/c/22b72cad501fb75500cc60af4d92de3066fb6fc2 https://git.kernel.org/stable/c/d00f592250782538cda87745607695b0fe27dcd4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Move representor neigh cleanup to profile cleanup_tx For IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as the flow is duplicated to the peer eswitch, the related neighbour information on the peer uplink representor is created as well. In the cited commit, eswitch devcom unpair is moved to the uplink unload API, specifically the profile->cleanup_tx. If there is an encap rule offloaded in ECMP mode, when one eswitch does unpair (because of unloading the driver, for instance), and the peer rule from the peer eswitch is going to be deleted, the use-after-free error is triggered while accessing neigh info, as it is already cleaned up in the uplink's profile->disable, which is before its profile->cleanup_tx. To fix this issue, move the neigh cleanup to the profile's cleanup_tx callback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh init is moved to init_tx for symmetry. [ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496 [ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G B 6.4.0-rc7+ #15 [ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 2453.384335] Call Trace: [ 2453.384625] <TASK> [ 2453.384891] dump_stack_lvl+0x33/0x50 [ 2453.385285] print_report+0xc2/0x610 [ 2453.385667] ? __virt_addr_valid+0xb1/0x130 [ 2453.386091] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.386757] kasan_report+0xae/0xe0 [ 2453.387123] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.387798] mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.388465] mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core] [ 2453.389111] mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core] [ 2453.389706] mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core] [ 2453.390361] mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core] [ 2453.391015] ? complete_all+0x43/0xd0 [ 2453.391398] ? free_flow_post_acts+0x38/0x120 [mlx5_core] [ 2453.392004] mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core] [ 2453.392618] mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core] [ 2453.393276] mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core] [ 2453.393925] mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core] [ 2453.394546] ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core] [ 2453.395268] ? down_write+0xaa/0x100 [ 2453.395652] mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core] [ 2453.396317] mlx5_devcom_send_event+0xbb/0x190 [mlx5_core] [ 2453.396917] mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core] [ 2453.397582] mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core] [ 2453.398182] mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core] [ 2453.398768] mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core] [ 2453.399367] mlx5e_detach_netdev+0xee/0x120 [mlx5_core] [ 2453.399957] mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core] [ 2453.400598] mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core] [ 2453.403781] mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core] [ 2453.404479] ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core] [ 2453.405170] ? up_write+0x39/0x60 [ 2453.405529] ? kernfs_remove_by_name_ns+0xb7/0xe0 [ 2453.405985] auxiliary_bus_remove+0x2e/0x40 [ 2453.406405] device_release_driver_internal+0x243/0x2d0 [ 2453.406900] ? kobject_put+0x42/0x2d0 [ 2453.407284] bus_remove_device+0x128/0x1d0 [ 2453.407687] device_del+0x240/0x550 [ 2453.408053] ? waiting_for_supplier_show+0xe0/0xe0 [ 2453.408511] ? kobject_put+0xfa/0x2d0 [ 2453.408889] ? __kmem_cache_free+0x14d/0x280 [ 2453.409310] mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core] [ 2453.409973] mlx5_unregister_device+0x40/0x50 [mlx5_core] [ 2453.410561] mlx5_uninit_one+0x3d/0x110 [mlx5_core] [ 2453.411111] remove_one+0x89/0x130 [mlx5_core] [ 24 —truncated— | 2025-12-24 | not yet calculated | CVE-2023-54148 | https://git.kernel.org/stable/c/d628ba98eb1637acce44001e04c718d8dbb1f7ce https://git.kernel.org/stable/c/36697c592cd0809e626df01b3644c23ac522a4d0 https://git.kernel.org/stable/c/d03b6e6f31820b84f7449cca022047f36c42bc3f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses When using the felix driver (the only one which supports UC filtering and MC filtering) as a DSA master for a random other DSA switch, one can see the following stack trace when the downstream switch ports join a VLAN-aware bridge: ============================= WARNING: suspicious RCU usage ----------------------------- net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage! stack backtrace: Workqueue: dsa_ordered dsa_slave_switchdev_event_work Call trace: lockdep_rcu_suspicious+0x170/0x210 vlan_for_each+0x8c/0x188 dsa_slave_sync_uc+0x128/0x178 __hw_addr_sync_dev+0x138/0x158 dsa_slave_set_rx_mode+0x58/0x70 __dev_set_rx_mode+0x88/0xa8 dev_uc_add+0x74/0xa0 dsa_port_bridge_host_fdb_add+0xec/0x180 dsa_slave_switchdev_event_work+0x7c/0x1c8 process_one_work+0x290/0x568 What it's saying is that vlan_for_each() expects rtnl_lock() context and it's not getting it, when it's called from the DSA master's ndo_set_rx_mode(). The caller of that - dsa_slave_set_rx_mode() - is the slave DSA interface's dsa_port_bridge_host_fdb_add() which comes from the deferred dsa_slave_switchdev_event_work(). We went to great lengths to avoid the rtnl_lock() context in that call path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not an option due to the possibility of deadlocking when calling dsa_flush_workqueue() from the call paths that do hold rtnl_lock() - basically all of them. So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(), the state of the 8021q driver on this device is really not protected from concurrent access by anything. Looking at net/8021q/, I don't think that vlan_info->vid_list was particularly designed with RCU traversal in mind, so introducing an RCU read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so easy, and it also wouldn't be exactly what we need anyway. In general I believe that the solution isn't in net/8021q/ anyway; vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock() to be held per se - since it's not a netdev state change that we're blocking, but rather, just concurrent additions/removals to a VLAN list. We don't even need sleepable context - the callback of vlan_for_each() just schedules deferred work. The proposed escape is to remove the dependency on vlan_for_each() and to open-code a non-sleepable, rtnl-free alternative to that, based on copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and .ndo_vlan_rx_kill_vid(). | 2025-12-24 | not yet calculated | CVE-2023-54149 | https://git.kernel.org/stable/c/3948c69b3837fec2ee5a90fbc911c343199be0ac https://git.kernel.org/stable/c/3f9e79f31e51b7d5bf95c617540deb6cf2816a3f https://git.kernel.org/stable/c/d06f925f13976ab82167c93467c70a337a0a3cda |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix an out of bounds error in BIOS parser The array is hardcoded to 8 in atomfirmware.h, but firmware provides a bigger one sometimes. Dereferencing the larger array causes an out of bounds error. commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error in bios parser") fixed some of this, but there are two other cases not covered by it. Fix those as well. | 2025-12-24 | not yet calculated | CVE-2023-54150 | https://git.kernel.org/stable/c/b8e7589f50b709b647b642531599e70707faf70c https://git.kernel.org/stable/c/66acfe798cd08b36cfbb65a30fab3159811304a7 https://git.kernel.org/stable/c/5675ecd2e0b00a4318ba1db1a1234e7d45b13d6b https://git.kernel.org/stable/c/dea2dbec716c38a0b73b6ad01d91e2b120cc5f1e https://git.kernel.org/stable/c/d116db180decec1b21bba31d2ff495ac4d8e1b83 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: Fix system crash due to lack of free space in LFS When f2fs tries to checkpoint during foreground gc in LFS mode, a system crash occurs due to lack of free space if the amount of dirty node and dentry pages generated by data migration exceeds free space. The reproduction sequence is as follows. - 20GiB capacity block device (null_blk) - format and mount with LFS mode - create a file and write 20,000MiB - 4k random write on full range of the file RIP: 0010:new_curseg+0x48a/0x510 [f2fs] Code: 55 e7 f5 89 c0 48 0f af c3 48 8b 5d c0 48 c1 e8 20 83 c0 01 89 43 6c 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc <0f> 0b f0 41 80 4f 48 04 45 85 f6 0f 84 ba fd ff ff e9 ef fe ff ff RSP: 0018:ffff977bc397b218 EFLAGS: 00010246 RAX: 00000000000027b9 RBX: 0000000000000000 RCX: 00000000000027c0 RDX: 0000000000000000 RSI: 00000000000027b9 RDI: ffff8c25ab4e74f8 RBP: ffff977bc397b268 R08: 00000000000027b9 R09: ffff8c29e4a34b40 R10: 0000000000000001 R11: ffff977bc397b0d8 R12: 0000000000000000 R13: ffff8c25b4dd81a0 R14: 0000000000000000 R15: ffff8c2f667f9000 FS: 0000000000000000(0000) GS:ffff8c344ec80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c00055d000 CR3: 0000000e30810003 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> allocate_segment_by_default+0x9c/0x110 [f2fs] f2fs_allocate_data_block+0x243/0xa30 [f2fs] ? __mod_lruvec_page_state+0xa0/0x150 do_write_page+0x80/0x160 [f2fs] f2fs_do_write_node_page+0x32/0x50 [f2fs] __write_node_page+0x339/0x730 [f2fs] f2fs_sync_node_pages+0x5a6/0x780 [f2fs] block_operations+0x257/0x340 [f2fs] f2fs_write_checkpoint+0x102/0x1050 [f2fs] f2fs_gc+0x27c/0x630 [f2fs] ? folio_mark_dirty+0x36/0x70 f2fs_balance_fs+0x16f/0x180 [f2fs] This patch adds checking whether free sections are enough before checkpoint during gc. [Jaegeuk Kim: code clean-up] | 2025-12-24 | not yet calculated | CVE-2023-54151 | https://git.kernel.org/stable/c/f4631d295ae3fff9e240ab78dc17f4b83d14f7bc https://git.kernel.org/stable/c/ce71c61d661cfac3f097af928995abfcebd2b8c5 https://git.kernel.org/stable/c/d11cef14f8146f3babd286c2cc8ca09c166295e2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: j1939: prevent deadlock by moving j1939_sk_errqueue() This commit addresses a deadlock situation that can occur in certain scenarios, such as when running data TP/ETP transfer and subscribing to the error queue while receiving a net down event. The deadlock involves locks in the following order: 3 j1939_session_list_lock -> active_session_list_lock j1939_session_activate ... j1939_sk_queue_activate_next -> sk_session_queue_lock ... j1939_xtp_rx_eoma_one 2 j1939_sk_queue_drop_all -> sk_session_queue_lock ... j1939_sk_netdev_event_netdown -> j1939_socks_lock j1939_netdev_notify 1 j1939_sk_errqueue -> j1939_socks_lock __j1939_session_cancel -> active_session_list_lock j1939_tp_rxtimer CPU0 CPU1 ---- ---- lock(&priv->active_session_list_lock); lock(&jsk->sk_session_queue_lock); lock(&priv->active_session_list_lock); lock(&priv->j1939_socks_lock); The solution implemented in this commit is to move the j1939_sk_errqueue() call out of the active_session_list_lock context, thus preventing the deadlock situation. | 2025-12-24 | not yet calculated | CVE-2023-54152 | https://git.kernel.org/stable/c/8a581b71cf686b4cd1a85c9c2dfc2fb88382c3b4 https://git.kernel.org/stable/c/ace6aa2ab5ba5869563ca689bbd912100514ae7b https://git.kernel.org/stable/c/f09ce9d765de1f064ce3919f57c6beb061744784 https://git.kernel.org/stable/c/d1366b283d94ac4537a4b3a1e8668da4df7ce7e9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: turn quotas off if mount failed after enabling quotas Yi found during a review of the patch "ext4: don't BUG on inconsistent journal feature" that when ext4_mark_recovery_complete() returns an error value, the error handling path does not turn off the enabled quotas, which triggers the following kmemleak: ================================================================ unreferenced object 0xffff8cf68678e7c0 (size 64): comm "mount", pid 746, jiffies 4294871231 (age 11.540s) hex dump (first 32 bytes): 00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A... c7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H... backtrace: [<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880 [<00000000d4e621d7>] kmalloc_trace+0x39/0x140 [<00000000837eee74>] v2_read_file_info+0x18a/0x3a0 [<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770 [<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0 [<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4] [<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4] [<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4] [<000000004a9489c4>] get_tree_bdev+0x1dc/0x370 [<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4] [<00000000c7cb663d>] vfs_get_tree+0x31/0x160 [<00000000320e1bed>] do_new_mount+0x1d5/0x480 [<00000000c074654c>] path_mount+0x22e/0xbe0 [<0000000003e97a8e>] do_mount+0x95/0xc0 [<000000002f3d3736>] __x64_sys_mount+0xc4/0x160 [<0000000027d2140c>] do_syscall_64+0x3f/0x90 ================================================================ To solve this problem, we add a "failed_mount10" tag, and call ext4_quota_off_umount() in this tag to release the enabled quotas. | 2025-12-24 | not yet calculated | CVE-2023-54153 | https://git.kernel.org/stable/c/c327b83c59ee938792a0300df646efac39c7d6a7 https://git.kernel.org/stable/c/deef86fa3005cbb61ae8aa5729324c09b3f4ba73 https://git.kernel.org/stable/c/77c3ca1108eb4a26db4f256c42b271a430cebc7d https://git.kernel.org/stable/c/d13f99632748462c32fc95d729f5e754bab06064 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix target_cmd_counter leak The target_cmd_counter struct allocated via target_alloc_cmd_counter() is never freed, resulting in leaks across various transport types, e.g.: unreferenced object 0xffff88801f920120 (size 96): comm “sh”, pid 102, jiffies 4294892535 (age 713.412s) hex dump (first 32 bytes): 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ……..8……. backtrace: [<00000000e58a6252>] kmalloc_trace+0x11/0x20 [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod] [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod] [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop] [<000000006a80e021>] configfs_write_iter+0xb1/0x120 [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0 [<000000008143433b>] ksys_write+0x80/0xb0 [<00000000a7df29b2>] do_syscall_64+0x42/0x90 [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Free the structure alongside the corresponding iscsit_conn / se_sess parent. | 2025-12-24 | not yet calculated | CVE-2023-54154 | https://git.kernel.org/stable/c/1cd41d1669bcbc5052afa897f85608a62ff3fb30 https://git.kernel.org/stable/c/f84639c5ac5f4f95b3992da1af4ff382ebf2e819 https://git.kernel.org/stable/c/d14e3e553e05cb763964c991fe6acb0a6a1c6f9c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() Syzkaller reported the following issue: ======================================= Too BIG xdp->frame_sz = 131072 WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 ... Call Trace: <TASK> bpf_prog_4add87e5301a4105+0x1a/0x1c __bpf_prog_run include/linux/filter.h:600 [inline] bpf_prog_run_xdp include/linux/filter.h:775 [inline] bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721 netif_receive_generic_xdp net/core/dev.c:4807 [inline] do_xdp_generic+0x35c/0x770 net/core/dev.c:4866 tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919 tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043 call_write_iter include/linux/fs.h:1871 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x650/0xe40 fs/read_write.c:584 ksys_write+0x12f/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87 ("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper Dangaard Brouer <jbrouer@redhat.com> noted that after introducing xdp_init_buff(), which all XDP drivers use, it's safe to remove this check. The original intent was to catch cases where XDP drivers have not been updated to use xdp.frame_sz, but that is no longer a concern (since xdp_init_buff). Running the initial syzkaller repro it was discovered that the contiguous physical memory allocation is used for both xdp paths in tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can work on higher order pages, as long as this is contiguous physical memory (e.g. a page). | 2025-12-24 | not yet calculated | CVE-2023-54155 | https://git.kernel.org/stable/c/a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8 https://git.kernel.org/stable/c/20acffcdc2b74fb7dcc4e299f7aca173df89d911 https://git.kernel.org/stable/c/d9252d67ed2f921c230bba449ee051b5c32e4841 https://git.kernel.org/stable/c/d14eea09edf427fa36bd446f4a3271f99164202f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sfc: fix crash when reading stats while NIC is resetting efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini’d. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000038 RIP efx_nic_update_stats abridged calltrace: efx_ef10_update_stats_pf efx_net_stats dev_get_stats dev_seq_printf_stats Skipping the read is safe, we will simply give out stale stats. To ensure that the free in efx_ef10_fini_nic() does not race against efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the efx->stats_lock in fini_nic (it is already held across update_stats). | 2025-12-24 | not yet calculated | CVE-2023-54156 | https://git.kernel.org/stable/c/cb1aa7cc562cab6a87ea33574c8c65f2d2fd7aeb https://git.kernel.org/stable/c/91f4ef204e731565afdc6c2a7fcf509a3fd6fd67 https://git.kernel.org/stable/c/446f5567934331923d0aec4ce045e4ecb0174aae https://git.kernel.org/stable/c/470152d76b3ed107d172ea46acc4bfa941f20b4b https://git.kernel.org/stable/c/aba32b4c58112960c0c708703ca6b44dc8944082 https://git.kernel.org/stable/c/d1b355438b8325a486f087e506d412c4e852f37b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() [ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ] In commit 720c24192404 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held. This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace: ================================================================== BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0 Read of size 8 at addr ffff16204ad00600 by task server/558 CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2a0 show_stack+0x18/0x2c dump_stack+0xf8/0x164 print_address_description.constprop.0+0x9c/0x538 kasan_report+0x120/0x200 __asan_load8+0xa0/0xc4 vm_insert_page+0x7c/0x1f0 binder_update_page_range+0x278/0x50c binder_alloc_new_buf+0x3f0/0xba0 binder_transaction+0x64c/0x3040 binder_thread_write+0x924/0x2020 binder_ioctl+0x1610/0x2e5c __arm64_sys_ioctl+0xd4/0x120 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Allocated by task 559: kasan_save_stack+0x38/0x6c __kasan_kmalloc.constprop.0+0xe4/0xf0 kasan_slab_alloc+0x18/0x2c kmem_cache_alloc+0x1b0/0x2d0 vm_area_alloc+0x28/0x94 mmap_region+0x378/0x920 do_mmap+0x3f0/0x600 vm_mmap_pgoff+0x150/0x17c ksys_mmap_pgoff+0x284/0x2dc __arm64_sys_mmap+0x84/0xa4 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Freed by task 560: kasan_save_stack+0x38/0x6c kasan_set_track+0x28/0x40 kasan_set_free_info+0x24/0x4c __kasan_slab_free+0x100/0x164 kasan_slab_free+0x14/0x20 kmem_cache_free+0xc4/0x34c vm_area_free+0x1c/0x2c remove_vma+0x7c/0x94 __do_munmap+0x358/0x710 __vm_munmap+0xbc/0x130 __arm64_sys_munmap+0x4c/0x64 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 [...] ================================================================== To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via the top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests. | 2025-12-24 | not yet calculated | CVE-2023-54157 | https://git.kernel.org/stable/c/1bb8a65190d45cd5c7dbc85e29b9102110cd6be6 https://git.kernel.org/stable/c/931ea1ed31be939c1efdbc49bc66d2a45684f9b4 https://git.kernel.org/stable/c/ca0cc0a9c6e56c699e2acbb93d8024523021f3c3 https://git.kernel.org/stable/c/d1d8875c8c13517f6fd1ff8d4d3e1ac366a17e07 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: don't free qgroup space unless specified Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change. In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvolume create case because we'd commit the transaction; it was still possible but much harder to trigger. It could actually be triggered if we did a mkdir && subvol create with qgroups enabled. This occurs because in btrfs_insert_delayed_dir_index(), which gets called when we're adding the dir item, we do the following: btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL); if we're able to skip reserving space. The problem here is that trans->block_rsv points at the temporary block rsv for the subvolume create, which has qgroup reservations in the block rsv. This is a problem because btrfs_block_rsv_release() will do the following: if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) { qgroup_to_release = block_rsv->qgroup_rsv_reserved - block_rsv->qgroup_rsv_size; block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size; } The temporary block rsv just has ->qgroup_rsv_reserved set, ->qgroup_rsv_size == 0. The optimization in btrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then later on when we call btrfs_subvolume_release_metadata() which has btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release); btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release); qgroup_to_release is set to 0, and we do not convert the reserved metadata space. The problem here is that the block rsv code has been unconditionally messing with ->qgroup_rsv_reserved, because the main place this is used is delalloc, and any time we call btrfs_block_rsv_release() we do it with qgroup_to_release set, and thus do the proper accounting. The subvolume code is the only other code that uses the qgroup reservation stuff, but it's intermingled with the above optimization, and thus was getting its reservation freed out from underneath it and thus leaking the reserved space. The solution is to simply not mess with the qgroup reservations if we don't have qgroup_to_release set. This works with the existing code as anything that messes with the delalloc reservations always has qgroup_to_release set. This fixes the leak that Boris was observing. | 2025-12-24 | not yet calculated | CVE-2023-54158 | https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853 https://git.kernel.org/stable/c/148b16cd30b202999ec5b534e3e5d8ab4b766f21 https://git.kernel.org/stable/c/f264be24146bee2d652010a18ae2517df5856261 https://git.kernel.org/stable/c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53 https://git.kernel.org/stable/c/04ff6bd0317735791ef3e443c7c89f3c0dda548d https://git.kernel.org/stable/c/478bd15f46b6e3aae78aac4f3788697f1546eea6 https://git.kernel.org/stable/c/d246331b78cbef86237f9c22389205bc9b4e1cc1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix kernel panic at qmu transfer done irq handler When handling the qmu transfer irq, it will unlock @mtu->lock before giving back the request; if another thread handles a disconnect event at the same time, and tries to disable the ep, it may lock @mtu->lock and free the qmu ring, then the qmu irq handler may get a NULL gpd. Avoid the KE by checking the gpd's value before handling it. e.g. qmu done irq on cpu0 thread running on cpu1 qmu_done_tx() handle gpd [0] mtu3_requ_complete() mtu3_gadget_ep_disable() unlock @mtu->lock give back request lock @mtu->lock mtu3_ep_disable() mtu3_gpd_ring_free() unlock @mtu->lock lock @mtu->lock get next gpd [1] [1]: goto [0] to handle next gpd, and next gpd may be NULL. | 2025-12-24 | not yet calculated | CVE-2023-54159 | https://git.kernel.org/stable/c/26ca30516b2c49dd04c134cbdf122311c538df98 https://git.kernel.org/stable/c/012936502a9cb7b0604e85bb961eb15e2bb40dd9 https://git.kernel.org/stable/c/ee53a7a88027cea765c68f3b00a50b8f58d6f786 https://git.kernel.org/stable/c/f26273428657ef4ca74740e578ae45a3be492f6f https://git.kernel.org/stable/c/b636aff94a67be46582d4321d11743f1a10cc2c1 https://git.kernel.org/stable/c/3a7d4959560a2ee493ef222e3b63d359365f41ec https://git.kernel.org/stable/c/d28f4091ea7ec3510fd6a3c6d433234e7a2bef14 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_sdei: Fix sleep from invalid context BUG Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra triggers: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0 preempt_count: 0, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by cpuhp/0/24: #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130 irq event stamp: 36 hardirqs last enabled at (35): [<ffffda301e85b7bc>] finish_task_switch+0xb4/0x2b0 hardirqs last disabled at (36): [<ffffda301e812fec>] cpuhp_thread_fun+0x21c/0x248 softirqs last enabled at (0): [<ffffda301e80b184>] copy_process+0x63c/0x1ac0 softirqs last disabled at (0): [<0000000000000000>] 0x0 CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...] Hardware name: WIWYNN Mt.Jade Server [...] Call trace: dump_backtrace+0x114/0x120 show_stack+0x20/0x70 dump_stack_lvl+0x9c/0xd8 dump_stack+0x18/0x34 __might_resched+0x188/0x228 rt_spin_lock+0x70/0x120 sdei_cpuhp_up+0x3c/0x130 cpuhp_invoke_callback+0x250/0xf08 cpuhp_thread_fun+0x120/0x248 smpboot_thread_fn+0x280/0x320 kthread+0x130/0x140 ret_from_fork+0x10/0x20 sdei_cpuhp_up() is called in the STARTING hotplug section, which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry instead to execute the cpuhp cb later, with preemption enabled. SDEI originally got its own cpuhp slot to allow interacting with perf. It got superseded by pNMI and this early slot is not relevant anymore. [1] Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the calling CPU. It is checked that preemption is disabled for them. _ONLINE cpuhp cb are executed in the 'per CPU hotplug thread'. Preemption is enabled in those threads, but their cpumask is limited to 1 CPU. Move 'WARN_ON_ONCE(preemptible())' statements so that SDEI cpuhp cb don't trigger them. Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call which acts on the calling CPU. [1]: https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/ | 2025-12-24 | not yet calculated | CVE-2023-54160 | https://git.kernel.org/stable/c/59842a9ba27d5390ae5bf3233a92cad3a26d495c https://git.kernel.org/stable/c/48ac727ea4a3577eb1b4e24f807ba532c47930f9 https://git.kernel.org/stable/c/7d8f5ccc826b39e05ff252b1fccd808c7a0725e0 https://git.kernel.org/stable/c/66caf22787714c925e755719c293aaf3cb0b873b https://git.kernel.org/stable/c/a8267bc8de736cae927165191b52fbc20d101dd1 https://git.kernel.org/stable/c/18d5ea5b746120a3972e6c347ad9428228445327 https://git.kernel.org/stable/c/d2c48b2387eb89e0bf2a2e06e30987cf410acad4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, the sockets will be cleaned up by garbage collection. The garbage collection iterates such sockets and unlinks skb with FD from the socket's receive queue under the queue's lock. So, there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. To avoid the issue, unix_stream_sendpage() must lock the peer's recv queue. Note the issue does not exist in 6.5+ thanks to the recent sendpage() refactoring. This patch is originally written by Linus Torvalds. BUG: unable to handle page fault for address: ffff988004dd6870 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 PREEMPT SMP PTI CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0 Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44 RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246 RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284 RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0 RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00 R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8 FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x1a/0x1f ? page_fault_oops+0xa9/0x1e0 ? fixup_exception+0x1d/0x310 ? exc_page_fault+0xa8/0x150 ? asm_exc_page_fault+0x22/0x30 ? kmem_cache_alloc_node+0xa2/0x1e0 ? __alloc_skb+0x16c/0x1e0 __alloc_skb+0x16c/0x1e0 alloc_skb_with_frags+0x48/0x1e0 sock_alloc_send_pskb+0x234/0x270 unix_stream_sendmsg+0x1f5/0x690 sock_sendmsg+0x5d/0x60 ____sys_sendmsg+0x210/0x260 ___sys_sendmsg+0x83/0xd0 ? kmem_cache_alloc+0xc6/0x1c0 ? avc_disable+0x20/0x20 ? percpu_counter_add_batch+0x53/0xc0 ? alloc_empty_file+0x5d/0xb0 ? alloc_file+0x91/0x170 ? alloc_file_pseudo+0x94/0x100 ? __fget_light+0x9f/0x120 __sys_sendmsg+0x54/0xa0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x69/0xd3 RIP: 0033:0x7f174d639a7d Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48 RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007 RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28 R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000 </TASK> | 2025-12-24 | not yet calculated | CVE-2023-54161 | https://git.kernel.org/stable/c/d39fc9b94dc0719afa4bc8e58341a5eb41febef3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Fix stack_depot usage Add missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is enabled to fix the following call stack: [] BUG: kernel NULL pointer dereference, address: 0000000000000000 [] Workqueue: drm_sched_run_job_work [gpu_sched] [] RIP: 0010:stack_depot_save_flags+0x172/0x870 [] Call Trace: [] <TASK> [] fast_req_track+0x58/0xb0 [xe] (cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f) | 2025-12-22 | not yet calculated | CVE-2025-68326 | https://git.kernel.org/stable/c/1966838d1c82149cbf4a652322d26a6e5aae9c4e https://git.kernel.org/stable/c/0e234632e39bd21dd28ffc9ba3ae8eec4deb949c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Fix synchronous external abort on unbind A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is executed after the configuration sequence described above: modprobe usb_f_ecm modprobe libcomposite modprobe configfs cd /sys/kernel/config/usb_gadget mkdir -p g1 cd g1 echo "0x1d6b" > idVendor echo "0x0104" > idProduct mkdir -p strings/0x409 echo "0123456789" > strings/0x409/serialnumber echo "Renesas." > strings/0x409/manufacturer echo "Ethernet Gadget" > strings/0x409/product mkdir -p functions/ecm.usb0 mkdir -p configs/c.1 mkdir -p configs/c.1/strings/0x409 echo "ECM" > configs/c.1/strings/0x409/configuration if [ ! -L configs/c.1/ecm.usb0 ]; then ln -s functions/ecm.usb0 configs/c.1 fi echo 11e20000.usb > UDC echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind The displayed trace is as follows: Internal error: synchronous external abort: 0000000096000010 [#1] SMP CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT Tainted: [M]=MACHINE_CHECK Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs] sp : ffff8000838b3920 x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810 x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000 x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020 x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344 x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000 x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418 x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80 Call trace: usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P) usbhsg_pullup+0x4c/0x7c [renesas_usbhs] usb_gadget_disconnect_locked+0x48/0xd4 gadget_unbind_driver+0x44/0x114 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_release_driver+0x18/0x24 bus_remove_device+0xcc/0x10c device_del+0x14c/0x404 usb_del_gadget+0x88/0xc0 usb_del_gadget_udc+0x18/0x30 usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs] usbhs_mod_remove+0x20/0x30 [renesas_usbhs] usbhs_remove+0x98/0xdc [renesas_usbhs] platform_remove+0x20/0x30 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_driver_detach+0x18/0x24 unbind_store+0xb4/0xb8 drv_attr_store+0x24/0x38 sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x128/0x1b8 vfs_write+0x2ac/0x350 ksys_write+0x68/0xfc __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021) ---[ end trace 0000000000000000 ]--- note: sh[188] exited with irqs disabled note: sh[188] exited with preempt_count 1 The issue occurs because usbhs_sys_function_pullup(), which accesses the IP registers, is executed after the USBHS clocks have been disabled. The problem is reproducible on the Renesas RZ/G3S SoC starting with the addition of module stop in the clock enable/disable APIs. With module stop functionality enabled, a bus error is expected if a master accesses a module whose clock has been stopped and module stop activated. Disable the IP clocks at the end of remove. | 2025-12-22 | not yet calculated | CVE-2025-68327 | https://git.kernel.org/stable/c/fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a https://git.kernel.org/stable/c/cd5e86e34c66a831b5cb9b720ad411a006962cc8 https://git.kernel.org/stable/c/230b1bc1310edcd5c1b71dcd6b77ccba43139cb5 https://git.kernel.org/stable/c/9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1 https://git.kernel.org/stable/c/26838f147aeaa8f820ff799d72815fba5e209bd9 https://git.kernel.org/stable/c/aa658a6d5ac21c7cde54c6d015f2d4daff32e02d https://git.kernel.org/stable/c/eb9ac779830b2235847b72cb15cf07c7e3333c5e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-svc: fix bug in saving controller data Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They both refer to the same data and override each other. This resulted in the rmmod of the svc driver failing and throwing a kernel panic for kthread_stop and fifo free. | 2025-12-22 | not yet calculated | CVE-2025-68328 | https://git.kernel.org/stable/c/9d0a330abd9e49bcebf6307aac185081bde49a43 https://git.kernel.org/stable/c/354fb03002da0970d337f0d3edbeb46cc4fa6f41 https://git.kernel.org/stable/c/b359df793f609b1efce31dadfe6883ec73852619 https://git.kernel.org/stable/c/71796c91ee8e33faf4434a9e210b5063c28ea907 https://git.kernel.org/stable/c/60ab1851614e6007344042b66da6e31d1cc26cb3 https://git.kernel.org/stable/c/bd226fa02ed6db6fce0fae010802f0950fd14fb9 https://git.kernel.org/stable/c/d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel calls vm_ops->close on each portion. For trace buffer mappings, this results in ring_buffer_unmap() being called multiple times while ring_buffer_map() was only called once. This causes ring_buffer_unmap() to return -ENODEV on subsequent calls because user_mapped is already 0, triggering a WARN_ON. Trace buffer mappings cannot support partial mappings because the ring buffer structure requires the complete buffer including the meta page. Fix this by adding a may_split callback that returns -EINVAL to prevent VMA splits entirely. | 2025-12-22 | not yet calculated | CVE-2025-68329 | https://git.kernel.org/stable/c/922fdd0b755a84f9933b3ca195f60092b6bb88ee https://git.kernel.org/stable/c/45053c12c45f0fb8ef6ab95118dd928d2fec0255 https://git.kernel.org/stable/c/b042fdf18e89a347177a49e795d8e5184778b5b6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iio: accel: bmc150: Fix irq assumption regression The code in bmc150-accel-core.c unconditionally calls bmc150_accel_set_interrupt() in the iio_buffer_setup_ops, such as on the runtime PM resume path, giving a kernel splat like this if the device has no interrupts: Unable to handle kernel NULL pointer dereference at virtual address 00000001 when read PC is at bmc150_accel_set_interrupt+0x98/0x194 LR is at __pm_runtime_resume+0x5c/0x64 (...) Call trace: bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108 bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc __iio_update_buffers from enable_store+0x84/0xc8 enable_store from kernfs_fop_write_iter+0x154/0x1b4 This bug seems to have been in the driver since the beginning, but it only manifests recently; I do not know why. Store the IRQ number in the state struct, as this is a common pattern in other drivers, then use this to determine if we have IRQ support or not. | 2025-12-22 | not yet calculated | CVE-2025-68330 | https://git.kernel.org/stable/c/aad9d048a3211c48ec02efa405bf462856feb862 https://git.kernel.org/stable/c/c891f504bb66604c822e7985e093cf39b97fdeb0 https://git.kernel.org/stable/c/cdd4a9e98004bd7c7488311951fa6dbae38b2b80 https://git.kernel.org/stable/c/65ad4ed983fd9ee0259d86391d6a53f78203918c https://git.kernel.org/stable/c/93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3 https://git.kernel.org/stable/c/3aa385a9c75c09b59dcab2ff76423439d23673ab |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: uas: fix urb unmapping issue when the uas device is removed during ongoing data transfer When a UAS device is unplugged during data transfer, there is a probability of a system panic occurring. The root cause is an access to an invalid memory address during URB callback handling. Specifically, this happens when the dma_direct_unmap_sg() function is called within the usb_hcd_unmap_urb_for_dma() interface, but the sg->dma_address field is 0 and the sg data structure has already been freed. The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() in uas.c, using the uas_submit_urbs() function to submit requests to USB. Within the uas_submit_urbs() implementation, three URBs (sense_urb, data_urb, and cmd_urb) are sequentially submitted. Device removal may occur at any point during uas_submit_urbs execution, which may result in URB submission failure. However, some URBs might have been successfully submitted before the failure, and uas_submit_urbs will return the -ENODEV error code in this case. The current error handling directly calls scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() to invoke scsi_end_request() for releasing the sgtable. The successfully submitted URBs, when being unlinked to giveback, call usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg unmapping operations since the sg data structure has already been freed. This patch modifies the error condition check in the uas_submit_urbs() function. When a UAS device is removed but one or more URBs have already been successfully submitted to USB, it avoids immediately invoking scsi_done() and saves the cmnd to the devinfo->cmnd array. If the successfully submitted URBs are completed before devinfo->resetting is set, then the scsi_done() function will be called within uas_try_complete() after all pending URB operations are finalized. Otherwise, the scsi_done() function will be called within uas_zap_pending(), which is executed after usb_kill_anchored_urbs(). The error handling only takes effect when uas_queuecommand_lck() calls uas_submit_urbs() and returns the error value -ENODEV. In this case, the device is disconnected, and the flow proceeds to uas_disconnect(), where uas_zap_pending() is invoked to call uas_try_complete(). | 2025-12-22 | not yet calculated | CVE-2025-68331 | https://git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72 https://git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17 https://git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64 https://git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8d https://git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2f https://git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52 https://git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: c6xdigio: Fix invalid PNP driver unregistration The Comedi low-level driver "c6xdigio" seems to be for a parallel port connected device. When the Comedi core calls the driver's Comedi "attach" handler `c6xdigio_attach()` to configure a Comedi to use this driver, it tries to enable the parallel port PNP resources by registering a PNP driver with `pnp_register_driver()`, but ignores the return value. (The `struct pnp_driver` it uses has only the `name` and `id_table` members filled in.) The driver's Comedi "detach" handler `c6xdigio_detach()` unconditionally unregisters the PNP driver with `pnp_unregister_driver()`. It is possible for `c6xdigio_attach()` to return an error before it calls `pnp_register_driver()` and it is possible for the call to `pnp_register_driver()` to return an error (that is ignored). In both cases, the driver should not be calling `pnp_unregister_driver()` as it does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be called by the Comedi core if `c6xdigio_attach()` returns an error, or if the Comedi core decides to detach the Comedi device from the driver for some other reason.) The unconditional call to `pnp_unregister_driver()` without a previous successful call to `pnp_register_driver()` will cause `driver_unregister()` to issue a warning "Unexpected driver unregister!". This was detected by Syzbot [1]. Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.) Change the driver to do the PNP driver registration at module init time, and the unregistration at module exit time. Since `c6xdigio_detach()` now only calls `comedi_legacy_detach()`, remove the function and change the Comedi driver "detach" handler to `comedi_legacy_detach`. ------------------------------------------- [1] Syzbot sample crash report: Unexpected driver unregister! WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline] WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Modules linked in: CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline] RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 Call Trace: <TASK> comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207 comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215 comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011 do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_sys —truncated— | 2025-12-22 | not yet calculated | CVE-2025-68332 | https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072 https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6 https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix possible deadlock in the deferred_irq_workfn() For PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in the per-cpu irq_work/* task context and not with irqs disabled; if the rq returned by container_of() is the current CPU's rq, the following scenario may occur: lock(&rq->__lock); <Interrupt> lock(&rq->__lock); This commit uses IRQ_WORK_INIT_HARD() instead of init_irq_work() to initialize rq->scx.deferred_irq_work, so that deferred_irq_workfn() is always invoked in hard-irq context. | 2025-12-22 | not yet calculated | CVE-2025-68333 | https://git.kernel.org/stable/c/600b4379b9a7ba41340d652211fb29699da4c629 https://git.kernel.org/stable/c/a257e974210320ede524f340ffe16bf4bf0dda1e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/pmc: Add support for Van Gogh SoC The ROG Xbox Ally (non-X) SoC features a similar architecture to the Steam Deck. While the Steam Deck supports S3 (s2idle causes a crash), this support was dropped by the Xbox Ally, which only supports S0ix suspend. Since the handler is missing here, this causes the device to not suspend and the AMD GPU driver to crash while trying to resume afterwards due to a power hang. | 2025-12-22 | not yet calculated | CVE-2025-68334 | https://git.kernel.org/stable/c/9654c56b111cd1415aca7e77f0c63c109453c409 https://git.kernel.org/stable/c/db4a3f0fbedb0398f77b9047e8b8bb2b49f355bb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to a general protection fault and kernel crash. Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice sets up its support for async commands, everything async-related will be handled via the subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either. [1] Syzbot crash: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762 ... Call Trace: <TASK> pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline] comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] ... | 2025-12-22 | not yet calculated | CVE-2025-68335 | https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861 https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16 https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: locking/spinlock/debug: Fix data-race in do_raw_write_lock KCSAN reports: BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork value changed: 0xffffffff -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111 Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has addressed most of these races, but seems to be not consistent/not complete. From do_raw_write_lock() only the debug_write_lock_after() part has been converted to WRITE_ONCE(), but not the debug_write_lock_before() part. Do it now. | 2025-12-22 | not yet calculated | CVE-2025-68336 | https://git.kernel.org/stable/c/b163a5e8c703201c905d6ec7920ed79d167e8442 https://git.kernel.org/stable/c/16b3590c0e1e615757dade098c8fbc0d4f040c76 https://git.kernel.org/stable/c/396a9270a7b90886be501611b13aa636f2e8c703 https://git.kernel.org/stable/c/c14ecb555c3ee80eeb030a4e46d00e679537f03a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's an issue when the file system is corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1289! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0 RSP: 0018:ffff888117aafa30 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534 RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010 RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028 R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0 Call Trace: <TASK> __ext4_journal_get_create_access+0x42/0x170 ext4_getblk+0x319/0x6f0 ext4_bread+0x11/0x100 ext4_append+0x1e6/0x4a0 ext4_init_new_dir+0x145/0x1d0 ext4_mkdir+0x326/0x920 vfs_mkdir+0x45c/0x740 do_mkdirat+0x234/0x2f0 __x64_sys_mkdir+0xd6/0x120 do_syscall_64+0x5f/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The above issue occurs with us in errors=continue mode when accompanied by storage failures. There have been many inconsistencies in the file system data. In the case of file system data inconsistency, for example, if the block bitmap of a referenced block is not set, it can lead to the situation where a block being committed is allocated and used again. As a result, the following condition will not be satisfied and triggers BUG_ON. Of course, it is entirely possible to construct a problematic image that can trigger this BUG_ON through specific operations. In fact, I have constructed such an image and easily reproduced this issue. Therefore, J_ASSERT() holds true only under ideal conditions, but it may not necessarily be satisfied in exceptional scenarios. Using J_ASSERT() directly in abnormal situations would cause the system to crash, which is clearly not what we want. So here we directly trigger a JBD abort instead of immediately invoking BUG_ON. | 2025-12-22 | not yet calculated | CVE-2025-68337 | https://git.kernel.org/stable/c/a2a7f854d154a3e9232fec80782dad951655f52f https://git.kernel.org/stable/c/bf34c72337e40c4670cceeb79b353356933a254b https://git.kernel.org/stable/c/aa1703f3f706ea0867fb1991dcac709c9ec94cfb https://git.kernel.org/stable/c/986835bf4d11032bba4ab8414d18fce038c61bb4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Don’t free uninitialized ksz_irq If something goes wrong at setup, ksz_irq_free() can be called on uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It leads to freeing uninitialized IRQ numbers and/or domains. Use dsa_switch_for_each_user_port_continue_reverse() in the error path to iterate only over the fully initialized ports. | 2025-12-23 | not yet calculated | CVE-2025-68338 | https://git.kernel.org/stable/c/9428654c827fa8d38b898135d26d39ee2d544246 https://git.kernel.org/stable/c/32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0 https://git.kernel.org/stable/c/25b62cc5b22c45face094ae3e8717258e46d1d19 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock. This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs. Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting. | 2025-12-23 | not yet calculated | CVE-2025-68339 | https://git.kernel.org/stable/c/1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d https://git.kernel.org/stable/c/bd1415efbab507b9b995918105eef953013449dd https://git.kernel.org/stable/c/ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1 https://git.kernel.org/stable/c/9917ba597cf95f307778e495f71ff25a5064d167 https://git.kernel.org/stable/c/667ac868823224374f819500adc5baa2889c7bc5 https://git.kernel.org/stable/c/6610361458e7eb6502dd3182f586f91fcc218039 https://git.kernel.org/stable/c/82fca3d8a4a34667f01ec2351a607135249c9cff |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0; this fails, but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_type_check_change. Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense as the private data of the device still holds a struct team. Example sequence of iproute2 commands to reproduce the hang/BUG(): ip link add dev team0 type team ip link add dev gre0 type gre ip link set dev gre0 up ip link set dev gre0 master team0 ip link set dev team0 up ping -I team0 1.1.1.1 Move team_dev_type_check_change down where all other checks have passed as it changes the dev type with no way to restore it in case one of the checks that follow it fail. Also make sure to preserve the original mtu assignment: - If port_dev is not the same type as dev, dev takes mtu from port_dev - If port_dev is the same type as dev, port_dev takes mtu from dev This is done by adding a conditional before the call to dev_set_mtu to prevent it from assigning port_dev->mtu = dev->mtu and instead letting team_dev_type_check_change assign dev->mtu = port_dev->mtu. The conditional is needed because the patch moves the call to team_dev_type_check_change past dev_set_mtu. Testing: - team device driver in-tree selftests - Add/remove various devices as slaves of team device - syzbot | 2025-12-23 | not yet calculated | CVE-2025-68340 | https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: veth: reduce XDP no_direct return section to fix race As explained in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors"), for veth there is a chance after napi_complete_done() that another CPU can manage to start another NAPI instance running veth_pool(). For NAPI this is correctly handled as the napi_schedule_prep() check will prevent multiple instances from getting scheduled, but the remaining code in veth_pool() can run concurrently with the newly started NAPI instance. The problem/race is that xdp_clear_return_frame_no_direct() isn't designed to be nested. Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") the temporary BPF net context bpf_redirect_info was stored per CPU, where this wasn't an issue. Since this commit the BPF context is stored in the 'current' task_struct. When running veth in threaded-NAPI mode, the kthread becomes the storage area. Now a race exists between two concurrent veth_pool() function calls, one exiting NAPI and one running new NAPI, both using the same BPF net context. The race is when another CPU gets within the xdp_set_return_frame_no_direct() section before the exiting veth_pool() calls the clear-function xdp_clear_return_frame_no_direct(). | 2025-12-23 | not yet calculated | CVE-2025-68341 | https://git.kernel.org/stable/c/c1ceabcb347d1b0f7e70a7384ec7eff3847b7628 https://git.kernel.org/stable/c/d0bd018ad72a8a598ae709588934135017f8af52 https://git.kernel.org/stable/c/a14602fcae17a3f1cb8a8521bedf31728f9e7e39 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it. Only copy the data to that skb that has actually been received. [mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()] | 2025-12-23 | not yet calculated | CVE-2025-68342 | https://git.kernel.org/stable/c/4ffac725154cf6a253f5e6aa0c8946232b6a0af5 https://git.kernel.org/stable/c/ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3404b7d0173b8739a754b513 https://git.kernel.org/stable/c/395d988f93861101ec89d0dd9e3b876ae9392a5b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain “dev->parent->hf_size_rx” but use “parent->hf_size_rx” instead. Since “urb->context” contains “parent”, it is always defined, while “dev” is not defined if the URB is too short. | 2025-12-23 | not yet calculated | CVE-2025-68343 | https://git.kernel.org/stable/c/18cbce43363c9f84b90a92d57df341155eee0697 https://git.kernel.org/stable/c/3433680b759646efcacc64fe36aa2e51ae34b8f0 https://git.kernel.org/stable/c/616eee3e895b8ca0028163fcb1dce5e3e9dea322 https://git.kernel.org/stable/c/f31693dc3a584c0ad3937e857b59dbc1a7ed2b87 https://git.kernel.org/stable/c/6fe9f3279f7d2518439a7962c5870c6e9ecbadcf |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem. Fix by using unsigned comparison to avoid integer overflow. | 2025-12-24 | not yet calculated | CVE-2025-68344 | https://git.kernel.org/stable/c/5588b7c86effffa9bb55383a38800649d7b40778 https://git.kernel.org/stable/c/bca11de0a277b8baeb7d006f93b543c907b6e782 https://git.kernel.org/stable/c/1823e08f76c68b9e1d26f6d5ef831b96f61a62a0 https://git.kernel.org/stable/c/0c4a13ba88594fd4a27292853e736c6b4349823d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() The acpi_get_first_physical_node() function can return NULL, in which case the get_device() function also returns NULL, but this value is then dereferenced without checking, so add a check to prevent a crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-12-24 | not yet calculated | CVE-2025-68345 | https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6 https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520 https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: dice: fix buffer overflow in detect_stream_formats() The function detect_stream_formats() reads the stream_count value directly from a FireWire device without validating it. This can lead to out-of-bounds writes when a malicious device provides a stream_count value greater than MAX_STREAMS. Fix by applying the same validation to both TX and RX stream counts in detect_stream_formats(). | 2025-12-24 | not yet calculated | CVE-2025-68346 | https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6 https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9 https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events The DSP event handling code in hwdep_read() could write more bytes to the user buffer than requested, when a user provides a buffer smaller than the event header size (8 bytes). Fix by using min_t() to clamp the copy size. This ensures we never copy more than the user requested. | 2025-12-24 | not yet calculated | CVE-2025-68347 | https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0 https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: block: fix memory leak in __blkdev_issue_zero_pages Move the fatal signal check before bio_alloc() to prevent a memory leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending. Previously, the bio was allocated before checking for a fatal signal. If a signal was pending, the code would break out of the loop without freeing or chaining the just-allocated bio, causing a memory leak. This matches the pattern already used in __blkdev_issue_write_zeroes() where the signal check precedes the allocation. | 2025-12-24 | not yet calculated | CVE-2025-68348 | https://git.kernel.org/stable/c/453e4b0c84d0db1454ff0adf655d91179e6fca3a https://git.kernel.org/stable/c/7957635c679e8a01147163a3a4a1f16e1210fa03 https://git.kernel.org/stable/c/7193407bc4457212fa38ec3aff9c640e63a8dbef https://git.kernel.org/stable/c/f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout. | 2025-12-24 | not yet calculated | CVE-2025-68349 | https://git.kernel.org/stable/c/59947dff0fb7c19c09ce6dccbcd253fd542b6c25 https://git.kernel.org/stable/c/ca2e7fdad7c683b64821c94a58b9b68733214dad https://git.kernel.org/stable/c/38694f9aae00459ab443a7dc8b3949a6b33b560a https://git.kernel.org/stable/c/e0f8058f2cb56de0b7572f51cd563ca5debce746 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: fix divide-by-zero in exfat_allocate_bitmap The variable max_ra_count can be 0 in exfat_allocate_bitmap(), which causes a divide-by-zero error in the subsequent modulo operation (i % max_ra_count), leading to a system crash. When max_ra_count is 0, it means that readahead is not used. This patch loads the bitmap without readahead. | 2025-12-24 | not yet calculated | CVE-2025-68350 | https://git.kernel.org/stable/c/88fc3dd6e631b3e2975f898c6c2b6bc6f7058b44 https://git.kernel.org/stable/c/d70a5804c563b5e34825353ba9927509df709651 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: fix refcount leak in exfat_find Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`. Function `exfat_get_dentry_set` would increase the reference counter of `es->bh` on success. Therefore, `exfat_put_dentry_set` must be called after `exfat_get_dentry_set` to ensure refcount consistency. This patch relocates two checks to avoid possible leaks. | 2025-12-24 | not yet calculated | CVE-2025-68351 | https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix out-of-bounds memory access in ch341_transfer_one Discovered by Atuin – Automated Vulnerability Discovery Engine. The ‘len’ variable is calculated as ‘min(32, trans->len + 1)’, which includes the 1-byte command header. When copying data from ‘trans->tx_buf’ to ‘ch341->tx_buf + 1’, using ‘len’ as the length is incorrect because: 1. It causes an out-of-bounds read from ‘trans->tx_buf’ (which has size ‘trans->len’, i.e., ‘len - 1’ in this context). 2. It can cause an out-of-bounds write to ‘ch341->tx_buf’ if ‘len’ is CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1 overflows the buffer. Fix this by copying ‘len - 1’ bytes. | 2025-12-24 | not yet calculated | CVE-2025-68352 | https://git.kernel.org/stable/c/cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974 https://git.kernel.org/stable/c/ea1e43966cd03098fcd5f0d72e6c2901d45fa08d https://git.kernel.org/stable/c/81841da1f30f66a850cc8796d99ba330aad9d696 https://git.kernel.org/stable/c/545d1287e40a55242f6ab68bcc1ba3b74088b1bc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: vxlan: prevent NULL deref in vxlan_xmit_one Neither sock4 nor sock6 pointers are guaranteed to be non-NULL in vxlan_xmit_one, e.g. if the iface is brought down. This can lead to the following NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:vxlan_xmit_one+0xbb3/0x1580 Call Trace: vxlan_xmit+0x429/0x610 dev_hard_start_xmit+0x55/0xa0 __dev_queue_xmit+0x6d0/0x7f0 ip_finish_output2+0x24b/0x590 ip_output+0x63/0x110 Mentioned commits changed the code path in vxlan_xmit_one and as a side effect the sock4/6 pointer validity checks in vxlan(6)_get_route were lost. Fix this by adding back checks. Since both commits being fixed were released in the same version (v6.7) and are strongly related, bundle the fixes in a single commit. | 2025-12-24 | not yet calculated | CVE-2025-68353 | https://git.kernel.org/stable/c/4ac26aafdc8c7271414e2e7c0b2cb266a26591bc https://git.kernel.org/stable/c/1f73a56f986005f0bc64ed23873930e2ee4f5911 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to: 1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias, 3 inconsistent alias mappings observed by consumers. Protect all traversals, insertions and deletions on regulator_supply_alias_list with the existing regulator_list_mutex. | 2025-12-24 | not yet calculated | CVE-2025-68354 | https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239 https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix exclusive map memory leak When excl_prog_hash is 0 and excl_prog_hash_size is non-zero, the map also needs to be freed. Otherwise, the map memory will not be reclaimed, just like the memory leak problem reported by syzbot [1]. syzbot reported: BUG: memory leak backtrace (crc 7b9fb9b4): map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512 __sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131 | 2025-12-24 | not yet calculated | CVE-2025-68355 | https://git.kernel.org/stable/c/f0022551745d72fc0e7bc8601234d690dee2178d https://git.kernel.org/stable/c/688b745401ab16e2e1a3b504863f0a45fd345638 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: Prevent recursive memory reclaim Function new_inode() returns a new inode with inode->i_mapping->gfp_mask set to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so allocations in that address space can recurse into filesystem memory reclaim. We don’t want that to happen because it can consume a significant amount of stack memory. Worse than that is that it can also deadlock: for example, in several places, gfs2_unstuff_dinode() is called inside filesystem transactions. This calls filemap_grab_folio(), which can allocate a new folio, which can trigger memory reclaim. If memory reclaim recurses into the filesystem and starts another transaction, a deadlock will ensue. To fix these kinds of problems, prevent memory reclaim from recursing into filesystem code by making sure that the gfp_mask of inode address spaces doesn’t include __GFP_FS. The “meta” and resource group address spaces were already using GFP_NOFS as their gfp_mask (which doesn’t include __GFP_FS). The default value of GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To avoid being overly limiting, use the default value and only knock off the __GFP_FS flag. I’m not sure if this will actually make a difference, but it also shouldn’t hurt. This patch is loosely based on commit ad22c7a043c2 (“xfs: prevent stack overflows from page cache allocation”). Fixes xfstest generic/273. | 2025-12-24 | not yet calculated | CVE-2025-68356 | https://git.kernel.org/stable/c/edb2b255618621dc83d0ec23150e16b2c697077f https://git.kernel.org/stable/c/9c0960ed112398bdb6c60ccf6e6b583bc59acede https://git.kernel.org/stable/c/49e7347f4644d031306d56cb4d51e467cbdcbc69 https://git.kernel.org/stable/c/2c5f4a53476e3cab70adc77b38942c066bd2c17c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: allocate s_dio_done_wq for async reads as well Since commit 222f2c7c6d14 (“iomap: always run error completions in user context”), read error completions are deferred to s_dio_done_wq. This means the workqueue also needs to be allocated for async reads. | 2025-12-24 | not yet calculated | CVE-2025-68357 | https://git.kernel.org/stable/c/c67775cf0da2407f113c1229e350758f4dca0f51 https://git.kernel.org/stable/c/7fd8720dff2d9c70cf5a1a13b7513af01952ec02 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix racy bitfield write in btrfs_clear_space_info_full() From the memory-barriers.txt document regarding memory barrier ordering guarantees: (*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms. (*) Even in cases where bitfields are protected by locks, all fields in a given bitfield must be protected by one lock. If two fields in a given bitfield are protected by different locks, the compiler’s non-atomic read-modify-write sequences can cause an update to one field to corrupt the value of an adjacent field. btrfs_space_info has a bitfield sharing an underlying word consisting of the fields full, chunk_alloc, and flush: struct btrfs_space_info { struct btrfs_fs_info * fs_info; /* 0 8 */ struct btrfs_space_info * parent; /* 8 8 */ … int clamp; /* 172 4 */ unsigned int full:1; /* 176: 0 4 */ unsigned int chunk_alloc:1; /* 176: 1 4 */ unsigned int flush:1; /* 176: 2 4 */ … Therefore, to be safe from parallel read-modify-writes losing a write to one of the bitfield members protected by a lock, all writes to all the bitfields must use the lock. They almost universally do, except for btrfs_clear_space_info_full() which iterates over the space_infos and writes out found->full = 0 without a lock. Imagine that we have one thread completing a transaction in which we finished deleting a block_group and are thus calling btrfs_clear_space_info_full() while simultaneously the data reclaim ticket infrastructure is running do_async_reclaim_data_space(): T1 T2 btrfs_commit_transaction btrfs_clear_space_info_full data_sinfo->full = 0 READ: full:0, chunk_alloc:0, flush:1 do_async_reclaim_data_space(data_sinfo) spin_lock(&space_info->lock); if(list_empty(tickets)) space_info->flush = 0; READ: full: 0, chunk_alloc:0, flush:1 MOD/WRITE: full: 0, chunk_alloc:0, flush:0 spin_unlock(&space_info->lock); return; MOD/WRITE: full:0, chunk_alloc:0, flush:1 and now data_sinfo->flush is 1 but the reclaim worker has exited. This breaks the invariant that flush is 0 iff there is no work queued or running. Once this invariant is violated, future allocations that go into __reserve_bytes() will add tickets to space_info->tickets but will see space_info->flush is set to 1 and not queue the work. After this, they will block forever on the resulting ticket, as it is now impossible to kick the worker again. I also confirmed by looking at the assembly of the affected kernel that it is doing RMW operations. For example, to set the flush (3rd) bit to 0, the assembly is: andb $0xfb,0x60(%rbx) and similarly for setting the full (1st) bit to 0: andb $0xfe,-0x20(%rax) So I think this is really a bug on practical systems. I have observed a number of systems in this exact state, but am currently unable to reproduce it. Rather than leaving this footgun lying around for the future, take advantage of the fact that there is room in the struct anyway, and that it is already quite large and simply change the three bitfield members to bools. This avoids writes to space_info->full having any effect on —truncated— | 2025-12-24 | not yet calculated | CVE-2025-68358 | https://git.kernel.org/stable/c/6f442808a86eef847ee10afa9e6459494ed85bb3 https://git.kernel.org/stable/c/742b90eaf394f0018352c0e10dc89763b2dd5267 https://git.kernel.org/stable/c/38e818718c5e04961eea0fa8feff3f100ce40408 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of qgroup record after failure to add delayed ref head In the previous code it was possible to incur into a double kfree() scenario when calling add_delayed_ref_head(). This could happen if the record was reported to already exist in the btrfs_qgroup_trace_extent_nolock() call, but then there was an error later on add_delayed_ref_head(). In this case, since add_delayed_ref_head() returned an error, the caller went to free the record. Since add_delayed_ref_head() couldn’t set this kfree’d pointer to NULL, then kfree() would have acted on a non-NULL ‘record’ object which was pointing to memory already freed by the callee. The problem comes from the fact that the responsibility to kfree the object is on both the caller and the callee at the same time. Hence, the fix for this is to shift the ownership of the ‘qrecord’ object out of the add_delayed_ref_head(). That is, we will never attempt to kfree() the given object inside of this function, and will expect the caller to act on the ‘qrecord’ object on its own. The only exception where the ‘qrecord’ object cannot be kfree’d is if it was inserted into the tracing logic, for which we already have the ‘qrecord_inserted_ret’ boolean to account for this. Hence, the caller has to kfree the object only if add_delayed_ref_head() reports not to have inserted it on the tracing logic. As a side-effect of the above, we must guarantee that ‘qrecord_inserted_ret’ is properly initialized at the start of the function, not at the end, and then set when an actual insert happens. This way we avoid ‘qrecord_inserted_ret’ having an invalid value on an early exit. The documentation from the add_delayed_ref_head() has also been updated to reflect on the exact ownership of the ‘qrecord’ object. | 2025-12-24 | not yet calculated | CVE-2025-68359 | https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: wed: use proper wed reference in mt76 wed driver callbacks MT7996 driver can use both wed and wed_hif2 devices to offload traffic from/to the wireless NIC. In the current codebase we assume to always use the primary wed device in wed callbacks resulting in the following crash if the hw runs wed_hif2 (e.g. 6GHz link). [ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a [ 297.464928] Mem abort info: [ 297.467722] ESR = 0x0000000096000005 [ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits [ 297.476766] SET = 0, FnV = 0 [ 297.479809] EA = 0, S1PTW = 0 [ 297.482940] FSC = 0x05: level 1 translation fault [ 297.487809] Data abort info: [ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000 [ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000 [ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP [ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0 [ 297.723908] Tainted: [O]=OOT_MODULE [ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT) [ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table] [ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76] [ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80 [ 297.757126] sp : ffffffc080fe3ae0 [ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7 [ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00 [ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018 [ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000 [ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000 [ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da [ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200 [ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002 [ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000 [ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8 [ 297.831686] Call trace: [ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76] [ 297.839254] mtk_wed_flow_remove+0x58/0x80 [ 297.843342] mtk_flow_offload_cmd+0x434/0x574 [ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40 [ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table] [ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table] [ 297.864463] process_one_work+0x174/0x300 [ 297.868465] worker_thread+0x278/0x430 [ 297.872204] kthread+0xd8/0xdc [ 297.875251] ret_from_fork+0x10/0x20 [ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421) [ 297.884901] ---[ end trace 0000000000000000 ]--- Fix the issue by detecting the proper wed reference to use when running wed callbacks. | 2025-12-24 | not yet calculated | CVE-2025-68360 | https://git.kernel.org/stable/c/ab94ecb997fd1bbc501a0116c7aad51556b67c86 https://git.kernel.org/stable/c/d582d0e988d696698c94edf097062bb987ae592c https://git.kernel.org/stable/c/385aab8fccd7a8746b9f1a17f3c1e38498a14bc7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: limit the level of fs stacking for file-backed mounts Otherwise, it could cause potential kernel stack overflow (e.g., EROFS mounting itself). | 2025-12-24 | not yet calculated | CVE-2025-68361 | https://git.kernel.org/stable/c/34447aeedbaea8f9aad3da5b07030a1c0e124639 https://git.kernel.org/stable/c/b4911825348a494e894e6ccfcf88d99e9425f129 https://git.kernel.org/stable/c/620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4 https://git.kernel.org/stable/c/d53cd891f0e4311889349fff3a784dc552f814b9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, and causing a kernel panic. Add length checks for both rtl8187 and rtl8187b descriptor headers before attempting to access them, dropping the packet cleanly if the check fails. | 2025-12-24 | not yet calculated | CVE-2025-68362 | https://git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355 https://git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8 https://git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15 https://git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Check skb->transport_header is set in bpf_skb_check_mtu The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS) The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used: WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skb For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is plan to avoid setting it as described in commit 2170a1f09148 (“net: no longer reset transport_header in __netif_receive_skb_core()”). This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next. | 2025-12-24 | not yet calculated | CVE-2025-68363 | https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9 https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7 https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5 https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() In ‘__ocfs2_move_extent()’, relax ‘BUG()’ to ‘ocfs2_error()’ just to avoid crashing the whole kernel due to a filesystem corruption. | 2025-12-24 | not yet calculated | CVE-2025-68364 | https://git.kernel.org/stable/c/e5c2503696ec2e0dc7b2aee902dc859ccde39ddf https://git.kernel.org/stable/c/7abbe41d22a06aae00fd46d29f59dd40a01e988f https://git.kernel.org/stable/c/e5c52c320577cd405b251943ef77842dc6f303bf https://git.kernel.org/stable/c/8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Initialize allocated memory before use KMSAN reports: Multiple uninitialized values detected: – KMSAN: uninit-value in ntfs_read_hdr (3) – KMSAN: uninit-value in bcmp (3) Memory is allocated by __getname(), which is a wrapper for kmem_cache_alloc(). This memory is used before being properly cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to properly allocate and clear memory before use. | 2025-12-24 | not yet calculated | CVE-2025-68365 | https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742 https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790 The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); } | 2025-12-24 | not yet calculated | CVE-2025-68366 | https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46 https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9 https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942 https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <TASK> input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The WARNING occurs when two processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler. CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock() Fix this by moving the old_val read inside the mutex lock region. | 2025-12-24 | not yet calculated | CVE-2025-68367 | https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4 https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911 https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381 https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: md: init bioset in mddev_init IO operations may be needed before md_run(), such as updating metadata after writing sysfs. Without a bioset, this triggers a NULL pointer dereference as below: BUG: kernel NULL pointer dereference, address: 0000000000000020 Call Trace: md_update_sb+0x658/0xe00 new_level_store+0xc5/0x120 md_attr_store+0xc9/0x1e0 sysfs_kf_write+0x6f/0xa0 kernfs_fop_write_iter+0x141/0x2a0 vfs_write+0x1fc/0x5a0 ksys_write+0x79/0x180 __x64_sys_write+0x1d/0x30 x64_sys_call+0x2818/0x2880 do_syscall_64+0xa9/0x580 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Reproducer: `mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd]`, then `echo inactive > /sys/block/md0/md/array_state`, then `echo 10 > /sys/block/md0/md/new_level`. mddev_init() can only be called once per mddev, so there is no need to test whether the bioset has already been initialized. | 2025-12-24 | not yet calculated | CVE-2025-68368 | https://git.kernel.org/stable/c/9d37fe37dfa0833a8768740f0575e0ffd793cb4a https://git.kernel.org/stable/c/381a3ce1c0ffed647c9b913e142b099c7e9d5afc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: init run lock for extend inode After setting the inode mode of $Extend to a regular file, executing the truncate system call will enter the do_truncate() routine, causing the run_lock uninitialized error reported by syzbot. Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to a regular file, the do_truncate() routine would not be entered. Add the run_lock initialization when loading $Extend. syzbot reported: INFO: trying to register non-static key. Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984 register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299 __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590 ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860 ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387 ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808 | 2025-12-24 | not yet calculated | CVE-2025-68369 | https://git.kernel.org/stable/c/6e17555728bc469d484c59db4a0abc65c19bc315 https://git.kernel.org/stable/c/19164d8228317f3f1fe2662a9ba587cfe3b2d29e https://git.kernel.org/stable/c/ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076 https://git.kernel.org/stable/c/be99c62ac7e7af514e4b13f83c891a3cccefaa48 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: coresight: tmc: add the handle of the event to the path The handle is essential for retrieving the AUX_EVENT of each CPU and is required in perf mode. It has been added to the coresight_path so that dependent devices can access it from the path when needed. The existing bug can be reproduced with: perf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null Showing an oops as follows: Unable to handle kernel paging request at virtual address 000f6e84934ed19e Call trace: tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P) catu_enable_hw+0xbc/0x3d0 [coresight_catu] catu_enable+0x70/0xe0 [coresight_catu] coresight_enable_path+0xb0/0x258 [coresight] | 2025-12-24 | not yet calculated | CVE-2025-68370 | https://git.kernel.org/stable/c/faa8f38f7ccb344ace2c1f364efc70e3a12d32f3 https://git.kernel.org/stable/c/d0c9effd82f2c19b92acd07d357fac5f392d549a https://git.kernel.org/stable/c/aaa5abcc9d44d2c8484f779ab46d242d774cabcb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix device resources accessed after device removal Correct possible race conditions during device removal. Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues. This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and improper access to freed resources. - Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped. - Cancel any pending TMF work that has not started in sdev_destroy(). - Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets. | 2025-12-24 | not yet calculated | CVE-2025-68371 | https://git.kernel.org/stable/c/eccc02ba1747501d92bb2049e3ce378ba372f641 https://git.kernel.org/stable/c/4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1 https://git.kernel.org/stable/c/1a5c5a2f88e839af5320216a02ffb075b668596a https://git.kernel.org/stable/c/b518e86d1a70a88f6592a7c396cf1b93493d1aab |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared. However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup. Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave. In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock): path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0 Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put") | 2025-12-24 | not yet calculated | CVE-2025-68372 | https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6 https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01 https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: md: avoid repeated calls to del_gendisk There is a uaf problem which is found by case 23rdev-lifetime: Oops: general protection fault, probably for non-canonical address 0xdead000000000122 RIP: 0010:bdi_unregister+0x4b/0x170 Call Trace: <TASK> __del_gendisk+0x356/0x3e0 mddev_unlock+0x351/0x360 rdev_attr_store+0x217/0x280 kernfs_fop_write_iter+0x14a/0x210 vfs_write+0x29e/0x550 ksys_write+0x74/0xf0 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff5250a177e The sequence is: 1. rdev remove path gets reconfig_mutex 2. rdev remove path release reconfig_mutex in mddev_unlock 3. md stop calls do_md_stop and sets MD_DELETED 4. rdev remove path calls del_gendisk because MD_DELETED is set 5. md stop path release reconfig_mutex and calls del_gendisk again So there is a race condition we should resolve. This patch adds a flag MD_DO_DELETE to avoid the race condition. | 2025-12-24 | not yet calculated | CVE-2025-68373 | https://git.kernel.org/stable/c/b4c5cf406062ad44cd178269571530c6435b2f3b https://git.kernel.org/stable/c/f0fae1debeb9102398ddf2ef69b4f5d395afafed https://git.kernel.org/stable/c/90e3bb44c0a86e245d8e5c6520206fa113acb1ee |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: md: fix rcu protection in md_wakeup_thread We attempted to use RCU to protect the pointer `thread`, but directly passed the value when calling md_wakeup_thread(). This means that the RCU pointer has been acquired before rcu_read_lock(), which renders rcu_read_lock() ineffective and could lead to a use-after-free. | 2025-12-24 | not yet calculated | CVE-2025-68374 | https://git.kernel.org/stable/c/21989cb5034c835b212385a2afadf279d8069da0 https://git.kernel.org/stable/c/a4bd1caf591faeae44cb10b6517e7dacb5139bda https://git.kernel.org/stable/c/f98b191f78124405294481dea85f8a22a3eb0a59 https://git.kernel.org/stable/c/0dc76205549b4c25705e54345f211b9f66e018a0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86: Fix NULL event access and potential PEBS record loss When intel_pmu_drain_pebs_icl() is called to drain PEBS records, perf_event_overflow() could be called to process the last PEBS record. perf_event_overflow() in turn could trigger the interrupt throttle and stop all events of the group, as the call chain below shows. perf_event_overflow() -> __perf_event_overflow() -> __perf_event_account_interrupt() -> perf_event_throttle_group() -> perf_event_throttle() -> event->pmu->stop() -> x86_pmu_stop() The side effect of stopping the events is that all corresponding event pointers in the cpuc->events[] array are cleared to NULL. Assume there are two PEBS events (event a and event b) in a group. When intel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the last PEBS record of PEBS event a, the interrupt throttle is triggered and the pointers of both event a and event b are cleared to NULL. Then intel_pmu_drain_pebs_icl() tries to process the last PEBS record of event b and encounters a NULL pointer access. To avoid this issue, move the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del(). This is safe since cpuc->active_mask or cpuc->pebs_enabled is always checked before accessing the event pointer from cpuc->events[]. | 2025-12-24 | not yet calculated | CVE-2025-68375 | https://git.kernel.org/stable/c/cf69b99805c263117305ac6dffbc85aaf9259d32 https://git.kernel.org/stable/c/6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e https://git.kernel.org/stable/c/7e772a93eb61cb6265bdd1c5bde17d0f2718b452 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: coresight: ETR: Fix ETR buffer use-after-free issue When ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed and ETR is enabled again, sysfs_buf currently points to the newly allocated memory (buf_new) and the old memory (buf_old) is freed. But the etr_buf being used by the ETR still points to buf_old and is not updated to buf_new. This results in a memory use-after-free. Fix this by checking ETR's mode before updating and releasing buf_old: if the mode is CS_MODE_SYSFS, skip updating and releasing it. | 2025-12-24 | not yet calculated | CVE-2025-68376 | https://git.kernel.org/stable/c/70acbc9c77686b7a521af6d7a543dcd9c324cf07 https://git.kernel.org/stable/c/cda077a19f5c8d6ec61e5b97deca203d95e3a422 https://git.kernel.org/stable/c/35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ns: initialize ns_list_node for initial namespaces Make sure that the list is always initialized for initial namespaces. | 2025-12-24 | not yet calculated | CVE-2025-68377 | https://git.kernel.org/stable/c/e31c902d785411eb4a246fba2e8a32aa59d33ce2 https://git.kernel.org/stable/c/3dd50c58664e2684bd610a57bf3ab713cbb0ea91 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check in __bpf_get_stackid() Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket’s data array. | 2025-12-24 | not yet calculated | CVE-2025-68378 | https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590 https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3 https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask. Call Trace: <TASK> rxe_modify_srq+0x170/0x480 [rdma_rxe] ? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe] ? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs] ? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs] ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs] ? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs] ? tryinc_node_nr_active+0xe6/0x150 ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs] ? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs] ? __pfx___raw_spin_lock_irqsave+0x10/0x10 ? __pfx_do_vfs_ioctl+0x10/0x10 ? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0 ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10 ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs] ? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs] __x64_sys_ioctl+0x138/0x1c0 do_syscall_64+0x82/0x250 ? fdget_pos+0x58/0x4c0 ? ksys_write+0xf3/0x1c0 ? __pfx_ksys_write+0x10/0x10 ? do_syscall_64+0xc8/0x250 ? __pfx_vm_mmap_pgoff+0x10/0x10 ? fget+0x173/0x230 ? fput+0x2a/0x80 ? ksys_mmap_pgoff+0x224/0x4c0 ? do_syscall_64+0xc8/0x250 ? do_user_addr_fault+0x37b/0xfe0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e | 2025-12-24 | not yet calculated | CVE-2025-68379 | https://git.kernel.org/stable/c/b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7 https://git.kernel.org/stable/c/5dbeb421e137824aa9bd8358bdfc926a3965fc0d https://git.kernel.org/stable/c/bc4c14a3863cc0e03698caec9a0cdabd779776ee https://git.kernel.org/stable/c/503a5e4690ae14c18570141bc0dcf7501a8419b0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), the peer's transmit MCS is sent to firmware as the receive MCS while the peer's receive MCS is sent as the transmit MCS, which goes against the firmware's definition. When connecting to a misbehaving AP that advertises 0xffff (meaning not supported) for the 160 MHz transmit MCS map, the firmware crashes because 0xffff is assigned to the he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Supported HE-MCS and NSS Set [...] Rx and Tx MCS Maps 160 MHz [...] Tx HE-MCS Map 160 MHz: 0xffff Swap the assignment to fix this issue. As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via the he_mcs->rx_mcs_set field. With the aforementioned swap done, a change is needed as well to apply it to the peer's receive MCS. Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-12-24 | not yet calculated | CVE-2025-68380 | https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2 https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure, and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial numbers, issuer names, etc. | 2025-12-24 | not yet calculated | CVE-2025-68724 | https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7 https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6 https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Do not let BPF test infra emit invalid GSO types to stack Yinhao et al. reported that their fuzzer tool was able to trigger a skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). When a BPF program, triggered via BPF test infra, pushes the packet to the loopback device via bpf_clone_redirect(), the mentioned offload warning can be seen. GSO-related features are then rightfully disabled. We get into this situation because convert___skb_to_skb() sets gso_segs and gso_size but not gso_type. Technically, it makes sense that this warning triggers, since the GSO properties are malformed due to the gso_type. Potentially, the gso_type could be marked non-trustworthy by setting it at least to SKB_GSO_DODGY without any other specific assumptions, but that also feels wrong given that we should not go further into the GSO engine in the first place. The checks were added in 121d57af308d ("gso: validate gso_type in GSO handlers") because there were malicious (syzbot) senders that combine a protocol with a non-matching gso_type. If we wanted to drop such packets, gso_features_check() currently only returns feature flags via netif_skb_features(), so one location for potentially dropping such skbs could be validate_xmit_unreadable_skb(), but on the other hand that would be an additional check in the fast path for a very corner case. Given that bpf_clone_redirect() is the only place where BPF test infra could emit such packets, let's reject them right there. | 2025-12-24 | not yet calculated | CVE-2025-68725 | https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54 https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: aead - Fix reqsize handling Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg") introduced the cra_reqsize field in struct crypto_alg to replace type-specific reqsize fields. From the commit description, it looks like this was introduced specifically for ahash and acomp, as subsequent commits add the necessary changes in those alg frameworks. However, it is being recommended for use in all crypto algs instead of setting reqsize using crypto_*_set_reqsize(). Using cra_reqsize in aead algorithms therefore causes memory corruption and crashes, as the underlying functions in the algorithm framework have not been updated to set the reqsize properly from cra_reqsize. [1] Add proper set_reqsize calls in the aead init function to properly initialize reqsize for these algorithms in the framework. [1]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b | 2025-12-24 | not yet calculated | CVE-2025-68726 | https://git.kernel.org/stable/c/64377e66e187164bd6737112d07257f5f0feb681 https://git.kernel.org/stable/c/12b413f5460c393d1151a37f591140693eca0f84 https://git.kernel.org/stable/c/9b04d8f00569573796dd05397f5779135593eb24 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: Fix uninit buffer allocated by __getname() Fix uninit errors caused after the allocated buffer is given to `de`, by initializing the buffer with zeroes. The fix was found by using KMSAN. | 2025-12-24 | not yet calculated | CVE-2025-68727 | https://git.kernel.org/stable/c/4b1fd82848fdf0e01b3320815b261006c1722c3e https://git.kernel.org/stable/c/d88d4b455b6794f48d7adad52593f1700c7bd50e https://git.kernel.org/stable/c/b40a4eb4a0543d49686a6e693745009dac3b86a9 https://git.kernel.org/stable/c/9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix uninit memory after failed mi_read in mi_format_new Fix a KMSAN un-init bug found by syzkaller. ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be uptodate. We do not bring the buffer uptodate before setting it as uptodate. If the buffer were to not be uptodate, it could mean adding a buffer with un-init data to the mi record. Attempting to load that record will trigger KMSAN. Avoid this by setting the buffer as uptodate, if it’s not already, by overwriting it. | 2025-12-24 | not yet calculated | CVE-2025-68728 | https://git.kernel.org/stable/c/7ce8f2028dfccb2161b905cf8ab85cdd9e93909c https://git.kernel.org/stable/c/46f2a881e5a7311d41551edb3915e4d4e8802341 https://git.kernel.org/stable/c/81ffe9a265df3e41534726b852ab08792e3d374d https://git.kernel.org/stable/c/73e6b9dacf72a1e7a4265eacca46f8f33e0997d6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix MSDU buffer types handling in RX error path Currently, packets received on the REO exception ring from unassociated peers are of MSDU buffer type, while the driver expects link descriptor type packets. These packets are not parsed further due to a return check on packet type in ath12k_hal_desc_reo_parse_err(), but the associated skb is not freed. This may lead to kernel crashes and buffer leaks. Hence to fix, update the RX error handler to explicitly drop MSDU buffer type packets received on the REO exception ring. This prevents further processing of invalid packets and ensures stability in the RX error handling path. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-12-24 | not yet calculated | CVE-2025-68729 | https://git.kernel.org/stable/c/5ff5a9d71cdc49c3400f30583a784ad0a17d01ec https://git.kernel.org/stable/c/ab0554f51e5f2b9506e8a09e8accd02f00056729 https://git.kernel.org/stable/c/36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context() Don’t add BO to the vdev->bo_list in ivpu_gem_create_object(). When failure happens inside drm_gem_shmem_create(), the BO is not fully created and ivpu_gem_bo_free() callback will not be called causing a deleted BO to be left on the list. | 2025-12-24 | not yet calculated | CVE-2025-68730 | https://git.kernel.org/stable/c/8172838a284c27190fa6782c2740a97020434750 https://git.kernel.org/stable/c/c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec https://git.kernel.org/stable/c/8b694b405a84696f1d964f6da7cf9721e68c4714 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array() The unpublished smatch static checker reported a warning: drivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array() warn: potential user controlled sizeof overflow `args->num_element * args->element_size` `1-u32max(user) * 1-u32max(user)`. Even if this will not cause a real issue, it is better to put a reasonable limit on element_size and num_element. Add conditions to make sure the input element_size <= 4K and num_element <= 1K. | 2025-12-24 | not yet calculated | CVE-2025-68731 | https://git.kernel.org/stable/c/359653edd5374fbba28f93043554dcc494aee85f https://git.kernel.org/stable/c/9e16c8bf9aebf629344cfd4cd5e3dc7d8c3f7d82 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gpu: host1x: Fix race in syncpt alloc/free Fix race condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking. This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release. Remove explicit mutex locking in syncpt_release as kref_put_mutex() handles this atomically. | 2025-12-24 | not yet calculated | CVE-2025-68732 | https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7 https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27 https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774 https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: smack: fix bug: unprivileged task can create labels If an unprivileged task is allowed to relabel itself (/smack/relabel-self is not empty), it can freely create new labels by writing their names into its own /proc/PID/attr/smack/current. This occurs because do_setattr() imports the provided label in advance, before checking the "relabel-self" list. This change ensures that the "relabel-self" list is checked before importing the label. | 2025-12-24 | not yet calculated | CVE-2025-68733 | https://git.kernel.org/stable/c/ac9fce2efabad37c338aac86fbe100f77a080e59 https://git.kernel.org/stable/c/64aa81250171b6bb6803e97ea7a5d73bfa061f6e https://git.kernel.org/stable/c/60e8d49989410a7ade60f5dadfcd979c117d05c0 https://git.kernel.org/stable/c/c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool. | 2025-12-24 | not yet calculated | CVE-2025-68734 | https://git.kernel.org/stable/c/475032fa2bb82ffb592c321885e917e39f47357f https://git.kernel.org/stable/c/adb7577e23a431fc53aa1b6107733c0d751015fb https://git.kernel.org/stable/c/b70c24827e11fdc71465f9207e974526fb457bb9 https://git.kernel.org/stable/c/3f7c72bc73c4e542fde14cce017549d8a0b61a3c https://git.kernel.org/stable/c/03695541b3349bc40bf5d6563d44d6147fb20260 https://git.kernel.org/stable/c/6dce43433e0635e7b00346bc937b69ce48ea71bb https://git.kernel.org/stable/c/ea7936304ed74ab7f965d17f942a173ce91a5ca8 https://git.kernel.org/stable/c/3f978e3f1570155a1327ffa25f60968bc7b9398f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Prevent potential UAF in group creation This commit prevents a possible use-after-free in the GROUP_CREATE ioctl function, which arises because the pointer to the group is accessed in that ioctl function after it has been stored in the Xarray. A malicious userspace can second-guess the handle of a group and try to call the GROUP_DESTROY ioctl from another thread at around the same time as the GROUP_CREATE ioctl. To prevent the use-after-free, this commit uses a mark on the entry of the group pool Xarray, which is added just before returning from the GROUP_CREATE ioctl function. The mark is checked for all ioctls that specify the group handle, so userspace won't be able to delete a group that isn't marked yet. v2: Add R-bs and fixes tags | 2025-12-24 | not yet calculated | CVE-2025-68735 | https://git.kernel.org/stable/c/deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05 https://git.kernel.org/stable/c/c646ebff3fa571e7ea974235286fb9ed3edc260c https://git.kernel.org/stable/c/eec7e23d848d2194dd8791fcd0f4a54d4378eecd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: landlock: Fix handling of disconnected directories Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope). Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to the root of the filesystem, without taking into account the mount point because it couldn't be found. This could lead to inconsistent access results, potential access right widening, and hard-to-debug renames, especially since such paths cannot be printed. For a sandboxed task to create a disconnected directory, it needs to have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to the underlying source of the bind mount, and read access to the related mount point. Because a sandboxed task cannot acquire more access rights than those defined by its Landlock domain, this could lead to inconsistent access rights due to missing permissions that should be inherited from the mount point hierarchy, while inheriting permissions from the filesystem hierarchy hidden by this mount point instead. Landlock now handles files and directories opened from disconnected directories by taking into account the filesystem hierarchy when the mount point is not found in the hierarchy walk, and also always taking into account the mount point from which these disconnected directories were opened. This ensures that a rename is not allowed if it would widen access rights [1]. The rationale is that, even if disconnected hierarchies might not be visible or accessible to a sandboxed task, relying on the collected access rights from them improves the guarantee that access rights will not be widened during a rename because of the access right comparison between the source and the destination (see LANDLOCK_ACCESS_FS_REFER). It may look like this would grant more access on disconnected files and directories, but the security policies are always enforced for all the evaluated hierarchies. This new behavior should be less surprising to users and safer from an access control perspective. Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and fix the related comment. Because opened files have their access rights stored in the related file security properties, there is no impact for disconnected or unlinked files. | 2025-12-24 | not yet calculated | CVE-2025-68736 | https://git.kernel.org/stable/c/cadb28f8b3fd6908e3051e86158c65c3a8e1c907 https://git.kernel.org/stable/c/49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/pageattr: Propagate return value from __change_memory_common The rodata=on security measure requires that any code path which does vmalloc -> set_memory_ro/set_memory_rox must protect the linear map alias too. Therefore, if such a call fails, we must abort set_memory_* and caller must take appropriate action; currently we are suppressing the error, and there is a real chance of such an error arising post commit a166563e7ec3 (“arm64: mm: support large block mapping when rodata=full”). Therefore, propagate any error to the caller. | 2025-12-24 | not yet calculated | CVE-2025-68737 | https://git.kernel.org/stable/c/3e2fc1e57a5361633a4bf4222640c6bfe41ff8ea https://git.kernel.org/stable/c/e5efd56fa157d2e7d789949d1d64eccbac18a897 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx() If a link does not have an assigned channel yet, mt7996_vif_link returns NULL. We still need to store the updated queue settings in that case, and apply them later. Move the location of the queue params to within struct mt7996_vif_link. | 2025-12-24 | not yet calculated | CVE-2025-68738 | https://git.kernel.org/stable/c/96841352aaba7723c20afb3a5356746810ef8198 https://git.kernel.org/stable/c/b8f34c1c5c4f5130c20e3253c95ba1d844d402b9 https://git.kernel.org/stable/c/79277f8ad15ec5f255ed0e1427c7a8a3e94e7f52 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: hisi: Fix potential UAF in OPP handling Ensure all required data is acquired before calling dev_pm_opp_put(opp) to maintain correct resource acquisition and release order. | 2025-12-24 | not yet calculated | CVE-2025-68739 | https://git.kernel.org/stable/c/efb028b07f7b2d141b91c2fab5276b601f0d0dbe https://git.kernel.org/stable/c/469b0b8ce08818f3e4f01d2fa8d0dadeab501e1f https://git.kernel.org/stable/c/26dd44a40096468396b6438985d8e44e0743f64c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ima: Handle error code returned by ima_filter_rule_match() In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the ‘if (!rc)’ check and sets ‘result = true’. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via ‘semodule -d’, if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the ‘if (rc == -ESTALE && !rule_reinitialized)’ block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the ‘if (!rc)’ check and results in a false match. Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0 Fix this by changing ‘if (!rc)’ to ‘if (rc <= 0)’ to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match. | 2025-12-24 | not yet calculated | CVE-2025-68740 | https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6 https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158 https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1 https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix improper freeing of purex item In qla2xxx_process_purls_iocb(), an item is allocated via qla27xx_copy_multiple_pkt(), which internally calls qla24xx_alloc_purex_item(). The qla24xx_alloc_purex_item() function may return a pre-allocated item from a per-adapter pool for small allocations, instead of dynamically allocating memory with kzalloc(). An error handling path in qla2xxx_process_purls_iocb() incorrectly uses kfree() to release the item. If the item was from the pre-allocated pool, calling kfree() on it is a bug that can lead to memory corruption. Fix this by using the correct deallocation function, qla24xx_free_purex_item(), which properly handles both dynamically allocated and pre-allocated items. | 2025-12-24 | not yet calculated | CVE-2025-68741 | https://git.kernel.org/stable/c/8e9f0a0717ba31d5842721627ade1e62d7aec012 https://git.kernel.org/stable/c/cfe3e2f768d248fd3d965d561d0768a56dd0b9f8 https://git.kernel.org/stable/c/5fa1c8226b4532ad7011d295d3ab4ad45df105ae https://git.kernel.org/stable/c/78b1a242fe612a755f2158fd206ee6bb577d18ca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <– fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog —softirq start— __do_softirq … __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) —softirq end— static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL. | 2025-12-24 | not yet calculated | CVE-2025-68742 | https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97 https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41 https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mshv: Fix create memory region overlap check The current check is incorrect; it only checks if the beginning or end of a region is within an existing region. This doesn’t account for userspace specifying a region that begins before and ends after an existing region. Change the logic to a range intersection check against gfns and uaddrs for each region. Remove mshv_partition_region_by_uaddr() as it is no longer used. | 2025-12-24 | not yet calculated | CVE-2025-68743 | https://git.kernel.org/stable/c/2183924dd834e0703f87e17c17e689bcbf55d69d https://git.kernel.org/stable/c/ab3e7a78d83a61d335458cfe2e4d17eba69ae73d https://git.kernel.org/stable/c/ba9eb9b86d232854e983203dc2fb1ba18e316681 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Free special fields when update [lru_,]percpu_hash maps As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to ‘bpf_obj_free_fields()’ in ‘pcpu_copy_value()’ could cause the memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the map gets freed. Fix this by calling ‘bpf_obj_free_fields()’ after ‘copy_map_value[,_long]()’ in ‘pcpu_copy_value()’. | 2025-12-24 | not yet calculated | CVE-2025-68744 | https://git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7 https://git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68 https://git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e https://git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Clear cmds after chip reset Commit aefed3e5548f (“scsi: qla2xxx: target: Fix offline port handling and host reset handling”) caused two problems: 1. Commands sent to FW, after chip reset got stuck and never freed as FW is not going to respond to them anymore. 2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a (“scsi: qla2xxx: Fix missed DMA unmap for aborted commands”) attempted to fix this, but introduced another bug under different circumstances when two different CPUs were racing to call qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in dma_unmap_sg_attrs(). So revert “scsi: qla2xxx: Fix missed DMA unmap for aborted commands” and partially revert “scsi: qla2xxx: target: Fix offline port handling and host reset handling” at __qla2x00_abort_all_cmds. | 2025-12-24 | not yet calculated | CVE-2025-68745 | https://git.kernel.org/stable/c/5c1fb3fd05da3d55b8cbc42d7d660b313cbdc936 https://git.kernel.org/stable/c/d46c69a087aa3d1513f7a78f871b80251ea0c1ae |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Fix timeout handling When the CPU that the QSPI interrupt handler runs on (typically CPU 0) is excessively busy, it can lead to rare cases of the IRQ thread not running before the transfer timeout is reached. While handling the timeouts, any pending transfers are cleaned up and the message that they correspond to is marked as failed, which leaves the curr_xfer field pointing at stale memory. To avoid this, clear curr_xfer to NULL upon timeout and check for this condition when the IRQ thread is finally run. While at it, also make sure to clear interrupts on failure so that new interrupts can be run. A better, more involved, fix would move the interrupt clearing into a hard IRQ handler. Ideally we would also want to signal that the IRQ thread no longer needs to be run after the timeout is hit to avoid the extra check for a valid transfer. | 2025-12-24 | not yet calculated | CVE-2025-68746 | https://git.kernel.org/stable/c/551060efb156c50fe33799038ba8145418cfdeef https://git.kernel.org/stable/c/bb0c58be84f907285af45657c1d4847b960a12bf https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc https://git.kernel.org/stable/c/b4e002d8a7cee3b1d70efad0e222567f92a73000 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF on kernel BO VA nodes If the MMU is down, panthor_vm_unmap_range() might return an error. We expect the page table to be updated still, and if the MMU is blocked, the rest of the GPU should be blocked too, so no risk of accessing physical memory returned to the system (which the current code doesn’t cover for anyway). Proceed with the rest of the cleanup instead of bailing out and leaving the va_node inserted in the drm_mm, which leads to UAF when other adjacent nodes are removed from the drm_mm tree. | 2025-12-24 | not yet calculated | CVE-2025-68747 | https://git.kernel.org/stable/c/5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391 https://git.kernel.org/stable/c/1123eadb843588b361c96f53a771202b7953154f https://git.kernel.org/stable/c/0612704b6f6ddf2ae223019c52148c5ac76cf70e https://git.kernel.org/stable/c/98dd5143447af0ee33551776d8b2560c35d0bc4a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF race between device unplug and FW event processing The function panthor_fw_unplug() will free the FW memory sections. The problem is that there could still be pending FW events which are yet not handled at this point. process_fw_events_work() can in this case try to access said freed memory. Simply call disable_work_sync() to both drain and prevent future invocation of process_fw_events_work(). | 2025-12-24 | not yet calculated | CVE-2025-68748 | https://git.kernel.org/stable/c/31db188355a49337e3e8ec98b99377e482eab22c https://git.kernel.org/stable/c/5e3ff56d4cb591daea70786d07dc21d06dc34108 https://git.kernel.org/stable/c/6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a https://git.kernel.org/stable/c/7051f6ba968fa69918d72cc26de4d6cf7ea05b90 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix race condition when unbinding BOs Fix ‘Memory manager not clean during takedown’ warning that occurs when ivpu_gem_bo_free() removes the BO from the BOs list before it gets unmapped. Then file_priv_unbind() triggers a warning in drm_mm_takedown() during context teardown. Protect the unmapping sequence with bo_list_lock to ensure the BO is always fully unmapped when removed from the list. This ensures the BO is either fully unmapped at context teardown time or present on the list and unmapped by file_priv_unbind(). | 2025-12-24 | not yet calculated | CVE-2025-68749 | https://git.kernel.org/stable/c/fb16493ebd8f171bcf0772262619618a131f30f7 https://git.kernel.org/stable/c/d71333ffdd3707d84cfb95acfaf8ba892adc066b https://git.kernel.org/stable/c/00812636df370bedf4e44a0c81b86ea96bca8628 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven’t tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the relevant code accordingly. This patch is similar to commit 59c816c1f24d (“vhost/scsi: potential memory corruption”). | 2025-12-24 | not yet calculated | CVE-2025-68750 | https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24 https://git.kernel.org/stable/c/603a83e5fee38a950bfcfb2f36449311fa00a474 https://git.kernel.org/stable/c/6f77e344515b5258edb3988188311464209b1c7c https://git.kernel.org/stable/c/6722e080b5b39ab7471386c73d0c1b39572f943c https://git.kernel.org/stable/c/a33f507f36d5881f602dab581ab0f8d22b49762c https://git.kernel.org/stable/c/358d5ba08f1609c34a054aed88c431844d09705a https://git.kernel.org/stable/c/620a5e1e84a3a7004270703a118d33eeb1c0f368 https://git.kernel.org/stable/c/153874010354d050f62f8ae25cbb960c17633dc5 |
| Liton Arefin–WP Adminify | Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1. | 2025-12-24 | not yet calculated | CVE-2025-68592 | https://vdp.patchstack.com/database/Wordpress/Plugin/adminify/vulnerability/wordpress-wp-adminify-plugin-4-0-6-1-broken-access-control-vulnerability-2?_s_id=cve |
| Liton Arefin–WP Adminify | Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1. | 2025-12-24 | not yet calculated | CVE-2025-68593 | https://vdp.patchstack.com/database/Wordpress/Plugin/adminify/vulnerability/wordpress-wp-adminify-plugin-4-0-6-1-broken-access-control-vulnerability?_s_id=cve |
| LiveComposer–Page Builder: Live Composer | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LiveComposer Page Builder: Live Composer live-composer-page-builder allows Stored XSS. This issue affects Page Builder: Live Composer: from n/a through <= 2.0.5. | 2025-12-24 | not yet calculated | CVE-2025-68598 | https://vdp.patchstack.com/database/Wordpress/Plugin/live-composer-page-builder/vulnerability/wordpress-page-builder-live-composer-plugin-2-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| MariaDB–MariaDB | MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Interaction with the mariadb-dump utility is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of view names. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27000. | 2025-12-23 | not yet calculated | CVE-2025-13699 | ZDI-25-1025 vendor-provided URL |
| Marketing Fire–Editorial Calendar | Missing Authorization vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editorial Calendar: from n/a through <= 3.8.8. | 2025-12-24 | not yet calculated | CVE-2025-68603 | https://vdp.patchstack.com/database/Wordpress/Plugin/editorial-calendar/vulnerability/wordpress-editorial-calendar-plugin-3-8-8-broken-access-control-vulnerability?_s_id=cve |
| Mitchell Bennis–Simple File List | Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple File List: from n/a through <= 6.1.15. | 2025-12-24 | not yet calculated | CVE-2025-68591 | https://vdp.patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-1-15-broken-access-control-vulnerability?_s_id=cve |
| modeltheme–ModelTheme Addons for WPBakery and Elementor | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Stored XSS. This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6. | 2025-12-24 | not yet calculated | CVE-2025-68532 | https://vdp.patchstack.com/database/Wordpress/Plugin/modeltheme-addons-for-wpbakery/vulnerability/wordpress-modeltheme-addons-for-wpbakery-and-elementor-plugin-1-5-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| MSP360–Free Backup | MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MSP360 Free Backup. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally. The specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27245. | 2025-12-23 | not yet calculated | CVE-2025-12838 | ZDI-25-988 |
| Frappe–Attachments module of Frappe Framework v15.89.0 | An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. | 2025-12-22 | not yet calculated | CVE-2025-67289 | http://erpnext.com http://frappe.com https://github.com/vuquyen03/CVE/blob/main/CVE-2025-67289/README.md |
| Blitz–Blitz Panel v1.17.0 | An open redirect vulnerability in the login endpoint of Blitz Panel v1.17.0 allows attackers to redirect users to malicious domains via a crafted URL. This issue affects the next_url parameter in the login endpoint and could lead to phishing or token theft after successful authentication. | 2025-12-24 | not yet calculated | CVE-2025-60935 | https://github.com/ReturnFI/Blitz https://gist.github.com/HEXER365/2e866b47d56585e1e59e7c16bf4b4db7 |
| Cadmium–Cadmium CMS v.0.4.9 | Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads. | 2025-12-23 | not yet calculated | CVE-2025-51511 | https://github.com/cadmium-org/cadmium-cms/issues/23 |
| ClinCapture–ClinCapture EDC 3.0 and 2.2.3 | Reflected cross-site scripting (XSS) vulnerability in ClinCapture EDC 3.0 and 2.2.3, allowing an unauthenticated remote attacker to execute JavaScript code in the context of the victim’s browser. | 2025-12-22 | not yet calculated | CVE-2025-65270 | https://www.clincapture.com/ https://github.com/xh4vm/CVE-2025-65270 |
| ClipBucket–ClipBucket 5.5.2 | ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application. | 2025-12-22 | not yet calculated | CVE-2025-67418 | http://clipbucket.com https://medium.com/@arpit03sharma2003/cve-2025-67418-when-default-credentials-become-a-remote-root-button-03be5ee4b927 |
| CloudLog–Cloudlog v2.6.15 | Time-based blind SQL Injection vulnerability in Cloudlog v2.6.15 at the endpoint /index.php/logbookadvanced/search in the qsoresults parameter. | 2025-12-26 | not yet calculated | CVE-2024-44065 | https://github.com/magicbug/Cloudlog https://github.com/jacopo1223/jacopo.github/tree/main/CVE-2024-44065 |
| Cola–Cola Dnslog v1.3.2 | Cola Dnslog v1.3.2 is vulnerable to Directory Traversal. When a DNS query for a TXT record is processed, the application concatenates the requested URL (or a portion of it) directly with a base path using os.path.join. This bypass allows directory traversal or absolute path injection, leading to the potential exposure of sensitive information. | 2025-12-26 | not yet calculated | CVE-2025-57403 | https://github.com/AbelChe/cola_dnslog/issues/29 https://gist.github.com/Captaince/99b728c792c72b2666c2400625702df0 |
| Comtech–Comtech EF Data CDM-625 / CDM-625A | Incorrect access control in Comtech EF Data CDM-625 / CDM-625A Advanced Satellite Modem with firmware v2.5.1 allows attackers to change the Administrator password and escalate privileges via sending a crafted POST request to /Forms/admin_access_1. | 2025-12-26 | not yet calculated | CVE-2025-67015 | https://www.comtechefdata.com/ https://github.com/shiky8/my–cve-vulnerability-research/tree/main/CVE-2025-67015%20_%20Comtech%20EF%20Data%20CDM-625%20_%20CDM-625A%20Advanced%20_%20Broken%20Access%20Control |
| Croogo–Croogo CMS 4.0.7 | A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the ‘edit-file’ parameter. | 2025-12-26 | not yet calculated | CVE-2024-42718 | https://github.com/croogo/croogo https://github.com/jacopo1223/jacopo.github/tree/main/CVE-2024-42718 |
| –Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3), Nokia C7 (Delight v6.7), Nokia 700 (Delight v1.2), Nokia 701 (Delight v1.1), Nokia 603 (Delight v1.0), Nokia 500 (Delight v1.2), Nokia E6 (Delight v1.0), Nokia Oro (Delight v1.0), and Vertu Constellation T (Delight v1.0) | An issue was discovered in the Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3), Nokia C7 (Delight v6.7), Nokia 700 (Delight v1.2), Nokia 701 (Delight v1.1), Nokia 603 (Delight v1.0), Nokia 500 (Delight v1.2), Nokia E6 (Delight v1.0), Nokia Oro (Delight v1.0), and Vertu Constellation T (Delight v1.0) allowing local attackers to inject startup scripts via crafted .txt files in the :Data directory. | 2025-12-26 | not yet calculated | CVE-2025-65885 | https://www.symwld.com/delight/ https://gist.github.com/symbuzzer/3315e88adc2bba0b6cc66d192b49546d |
| –DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 | Incorrect access control in DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 allows unauthenticated attackers to access an administrative endpoint. | 2025-12-26 | not yet calculated | CVE-2025-67014 | https://dev-systemtechnik.com https://github.com/shiky8/my–cve-vulnerability-research/tree/main/CVE-2025-67014%20_%20DEV%20Systemtechnik%20GmbH%20DEV%207113%20RF%20over%20_%20Broken%20Access%20Control |
| Eclipse–Eclipse Cyclone DDS before v0.10.5 | Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges. | 2025-12-23 | not yet calculated | CVE-2025-67109 | http://eclipse.com https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/ddsrt/src/time/posix/time.c#L28 https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/security/builtin_plugins/authentication/src/auth_utils.c#L84 https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6 |
| eProsima–eProsima Fast-DDS v3.3 | An integer overflow in eProsima Fast-DDS v3.3 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-23 | not yet calculated | CVE-2025-65865 | http://eprosima.com http://fast-dds.com https://github.com/lkloliver/poc/blob/main/Detail.md https://gist.github.com/lkloliver/7aa48cb9fc7a1dd74cb595212bb69d33 |
| eProsima–eProsima Fast-DDS v3.3 | eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections. | 2025-12-23 | not yet calculated | CVE-2025-67108 | http://eprosima.com http://fast-dds.com https://github.com/eProsima/Fast-DDS/blob/master/src/cpp/security/accesscontrol/Permissions.cpp#L263 https://gist.github.com/lkloliver/81b5d5a8328d712dbfd497bf11dbe913 |
| –ETL Systems Ltd DEXTRA Series ‘ Digital L-Band Distribution System v1.8 | The web management interface in ETL Systems Ltd DEXTRA Series ‘ Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints. | 2025-12-26 | not yet calculated | CVE-2025-67013 | https://www.etlsystems.com/ https://github.com/shiky8/my–cve-vulnerability-research/tree/main/CVE-2025-67013%20_%20ETL%20Systems%20Ltd%20DEXTRA%20Series%20_%20CSRF |
| FluentCMS–FluentCMS 1.2.3. | A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the “Add Page” function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags. | 2025-12-26 | not yet calculated | CVE-2025-67349 | https://github.com/fluentcms/FluentCMS/issues/2403 https://github.com/eoniboogie/CVE_Disclosures/blob/main/CVE-2025-67349/CVE-2025-67349.md |
| FuguHub–FuguHub 8.1 | A reflected cross-site scripting (XSS) vulnerability exists in FuguHub 8.1 when serving SVG files through the /fs/ file manager interface. FuguHub does not sanitize or restrict script execution inside SVG content. When a victim opens a crafted SVG containing an inline <script> element, the browser executes the attacker-controlled JavaScript. | 2025-12-22 | not yet calculated | CVE-2025-65790 | https://fuguhub.com/ https://github.com/hunterxxx/FuguHub-8.1-Reflected-SVG-XSS-CVE-2025-65790 |
| GNU–GNU Unrtf v0.21.10 | A stack overflow in the src/main.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via injecting a crafted input into the filename parameter. | 2025-12-23 | not yet calculated | CVE-2025-65410 | https://www.gnu.org/software/unrtf/ https://lists.gnu.org/archive/html/bug-unrtf/2025-11/msg00001.html https://savannah.gnu.org/projects/unrtf/ https://hg.savannah.gnu.org/hgweb/unrtf/rev/a5d3b025a8b1 |
| –GT Edge AI Platform before v2.0.10 | Insecure permissions in the /api/v1/agents API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access sensitive information. | 2025-12-22 | not yet calculated | CVE-2025-63662 | https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending https://gist.github.com/p80n-sec/48ce34c929e8b946f0ad25f76e7b8cef |
| –GT Edge AI Platform before v2.0.10 | Incorrect access control in the /api/v1/conversations/*/files API of GT Edge AI Platform before v2.0.10 allows unauthorized attackers to access other users’ uploaded files. | 2025-12-22 | not yet calculated | CVE-2025-63663 | https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending https://gist.github.com/p80n-sec/f3ca933480157cb4e18c387d92f4d0c2 |
| –GT Edge AI Platform before v2.0.10 | Incorrect access control in the /api/v1/conversations/*/messages API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access other users’ message history with AI agents. | 2025-12-22 | not yet calculated | CVE-2025-63664 | https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending https://gist.github.com/p80n-sec/0a0a71a2190d5e6f8083bf6069e7b5f2 |
| –Home Assistant Core before v2025.8.0 | Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability. | 2025-12-23 | not yet calculated | CVE-2025-65713 | https://github.com/home-assistant/core/pull/150046 https://gist.github.com/GenoWang/7359360285e0fe21a7a58d10ff71d032 |
| –K7 Ultimate Security 17.0.2045. | An issue was discovered in K7 Ultimate Security 17.0.2045. A Local Privilege Escalation (LPE) vulnerability in the K7 Ultimate Security antivirus can be exploited by a local unprivileged user on default installations of the product. Insecure access to a named pipe allows unprivileged users to edit any registry key, leading to a full compromise as SYSTEM. | 2025-12-22 | not yet calculated | CVE-2025-67826 | https://www.k7computing.com/ https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-22nd-Dec-2025 |
| –Keyfactor SignServer versions prior to 7.2. | An error in the SignServer container startup logic was found in Keyfactor SignServer versions prior to 7.2. The Admin CLI command used to configure Certificate access to the initial startup of the container sets a property of “allowany” to allow any user with a valid and trusted client auth certificate to connect. Admins can then set more restricted access to specific certificates. A logic error caused this admin CLI command to be run on each restart of the container instead of only the first startup as intended resetting the configuration to “allowany”. | 2025-12-22 | not yet calculated | CVE-2025-26787 | https://support.keyfactor.com/hc/en-us/articles/33997706776987-SignServer-security-advisory-Container-vulnerability-CVE-2025-26787-fixed-in-version-7-2 https://docs.keyfactor.com/signserver/latest/signserver-7-2-release-notes |
| Krishanmuraiji–krishanmuraiji SMS v.1.0 | SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may lead to full database compromise, especially within an administrative module. | 2025-12-26 | not yet calculated | CVE-2025-66947 | https://github.com/kabir0104k/CVE-2025-66947/blob/main/README.md |
| libxmljs–libxmljs 1.0.11 | A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, potentially leading to a denial-of-service (DoS). | 2025-12-26 | not yet calculated | CVE-2025-25341 | https://github.com/libxmljs/libxmljs/issues/667 |
| Linksys–Linksys E5600 V1.1.0.26 | Linksys E5600 V1.1.0.26 is vulnerable to command injection in the runtime.macClone function via the mc.ip parameter. | 2025-12-23 | not yet calculated | CVE-2025-29228 | https://github.com/JZP018/Vuln/blob/main/linsys/E5600/CI_macClone_mc.ip/CI_macClone_mc.ip.md |
| Linksys–Linksys E5600 V1.1.0.26 | linksys E5600 V1.1.0.26 is vulnerable to command injection in the function ddnsStatus. | 2025-12-23 | not yet calculated | CVE-2025-29229 | https://github.com/JZP018/Vuln/blob/main/linsys/E5600/CI_ddnsStatus/CI_ddnsStatus.md |
| n–LSC Smart Connect Indoor IP Camera 1.4.13 | LSC Smart Connect Indoor IP Camera 1.4.13 contains a RCE vulnerability in start_app.sh. | 2025-12-22 | not yet calculated | CVE-2025-65817 | https://github.com/Istaarkk/CVE-2025-65817/blob/main/README.md |
| –Media module of Piranha CMS v12.1 | A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. | 2025-12-22 | not yet calculated | CVE-2025-67291 | http://piranha.com https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67291 |
| MyNET–MyNET up to v26.05 | MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the src parameter. | 2025-12-22 | not yet calculated | CVE-2024-25812 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md |
| MyNET–MyNET up to v26.05 | MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the msg parameter. | 2025-12-22 | not yet calculated | CVE-2024-25814 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md |
| MyNET–MyNET up to v26.06 | Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter. | 2025-12-22 | not yet calculated | CVE-2024-27708 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://github.com/esquim0/Common_Vulnerabilities_and_Exposures_CVE/blob/main/2024/MyNet.md |
| MyNET–MyNET up to v26.08 | MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the msgtipo parameter. | 2025-12-22 | not yet calculated | CVE-2024-35321 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md https://github.com/Manuel-arc/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md |
| MyNET–MyNET up to v26.08 | MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the ficheiro parameter. | 2025-12-24 | not yet calculated | CVE-2024-35322 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://miguelsantareno.github.io/airc_exploit.txt |
| MyNET–MyNET up to v26.08 | A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user’s browser via injecting a crafted payload into the parameter HTTP. | 2025-12-24 | not yet calculated | CVE-2024-40317 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://miguelsantareno.github.io/airc_exploit.txt |
| MyNET–MyNET up to v26.08.316 | MyNET up to v26.08.316 was discovered to contain an Unauthenticated SQL Injection vulnerability via the intmenu parameter. | 2025-12-24 | not yet calculated | CVE-2024-39037 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://miguelsantareno.github.io/airc_exploit.txt |
| Netgear–Netgear EX8000 V1.0.0.126 | Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the iface parameter in the action_bandwidth function. | 2025-12-23 | not yet calculated | CVE-2025-45493 | https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/cve-netgear_EX8000_CI_action_bandwidth.pdf https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/netgear_EX8000_CI_action_bandwidth.mp4 |
| Netgear–Netgear EX8000 V1.0.0.126 | Netgear EX8000 V1.0.0.126 was discovered to contain a command injection vulnerability via the switch_status function. | 2025-12-23 | not yet calculated | CVE-2025-50526 | https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/cve-netgear_EX8000_CI_switch_status.pdf https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/netgear_EX8000_CI_switch_status.mp4 |
| –Page Settings module of Piranha CMS v12.1 | A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field. | 2025-12-22 | not yet calculated | CVE-2025-67290 | http://piranha.com https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67290 |
| –PluXml CMS 5.8.22 | Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php). | 2025-12-22 | not yet calculated | CVE-2025-67436 | https://github.com/pluxml/PluXml https://github.com/RajChowdhury240/CVE-2025-67435/ |
| –PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to Cross Site Scripting (XSS) in the Content Search module. | 2025-12-22 | not yet calculated | CVE-2025-65837 | https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/XSS_1.md https://github.com/sanluan/PublicCMS/issues/100 |
| –RTPS protocol implementation of OpenDDS DDS before v3.33.0 | An integer overflow in the RTPS protocol implementation of OpenDDS DDS before v3.33.0 allows attackers to cause a Denial of Service (DoS) via a crafted message. | 2025-12-23 | not yet calculated | CVE-2025-67111 | https://github.com/lkloliver/poc/blob/main/POC_OpenDDS.md https://gist.github.com/lkloliver/fcc5da83b4cba137ce95177a9afc4126 |
| RuoYi–RuoYi v.4.7.9 | SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java. | 2025-12-23 | not yet calculated | CVE-2024-57521 | https://gitee.com/y_project/RuoYi/commit/ddd858ca732618a472b10eaab2f8e4b45812ffc5 https://gitee.com/y_project/RuoYi/issues/IBC976 https://github.com/mrlihd/Ruoyi-4.7.9-SQL-Injection-PoC https://github.com/mrlihd/CVE-2024-57521-SQL-Injection-PoC/blob/main/README.md |
| Schlix–Schlix CMS before v2.2.9-5 | Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to a lack of JavaScript sanitization in the login form, incorrect login attempts recorded in the logs are triggered as XSS in the admin panel. | 2025-12-22 | not yet calculated | CVE-2025-67443 | https://www.schlix.com/news/release/december-2025-errata-5-bug-fix-release.html#:~:text=Fixed%20XSS%20vulnerability%20bug%20when%20clicking%20New%20User%20%28thank%20you%20to%20Ak%C4%B1ner%20K%C4%B1sa%20who%20reported%20this%20security%20bug%20and%20provided%20reasonable%20time%20to%20fix%29 https://gist.github.com/akinerkisa/b22f4517a4011d049c5fc7fd3b29c9f2 |
| Speedify–Speedify VPN up to v15.0.0 | A command injection vulnerability in the me.connectify.SMJobBlessHelper XPC service of Speedify VPN up to v15.0.0 allows attackers to execute arbitrary commands with root-level privileges. | 2025-12-23 | not yet calculated | CVE-2025-25364 | https://connectify.me https://speedify.com/ https://speedify.com/blog/news/speedify-macos-vpn-application-vulnerability/ |
| TechStore–TechStore version 1.0. | A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser. | 2025-12-23 | not yet calculated | CVE-2025-66845 | https://gist.github.com/MuratSevri/d78efed86ca5f82e8a6683ace5061319 |
| Terra–Terra Informatica Software, Inc Sciter v.4.4.7.0 | An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function. | 2025-12-26 | not yet calculated | CVE-2024-29720 | https://github.com/sciter-sdk/rust-sciter/issues/143 |
| Umbraco–Umbraco CMS v16.3.3 | An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. | 2025-12-22 | not yet calculated | CVE-2025-67288 | http://umbraco.com https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288 |
| Webmail–Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 | A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory. | 2025-12-22 | not yet calculated | CVE-2025-68645 | https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy |
| Xiongmai–Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 | Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access. | 2025-12-22 | not yet calculated | CVE-2025-65856 | http://ip.com http://hangzhou.com https://luismirandaacebedo.github.io/CVE-2025-65856/ |
| Xiongmai–Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. | An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access. | 2025-12-22 | not yet calculated | CVE-2025-65857 | http://ip.com http://hangzhou.com https://luismirandaacebedo.github.io/CVE-2025-65857/ |
| Yealink–Yealink T21P_E2 Phone 52.84.0.15 | Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic component. | 2025-12-26 | not yet calculated | CVE-2025-66737 | http://yealink.com https://drive.google.com/file/d/1MpxnCL4koKupqWWDmY3ljlybjIPD8ieD/view?usp=sharing |
| Yealink–Yealink T21P_E2 Phone 52.84.0.15 | An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request to the ping function of the diagnostic component. | 2025-12-26 | not yet calculated | CVE-2025-66738 | http://yealink.com https://drive.google.com/file/d/13t5ywSPJMx4487njJcH3ZTNuc_k3h4ty/view?usp=sharing |
| youlai–youlai-boot V2.21.1 | youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The getRoleForm function in SysRoleController.java does not perform permission checks, which may allow non-root users to directly access root roles. | 2025-12-22 | not yet calculated | CVE-2025-66735 | https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FR https://gitee.com/youlaiorg/youlai-boot/commit/9197065102f92264ded814a9d3e9f2a4ff0da121 https://gist.github.com/old6ma/dc9e6e4a693d12c1a35fd4e1d21d4743 |
| youlai–youlai-boot V2.21.1 | youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user’s identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability. | 2025-12-22 | not yet calculated | CVE-2025-66736 | https://gitee.com/youlaiorg/youlai-boot/commit/9197065102f92264ded814a9d3e9f2a4ff0da121 https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FV https://gist.github.com/old6ma/be1d4a5373ee2de901ed4c8d81485046 |
| Nawawi Jamili–Docket Cache | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through <= 24.07.03. | 2025-12-24 | not yet calculated | CVE-2025-68506 | https://vdp.patchstack.com/database/Wordpress/Plugin/docket-cache/vulnerability/wordpress-docket-cache-plugin-24-07-03-local-file-inclusion-vulnerability?_s_id=cve |
| NSF Unidata–NetCDF-C | NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273. | 2025-12-23 | not yet calculated | CVE-2025-14932 | ZDI-25-1153 |
| NSF Unidata–NetCDF-C | NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266. | 2025-12-23 | not yet calculated | CVE-2025-14933 | ZDI-25-1151 |
| NSF Unidata–NetCDF-C | NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267. | 2025-12-23 | not yet calculated | CVE-2025-14934 | ZDI-25-1152 |
| NSF Unidata–NetCDF-C | NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168. | 2025-12-23 | not yet calculated | CVE-2025-14935 | ZDI-25-1154 |
| NSF Unidata–NetCDF-C | NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269. | 2025-12-23 | not yet calculated | CVE-2025-14936 | ZDI-25-1155 |
| Open Design Alliance–ODA Drawings SDK – All Versions < 2026.12 | A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior, memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios. | 2025-12-22 | not yet calculated | CVE-2025-10021 | https://www.opendesign.com/security-advisories |
| pavothemes–Bookory | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in pavothemes Bookory bookory allows PHP Local File Inclusion. This issue affects Bookory: from n/a through <= 2.2.7. | 2025-12-24 | not yet calculated | CVE-2025-68530 | https://vdp.patchstack.com/database/Wordpress/Theme/bookory/vulnerability/wordpress-bookory-theme-2-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| pdfforge–PDF Architect | pdfforge PDF Architect DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27503. | 2025-12-23 | not yet calculated | CVE-2025-14416 | ZDI-25-1073 |
| pdfforge–PDF Architect | pdfforge PDF Architect Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27501. | 2025-12-23 | not yet calculated | CVE-2025-14417 | ZDI-25-1074 |
| pdfforge–PDF Architect | pdfforge PDF Architect XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27502. | 2025-12-23 | not yet calculated | CVE-2025-14418 | ZDI-25-1075 |
| pdfforge–PDF Architect | pdfforge PDF Architect PDF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27902. | 2025-12-23 | not yet calculated | CVE-2025-14419 | ZDI-25-1076 |
| pdfforge–PDF Architect | pdfforge PDF Architect CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27514. | 2025-12-23 | not yet calculated | CVE-2025-14420 | ZDI-25-1077 |
| pdfforge–PDF Architect | pdfforge PDF Architect PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27915. | 2025-12-23 | not yet calculated | CVE-2025-14421 | ZDI-25-1078 |
| PDFsam–Enhanced | PDFsam Enhanced App Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of App objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27260. | 2025-12-23 | not yet calculated | CVE-2025-14401 | ZDI-25-1089 |
| PDFsam–Enhanced | PDFsam Enhanced DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27499. | 2025-12-23 | not yet calculated | CVE-2025-14402 | ZDI-25-1090 |
| PDFsam–Enhanced | PDFsam Enhanced Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27500. | 2025-12-23 | not yet calculated | CVE-2025-14403 | ZDI-25-1091 |
| PDFsam–Enhanced | PDFsam Enhanced XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27498. | 2025-12-23 | not yet calculated | CVE-2025-14404 | ZDI-25-1092 |
| PDFsam–Enhanced | PDFsam Enhanced Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows physically-present attackers to escalate privileges on affected installations of PDFsam Enhanced. An attacker must first obtain the ability to mount a malicious drive onto the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27867. | 2025-12-23 | not yet calculated | CVE-2025-14405 | ZDI-25-1093 |
| PHP Group–PHP | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. | 2025-12-27 | not yet calculated | CVE-2025-14177 | https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7 |
| PHP Group–PHP | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server. | 2025-12-27 | not yet calculated | CVE-2025-14180 | https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj |
| PickPlugins–Post Grid and Gutenberg Blocks | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.18. | 2025-12-24 | not yet calculated | CVE-2025-68605 | https://vdp.patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pixelgrade–Category Icon | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in pixelgrade Category Icon category-icon allows Stored XSS. This issue affects Category Icon: from n/a through <= 1.0.2. | 2025-12-24 | not yet calculated | CVE-2025-68525 | https://vdp.patchstack.com/database/Wordpress/Plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pluginsware–Advanced Classifieds & Directory Pro | Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery. This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9. | 2025-12-24 | not yet calculated | CVE-2025-68580 | https://vdp.patchstack.com/database/Wordpress/Plugin/advanced-classifieds-and-directory-pro/vulnerability/wordpress-advanced-classifieds-directory-pro-plugin-3-2-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27657. | 2025-12-23 | not yet calculated | CVE-2025-14488 | ZDI-25-1167 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27658. | 2025-12-23 | not yet calculated | CVE-2025-14489 | ZDI-25-1165 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27659. | 2025-12-23 | not yet calculated | CVE-2025-14490 | ZDI-25-1166 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27660. | 2025-12-23 | not yet calculated | CVE-2025-14491 | ZDI-25-1164 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27668. | 2025-12-23 | not yet calculated | CVE-2025-14492 | ZDI-25-1172 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27675. | 2025-12-23 | not yet calculated | CVE-2025-14493 | ZDI-25-1170 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27676. | 2025-12-23 | not yet calculated | CVE-2025-14494 | ZDI-25-1163 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27677. | 2025-12-23 | not yet calculated | CVE-2025-14495 | ZDI-25-1169 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27678. | 2025-12-23 | not yet calculated | CVE-2025-14496 | ZDI-25-1171 |
| RealDefense–SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27680. | 2025-12-23 | not yet calculated | CVE-2025-14497 | ZDI-25-1168 |
| Rhys Wynne–WP Email Capture | Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery. This issue affects WP Email Capture: from n/a through <= 3.12.5. | 2025-12-24 | not yet calculated | CVE-2025-68529 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-email-capture/vulnerability/wordpress-wp-email-capture-plugin-3-12-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Rustaurius–Five Star Restaurant Reservations | Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Cross Site Request Forgery. This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.7. | 2025-12-24 | not yet calculated | CVE-2025-68601 | https://vdp.patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| SALESmanago–SALESmanago | Missing Authorization vulnerability in SALESmanago SALESmanago salesmanago allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SALESmanago: from n/a through <= 3.9.0. | 2025-12-24 | not yet calculated | CVE-2025-68571 | https://vdp.patchstack.com/database/Wordpress/Plugin/salesmanago/vulnerability/wordpress-salesmanago-plugin-3-9-0-broken-access-control-vulnerability?_s_id=cve |
| Sante–PACS Server | Sante PACS Server HTTP Content-Length Header Handling NULL Pointer Dereference Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HTTP Content-Length header. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-26770. | 2025-12-23 | not yet calculated | CVE-2025-14501 | ZDI-25-1104 |
| Scott Paterson–Accept Donations with PayPal | URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Scott Paterson Accept Donations with PayPal easy-paypal-donation allows Phishing. This issue affects Accept Donations with PayPal: from n/a through <= 1.5.1. | 2025-12-24 | not yet calculated | CVE-2025-68602 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-paypal-donation/vulnerability/wordpress-accept-donations-with-paypal-plugin-1-5-1-open-redirection-vulnerability?_s_id=cve |
| Senstar–Symphony | Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of FetchStoredLicense method. The issue results from the exposure of sensitive information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26908. | 2025-12-23 | not yet calculated | CVE-2025-12491 | ZDI-25-1060 |
| Sharp Display Solutions, Ltd.–Media Player MP-01 | Missing Authentication for Critical Function vulnerability in Sharp Display Solutions Media Player MP-01 All Versions allows an attacker to access the web interface of the affected product without authentication and change settings or perform other operations, and to deliver content from the authoring software to the affected product without authentication. | 2025-12-22 | not yet calculated | CVE-2025-12049 | https://sharp-displays.jp.sharp/global/support/info/MP01-CVE-2025-12049.html |
| Sharp Display Solutions, Ltd.–NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | Path Traversal vulnerability in Sharp Display Solutions projectors allows an attacker to access and read any file within the projector. | 2025-12-22 | not yet calculated | CVE-2025-11540 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html |
| Sharp Display Solutions, Ltd.–NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | Stack-based Buffer Overflow vulnerability in Sharp Display Solutions projectors allows an attacker to execute arbitrary commands and programs. | 2025-12-22 | not yet calculated | CVE-2025-11541 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html |
| Sharp Display Solutions, Ltd.–NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | Stack-based Buffer Overflow vulnerability in Sharp Display Solutions projectors allows an attacker to execute arbitrary commands and programs. | 2025-12-22 | not yet calculated | CVE-2025-11542 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html |
| Sharp Display Solutions, Ltd.–NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows an attacker to create and run unauthorized firmware. | 2025-12-22 | not yet calculated | CVE-2025-11543 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html |
| Sharp Display Solutions, Ltd.–NP-P627UL, NP-P627ULG, NP-P627UL+, NP-P547UL, NP-P547ULG, NP-P607UL+, NP-CG6600UL, NP-H6271UL, NP-H5471UL, NP-P627ULH, NP-P547ULH, NP-PE455UL, NP-PE455ULG, NP-PE455WL, NP-PE455WLG, NP-PE505XLG, NP-CG6500XL, NP-CG6400UL, NP-CG6400WL, NP-CB4500XL, NP-CA4120X, NP-CA4160W, NP-CA4160X, NP-CA4200U, NP-CA4200W, NP-CA4202W, NP-CA4260X, NP-CA4300X, NP-CA4355X, NP-CD2100U, NP-CD2120X, NP-CD2300X, NP-CR2100X, NP-CR2170W, NP-CR2170X, NP-CR2200U, NP-CR2200W, NP-CR2280X, NP-CR2310X, NP-CR2350X, NP-MC302XG, NP-MC332WG, NP-MC342XG, NP-MC372X, NP-MC372XG, NP-MC382W, NP-MC382WG, NP-MC422XG, NP-ME342UG, NP-ME372W, NP-ME372WG, NP-ME382U, NP-ME382UG, NP-ME402X, NP-ME402XG, NP-P525UL, NP-P525ULG, NP-P525UL+, NP-P525WL, NP-P525WLG, NP-P525WL+, NP-P605UL, NP-P605ULG, NP-P605UL+, NP-CG6500UL, NP-CG6500WL, NP-CB4500UL, NP-CB4500WL, NP-P525ULH, NP-P525WLH, NP-P605ULH, NP-P554U, NP-P554UG, NP-P554U+, NP-P554W, NP-P554WG, NP-P554W+, NP-P474U, NP-P474UG, NP-P474W, NP-P474WG, NP-P604XG, NP-P604X+, NP-P603XG, NP-P523X+, NP-PE523XG, NP-PE523X+, NP-CF6600U, NP-CF6600W, NP-CF6700X, NP-CF6500X, NP-CB4600U, NP-P554UH, NP-P554WH, NP-P474UH, NP-P474WH, NP-P604XH, NP-P603XH, NP-PE523XH, NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-ME401W, NP-ME361W, NP-ME331W, NP-ME301W, NP-ME401X, NP-ME361X, NP-ME331X, NP-ME301X, NP-ME401WG, NP-ME361WG, NP-ME331WG, NP-ME301WG, NP-ME401XG, NP-ME361XG, NP-ME331XG, NP-ME301XG, NP-CA4155W, NP-CA4350X, NP-CA4255X, NP-CA4155X, NP-CA4115X, NP-MC331WG, NP-MC421XG, NP-MC401XG, NP-MC371XG, NP-MC331XG, NP-MC301XG, NP-CK4155W, NP-CK4255X, NP-CK4155X, NP-CK4055X, NP-CM4150X, NP-CM4050X, NP-CK4155WG, NP-CK4255XG, NP-CK4155XG, NP-CR2165W, NP-CR2305X, NP-CR2275X, NP-CR2165X, NP-CR2155X, NP-CD2115X, NP-CD2105X, NP-CM4151X, NP-CR2276X, NP-CD2116X, NP-P502H, NP-P502W, NP-P452H, NP-P452W | Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows an attacker to create and run unauthorized firmware. | 2025-12-22 | not yet calculated | CVE-2025-11544 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11544.html |
| Sharp Display Solutions, Ltd.–NP-PA1705UL-W, NP-PA1705UL-W+, NP-PA1705UL-B, NP-PA1705UL-B+, NP-PA1505UL-W, NP-PA1505UL-W+, NP-PA1505UL-B, NP-PA1505UL-B+, NP-PA1505UL-BJL NP-PV800UL-W, NP-PV800UL-W+, NP-PV800UL-B, NP-PV800UL-B+, NP-PV710UL-W, NP-PV710UL-W+, NP-PV710UL-B, NP-PV710UL-B+, NP-PV800UL-W1, NP-PV800UL-B1, NP-PV710UL-W1, NP-PV710UL-B1, NP-PV800UL-B1G, NP-PV710UL-B1G, NP-PV800UL-WH, NP-PV710UL-WH, NP-P627UL, NP-P627ULG, NP-P627UL+, NP-P547UL, NP-P547ULG, NP-P607UL+, NP-CG6600UL, NP-H6271UL, NP-H5471UL, NP-P627ULH, NP-P547ULH NP-PV710UL+ NP-PA1004UL-W, NP-PA1004UL-WG, NP-PA1004UL-W+, NP-PA1004UL-WH, NP-PA1004UL-B, NP-PA1004UL-BG, NP-PA1004UL-B+, NP-PA804UL-W, NP-PA804UL-WG, NP-PA804UL-W+, NP-PA804UL-WH, NP-PA804UL-B, NP-PA804UL-BG, NP-PA804UL-B+, NP-PA1004UL-BH, NP-PA804UL-BH, NP-PE455UL, NP-PE455ULG, NP-PE455WL, NP-PE455WLG, NP-PE505XLG, NP-CG6500XL, NP-CG6400UL, NP-CG6400WL, NP-CB4500XL, NP-CA4120X, NP-CA4160W, NP-CA4160X, NP-CA4200U, NP-CA4200W, NP-CA4202W, NP-CA4260X, NP-CA4300X, NP-CA4355X, NP-CD2100U, NP-CD2120X, NP-CD2300X, NP-CR2100X, NP-CR2170W, NP-CR2170X, NP-CR2200U, NP-CR2200W, NP-CR2280X, NP-CR2310X, NP-CR2350X, NP-MC302XG, NP-MC332WG, NP-MC342XG, NP-MC372X, NP-MC372XG, NP-MC382W, NP-MC382WG, NP-MC422XG, NP-ME342UG, NP-ME372W, NP-ME372WG, NP-ME382U, NP-ME382UG, NP-ME402X, NP-ME402XG NP-CU4300XD, NP-CU4200XD, NP-CU4200WD, NP-UM383WL, NP-UM383WLG, NP-CJ2200WD, NP-PH3501QL, NP-PH3501QL+, NP-PH2601QL, NP-PH2601QL+, NP-PH350Q40L, NP-PH260Q30L, NP-PX1005QL-W, NP-PX1005QL-B, NP-PX1005QL-B+, NP-P525UL, NP-P525ULG, NP-P525UL+, NP-P525WL, NP-P525WLG, NP-P525WL+, NP-P605UL, NP-P605ULG, NP-P605UL+ | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sharp Display Solutions projectors allows an attacker to improperly access the HTTP server and execute arbitrary actions. | 2025-12-22 | not yet calculated | CVE-2025-11545 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11545.html |
| siyuan-note–siyuan | SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user’s encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session. | 2025-12-27 | not yet calculated | CVE-2025-68948 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f7ph-rc3w-qp28 |
| Soda PDF–Desktop | Soda PDF Desktop Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Soda PDF Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25793. | 2025-12-23 | not yet calculated | CVE-2025-14406 | ZDI-25-1079 |
| Soda PDF–Desktop | Soda PDF Desktop PDF File Parsing Memory Corruption Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27141. | 2025-12-23 | not yet calculated | CVE-2025-14407 | ZDI-25-1080 |
| Soda PDF–Desktop | Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27143. | 2025-12-23 | not yet calculated | CVE-2025-14408 | ZDI-25-1081 |
| Soda PDF–Desktop | Soda PDF Desktop PDF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27120. | 2025-12-23 | not yet calculated | CVE-2025-14409 | ZDI-25-1082 |
| Soda PDF–Desktop | Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27142. | 2025-12-23 | not yet calculated | CVE-2025-14410 | ZDI-25-1083 |
| Soda PDF–Desktop | Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27140. | 2025-12-23 | not yet calculated | CVE-2025-14411 | ZDI-25-1084 |
| Soda PDF–Desktop | Soda PDF Desktop XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27495. | 2025-12-23 | not yet calculated | CVE-2025-14412 | ZDI-25-1085 |
| Soda PDF–Desktop | Soda PDF Desktop CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27509. | 2025-12-23 | not yet calculated | CVE-2025-14413 | ZDI-25-1086 |
| Soda PDF–Desktop | Soda PDF Desktop Word File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Word files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27496. | 2025-12-23 | not yet calculated | CVE-2025-14414 | ZDI-25-1087 |
| Soda PDF–Desktop | Soda PDF Desktop Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27494. | 2025-12-23 | not yet calculated | CVE-2025-14415 | ZDI-25-1088 |
| Spider Themes–BBP Core | Missing Authorization vulnerability in Spider Themes BBP Core bbp-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BBP Core: from n/a through <= 1.4.1. | 2025-12-24 | not yet calculated | CVE-2025-68572 | https://vdp.patchstack.com/database/Wordpress/Plugin/bbp-core/vulnerability/wordpress-bbp-core-plugin-1-4-1-broken-access-control-vulnerability?_s_id=cve |
| Spiffy Plugins–Spiffy Calendar | Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spiffy Calendar: from n/a through <= 5.0.7. | 2025-12-24 | not yet calculated | CVE-2025-68523 | https://vdp.patchstack.com/database/Wordpress/Plugin/spiffy-calendar/vulnerability/wordpress-spiffy-calendar-plugin-5-0-7-broken-access-control-vulnerability?_s_id=cve |
| sunshinephotocart–Sunshine Photo Cart | Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.1. | 2025-12-24 | not yet calculated | CVE-2025-68535 | https://vdp.patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-7-1-broken-access-control-vulnerability?_s_id=cve |
| Syed Balkhi–User Feedback | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection. This issue affects User Feedback: from n/a through <= 1.10.1. | 2025-12-24 | not yet calculated | CVE-2025-68496 | https://vdp.patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability?_s_id=cve |
| Tencent–FaceDetection-DSFD | Tencent FaceDetection-DSFD resnet Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent FaceDetection-DSFD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the resnet endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27197. | 2025-12-23 | not yet calculated | CVE-2025-13715 | ZDI-25-1183 vendor-provided URL |
| Tencent–Hunyuan3D-1 | Tencent Hunyuan3D-1 load_pretrained Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent Hunyuan3D-1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_pretrained function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27191. | 2025-12-23 | not yet calculated | CVE-2025-13713 | ZDI-25-1027 vendor-provided URL |
| Tencent–HunyuanDiT | Tencent HunyuanDiT model_resume Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the model_resume function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27183. | 2025-12-23 | not yet calculated | CVE-2025-13707 | ZDI-25-1029 vendor-provided URL |
| Tencent–HunyuanDiT | Tencent HunyuanDiT merge Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27190. | 2025-12-23 | not yet calculated | CVE-2025-13712 | ZDI-25-1028 vendor-provided URL |
| Tencent–HunyuanVideo | Tencent HunyuanVideo load_vae Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanVideo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_vae function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27186. | 2025-12-23 | not yet calculated | CVE-2025-13710 | ZDI-25-1030 vendor-provided URL |
| Tencent–MedicalNet | Tencent MedicalNet generate_model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MedicalNet. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the generate_model function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27192. | 2025-12-23 | not yet calculated | CVE-2025-13714 | ZDI-25-1031 vendor-provided URL |
| Tencent–MimicMotion | Tencent MimicMotion create_pipeline Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MimicMotion. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the create_pipeline function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27208. | 2025-12-23 | not yet calculated | CVE-2025-13716 | ZDI-25-1032 vendor-provided URL |
| Tencent–NeuralNLP-NeuralClassifier | Tencent NeuralNLP-NeuralClassifier _load_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent NeuralNLP-NeuralClassifier. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the _load_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27184. | 2025-12-23 | not yet calculated | CVE-2025-13708 | ZDI-25-1033 vendor-provided URL |
| Tencent–PatrickStar | Tencent PatrickStar merge_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent PatrickStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge_checkpoint endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27182. | 2025-12-23 | not yet calculated | CVE-2025-13706 | ZDI-25-1034 vendor-provided URL |
| Tencent–TFace | Tencent TFace restore_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the restore_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27185. | 2025-12-23 | not yet calculated | CVE-2025-13709 | ZDI-25-1036 vendor-provided URL |
| Tencent–TFace | Tencent TFace eval Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the eval endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27187. | 2025-12-23 | not yet calculated | CVE-2025-13711 | ZDI-25-1035 vendor-provided URL |
| The Plugin Factory–Google AdSense for Responsive Design | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in The Plugin Factory Google AdSense for Responsive Design – GARD google-adsense-for-responsive-design-gard allows DOM-Based XSS. This issue affects Google AdSense for Responsive Design – GARD: from n/a through <= 2.23. | 2025-12-24 | not yet calculated | CVE-2025-67632 | https://vdp.patchstack.com/database/Wordpress/Plugin/google-adsense-for-responsive-design-gard/vulnerability/wordpress-google-adsense-for-responsive-design-gard-plugin-2-23-cross-site-scripting-xss-vulnerability?_s_id=cve |
| thembay–Fana | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35. | 2025-12-24 | not yet calculated | CVE-2025-68540 | https://vdp.patchstack.com/database/Wordpress/Theme/fana/vulnerability/wordpress-fana-theme-1-1-35-local-file-inclusion-vulnerability?_s_id=cve |
| thembay–Zota | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in thembay Zota zota allows PHP Local File Inclusion. This issue affects Zota: from n/a through <= 1.3.14. | 2025-12-24 | not yet calculated | CVE-2025-68537 | https://vdp.patchstack.com/database/Wordpress/Theme/zota/vulnerability/wordpress-zota-theme-1-3-14-local-file-inclusion-vulnerability?_s_id=cve |
| Tikweb Management–Fast User Switching | Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery. This issue affects Fast User Switching: from n/a through <= 1.4.10. | 2025-12-24 | not yet calculated | CVE-2025-68583 | https://vdp.patchstack.com/database/Wordpress/Plugin/fast-user-switching/vulnerability/wordpress-fast-user-switching-plugin-1-4-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| titopandub–Evergreen Post Tweeter | Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS. This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9. | 2025-12-24 | not yet calculated | CVE-2025-67622 | https://vdp.patchstack.com/database/Wordpress/Plugin/evergreen-post-tweeter/vulnerability/wordpress-evergreen-post-tweeter-plugin-1-8-9-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve |
| tmtraderunner–Trade Runner | Cross-Site Request Forgery (CSRF) vulnerability in tmtraderunner Trade Runner traderunner allows Cross Site Request Forgery. This issue affects Trade Runner: from n/a through <= 3.14. | 2025-12-24 | not yet calculated | CVE-2025-67625 | https://vdp.patchstack.com/database/Wordpress/Plugin/traderunner/vulnerability/wordpress-trade-runner-plugin-3-14-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| totalsoft–TS Poll | Missing Authorization vulnerability in totalsoft TS Poll poll-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TS Poll: from n/a through <= 2.5.3. | 2025-12-24 | not yet calculated | CVE-2025-68588 | https://vdp.patchstack.com/database/Wordpress/Plugin/poll-wp/vulnerability/wordpress-ts-poll-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve |
| TouchOfTech–Draft Notify | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in TouchOfTech Draft Notify draft-notify allows Stored XSS. This issue affects Draft Notify: from n/a through <= 1.5. | 2025-12-24 | not yet calculated | CVE-2025-67627 | https://vdp.patchstack.com/database/Wordpress/Plugin/draft-notify/vulnerability/wordpress-draft-notify-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TradingView–Desktop | TradingView Desktop Electron Uncontrolled Search Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TradingView Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of the Electron framework. The product loads a script file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-27395. | 2025-12-23 | not yet calculated | CVE-2025-14498 | ZDI-25-1070 |
| Trustindex–Widgets for Social Photo Feed | Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widgets for Social Photo Feed: from n/a through <= 1.7.7. | 2025-12-24 | not yet calculated | CVE-2025-68595 | https://vdp.patchstack.com/database/Wordpress/Plugin/social-photo-feed-widget/vulnerability/wordpress-widgets-for-social-photo-feed-plugin-1-7-7-broken-access-control-vulnerability?_s_id=cve |
| Unknown–Gravity Forms | The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path. | 2025-12-24 | not yet calculated | CVE-2025-13407 | https://wpscan.com/vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc/ |
| VIPRE–Advanced Security | VIPRE Advanced Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security for PC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from incorrect permissions on a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27147. | 2025-12-23 | not yet calculated | CVE-2025-13703 | ZDI-25-1023 vendor-provided URL |
| Virusdie–Virusdie | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Virusdie Virusdie virusdie allows Retrieve Embedded Sensitive Data. This issue affects Virusdie: from n/a through <= 1.1.6. | 2025-12-24 | not yet calculated | CVE-2025-68576 | https://vdp.patchstack.com/database/Wordpress/Plugin/virusdie/vulnerability/wordpress-virusdie-plugin-1-1-6-sensitive-data-exposure-vulnerability?_s_id=cve |
| Virusdie–Virusdie | Missing Authorization vulnerability in Virusdie Virusdie virusdie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Virusdie: from n/a through <= 1.1.6. | 2025-12-24 | not yet calculated | CVE-2025-68577 | https://vdp.patchstack.com/database/Wordpress/Plugin/virusdie/vulnerability/wordpress-virusdie-plugin-1-1-6-broken-access-control-vulnerability?_s_id=cve |
| voidcoders–WPBakery Visual Composer WHMCS Elements | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements void-visual-whmcs-element allows DOM-Based XSS. This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through <= 1.0.4.3. | 2025-12-24 | not yet calculated | CVE-2025-68574 | https://vdp.patchstack.com/database/Wordpress/Plugin/void-visual-whmcs-element/vulnerability/wordpress-wpbakery-visual-composer-whmcs-elements-plugin-1-0-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Wappointment team–Wappointment | Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wappointment: from n/a through <= 2.7.2. | 2025-12-24 | not yet calculated | CVE-2025-68575 | https://vdp.patchstack.com/database/Wordpress/Plugin/wappointment/vulnerability/wordpress-wappointment-plugin-2-7-2-broken-access-control-vulnerability?_s_id=cve |
| wb2osz–Dire Wolf | wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 694c954, contain a stack-based buffer overflow vulnerability in the function kiss_rec_byte() located in src/kiss_frame.c. When processing crafted KISS frames that reach the maximum allowed frame length (MAX_KISS_LEN), the function appends a terminating FEND byte without reserving sufficient space in the stack buffer. This results in an out-of-bounds write followed by an out-of-bounds read during the subsequent call to kiss_unwrap(), leading to stack memory corruption or application crashes. This vulnerability may allow remote unauthenticated attackers to trigger a denial-of-service condition. | 2025-12-22 | not yet calculated | CVE-2025-34457 | https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-010-direwolf-stack-buffer-overflow-kiss-frame.md https://github.com/wb2osz/direwolf/issues/617 https://github.com/wb2osz/direwolf/commit/694c954 https://www.vulncheck.com/advisories/wb2osz-direwolf-stack-based-buffer-overflow-dos |
| wb2osz–Dire Wolf | wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 3658a87, contain a reachable assertion vulnerability in the APRS MIC-E decoder function aprs_mic_e() located in src/decode_aprs.c. When processing a specially crafted AX.25 frame containing a MIC-E message with an empty or truncated comment field, the application triggers an unhandled assertion checking for a non-empty comment. This assertion failure causes immediate process termination, allowing a remote, unauthenticated attacker to cause a denial of service by sending malformed APRS traffic. | 2025-12-22 | not yet calculated | CVE-2025-34458 | https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-010-direwolf-stack-buffer-overflow-kiss-frame.md https://github.com/wb2osz/direwolf/issues/618 https://github.com/wb2osz/direwolf/commit/3658a87 https://www.vulncheck.com/advisories/wb2osz-direwolf-reachable-assertion-dos |
| webheadcoder–WH Tweaks | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in webheadcoder WH Tweaks wh-tweaks allows Stored XSS. This issue affects WH Tweaks: from n/a through <= 1.0.2. | 2025-12-24 | not yet calculated | CVE-2025-67630 | https://vdp.patchstack.com/database/Wordpress/Plugin/wh-tweaks/vulnerability/wordpress-wh-tweaks-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Shuffle–Subscribe to Unlock Lite | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0. | 2025-12-24 | not yet calculated | CVE-2025-68563 | https://vdp.patchstack.com/database/Wordpress/Plugin/subscribe-to-unlock-lite/vulnerability/wordpress-subscribe-to-unlock-lite-plugin-1-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| WP Socio–WP Telegram Widget and Join Link | Missing Authorization vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.11. | 2025-12-24 | not yet calculated | CVE-2025-68589 | https://vdp.patchstack.com/database/Wordpress/Plugin/wptelegram-widget/vulnerability/wordpress-wp-telegram-widget-and-join-link-plugin-2-2-11-broken-access-control-vulnerability?_s_id=cve |
| WP Swings–Membership For WooCommerce | Authorization Bypass Through User-Controlled Key vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Membership For WooCommerce: from n/a through <= 3.0.3. | 2025-12-24 | not yet calculated | CVE-2025-67909 | https://vdp.patchstack.com/database/Wordpress/Plugin/membership-for-woocommerce/vulnerability/wordpress-membership-for-woocommerce-plugin-3-0-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WPFactory–Free Shipping Bar: Amount Left for Free Shipping for WooCommerce | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce amount-left-free-shipping-woocommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through <= 2.4.9. | 2025-12-24 | not yet calculated | CVE-2025-68528 | https://vdp.patchstack.com/database/Wordpress/Plugin/amount-left-free-shipping-woocommerce/vulnerability/wordpress-free-shipping-bar-amount-left-for-free-shipping-for-woocommerce-plugin-2-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wphocus–My auctions allegro | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Stored XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32. | 2025-12-24 | not yet calculated | CVE-2025-68566 | https://vdp.patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wphocus–My auctions allegro | Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery. This issue affects My auctions allegro: from n/a through <= 3.6.32. | 2025-12-24 | not yet calculated | CVE-2025-68567 | https://vdp.patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| wpstream–WpStream | Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through <= 4.9.5. | 2025-12-24 | not yet calculated | CVE-2025-68521 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-9-5-broken-access-control-vulnerability?_s_id=cve |
| wpstream–WpStream | Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through <= 4.9.5. | 2025-12-24 | not yet calculated | CVE-2025-68522 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-9-5-broken-access-control-vulnerability-2?_s_id=cve |
| WPXPO–PostX | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPXPO PostX ultimate-post allows Retrieve Embedded Sensitive Data. This issue affects PostX: from n/a through <= 5.0.3. | 2025-12-24 | not yet calculated | CVE-2025-68606 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Yannick Lefebvre–Link Library | Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery. This issue affects Link Library: from n/a through <= 7.8.4. | 2025-12-24 | not yet calculated | CVE-2025-68600 | https://vdp.patchstack.com/database/Wordpress/Plugin/link-library/vulnerability/wordpress-link-library-plugin-7-8-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| YITHEMES–YITH Slider for page builders | Missing Authorization vulnerability in YITHEMES YITH Slider for page builders yith-slider-for-page-builders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH Slider for page builders: from n/a through <= 1.0.11. | 2025-12-24 | not yet calculated | CVE-2025-68581 | https://vdp.patchstack.com/database/Wordpress/Plugin/yith-slider-for-page-builders/vulnerability/wordpress-yith-slider-for-page-builders-plugin-1-0-11-broken-access-control-vulnerability?_s_id=cve |
