High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| SmarterTools–SmarterMail | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | 2025-12-29 | 10 | CVE-2025-52691 | https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/ |
| MiniDVBLinux–MiniDVBLinux | MiniDVBLinux 5.4 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands as root through the ‘command’ GET parameter. Attackers can exploit the /tpl/commands.sh endpoint by sending malicious command values to gain root-level system access. | 2025-12-30 | 9.8 | CVE-2022-50691 | Zero Science Lab Disclosure (ZSL-2022-5718) Packet Storm Security Exploit Entry VulnCheck Advisory: MiniDVBLinux 5.4 Remote Root Command Execution via commands.sh |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contain a network vulnerability that allows unauthenticated attackers to send ICMP signals to arbitrary hosts through network command scripts. Attackers can abuse ping.php, traceroute.php, and dns.php to generate network flooding attacks targeting external hosts. | 2025-12-30 | 9.8 | CVE-2022-50695 | Zero Science Lab Disclosure (ZSL-2022-5728) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x ICMP Flood Attack via Network Commands |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated vulnerability that allows remote attackers to access live radio stream information through webplay or ffmpeg scripts. Attackers can exploit the vulnerability by calling specific web scripts to disclose radio stream details without requiring authentication. | 2025-12-30 | 9.8 | CVE-2022-50790 | Zero Science Lab Disclosure (ZSL-2022-5734) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Radio Stream Disclosure |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive system files. Attackers can exploit the vulnerability by manipulating the ‘file’ GET parameter to disclose arbitrary files on the affected device. | 2025-12-30 | 9.8 | CVE-2022-50792 | Zero Science Lab Disclosure (ZSL-2022-5736) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated File Disclosure Vulnerability |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST ‘username’ parameter to execute system commands. | 2025-12-30 | 9.8 | CVE-2022-50794 | Zero Science Lab Disclosure (ZSL-2022-5739) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Command Injection via Username |
| JM-DATA ONU–JF511-TV | JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges. | 2025-12-30 | 9.8 | CVE-2022-50803 | Zero Science Lab Disclosure (ZSL-2022-5708) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Entry JM-DATA Vendor Homepage VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Default Credentials Vulnerability |
| The Akuvox Company–Akuvox Smart Doorphone | Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authentication by directly accessing the specified endpoint on affected Akuvox doorphone and intercom devices. | 2025-12-30 | 9.8 | CVE-2024-58336 | Zero Science Lab Disclosure (ZSL-2024-5826) Packet Storm Security Exploit Entry VulnCheck Advisory: Akuvox Smart Intercom S539 Unauthenticated Video Stream Disclosure |
| Ateme–Flamingo XL | Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit the traceroute command to inject shell commands and gain full root access to the device by bypassing the restricted login environment. | 2025-12-30 | 9.8 | CVE-2024-58338 | ExploitDB-51516 Ateme Vendor Homepage Zero Science Lab Disclosure (ZSL-2023-5780) VulnCheck Advisory: Anevia Flamingo XL 3.2.9 Remote Root Jailbreak via Traceroute Command |
| wpmudev–Branda White Label & Branding, Free Login Page Customizer | The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user’s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user’s passwords, including administrators, and leverage that to gain access to their account. | 2026-01-02 | 9.8 | CVE-2025-14998 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae46be82-570f-4172-9c3f-746b894b84b9?source=cve https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.24/inc/modules/login-screen/signup-password.php#L24 https://plugins.trac.wordpress.org/changeset/3429115/branda-white-labeling#file1749 |
| Delta Electronics–DVP-12SE11T | DVP-12SE11T – Password Protection Bypass | 2025-12-30 | 9.1 | CVE-2025-15102 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf |
| Ksenia Security S.p.A.–Ksenia Security Lares 4.0 Home Automation | Ksenia Security Lares 4.0 Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the ‘basisInfo’ XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication. | 2025-12-30 | 9.8 | CVE-2025-15114 | Zero Science Lab Disclosure (ZSL-2025-5929) VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 PIN Exposure Vulnerability |
| D-Link–DIR-600 | A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component HTTP Header Handler. The manipulation of the argument Cookie results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-29 | 9.8 | CVE-2025-15194 | VDB-338581 \| D-Link DIR-600 HTTP Header hedwig.cgi stack-based overflow VDB-338581 \| CTI Indicators (IOB, IOC, IOA) Submit #724404 \| D-Link DIR-600 v2.15WWb02 and possibly earlier versions Stack-based Buffer Overflow https://github.com/LonTan0/CVE/blob/main/Stack-Based%20Buffer%20Overflow%20Vulnerability%20in%20hedwig.cgi%20of%20D-Link%20DIR-600.md https://github.com/LonTan0/CVE/blob/main/Stack-Based%20Buffer%20Overflow%20Vulnerability%20in%20hedwig.cgi%20of%20D-Link%20DIR-600.md#poc https://www.dlink.com/ |
| Sunnet–WMPro | WMPro developed by Sunnet has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2025-12-29 | 9.8 | CVE-2025-15226 | https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html https://www.twcert.org.tw/en/cp-139-10603-67149-2.html |
| WELLTEND TECHNOLOGY–BPMFlowWebkit | BPMFlowWebkit developed by WELLTEND TECHNOLOGY has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2025-12-29 | 9.8 | CVE-2025-15228 | https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html |
| Tenda–W6-S | A vulnerability was determined in Tenda W6-S 1.0.0.4(510). This impacts an unknown function of the file /bin/httpd of the component R7websSsecurityHandler. Executing manipulation of the argument Cookie can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-30 | 9.8 | CVE-2025-15255 | VDB-338645 \| Tenda W6-S R7websSsecurityHandler httpd stack-based overflow VDB-338645 \| CTI Indicators (IOB, IOC, IOA) Submit #725500 \| Tenda W6-S V1.0.0.4(510) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/R7WebsSecurityHandler.md https://www.tenda.com.cn/ |
| Delta Electronics–DVP-12SE11T | DVP-12SE11T – Out-of-bound memory write Vulnerability | 2025-12-30 | 9.1 | CVE-2025-15359 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf |
| ConoHa by GMO–WING WordPress Migrator | Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator allows Upload a Web Shell to a Web Server. This issue affects WING WordPress Migrator: from n/a through 1.1.9. | 2025-12-30 | 9.6 | CVE-2025-52835 | https://vdp.patchstack.com/database/wordpress/plugin/wing-migrator/vulnerability/wordpress-wing-wordpress-migrator-plugin-1-1-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| SignalK–signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator’s “Restore” functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability. | 2026-01-01 | 9.7 | CVE-2025-66398 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9 https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| RomanCode–MapSVG | Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.7.3. | 2025-12-29 | 9.9 | CVE-2025-68562 | https://vdp.patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve |
| SignalK–signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. The first is Unauthenticated WebSocket Request Enumeration: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses. The second is Unauthenticated Token Polling: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access. An attacker has two paths to exploit these vulnerabilities. Either the attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token; or the attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials. Both paths require zero authentication and enable complete authentication bypass. Version 2.19.0 fixes the underlying issues. | 2026-01-01 | 9.1 | CVE-2025-68620 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-fq56-hvg6-wvm5 https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| Mobile Builder–Mobile builder | Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder allows Authentication Abuse. This issue affects Mobile builder: from n/a through 1.4.2. | 2025-12-29 | 9.8 | CVE-2025-68860 | https://vdp.patchstack.com/database/wordpress/plugin/mobile-builder/vulnerability/wordpress-mobile-builder-plugin-1-4-2-broken-authentication-vulnerability?_s_id=cve |
| Mohammad I. Okfie–IF AS Shortcode | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Mohammad I. Okfie IF AS Shortcode allows Code Injection. This issue affects IF AS Shortcode: from n/a through 1.2. | 2025-12-29 | 9.9 | CVE-2025-68897 | https://vdp.patchstack.com/database/wordpress/plugin/if-as-shortcode/vulnerability/wordpress-if-as-shortcode-plugin-1-2-remote-code-execution-rce-vulnerability?_s_id=cve |
| rustfs–rustfs | RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue. | 2025-12-30 | 9.8 | CVE-2025-68926 | https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj |
| frappe–frappe | Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available. | 2025-12-29 | 9.1 | CVE-2025-68929 | https://github.com/frappe/frappe/security/advisories/GHSA-qq98-vfv9-xmxh https://github.com/frappe/frappe/releases/tag/v14.99.6 https://github.com/frappe/frappe/releases/tag/v15.88.1 |
| kromitgmbh–titra | Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue. | 2025-12-31 | 9.1 | CVE-2025-69288 | https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e https://github.com/kromitgmbh/titra/releases/tag/0.99.49 |
| Selea–Selea CarPlateServer (CPS) | Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attackers can exploit the service’s unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during application startup or reboot. | 2025-12-31 | 8.4 | CVE-2020-36903 | ExploitDB-49453 Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5621) VulnCheck Advisory: Selea CarPlateServer 4.0.1.6 Local Privilege Escalation via Unquoted Service Path |
| Epic Games Inc.–Epic Games Psyonix Rocket League | Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage the ‘F’ (Full) flag for the ‘Authenticated Users’ group to change executable files and potentially escalate system privileges. | 2025-12-31 | 8.8 | CVE-2021-47742 | Zero Science Lab Disclosure (ZSL-2021-5650) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry Rocket League Product Homepage VulnCheck Advisory: Epic Games Psyonix Rocket League <=1.95 Elevation of Privileges via Insecure Permissions |
| Cypress–200 | Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the ‘fw_url’ parameter in the ctm-config-upgrade.sh script to inject and execute arbitrary commands with root privileges. | 2025-12-31 | 8.8 | CVE-2021-47745 | ExploitDB-50408 Cypress Solutions Product Homepage Zero Science Lab Disclosure (ZSL-2021-5687) VulnCheck Advisory: Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection via Firmware Upgrade |
| Metern–meterN | meterN 1.2.3 contains an authenticated remote code execution vulnerability in admin_meter2.php and admin_indicator2.php scripts. Attackers can exploit the ‘COMMANDx’ and ‘LIVECOMMANDx’ POST parameters to execute arbitrary system commands with administrative privileges. | 2025-12-31 | 8.8 | CVE-2021-47747 | ExploitDB-50596 Archived Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5690) VulnCheck Advisory: meterN 1.2.3 Authenticated Remote Code Execution via Admin Scripts |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the ‘username’ POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and potentially access unauthorized database information. | 2025-12-30 | 8.2 | CVE-2022-50694 | Zero Science Lab Disclosure (ZSL-2022-5727) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x SQL Injection via Username Parameter |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory with .dns.pid extension. Unauthenticated attackers can execute the malicious commands by making a single HTTP POST request to the vulnerable dns.php script, which triggers command execution and then deletes the file. | 2025-12-30 | 8.4 | CVE-2022-50789 | Zero Science Lab Disclosure (ZSL-2022-5733) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via dns.php |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the vulnerable ping.php script, which triggers the malicious file and then deletes it. | 2025-12-30 | 8.4 | CVE-2022-50791 | Zero Science Lab Disclosure (ZSL-2022-5735) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via ping.php |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the ‘services’ POST parameter. Attackers can exploit this vulnerability by crafting malicious ‘services’ parameter values to execute arbitrary system commands with www-data user privileges. | 2025-12-30 | 8.8 | CVE-2022-50793 | Zero Science Lab Disclosure (ZSL-2022-5737) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Authenticated Command Injection via www-data-handler.php |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the traceroute.php script, which triggers the malicious file and then deletes it after execution. | 2025-12-30 | 8.4 | CVE-2022-50795 | Zero Science Lab Disclosure (ZSL-2022-5740) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via traceroute.php |
| NLB Banka AD Skopje–NLB mKlik Makedonija | NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application. | 2025-12-30 | 8.2 | CVE-2023-54163 | Zero Science Lab Disclosure (ZSL-2023-5797) Google Play Store App Listing Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing VulnCheck Advisory: NLB mKlik Macedonia 3.3.12 SQL Injection via International Transfer Parameters |
| Tosibox Oy–Tosibox Key Service | Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the service startup process by inserting malicious code in the system root path, enabling unauthorized code execution during application startup or system reboot. | 2025-12-30 | 8.4 | CVE-2024-58315 | Zero Science Lab Disclosure (ZSL-2024-5812) Packet Storm Security Exploit Entry Vendor Homepage VulnCheck Advisory: Tosibox Key Service 3.3.0 Local Privilege Escalation via Unquoted Service Path |
| Delta Electronics–DVP-12SE11T | DVP-12SE11T – Authentication Bypass via Partial Password Disclosure | 2025-12-30 | 8.1 | CVE-2025-15103 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf |
| Ksenia Security S.p.A.–Ksenia Security Lares 4.0 Home Automation | Ksenia Security Lares 4.0 version 1.6 contains a URL redirection vulnerability in the ‘cmdOk.xml’ script that allows attackers to manipulate the ‘redirectPage’ GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain. | 2025-12-30 | 8 | CVE-2025-15112 | Zero Science Lab Disclosure (ZSL-2025-5928) Packet Storm Security Exploit Entry Ksenia Security Vendor Homepage VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 URL Redirection Vulnerability |
| D-Link–DWR-M920 | A vulnerability was identified in D-Link DWR-M920 up to 1.1.50. This issue affects the function sub_464794 of the file /boafrm/formDefRoute. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-12-29 | 8.8 | CVE-2025-15189 | VDB-338574 \| D-Link DWR-M920 formDefRoute sub_464794 buffer overflow VDB-338574 \| CTI Indicators (IOB, IOC, IOA) Submit #723552 \| D-Link DWR-M920 VV1.1.50 Buffer Overflow https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md#poc https://www.dlink.com/ |
| D-Link–DWR-M920 | A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-29 | 8.8 | CVE-2025-15190 | VDB-338575 \| D-Link DWR-M920 formFilter sub_42261C stack-based overflow VDB-338575 \| CTI Indicators (IOB, IOC, IOA) Submit #723553 \| D-Link DWR-M920 V1.1.50 Buffer Overflow https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md#poc https://www.dlink.com/ |
| D-Link–DWR-M920 | A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. This affects the function sub_423848 of the file /boafrm/formParentControl. Performing manipulation of the argument submit-url results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-12-29 | 8.8 | CVE-2025-15193 | VDB-338578 \| D-Link DWR-M920 formParentControl sub_423848 buffer overflow VDB-338578 \| CTI Indicators (IOB, IOC, IOA) Submit #723556 \| D-Link DWR-M920 V1.1.50 Buffer Overflow https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formParentControl.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formParentControl.md#poc https://www.dlink.com/ |
| Tenda–AC10U | A vulnerability was determined in Tenda AC10U 15.03.06.48/15.03.06.49. This affects the function formSetPPTPUserList of the file /goform/setPptpUserList of the component HTTP POST Request Handler. This manipulation of the argument list causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-30 | 8.8 | CVE-2025-15215 | VDB-338600 \| Tenda AC10U HTTP POST Request setPptpUserList formSetPPTPUserList buffer overflow VDB-338600 \| CTI Indicators (IOB, IOC, IOA) Submit #725365 \| Tenda AC10U AC10U v1.0 Firmware V15.03.06.48、AC10U v1.0 Firmware V15.03.06.49 Buffer Overflow https://www.notion.so/Tenda-AC10U-setPptpUserList-2d753a41781f80e8ba6bc37ba6100343?pvs=73 https://www.tenda.com.cn/ |
| Tenda–AC23 | A vulnerability was identified in Tenda AC23 16.03.07.52. This impacts the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument bindnum leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-12-30 | 8.8 | CVE-2025-15216 | VDB-338601 \| Tenda AC23 SetIpMacBind fromSetIpMacBind stack-based overflow VDB-338601 \| CTI Indicators (IOB, IOC, IOA) Submit #725447 \| Tenda AC23 AC23 V16.03.07.52 Buffer Overflow https://lavender-bicycle-a5a.notion.site/Tenda-AC23-SetIpMacBind-2d753a41781f8026a001f16e85226a21?source=copy_link https://www.tenda.com.cn/ |
| Tenda–AC23 | A security flaw has been discovered in Tenda AC23 16.03.07.52. Affected is the function formSetPPTPUserList of the component HTTP POST Request Handler. Performing manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. | 2025-12-30 | 8.8 | CVE-2025-15217 | VDB-338602 \| Tenda AC23 HTTP POST Request formSetPPTPUserList buffer overflow VDB-338602 \| CTI Indicators (IOB, IOC, IOA) Submit #725448 \| Tenda AC23 AC23 V16.03.07.52 Buffer Overflow https://lavender-bicycle-a5a.notion.site/Tenda-AC23-formSetPPTPUserList-2d753a41781f8091b772cf9e66a687f1?source=copy_link https://www.tenda.com.cn/ |
| Tenda–AC10U | A weakness has been identified in Tenda AC10U 15.03.06.48/15.03.06.49. Affected by this vulnerability is the function fromadvsetlanip of the file /goform/AdvSetLanip of the component POST Request Parameter Handler. Executing manipulation of the argument lanMask can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-30 | 8.8 | CVE-2025-15218 | VDB-338603 \| Tenda AC10U POST Request Parameter AdvSetLanip fromadvsetlanip buffer overflow VDB-338603 \| CTI Indicators (IOB, IOC, IOA) Submit #725461 \| Tenda AC10U AC10U v1.0 Firmware V15.03.06.48、AC10U v1.0 Firmware V15.03.06.49 Buffer Overflow https://lavender-bicycle-a5a.notion.site/Tenda-AC10U-fromadvsetlanip-2d753a41781f800c86c8d388a38e8101?source=copy_link https://www.tenda.com.cn/ |
| Tenda–M3 | A vulnerability was found in Tenda M3 1.0.0.13(4903). Affected by this issue is the function formSetVlanPolicy of the file /goform/setVlanPolicyData. Performing manipulation of the argument qvlan_truck_port results in heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-12-30 | 8.8 | CVE-2025-15230 | VDB-338626 \| Tenda M3 setVlanPolicyData formSetVlanPolicy heap-based overflow VDB-338626 \| CTI Indicators (IOB, IOC, IOA) Submit #725490 \| Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setVlanPolicy.md https://www.tenda.com.cn/ |
| Tenda–M3 | A vulnerability was determined in Tenda M3 1.0.0.13(4903). This affects the function formSetRemoteVlanInfo of the file /goform/setVlanInfo. Executing manipulation of the argument ID/vlan/port can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-30 | 8.8 | CVE-2025-15231 | VDB-338627 \| Tenda M3 setVlanInfo formSetRemoteVlanInfo stack-based overflow VDB-338627 \| CTI Indicators (IOB, IOC, IOA) Submit #725493 \| Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteVlanInfo.md https://www.tenda.com.cn/ |
| Tenda–M3 | A vulnerability was identified in Tenda M3 1.0.0.13(4903). This vulnerability affects the function formSetAdPushInfo of the file /goform/setAdPushInfo. The manipulation of the argument mac/terminal leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-12-30 | 8.8 | CVE-2025-15232 | VDB-338628 \| Tenda M3 setAdPushInfo formSetAdPushInfo stack-based overflow VDB-338628 \| CTI Indicators (IOB, IOC, IOA) Submit #725494 \| Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdPushInfo.md https://www.tenda.com.cn/ |
| Tenda–M3 | A security flaw has been discovered in Tenda M3 1.0.0.13(4903). This issue affects the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. The manipulation of the argument adName/smsPassword/smsAccount/weixinAccount/weixinName/smsSignature/adRedirectUrl/adCopyRight/smsContent/adItemUID results in heap-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-12-30 | 8.8 | CVE-2025-15233 | VDB-338629 \| Tenda M3 setAdInfoDetail formSetAdInfoDetails heap-based overflow VDB-338629 \| CTI Indicators (IOB, IOC, IOA) Submit #725495 \| Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdInfoDetail.md https://www.tenda.com.cn/ |
| Tenda–M3 | A weakness has been identified in Tenda M3 1.0.0.13(4903). Impacted is the function formSetRemoteInternetLanInfo of the file /goform/setInternetLanInfo. This manipulation of the argument portIp/portMask/portGateWay/portDns/portSecDns causes heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-12-30 | 8.8 | CVE-2025-15234 | VDB-338630 | Tenda M3 setInternetLanInfo formSetRemoteInternetLanInfo heap-based overflow VDB-338630 | CTI Indicators (IOB, IOC, IOA) Submit #725496 | Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteInternetLanInfo.md https://www.tenda.com.cn/ |
| Tenda–M3 | A flaw has been found in Tenda M3 1.0.0.13(4903). The affected element is the function formSetRemoteDhcpForAp of the file /goform/setDhcpAP. This manipulation of the argument startip/endip/leasetime/gateway/dns1/dns2 causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-12-30 | 8.8 | CVE-2025-15252 | VDB-338642 | Tenda M3 setDhcpAP formSetRemoteDhcpForAp stack-based overflow VDB-338642 | CTI Indicators (IOB, IOC, IOA) Submit #725497 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteDhcpForAp.md https://www.tenda.com.cn/ |
| Tenda–M3 | A vulnerability has been found in Tenda M3 1.0.0.13(4903). The impacted element is an unknown function of the file /goform/exeCommand. Such manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 8.8 | CVE-2025-15253 | VDB-338643 | Tenda M3 exeCommand stack-based overflow VDB-338643 | CTI Indicators (IOB, IOC, IOA) Submit #725498 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/execCommand.md https://www.tenda.com.cn/ |
| Tenda–AC20 | A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 8.8 | CVE-2025-15356 | VDB-338742 | Tenda AC20 PowerSaveSet sscanf buffer overflow VDB-338742 | CTI Indicators (IOB, IOC, IOA) Submit #726360 | Tenda Tenda AC20 V16.03.08.12 Buffer Overflow https://github.com/xyh4ck/iot_poc/tree/main/Tenda%20AC20_Buffer_Overflow https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC20_Buffer_Overflow/Tenda%20AC20_Buffer_Overflow.md#poc https://www.tenda.com.cn/ |
| QNO Technology–VPN Firewall | VPN Firewall developed by QNO Technology has an Insufficient Entropy vulnerability, allowing unauthenticated remote attackers to obtain any logged-in user's session through brute-force attacks and subsequently log into the system. | 2025-12-31 | 8.8 | CVE-2025-15387 | https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html |
| QNO Technology–VPN Firewall | VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2025-12-31 | 8.8 | CVE-2025-15388 | https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html |
| QNO Technology–VPN Firewall | VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2025-12-31 | 8.8 | CVE-2025-15389 | https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html |
| UTT–进取 512W | A weakness has been identified in UTT 进取 512W 1.7.7-171114. Affected is the function strcpy of the file /goform/formRemoteControl. Manipulation of the argument Profile causes a buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 8.8 | CVE-2025-15428 | VDB-339350 \| UTT 进取 512W formRemoteControl strcpy buffer overflow VDB-339350 \| CTI Indicators (IOB, IOC, IOA) Submit #721875 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/18.md https://github.com/Lena-lyy/cve/blob/main/1223/18.md#poc |
| UTT–进取 512W | A security vulnerability has been detected in UTT 进取 512W 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formConfigCliForEngineerOnly. Manipulation of the argument addCommand leads to a buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 8.8 | CVE-2025-15429 | VDB-339351 \| UTT 进取 512W formConfigCliForEngineerOnly strcpy buffer overflow VDB-339351 \| CTI Indicators (IOB, IOC, IOA) Submit #721876 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/19.md https://github.com/Lena-lyy/cve/blob/main/1223/19.md#poc |
| UTT–进取 512W | A vulnerability was detected in UTT 进取 512W 1.7.7-171114. Affected by this issue is the function strcpy of the file /goform/formFtpServerShareDirSelcet. Manipulation of the argument oldfilename results in a buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 8.8 | CVE-2025-15430 | VDB-339352 \| UTT 进取 512W formFtpServerShareDirSelcet strcpy buffer overflow VDB-339352 \| CTI Indicators (IOB, IOC, IOA) Submit #721888 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/20.md https://github.com/GUOTINGTING2297/cve/blob/main/1234/20.md#poc |
| UTT–进取 512W | A flaw has been found in UTT 进取 512W 1.7.7-171114. This affects the function strcpy of the file /goform/formFtpServerDirConfig. Manipulation of the argument filename can lead to a buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 8.8 | CVE-2025-15431 | VDB-339353 \| UTT 进取 512W formFtpServerDirConfig strcpy buffer overflow VDB-339353 \| CTI Indicators (IOB, IOC, IOA) Submit #721889 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/21.md https://github.com/GUOTINGTING2297/cve/blob/main/1234/21.md#poc |
| Codedraft–Mediabay – WordPress Media Library Folders | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Codedraft Mediabay – WordPress Media Library Folders allows Blind SQL Injection. This issue affects Mediabay – WordPress Media Library Folders: from n/a through 1.4. | 2025-12-31 | 8.5 | CVE-2025-28949 | https://vdp.patchstack.com/database/wordpress/plugin/mediabay/vulnerability/wordpress-mediabay-wordpress-media-library-folders-1-4-sql-injection-vulnerability?_s_id=cve |
| AA-Team–Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. | 2025-12-31 | 8.5 | CVE-2025-30628 | https://vdp.patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-sql-injection-vulnerability?_s_id=cve |
| Priority–Web | CWE-434 Unrestricted Upload of File with Dangerous Type | 2025-12-29 | 8.8 | CVE-2025-55061 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Plex–Media Server | Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token. | 2026-01-02 | 8.5 | CVE-2025-69414 | https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md |
| Selea–Selea CarPlateServer (CPS) | Selea CarPlateServer 4.0.1.6 contains a remote program execution vulnerability that allows attackers to execute arbitrary Windows binaries by manipulating the NO_LIST_EXE_PATH configuration parameter. Attackers can bypass authentication through the /cps/ endpoint and modify server configuration, including changing admin passwords and executing system commands. | 2025-12-31 | 7.5 | CVE-2020-36904 | ExploitDB-49452 Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5622) VulnCheck Advisory: Selea CarPlateServer 4.0.1.6 Remote Program Execution via Configuration Endpoint |
| Nucom–NuCom 11N Wireless Router | NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to retrieve and decode the admin password in Base64 format. | 2025-12-31 | 7.5 | CVE-2021-47726 | ExploitDB-49634 NuCom Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5629) VulnCheck Advisory: NuCom 11N Wireless Router 5.07.90 Privilege Escalation via Configuration Backup |
| KZ Broadband Technologies, Ltd.–JT3500V | KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms. | 2025-12-31 | 7.5 | CVE-2021-47740 | Zero Science Lab Disclosure (ZSL-2021-5646) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry KZ TECH Vendor Homepage JATON TEC Homepage Neotel Vendor Homepage VulnCheck Advisory: KZTech JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration Vulnerability |
| Zblchina–ZBL EPON ONU Broadband Router | ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities. | 2025-12-31 | 7.5 | CVE-2021-47741 | ExploitDB-49737 ZBL China Vendor Homepage Archived W&D Thailand Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5647) VulnCheck Advisory: ZBL EPON ONU Broadband Router V100R001 Privilege Escalation via Configuration Endpoint |
| Cypress–ONE | Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains a hard-coded credentials vulnerability in its Linux distribution that exposes root access. Attackers can exploit the static ‘Chameleon’ password to gain remote root access via Telnet or SSH on affected devices. | 2025-12-31 | 7.5 | CVE-2021-47744 | ExploitDB-50407 Cypress Solutions Official Homepage Zero Science Lab Disclosure (ZSL-2021-5686) VulnCheck Advisory: Cypress Solutions CTM-200/CTM-ONE 1.3.6 Hard-coded Credentials Remote Root |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application. | 2025-12-30 | 7.5 | CVE-2022-50692 | Zero Science Lab Disclosure (ZSL-2022-5724) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Insufficient Session Expiration Vulnerability |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains an unauthenticated stored cross-site scripting vulnerability in the username parameter that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated username input to execute arbitrary HTML and JavaScript code in victim browser sessions without authentication. | 2025-12-30 | 7.2 | CVE-2022-50787 | Zero Science Lab Disclosure (ZSL-2022-5731) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Stored Cross-Site Scripting |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication. | 2025-12-30 | 7.5 | CVE-2022-50788 | Zero Science Lab Disclosure (ZSL-2022-5732) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Information Disclosure via Log Directory |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions, enabling unauthorized access and code execution. | 2025-12-30 | 7.5 | CVE-2022-50796 | Zero Science Lab Disclosure (ZSL-2022-5741) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Remote Code Execution via upload.cgi |
| Chris Bagwell–SoX | SoX 14.4.2 contains a division by zero vulnerability when handling WAV files that can cause program crashes. Attackers can trigger a floating point exception by providing a specially crafted WAV file that causes arithmetic errors during sound file processing. | 2025-12-30 | 7.5 | CVE-2022-50798 | ExploitDB-51034 SoX Official SourceForge Page SoX Wikipedia Entry Zero Science Lab Disclosure (ZSL-2022-5712) VulnCheck Advisory: SoX 14.4.2 Denial of Service Vulnerability via WAV File Processing |
| Fetch Softworks–Fetch Softworks Fetch FTP Client | Fetch FTP Client 5.8.2 contains a denial of service vulnerability that allows attackers to trigger 100% CPU consumption by sending long server responses. Attackers can send specially crafted FTP server responses exceeding 2K bytes to cause excessive resource utilization and potentially crash the application. | 2025-12-30 | 7.5 | CVE-2022-50799 | ExploitDB-50696 Fetch Softworks Product Homepage Zero Science Lab Disclosure (ZSL-2022-5696) VulnCheck Advisory: Fetch Softworks Fetch FTP Client 5.8.2 Remote CPU Consumption Denial of Service |
| Hangzhou H3C Technologies–H3C SSL VPN | H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the ‘txtUsrName’ POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts. | 2025-12-30 | 7.5 | CVE-2022-50800 | ExploitDB-50742 H3C Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5697) VulnCheck Advisory: H3C SSL VPN n/a Username Enumeration via Login Script Credential Verification |
| Ateme–Anevia Flamingo XL/XS | Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to gain full remote system control without complex authentication mechanisms. | 2025-12-30 | 7.5 | CVE-2023-53983 | Zero Science Lab Disclosure (ZSL-2023-5777) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry CXSecurity Vulnerability Listing Ateme Vendor Homepage VulnCheck Advisory: Anevia Flamingo XL/XS 3.6.20 Default Credentials Authentication Bypass |
| Tinycontrol–LAN Controller | Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls and modify administrative credentials. | 2025-12-30 | 7.5 | CVE-2023-54327 | ExploitDB-51732 Tinycontrol Official Product Homepage Zero Science Lab Disclosure (ZSL-2023-5787) VulnCheck Advisory: Tinycontrol LAN Controller 1.58a Authentication Bypass via Admin Password Change |
| The Akuvox Company–Akuvox Smart Doorphone | Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with ‘User’ privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities. | 2025-12-30 | 7.5 | CVE-2024-58337 | Zero Science Lab Disclosure (ZSL-2024-5862) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing VulnCheck Advisory: Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI |
| monetizemore–Advanced Ads Ad Manager & AdSense | The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the ‘change-ad__content’ shortcode parameter. This allows authenticated attackers with editor-level permissions or above to execute code on the server. | 2025-12-29 | 7.2 | CVE-2025-13592 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e83561-aa71-4984-8a26-207e208d70e8?source=cve https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.14/includes/ads/class-ad-plain.php#L36 https://plugins.trac.wordpress.org/changeset/3427297/advanced-ads#file9 |
| villatheme–Lucky Wheel for WooCommerce Spin a Sale | The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the ‘Conditional Tags’ setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments. | 2025-12-30 | 7.2 | CVE-2025-14509 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9a41bc0e-0ab9-4cee-b3ca-d730c828782c?source=cve https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/trunk/frontend/frontend.php#L127 https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/frontend.php#L127 https://plugins.trac.wordpress.org/changeset/3428063/ |
| Innorix–Innorix WP | Unrestricted Upload of File with Dangerous Type vulnerability in Innorix Innorix WP allows Upload a Web Shell to a Web Server. This issue affects Innorix WP: all versions, if the “exam” directory exists under the directory where the product is installed (e.g. innorix/exam). | 2025-12-29 | 7.7 | CVE-2025-15067 | https://www.innorix.com/ https://www.gnit.co.kr/software/innorix_product.html |
| Gmission–Web Fax | Missing Authorization vulnerability in Gmission Web Fax allows Privilege Abuse, Session Credential Falsification through Manipulation. This issue affects Web Fax: from 3.0 before 4.0. | 2025-12-29 | 7.7 | CVE-2025-15068 | https://www.gmission.co.kr/fax1 |
| Gmission–Web Fax | Improper Authentication vulnerability in Gmission Web Fax allows Privilege Escalation. This issue affects Web Fax: from 3.0 before 4.0. | 2025-12-29 | 7.1 | CVE-2025-15069 | https://www.gmission.co.kr/fax1 |
| Ksenia Security S.p.A.–Ksenia Security Lares 4.0 Home Automation | Ksenia Security Lares 4.0 Home Automation version 1.6 contains a default credentials vulnerability that allows unauthorized attackers to gain administrative access. Attackers can exploit the weak default administrative credentials to obtain full control of the home automation system. | 2025-12-30 | 7.5 | CVE-2025-15111 | Zero Science Lab Disclosure (ZSL-2025-5927) Packet Storm Security Exploit Entry Ksenia Security Vendor Homepage VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 Default Credentials Vulnerability |
| Ksenia Security S.p.A.–Ksenia Security Lares 4.0 Home Automation | Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system’s web server. | 2025-12-30 | 7.8 | CVE-2025-15113 | Zero Science Lab Disclosure (ZSL-2025-5930) Ksenia Security Vendor Homepage Packet Storm Security Exploit VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload |
| Tenda–WH450 | A vulnerability was identified in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/SafeEmailFilter. Manipulation of the argument page leads to a stack-based buffer overflow. The attack can be carried out remotely. The exploit is publicly available and might be used. | 2025-12-29 | 7.2 | CVE-2025-15163 | VDB-338538 \| Tenda WH450 SafeEmailFilter stack-based overflow VDB-338538 \| CTI Indicators (IOB, IOC, IOA) Submit #721214 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeEmailFilter/SafeEmailFilter.md https://www.tenda.com.cn/ |
| Tenda–WH450 | A security flaw has been discovered in Tenda WH450 1.0.0.18. This affects an unknown part of the file /goform/SafeMacFilter. Manipulation of the argument page results in a stack-based buffer overflow. The attack may be performed remotely. The exploit has been released to the public and may be exploited. | 2025-12-29 | 7.2 | CVE-2025-15164 | VDB-338539 \| Tenda WH450 SafeMacFilter stack-based overflow VDB-338539 \| CTI Indicators (IOB, IOC, IOA) Submit #721215 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeMacFilter/SafeMacFilter.md https://www.tenda.com.cn/ |
| itsourcecode–Online Cake Ordering System | A vulnerability has been found in itsourcecode Online Cake Ordering System 1.0. The impacted element is an unknown function of the file /updatecustomer.php?action=edit. Manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-29 | 7.3 | CVE-2025-15165 | VDB-338544 \| itsourcecode Online Cake Ordering System updatecustomer.php sql injection VDB-338544 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721106 \| itsourcecode Online Cake Ordering System V1.0 SQL Injection https://github.com/LaneyYu/cve/issues/4 https://itsourcecode.com/ |
| itsourcecode–Online Cake Ordering System | A vulnerability was found in itsourcecode Online Cake Ordering System 1.0. This affects an unknown function of the file /updatesupplier.php?action=edit. Manipulation of the argument ID results in SQL injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-12-29 | 7.3 | CVE-2025-15166 | VDB-338545 \| itsourcecode Online Cake Ordering System updatesupplier.php sql injection VDB-338545 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721108 \| itsourcecode Online Cake Ordering System V1.0 SQL Injection https://github.com/LaneyYu/cve/issues/5 https://itsourcecode.com/ |
| itsourcecode–Online Cake Ordering System | A vulnerability was determined in itsourcecode Online Cake Ordering System 1.0. This impacts an unknown function of the file /detailtransac.php. Manipulation of the argument ID causes SQL injection. Remote exploitation is possible. The exploit has been publicly disclosed and may be utilized. | 2025-12-29 | 7.3 | CVE-2025-15167 | VDB-338546 \| itsourcecode Online Cake Ordering System detailtransac.php sql injection VDB-338546 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721109 \| itsourcecode Online Cake Ordering System V1.0 SQL Injection https://github.com/LaneyYu/cve/issues/6 https://itsourcecode.com/ |
| itsourcecode–Student Management System | A vulnerability was identified in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /statistical.php. Manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-12-29 | 7.3 | CVE-2025-15168 | VDB-338547 \| itsourcecode Student Management System statistical.php sql injection VDB-338547 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721155 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/Susen2/cve/issues/1 https://itsourcecode.com/ |
| Tenda–WH450 | A vulnerability has been found in Tenda WH450 1.0.0.18. This vulnerability affects unknown code of the file /goform/SetIpBind of the component HTTP Request Handler. Manipulation of the argument page leads to a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-29 | 7.2 | CVE-2025-15177 | VDB-338562 \| Tenda WH450 HTTP Request SetIpBind stack-based overflow VDB-338562 \| CTI Indicators (IOB, IOC, IOA) Submit #721216 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SetIpBind/SetIpBind.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SetIpBind/SetIpBind.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was found in Tenda WH450 1.0.0.18. This issue affects some unknown processing of the file /goform/VirtualSer of the component HTTP Request Handler. Manipulation of the argument page results in a stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-12-29 | 7.2 | CVE-2025-15178 | VDB-338563 \| Tenda WH450 HTTP Request VirtualSer stack-based overflow VDB-338563 \| CTI Indicators (IOB, IOC, IOA) Submit #721217 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/VirtualSer/VirtualSer.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/VirtualSer/VirtualSer.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was determined in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/qossetting. Manipulation of the argument page causes a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-29 | 7.2 | CVE-2025-15179 | VDB-338564 \| Tenda WH450 qossetting stack-based overflow VDB-338564 \| CTI Indicators (IOB, IOC, IOA) Submit #721218 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/qossetting/qossetting.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/qossetting/qossetting.md#reproduce https://www.tenda.com.cn/ |
| Tenda–WH450 | A vulnerability was identified in Tenda WH450 1.0.0.18. The affected element is an unknown function of the file /goform/webExcptypemanFilte of the component HTTP Request Handler. Manipulation of the argument page leads to a stack-based buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-12-29 | 7.2 | CVE-2025-15180 | VDB-338565 \| Tenda WH450 HTTP Request webExcptypemanFilte stack-based overflow VDB-338565 \| CTI Indicators (IOB, IOC, IOA) Submit #721219 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/webExcptypemanFilter/webExcptypemanFilter.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/webExcptypemanFilter/webExcptypemanFilter.md#reproduce https://www.tenda.com.cn/ |
| code-projects–Refugee Food Management System | A security flaw has been discovered in code-projects Refugee Food Management System 1.0. The impacted element is an unknown function of the file /home/pagenateRefugeesList.php. Manipulation of the argument rfid results in SQL injection. Remote exploitation is possible. The exploit has been released to the public and may be exploited. | 2025-12-29 | 7.3 | CVE-2025-15181 | VDB-338566 \| code-projects Refugee Food Management System pagenateRefugeesList.php sql injection VDB-338566 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721270 \| Code-projects Refugee Food Management System v1.0 SQL Injection Submit #722805 \| code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) https://github.com/ctg503/CVE/issues/1 https://code-projects.org/ |
| code-projects–Refugee Food Management System | A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown function of the file /home/served.php. Manipulation of the argument refNo can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-12-29 | 7.3 | CVE-2025-15182 | VDB-338567 \| code-projects Refugee Food Management System served.php sql injection VDB-338567 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721272 \| Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/ctg503/CVE/issues/2 https://code-projects.org/ |
| code-projects–Refugee Food Management System | A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This impacts an unknown function of the file /home/viewtakenfd.php. Manipulation of the argument tfid leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. | 2025-12-29 | 7.3 | CVE-2025-15183 | VDB-338568 \| code-projects Refugee Food Management System viewtakenfd.php sql injection VDB-338568 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721273 \| Code-projects Refugee Food Management System v1.0 SQL Injection Submit #722808 \| code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) Submit #722809 \| code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) Submit #722810 \| code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) https://github.com/ctg503/CVE/issues/3 https://code-projects.org/ |
| code-projects–Refugee Food Management System | A vulnerability was detected in code-projects Refugee Food Management System 1.0. Affected is an unknown function of the file /home/refugeesreport2.php. Manipulation of the argument a results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used. | 2025-12-29 | 7.3 | CVE-2025-15184 | VDB-338569 \| code-projects Refugee Food Management System refugeesreport2.php sql injection VDB-338569 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721274 \| Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/ctg503/CVE/issues/4 https://code-projects.org/ |
| code-projects–Refugee Food Management System | A flaw has been found in code-projects Refugee Food Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /home/refugeesreport.php. Manipulation of the argument a causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-12-29 | 7.3 | CVE-2025-15185 | VDB-338570 \| code-projects Refugee Food Management System refugeesreport.php sql injection VDB-338570 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721275 \| Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/ctg503/CVE/issues/5 https://code-projects.org/ |
| code-projects–Refugee Food Management System | A vulnerability has been found in code-projects Refugee Food Management System 1.0. Affected by this issue is some unknown functionality of the file /home/addusers.php. Manipulation of the argument a leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-12-29 | 7.3 | CVE-2025-15186 | VDB-338571 \| code-projects Refugee Food Management System addusers.php sql injection VDB-338571 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721277 \| Code-projects Refugee Food Management System v1.0 SQL Injection Submit #722802 \| code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) https://github.com/ctg503/CVE/issues/6 https://code-projects.org/ |
| code-projects–Assessment Management | A vulnerability was determined in code-projects Assessment Management 1.0. Affected by this issue is some unknown functionality of the file /admin/add-module.php. Manipulation of the argument linked[] causes SQL injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-29 | 7.3 | CVE-2025-15195 | VDB-338582 \| code-projects Assessment Management add-module.php sql injection VDB-338582 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #724717 \| Code-projects Assessment Management v1.0 SQL injection https://github.com/Limingqian123/CVE/issues/3 https://code-projects.org/ |
| code-projects–Assessment Management | A vulnerability was identified in code-projects Assessment Management 1.0. This affects an unknown part of the file login.php. Such manipulation of the argument userid leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-12-29 | 7.3 | CVE-2025-15196 | VDB-338583 | code-projects Assessment Management login.php sql injection VDB-338583 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724718 | Code-projects Assessment Management v1.0 SQL injection https://github.com/Limingqian123/CVE/issues/4 https://code-projects.org/ |
| code-projects–College Notes Uploading System | A weakness has been identified in code-projects College Notes Uploading System 1.0. This issue affects some unknown processing of the file /login.php. Executing manipulation of the argument User can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-29 | 7.3 | CVE-2025-15198 | VDB-338585 | code-projects College Notes Uploading System login.php sql injection VDB-338585 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724724 | Code-projects College Notes Uploading System v1.0 SQL injection https://github.com/Limingqian123/CVE/issues/10 https://code-projects.org/ |
| Campcodes–Supplier Management System | A flaw has been found in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /admin/add_area.php. Executing manipulation of the argument txtAreaCode can lead to sql injection. The attack may be performed remotely. The exploit has been published and may be used. | 2025-12-29 | 7.3 | CVE-2025-15206 | VDB-338579 | Campcodes Supplier Management System add_area.php sql injection VDB-338579 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #723951 | Campcodes Supplier Management System V1.0 SQL Injection https://github.com/IMZGforever/CVEs/issues/5 https://www.campcodes.com/ |
| Campcodes–Supplier Management System | A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/view_products.php. The manipulation of the argument chkId[] leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-12-29 | 7.3 | CVE-2025-15207 | VDB-338580 | Campcodes Supplier Management System view_products.php sql injection VDB-338580 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #723953 | Campcodes Supplier Management System 1.0 SQL Injection https://github.com/IMZGforever/CVEs/issues/6 https://www.campcodes.com/ |
| code-projects–Refugee Food Management System | A security flaw has been discovered in code-projects Refugee Food Management System 1.0. Affected by this issue is some unknown functionality of the file /home/editrefugee.php. The manipulation of the argument rfid results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-29 | 7.3 | CVE-2025-15208 | VDB-338593 | code-projects Refugee Food Management System editrefugee.php sql injection VDB-338593 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721753 | Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/11alert/CVE/issues/1 https://code-projects.org/ |
| Sunnet–WMPro | WMPro developed by Sunnet has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to read arbitrary system files. | 2025-12-29 | 7.5 | CVE-2025-15225 | https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html https://www.twcert.org.tw/en/cp-139-10603-67149-2.html |
| WELLTEND TECHNOLOGY–BPMFlowWebkit | BPMFlowWebkit developed by WELLTEND TECHNOLOGY has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2025-12-29 | 7.5 | CVE-2025-15227 | https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html |
| code-projects–Simple Stock System | A flaw has been found in code-projects Simple Stock System 1.0. This affects an unknown function of the file /market/login.php. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-12-30 | 7.3 | CVE-2025-15243 | VDB-338633 | code-projects Simple Stock System login.php sql injection VDB-338633 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725689 | Code-Projects Simple Stock System V1.0 SQL Injection https://github.com/c13641462064-lgtm/sql_injection/issues/1 https://code-projects.org/ |
| gmg137–snap7-rs | A vulnerability was identified in gmg137 snap7-rs up to 153d3e8c16decd7271e2a5b2e3da4d6f68589424. Affected by this issue is the function snap7_rs::client::S7Client::download of the file client.rs. Such manipulation leads to heap-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 7.3 | CVE-2025-15247 | VDB-338637 | gmg137 snap7-rs client.rs download heap-based overflow VDB-338637 | CTI Indicators (IOB, IOC, IOA) https://gitee.com/gmg137/snap7-rs/issues/ID2H7V |
| Edimax–BR-6208AC | A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. Edimax confirms this issue: “The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security.” This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-30 | 7.3 | CVE-2025-15256 | VDB-338646 | Edimax BR-6208AC Web-based Configuration formStaDrvSetup command injection VDB-338646 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722014 | Edimax BR-6208AC V2_1.02 Command Injection https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-formStaDrvSetup-handler-2d2b5c52018a803ebd91c200b3e2925b?source=copy_link |
| Edimax–BR-6208AC | A security flaw has been discovered in Edimax BR-6208AC 1.02/1.03. Affected by this vulnerability is the function formRoute of the file /gogorm/formRoute of the component Web-based Configuration Interface. The manipulation of the argument strIp/strMask/strGateway results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. Edimax confirms this issue: “The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security.” This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-30 | 7.3 | CVE-2025-15257 | VDB-338647 | Edimax BR-6208AC Web-based Configuration formRoute command injection VDB-338647 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722426 | Edimax BR-6208AC V2_1.02 Command Injection https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-formRoute-handler-2d3b5c52018a805983d3cf0780b28407?source=copy_link |
| BiggiDroid–Simple PHP CMS | A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. Executing manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-12-30 | 7.3 | CVE-2025-15263 | VDB-338657 | BiggiDroid Simple PHP CMS Admin Login login.php sql injection VDB-338657 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725820 | BiggiDroid Simple-PHP-Blog 1.0 SQL Injection https://gitee.com/devilrunsun/mywork/issues/IDGMME |
| n/a–FeehiCMS | A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-30 | 7.3 | CVE-2025-15264 | VDB-338663 | FeehiCMS TimThumb timthumb.php server-side request forgery VDB-338663 | CTI Indicators (IOB, IOC, IOA) Submit #718278 | FeehiCMS https://github.com/liufee/cms v2.1.1 Server-Side Request Forgery |
| HTTP–DOS | Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1. Summary: The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable. Details: The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): `if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); /* No arrayLimit check */ }`. Working code (lib/parse.js:175): `else if (index <= options.arrayLimit) { /* Limit checked here */ obj = []; obj[index] = leaf; }`. The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoC, Test 1 (basic bypass): after `npm install qs`, run `const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length);` which outputs 6 (should be max 5). Test 2 (DoS demonstration): `const qs = require('qs'); const attack = 'a[]=' + Array(10000).fill('x').join('&a[]='); const result = qs.parse(attack, { arrayLimit: 100 }); console.log(result.a.length);` outputs 10000 (should be max 100). Configuration: arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2); use bracket notation a[]=value (not indexed a[0]=value). Impact: Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection. Attack scenario: attacker sends HTTP request GET /api/search?filters[]=x&filters[]=x&…&filters[]=x (100,000+ times); application parses with qs.parse(query, { arrayLimit: 100 }); qs ignores the limit and parses all 100,000 elements into an array; server memory is exhausted → application crashes or becomes unresponsive; service unavailable for all users. Real-world impact: a single malicious request can crash the server; no authentication required; easy to automate and scale; affects any endpoint parsing query strings with bracket notation. | 2025-12-29 | 7.5 | CVE-2025-15284 | https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9 |
| itsourcecode–Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is the function edit_admin_query of the file /admin/edit_admin_query.php. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-12-30 | 7.3 | CVE-2025-15353 | VDB-338740 | itsourcecode Society Management System edit_admin_query.php edit_admin_query sql injection VDB-338740 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #726280 | itsourcecode Society Management System V1.0 SQL injection https://github.com/BUPT2025201/CVE/issues/4 https://itsourcecode.com/ |
| itsourcecode–Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/add_admin.php. Executing manipulation of the argument Username can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-12-30 | 7.3 | CVE-2025-15354 | VDB-338741 | itsourcecode Society Management System add_admin.php sql injection VDB-338741 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #726282 | itsourcecode Society Management System V1.0 SQL injection https://github.com/BUPT2025201/CVE/issues/2 https://itsourcecode.com/ |
| Delta Electronics–DVP-12SE11T | DVP-12SE11T – Denial of Service Vulnerability | 2025-12-30 | 7.5 | CVE-2025-15358 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf |
| Tenda–i24 | A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. The attack has to be carried out locally. The exploit has been disclosed to the public and may be used. | 2025-12-31 | 7.8 | CVE-2025-15371 | VDB-339075 | Tenda i24 Shadow File hard-coded credentials VDB-339075 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727155 | Tenda Tenda i24v3.0 V3.0.0.8(4008) V3.0.0.8(4008) Hard-coded Credentials Submit #727283 | Tenda 4G03ProV1.0re V04.03.01.49 Hard-coded Credentials (Duplicate) Submit #727284 | Tenda 4G05V1.0re V04.05.01.15 Hard-coded Credentials (Duplicate) Submit #727285 | Tenda 4G08V1.0re V04.08.01.28 Hard-coded Credentials (Duplicate) Submit #727302 | Tenda G0-8G-PoEV2.0si V16.01.8.5 Hard-coded Credentials (Duplicate) Submit #727305 | Tenda MW5GV1.0re V1.0.0.35 Hard-coded Credentials (Duplicate) Submit #727306 | Tenda TEG5328FV1.0ma V65.10.15.6 Hard-coded Credentials (Duplicate) https://github.com/vuln-1/vuln/blob/main/Tenda/i24v3.0_V3.0.0.8/report-1.md https://www.tenda.com.cn/ |
| code-projects–Online Guitar Store | A vulnerability has been found in code-projects Online Guitar Store 1.0. This impacts an unknown function of the file /admin/Create_category.php. Such manipulation of the argument dre_Ctitle leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-01-01 | 7.3 | CVE-2025-15407 | VDB-339327 | code-projects Online Guitar Store Create_category.php sql injection VDB-339327 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728391 | Code-projects Online Guitar Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr19/issues/1 https://code-projects.org/ |
| code-projects–Online Guitar Store | A vulnerability was found in code-projects Online Guitar Store 1.0. Affected is an unknown function of the file /admin/Create_product.php. Performing manipulation of the argument dre_title results in sql injection. The attack can be carried out remotely. The exploit has been made public and could be used. | 2026-01-01 | 7.3 | CVE-2025-15408 | VDB-339328 | code-projects Online Guitar Store Create_product.php sql injection VDB-339328 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728392 | Code-projects Online Guitar Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr19/issues/2 https://code-projects.org/ |
| code-projects–Online Guitar Store | A vulnerability was determined in code-projects Online Guitar Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/Delete_product.php. Executing manipulation of the argument del_pro can lead to sql injection. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-01 | 7.3 | CVE-2025-15409 | VDB-339329 | code-projects Online Guitar Store Delete_product.php sql injection VDB-339329 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728393 | Code-projects Online Guitar Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr19/issues/3 https://code-projects.org/ |
| code-projects–Online Guitar Store | A vulnerability was identified in code-projects Online Guitar Store 1.0. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument L_email leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-01-01 | 7.3 | CVE-2025-15410 | VDB-339330 | code-projects Online Guitar Store login.php sql injection VDB-339330 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728394 | Code-projects Online Guitar Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr19/issues/4 https://code-projects.org/ |
| Yonyou–KSOA | A security vulnerability has been detected in Yonyou KSOA 9.0. This affects an unknown part of the file /worksheet/agent_work_report.jsp. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15420 | VDB-339342 | Yonyou KSOA agent_work_report.jsp sql injection VDB-339342 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721099 | Yonyou KSOA V9.0 SQL Injection Submit #721531 | Yonyou KSOA V9.0 SQL Injection (Duplicate) https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_work_report.jsp%20SQL%20injection.md |
| Yonyou–KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/agent_worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15421 | VDB-339343 | Yonyou KSOA HTTP GET Parameter agent_worksadd.jsp sql injection VDB-339343 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721324 | Yonyou KSOA V9.0 SQL Injection Submit #721527 | Yonyou KSOA V9.0 SQL Injection (Duplicate) https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksadd.jsp%20SQL%20injection.md |
| Yonyou–KSOA | A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /worksheet/agent_worksdel.jsp of the component HTTP GET Parameter Handler. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15424 | VDB-339346 | Yonyou KSOA HTTP GET Parameter agent_worksdel.jsp sql injection VDB-339346 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721348 | Yonyou KSOA V9.0 SQL Injection Submit #721526 | Yonyou KSOA V9.0 SQL Injection (Duplicate) https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksdel.jsp%20SQL%20injection.md https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksdel.jsp%20SQL%20injection.md#vulnerability-details-and-poc |
| Yonyou–KSOA | A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_user.jsp of the component HTTP GET Parameter Handler. Executing manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15425 | VDB-339347 | Yonyou KSOA HTTP GET Parameter del_user.jsp sql injection VDB-339347 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721352 | Yonyou KSOA V9.0 SQL Injection https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platform%20worksheet%20del_user.jsp%20SQL%20injection.md https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platform%20worksheet%20del_user.jsp%20SQL%20injection.md#vulnerability-details-and-poc |
| jackying–H-ui.admin | A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15426 | VDB-339348 | jackying H-ui.admin preview.php unrestricted upload VDB-339348 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721457 | https://www.h-ui.net/ H-ui.admin v3.1 RCE https://github.com/TiKi-r/CVE-Report/blob/main/H-ui.admin%20RCE.md https://github.com/TiKi-r/CVE-Report/blob/main/H-ui.admin%20RCE.md#4-proof-of-concept-poc |
| Seeyon–Zhiyuan OA Web Application System | A security flaw has been discovered in Seeyon Zhiyuan OA Web Application System up to 20251222. This impacts an unknown function of the file /carManager/carUseDetailList.j%73p. The manipulation of the argument CAR_BRAND_NO results in sql injection. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15427 | VDB-339349 | Seeyon Zhiyuan OA Web Application System carUseDetailList.j%73p sql injection VDB-339349 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721493 | Seeyou Collaborative Platform V1.0 SQL Injection https://github.com/cly-yuxiu/CVE/issues/2 |
| Yonyou–KSOA | A vulnerability was detected in Yonyou KSOA 9.0. Affected is an unknown function of the file /kp/PrintZPYG.jsp. The manipulation of the argument zpjhid results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15434 | VDB-339361 | Yonyou KSOA PrintZPYG.jsp sql injection VDB-339361 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721490 | Yonyou KSOA V1.0 SQL Injection https://github.com/cly-yuxiu/CVE/issues/1 |
| Yonyou–KSOA | A flaw has been found in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_update.jsp. This manipulation of the argument Report causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15435 | VDB-339362 | Yonyou KSOA work_update.jsp sql injection VDB-339362 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721918 | Yonyou KSOA V1.0 SQL Injection https://github.com/xiaozipang/CVE/issues/1 |
| Yonyou–KSOA | A vulnerability has been found in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /worksheet/work_edit.jsp. Such manipulation of the argument Report leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15436 | VDB-339363 | Yonyou KSOA work_edit.jsp sql injection VDB-339363 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721925 | Yonyou KSOA V1.0 SQL Injection https://github.com/xinshou-test/CVE/issues/2 |
| Seeyon–Zhiyuan OA Web Application System | A flaw has been found in Seeyon Zhiyuan OA Web Application System up to 20251223. The impacted element is an unknown function of the file /assetsGroupReport/fixedAssetsList.j%73p. Executing a manipulation of the argument unitCode can lead to sql injection. The attack may be performed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-04 | 7.3 | CVE-2025-15446 | VDB-339479 | Seeyon Zhiyuan OA Web Application System fixedAssetsList.j%73p sql injection VDB-339479 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721917 | Seeyou Collaborative Platform V1.0 SQL Injection https://github.com/xiaozipang/CVE/issues/2 |
| Seeyon–Zhiyuan OA Web Application System | A vulnerability has been found in Seeyon Zhiyuan OA Web Application System up to 20251223. This affects an unknown function of the file /assetsGroupReport/assetsService.j%73p. The manipulation of the argument unitCode leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-04 | 7.3 | CVE-2025-15447 | VDB-339480 | Seeyon Zhiyuan OA Web Application System assetsService.j%73p sql injection VDB-339480 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721926 | Seeyou Collaborative Platform V1.0 SQL Injection https://github.com/xinshou-test/CVE/issues/1 |
| Rakessh–Ads24 Lite | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite allows Reflected XSS. This issue affects Ads24 Lite: from n/a through 1.0. | 2025-12-29 | 7.1 | CVE-2025-23458 | https://vdp.patchstack.com/database/wordpress/plugin/wp-ad-management/vulnerability/wordpress-ads24-lite-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sleekplan–Sleekplan | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sleekplan allows Reflected XSS. This issue affects Sleekplan: from n/a through 0.2.0. | 2025-12-29 | 7.1 | CVE-2025-23469 | https://vdp.patchstack.com/database/wordpress/plugin/sleekplan/vulnerability/wordpress-sleekplan-plugin-0-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kemal YAZICI–Product Puller | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kemal YAZICI Product Puller allows Reflected XSS. This issue affects Product Puller: from n/a through 1.5.1. | 2025-12-29 | 7.1 | CVE-2025-23550 | https://vdp.patchstack.com/database/wordpress/plugin/product-puller/vulnerability/wordpress-product-puller-plugin-1-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jakub Glos–Off Page SEO | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jakub Glos Off Page SEO allows Reflected XSS. This issue affects Off Page SEO: from n/a through 3.0.3. | 2025-12-29 | 7.1 | CVE-2025-23554 | https://vdp.patchstack.com/database/wordpress/plugin/off-page-seo/vulnerability/wordpress-off-page-seo-plugin-3-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Omar Mohamed Mohamoud–LIVE TV | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Omar Mohamed Mohamoud LIVE TV allows Reflected XSS. This issue affects LIVE TV: from n/a through 1.2. | 2025-12-31 | 7.1 | CVE-2025-23608 | https://vdp.patchstack.com/database/wordpress/plugin/live-tv/vulnerability/wordpress-live-tv-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Christopher Churchill–custom-post-edit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christopher Churchill custom-post-edit allows Reflected XSS. This issue affects custom-post-edit: from n/a through 1.0.4. | 2025-12-31 | 7.1 | CVE-2025-23667 | https://vdp.patchstack.com/database/wordpress/plugin/front-end-post-edit/vulnerability/wordpress-custom-post-edit-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Terry Zielke–Zielke Design Project Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery allows Reflected XSS. This issue affects Zielke Design Project Gallery: from n/a through 2.5.0. | 2025-12-31 | 7.1 | CVE-2025-23705 | https://vdp.patchstack.com/database/wordpress/plugin/zielke-design-project-gallery/vulnerability/wordpress-zielke-design-project-gallery-plugin-2-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Matamko–En Masse | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse allows Reflected XSS. This issue affects En Masse: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-23707 | https://vdp.patchstack.com/database/wordpress/plugin/en-masse-wp/vulnerability/wordpress-en-masse-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| zckevin–ZhinaTwitterWidget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zckevin ZhinaTwitterWidget allows Reflected XSS. This issue affects ZhinaTwitterWidget: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-23719 | https://vdp.patchstack.com/database/wordpress/plugin/zhina-twitter-widget/vulnerability/wordpress-zhinatwitterwidget-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Proloy Chakroborty–ZD Scribd iPaper | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proloy Chakroborty ZD Scribd iPaper allows Reflected XSS. This issue affects ZD Scribd iPaper: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-23757 | https://vdp.patchstack.com/database/wordpress/plugin/zd-scribd-ipaper/vulnerability/wordpress-zd-scribd-ipaper-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themefy–Bloggie | Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS. This issue affects Bloggie: from n/a through 2.0.8. | 2025-12-31 | 7.1 | CVE-2025-31054 | https://vdp.patchstack.com/database/wordpress/theme/bloggie/vulnerability/wordpress-bloggie-2-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Petlibrio–Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation. | 2026-01-03 | 7.3 | CVE-2025-3646 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Authorization Bypass via Device Share API |
| Petlibrio–Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device control APIs to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization checks. | 2026-01-03 | 7.3 | CVE-2025-3653 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder through 1.7.31 Platform Improper Access Control via API endpoint |
| ZoomSounds–ZoomSounds | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ZoomSounds allows Reflected XSS. This issue affects ZoomSounds: from n/a through 6.91. | 2025-12-31 | 7.1 | CVE-2025-47566 | https://vdp.patchstack.com/database/wordpress/plugin/dzs-zoomsounds/vulnerability/wordpress-zoomsounds-plugin-6-91-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Zoho Mail–Zoho ZeptoMail | Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail allows Stored XSS. This issue affects Zoho ZeptoMail: from n/a through 3.3.1. | 2025-12-31 | 7.1 | CVE-2025-49028 | https://vdp.patchstack.com/database/wordpress/plugin/transmail/vulnerability/wordpress-zoho-zeptomail-plugin-3-3-1-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve |
| Wolfgang Häfelinger–Custom Style | Cross-Site Request Forgery (CSRF) vulnerability in Wolfgang Häfelinger Custom Style allows Stored XSS. This issue affects Custom Style: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-49342 | https://vdp.patchstack.com/database/wordpress/plugin/custom-style/vulnerability/wordpress-custom-style-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Socialprofilr–Social Profilr | Cross-Site Request Forgery (CSRF) vulnerability in Socialprofilr Social Profilr allows Stored XSS. This issue affects Social Profilr: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-49343 | https://vdp.patchstack.com/database/wordpress/plugin/social-profilr-display-social-network-profile/vulnerability/wordpress-social-profilr-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Rene Ade–SensitiveTagCloud | Cross-Site Request Forgery (CSRF) vulnerability in Rene Ade SensitiveTagCloud allows Stored XSS. This issue affects SensitiveTagCloud: from n/a through 1.4.1. | 2025-12-31 | 7.1 | CVE-2025-49344 | https://vdp.patchstack.com/database/wordpress/plugin/sensitive-tag-cloud/vulnerability/wordpress-sensitivetagcloud-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| mg12–WP-EasyArchives | Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives allows Stored XSS. This issue affects WP-EasyArchives: from n/a through 3.1.2. | 2025-12-31 | 7.1 | CVE-2025-49345 | https://vdp.patchstack.com/database/wordpress/plugin/wp-easyarchives/vulnerability/wordpress-wp-easyarchives-plugin-3-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Peter Sterling–Simple Archive Generator | Cross-Site Request Forgery (CSRF) vulnerability in Peter Sterling Simple Archive Generator allows Stored XSS. This issue affects Simple Archive Generator: from n/a through 5.2. | 2025-12-31 | 7.1 | CVE-2025-49346 | https://vdp.patchstack.com/database/wordpress/plugin/simple-archive-generator/vulnerability/wordpress-simple-archive-generator-plugin-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Marcin Kijak–Noindex by Path | Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path allows Stored XSS. This issue affects Noindex by Path: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-49353 | https://vdp.patchstack.com/database/wordpress/plugin/noindex-by-path/vulnerability/wordpress-noindex-by-path-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Mindstien Technologies–Recent Posts From Each Category | Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category allows Stored XSS. This issue affects Recent Posts From Each Category: from n/a through 1.4. | 2025-12-31 | 7.1 | CVE-2025-49354 | https://vdp.patchstack.com/database/wordpress/plugin/recent-posts-from-each-category/vulnerability/wordpress-recent-posts-from-each-category-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| nebelhorn–Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in nebelhorn Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App allows Reflected XSS. This issue affects Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App: from n/a through 0.8.8.8. | 2025-12-31 | 7.1 | CVE-2025-50053 | https://vdp.patchstack.com/database/wordpress/plugin/yournewsapp/vulnerability/wordpress-blappsta-mobile-app-plugin-your-native-mobile-iphone-app-and-android-app-plugin-0-8-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| uxper–Sala | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in uxper Sala allows Reflected XSS. This issue affects Sala: from n/a through 1.1.3. | 2025-12-31 | 7.1 | CVE-2025-52739 | https://vdp.patchstack.com/database/wordpress/theme/sala/vulnerability/wordpress-sala-theme-1-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| osuthorpe–Easy Social | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in osuthorpe Easy Social allows Reflected XSS. This issue affects Easy Social: from n/a through 1.3. | 2025-12-31 | 7.1 | CVE-2025-53235 | https://vdp.patchstack.com/database/wordpress/plugin/easy-social-media/vulnerability/wordpress-easy-social-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kopek Reem–ReKord client | CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 2026-01-01 | 7.5 | CVE-2025-55065 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Appointify–Appointify | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Appointify allows Blind SQL Injection. This issue affects Appointify: from n/a through 1.0.8. | 2025-12-30 | 7.6 | CVE-2025-59129 | https://vdp.patchstack.com/database/wordpress/plugin/appointify/vulnerability/wordpress-appointify-plugin-1-0-8-sql-injection-vulnerability?_s_id=cve |
| Hoernerfranz–WP-CalDav2ICS | Cross-Site Request Forgery (CSRF) vulnerability in Hoernerfranz WP-CalDav2ICS allows Stored XSS. This issue affects WP-CalDav2ICS: from n/a through 1.3.4. | 2025-12-30 | 7.1 | CVE-2025-59131 | https://vdp.patchstack.com/database/wordpress/plugin/wp-caldav2ics/vulnerability/wordpress-wp-caldav2ics-plugin-1-3-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| eLEOPARD–Behance Portfolio Manager | Cross-Site Request Forgery (CSRF) vulnerability in eLEOPARD Behance Portfolio Manager allows Stored XSS. This issue affects Behance Portfolio Manager: from n/a through 1.7.5. | 2025-12-31 | 7.1 | CVE-2025-59137 | https://vdp.patchstack.com/database/wordpress/plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| MadrasThemes–MAS Videos | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in MadrasThemes MAS Videos allows PHP Local File Inclusion. This issue affects MAS Videos: from n/a through 1.3.2. | 2025-12-30 | 7.5 | CVE-2025-62753 | https://vdp.patchstack.com/database/wordpress/plugin/masvideos/vulnerability/wordpress-mas-videos-plugin-1-3-2-local-file-inclusion-vulnerability?_s_id=cve |
| Emraan Cheema–CubeWP | Missing Authorization vulnerability in Emraan Cheema CubeWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CubeWP: from n/a through 1.1.27. | 2025-12-29 | 7.5 | CVE-2025-68036 | https://vdp.patchstack.com/database/wordpress/plugin/cubewp-framework/vulnerability/wordpress-cubewp-plugin-1-1-27-broken-access-control-vulnerability?_s_id=cve |
| SignalK–signalk-server | Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a “JavaScript heap out of memory” error due to unbounded in-memory storage of request objects. Version 2.19.0 fixes the issue. | 2026-01-01 | 7.5 | CVE-2025-68272 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-7rqc-ff8m-7j23 https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| Plugin Optimizer–Plugin Optimizer | Missing Authorization vulnerability in Plugin Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Plugin Optimizer: from n/a through 1.3.7. | 2025-12-29 | 7.1 | CVE-2025-68861 | https://vdp.patchstack.com/database/wordpress/plugin/plugin-optimizer/vulnerability/wordpress-plugin-optimizer-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve |
| reDim GmbH–CookieHint WP | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in reDim GmbH CookieHint WP allows PHP Local File Inclusion. This issue affects CookieHint WP: from n/a through 1.0.0. | 2025-12-29 | 7.5 | CVE-2025-68870 | https://vdp.patchstack.com/database/wordpress/plugin/cookiehint-wp/vulnerability/wordpress-cookiehint-wp-plugin-1-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| INVELITY–Invelity SPS connect | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in INVELITY Invelity SPS connect allows Reflected XSS. This issue affects Invelity SPS connect: from n/a through 1.0.8. | 2025-12-29 | 7.1 | CVE-2025-68876 | https://vdp.patchstack.com/database/wordpress/plugin/invelity-sps-connect/vulnerability/wordpress-invelity-sps-connect-plugin-1-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CedCommerce–CedCommerce Integration for Good Market | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in CedCommerce CedCommerce Integration for Good Market allows PHP Local File Inclusion. This issue affects CedCommerce Integration for Good Market: from n/a through 1.0.6. | 2025-12-29 | 7.5 | CVE-2025-68877 | https://vdp.patchstack.com/database/wordpress/plugin/ced-good-market-integration/vulnerability/wordpress-cedcommerce-integration-for-good-market-plugin-1-0-6-local-file-inclusion-vulnerability?_s_id=cve |
| Prasadkirpekar–Advanced Custom CSS | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Prasadkirpekar Advanced Custom CSS allows Reflected XSS. This issue affects Advanced Custom CSS: from n/a through 1.1.0. | 2025-12-29 | 7.1 | CVE-2025-68878 | https://vdp.patchstack.com/database/wordpress/plugin/advanced-custom-css/vulnerability/wordpress-advanced-custom-css-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Councilsoft–Content Grid Slider | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Councilsoft Content Grid Slider allows Reflected XSS. This issue affects Content Grid Slider: from n/a through 1.5. | 2025-12-29 | 7.1 | CVE-2025-68879 | https://vdp.patchstack.com/database/wordpress/plugin/content-grid-slider/vulnerability/wordpress-content-grid-slider-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Page Carbajal–Custom Post Status | Cross-Site Request Forgery (CSRF) vulnerability in Page Carbajal Custom Post Status allows Stored XSS. This issue affects Custom Post Status: from n/a through 1.1.0. | 2025-12-31 | 7.1 | CVE-2025-68885 | https://vdp.patchstack.com/database/wordpress/plugin/custom-post-status/vulnerability/wordpress-custom-post-status-plugin-1-1-0-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve |
| thorsten–phpMyFAQ | phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue. | 2025-12-29 | 7.5 | CVE-2025-69200 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a |
| coturn–coturn | coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Additionally, random numbers aren’t generated with openssl’s RAND_bytes but libc’s random() (if it’s not running on Windows). When fetching about 50 sequential nonces (i.e., through sending 50 unauthenticated allocation requests) it is possible to completely reconstruct the current state of the random number generator, thereby predicting the next nonce. This allows authentication while spoofing IPs. An attacker can send authenticated messages without ever receiving the responses, including the nonce (requires knowledge of the credentials, which is e.g., often the case in IoT settings). Since the port randomization is deterministic given the pseudorandom seed, an attacker can exactly reconstruct the ports and hence predict the randomization of the ports. If an attacker allocates a relay port, they know the current port, and they are able to predict the next relay port (at least if it is not used before). Commit 11fc465f4bba70bb0ad8aae17d6c4a63a29917d9 contains a fix. | 2025-12-30 | 7.7 | CVE-2025-69217 | https://github.com/coturn/coturn/security/advisories/GHSA-fvj6-9jhg-9j84 https://github.com/coturn/coturn/commit/11fc465f4bba70bb0ad8aae17d6c4a63a29917d9 https://github.com/coturn/coturn/commit/88ced471385869d7e7fbbc4766e78ef521b36af6 |
| serverless–serverless | The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework’s built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process’s privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Version 4.29.3 fixes the issue. | 2025-12-30 | 7.5 | CVE-2025-69256 | https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6 https://github.com/serverless/serverless/commit/681ca039550c7169369f98780c6301a00f2dc4c4 https://github.com/serverless/serverless/blob/6213453da7df375aaf12fb3522ab8870488fc59a/packages/mcp/src/tools/list-projects.js#L68 https://github.com/serverless/serverless/releases/tag/sf-core%404.29.3 |
| Plex–Media Server | In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account. | 2026-01-02 | 7.1 | CVE-2025-69415 | https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md |
| itsourcecode–School Management System | A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-01 | 7.3 | CVE-2026-0544 | VDB-339331 \| itsourcecode School Management System index.php sql injection VDB-339331 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #728909 \| itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/31 https://itsourcecode.com/ |
| code-projects–Content Management System | A vulnerability was determined in code-projects Content Management System 1.0. This impacts an unknown function of the file search.php. This manipulation of the argument Value causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-02 | 7.3 | CVE-2026-0546 | VDB-339338 \| code-projects Content Management System search.php sql injection VDB-339338 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #728924 \| Code-projects Content Management System v1.0 SQL Injection https://github.com/gtxy114514/CVE/issues/1 https://code-projects.org/ |
| code-projects–Content Management System | A weakness has been identified in code-projects Content Management System 1.0. This issue affects some unknown processing of the file /admin/delete.php. Executing manipulation of the argument del can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-02 | 7.3 | CVE-2026-0565 | VDB-339377 \| code-projects Content Management System delete.php sql injection VDB-339377 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729227 \| Code-projects Content Management System v1.0 SQL Injection https://github.com/Limingqian123/CVE/issues/12 https://code-projects.org/ |
| code-projects–Content Management System | A vulnerability was detected in code-projects Content Management System 1.0. The affected element is an unknown function of the file /pages.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-01-02 | 7.3 | CVE-2026-0567 | VDB-339379 \| code-projects Content Management System pages.php sql injection VDB-339379 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729229 \| Code-projects Content Management System v1.0 SQL injection https://github.com/Limingqian123/CVE/issues/14 https://code-projects.org/ |
| code-projects–Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-01-02 | 7.3 | CVE-2026-0568 | VDB-339380 \| code-projects Online Music Site ViewSongs.php sql injection VDB-339380 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729251 \| Code-projects ONLINE MUSIC SITE v1.0 SQL Injection https://github.com/Limingqian123/CVE/issues/15 https://code-projects.org/ |
| code-projects–Online Music Site | A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown function of the file /Frontend/AlbumByCategory.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-01-02 | 7.3 | CVE-2026-0569 | VDB-339381 \| code-projects Online Music Site AlbumByCategory.php sql injection VDB-339381 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729252 \| Code-projects ONLINE MUSIC SITE v1.0 SQL Injection https://github.com/Limingqian123/CVE/issues/16 https://code-projects.org/ |
| code-projects–Online Music Site | A vulnerability was found in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Frontend/Feedback.php. Performing manipulation of the argument fname results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-01-02 | 7.3 | CVE-2026-0570 | VDB-339382 \| code-projects Online Music Site Feedback.php sql injection VDB-339382 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729253 \| Code-projects ONLINE MUSIC SITE v1.0 SQL Injection https://github.com/Limingqian123/CVE/issues/18 https://code-projects.org/ |
| code-projects–Online Product Reservation System | A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. This impacts an unknown function of the file /handgunner-administrator/adminlogin.php of the component Administrator Login. Such manipulation of the argument emailadd/pass leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-01-04 | 7.3 | CVE-2026-0575 | VDB-339459 \| code-projects Online Product Reservation System Administrator Login adminlogin.php sql injection VDB-339459 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731011 \| code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_login.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_login.md#poc https://code-projects.org/ |
| code-projects–Online Product Reservation System | A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-04 | 7.3 | CVE-2026-0576 | VDB-339460 \| code-projects Online Product Reservation System Parameter prod.php sql injection VDB-339460 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731012 \| code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md#poc https://code-projects.org/ |
| code-projects–Online Product Reservation System | A vulnerability has been found in code-projects Online Product Reservation System 1.0. Affected by this issue is some unknown functionality of the file /handgunner-administrator/delete.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-01-04 | 7.3 | CVE-2026-0578 | VDB-339462 \| code-projects Online Product Reservation System delete.php sql injection VDB-339462 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731075 \| code-projects Online Product Reservation system in PHP with source code V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_delete.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_delete.php.md#poc https://code-projects.org/ |
| code-projects–Online Product Reservation System | A vulnerability was found in code-projects Online Product Reservation System 1.0. This affects an unknown part of the file /handgunner-administrator/edit.php of the component POST Parameter Handler. The manipulation of the argument prod_id/name/price/model/serial results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-01-04 | 7.3 | CVE-2026-0579 | VDB-339463 \| code-projects Online Product Reservation System POST Parameter edit.php sql injection VDB-339463 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731091 \| code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_edit.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_edit.php.md#poc https://code-projects.org/ |
| emlog–emlog | Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available. | 2026-01-02 | 7.7 | CVE-2026-21433 | https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4 |
| bagisto–bagisto | Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer’s order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue. | 2026-01-02 | 7.1 | CVE-2026-21447 | https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3 |
| msgpack–msgpack-java | MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation. The vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems. Version 0.9.11 fixes the vulnerability. | 2026-01-02 | 7.5 | CVE-2026-21452 | https://github.com/msgpack/msgpack-java/security/advisories/GHSA-cw39-r4h6-8j3x https://github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae https://github.com/msgpack/msgpack-java/releases/tag/v0.9.11 |
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| COMMAX Co., Ltd.–COMMAX Biometric Access Control System | COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters ‘CMX_ADMIN_NM’ and ‘CMX_COMPLEX_NM’. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim’s browser session. | 2025-12-31 | 6.1 | CVE-2021-47743 | Zero Science Lab Disclosure (ZSL-2021-5660) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry Vendor Homepage VulnCheck Advisory: COMMAX Biometric Access Control System 1.0.0 Reflected XSS via Cookie Parameters |
| SOUND4 Ltd.–Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these static credentials to gain unauthorized access to the device across Linux and Windows distributions without requiring user interaction. | 2025-12-30 | 6.5 | CVE-2022-50696 | Zero Science Lab Disclosure (ZSL-2022-5729) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Hardcoded Credentials Authentication Bypass |
| ETAP Lighting International NV–ETAP Safety Manager | ETAP Safety Manager 1.0.0.32 contains a cross-site scripting vulnerability in the ‘action’ GET parameter that allows unauthenticated attackers to inject malicious HTML and JavaScript. Attackers can craft specially formed requests to execute arbitrary scripts in victim browser sessions, potentially stealing credentials or performing unauthorized actions. | 2025-12-30 | 6.1 | CVE-2022-50802 | Zero Science Lab Disclosure (ZSL-2022-5711) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database ETAP Vendor Homepage VulnCheck Advisory: ETAP Safety Manager 1.0.0.32 Unauthenticated Reflected Cross-Site Scripting via Action Parameter |
| JM-DATA ONU–JF511-TV | JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to cross-site request forgery (CSRF) attacks, allowing attackers to perform administrative actions on behalf of authenticated users without their knowledge or consent. | 2025-12-30 | 6.5 | CVE-2022-50804 | Zero Science Lab Disclosure (ZSL-2022-5708) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Entry JM-DATA Vendor Homepage VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Cross-Site Request Forgery (CSRF) Vulnerability |
| smackcoders–WP Import Ultimate CSV XML Importer for WordPress | The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data. | 2026-01-01 | 6.4 | CVE-2025-14627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/87040f2b-4de0-4a8d-ae30-b340638a6df2?source=cve https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L73 https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L290 https://plugins.trac.wordpress.org/changeset/3421699/wp-ultimate-csv-importer/trunk/uploadModules/UrlUpload.php |
| Rapid7–Velociraptor | Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a “.”, only encoding the final “.” as “%2E”. Although files can be written to incorrect locations, the containing directory must end with “%2E”. This limits the impact of this vulnerability, and prevents it from overwriting critical files. | 2025-12-29 | 6.8 | CVE-2025-14728 | https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/ |
| Kings Information & Network Co.–KESS Enterprise | Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co. KESS Enterprise on Windows allows Privilege Escalation, Modify Existing Service, Modify Shared File. This issue affects KESS Enterprise: before *.25.9.19.exe | 2025-12-29 | 6.3 | CVE-2025-15065 | https://www.kings.co.kr/solution/01/KESS.jsp?O=10.64&B=Chrome |
| Innorix–Innorix WP | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Missing Authorization vulnerability in Innorix WP allows Path Traversal. This issue affects all versions of Innorix WP if the “exam” directory exists under the directory where the product is installed (e.g. innorix/exam). | 2025-12-29 | 6.2 | CVE-2025-15066 | https://www.innorix.com/ https://www.gnit.co.kr/software/innorix_product.html |
| Petlibrio–Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can send requests to /member/auth/thirdLogin with arbitrary Google IDs and phoneBrand parameters to obtain full session tokens and account access without proper OAuth verification. | 2026-01-03 | 6.5 | CVE-2025-15115 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Authentication Bypass via API endpoint |
| D-Link–DWR-M920 | A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. This manipulation of the argument fota_url causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-12-29 | 6.3 | CVE-2025-15191 | VDB-338576 | D-Link DWR-M920 formLtefotaUpgradeFibocom sub_4155B4 command injection VDB-338576 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #723554 | D-Link DWR-M920 V1.1.50 Command Injection https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md#poc https://www.dlink.com/ |
| D-Link–DWR-M920 | A security vulnerability has been detected in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_415328 of the file /boafrm/formLtefotaUpgradeQuectel. Such manipulation of the argument fota_url leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-12-29 | 6.3 | CVE-2025-15192 | VDB-338577 | D-Link DWR-M920 formLtefotaUpgradeQuectel sub_415328 command injection VDB-338577 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #723555 | D-Link DWR-M920 V1.1.50 Command Injection https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeQuectel.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeQuectel.md#poc https://www.dlink.com/ |
| code-projects–College Notes Uploading System | A security vulnerability has been detected in code-projects College Notes Uploading System 1.0. Impacted is an unknown function of the file /dashboard/userprofile.php. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-29 | 6.3 | CVE-2025-15199 | VDB-338586 | code-projects College Notes Uploading System userprofile.php unrestricted upload VDB-338586 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724794 | Code-projects College Notes Uploading System v1.0 Arbitrary file upload vulnerability https://github.com/jjjjj-zr/jjjjjzr18/issues/1 https://code-projects.org/ |
| code-projects–Student File Management System | A vulnerability was identified in code-projects Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /download.php. The manipulation of the argument istore_id leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-12-29 | 6.3 | CVE-2025-15205 | VDB-338592 | code-projects Student File Management System download.php sql injection VDB-338592 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724818 | Code-Projects Student File Management System V1.0 SQL Injection Vulnerability https://github.com/Bai-public/CVE/issues/4 https://code-projects.org/ |
| code-projects–Refugee Food Management System | A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown part of the file /home/editfood.php. This manipulation of the argument a/b/c/d causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-12-29 | 6.3 | CVE-2025-15209 | VDB-338594 | code-projects Refugee Food Management System editfood.php sql injection VDB-338594 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722803 | code-projects Refugee Food Management System 1.0 SQL Injection Submit #724713 | Code-projects Refugee Food Management System v1.0 SQL injection (Duplicate) https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editfood.php.md https://code-projects.org/ |
| code-projects–Refugee Food Management System | A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This vulnerability affects unknown code of the file /home/editrefugee.php. Such manipulation of the argument a/b/c/sex/d/e/nationality_nid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-12-29 | 6.3 | CVE-2025-15210 | VDB-338595 | code-projects Refugee Food Management System editrefugee.php sql injection VDB-338595 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722804 | code-projects Refugee Food Management System 1.0 SQL Injection https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editrefugee.php.md https://code-projects.org/ |
| code-projects–Refugee Food Management System | A flaw has been found in code-projects Refugee Food Management System 1.0. Impacted is an unknown function of the file /home/refugee.php. Executing manipulation of the argument refNo/Fname/Lname/sex/age/contact/nationality_nid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-12-30 | 6.3 | CVE-2025-15211 | VDB-338597 | code-projects Refugee Food Management System refugee.php sql injection VDB-338597 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722806 | code-projects Refugee Food Management System 1.0 SQL Injection https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_refugee.php.md https://code-projects.org/ |
| code-projects–Refugee Food Management System | A vulnerability was detected in code-projects Refugee Food Management System 1.0. This issue affects some unknown processing of the file /home/regfood.php. Performing manipulation of the argument a results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-12-30 | 6.3 | CVE-2025-15212 | VDB-338596 | code-projects Refugee Food Management System regfood.php sql injection VDB-338596 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722807 | code-projects Refugee Food Management System 1.0 SQL Injection Submit #724712 | Code-projects Refugee Food Management System v1.0 SQL injection (Duplicate) https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_regfood.php.md https://code-projects.org/ |
| aizuda–snail-job | A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-12-30 | 6.3 | CVE-2025-15246 | VDB-338636 | aizuda snail-job API FurySerializer.deserialize deserialization VDB-338636 | CTI Indicators (IOB, IOC, IOA) https://gitee.com/aizuda/snail-job/issues/ICQV61 |
| Tenda–W6-S | A vulnerability was found in Tenda W6-S 1.0.0.4(510). This affects the function TendaAte of the file /goform/ate of the component ATE Service. Performing manipulation results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-12-30 | 6.3 | CVE-2025-15254 | VDB-338644 | Tenda W6-S ATE Service ate TendaAte os command injection VDB-338644 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725499 | Tenda W6-S V1.0.0.4(510) OS Command Injection https://github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md https://www.tenda.com.cn/ |
| NetVision Information–ISOinsight | ISOinsight developed by NetVision Information has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user’s browser through phishing attacks. | 2025-12-30 | 6.1 | CVE-2025-15355 | https://www.twcert.org.tw/tw/cp-132-10609-0221b-1.html https://www.twcert.org.tw/en/cp-139-10610-b98b4-2.html |
| D-Link–DI-7400G+ | A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-12-30 | 6.3 | CVE-2025-15357 | VDB-338743 | D-Link DI-7400G+ msp_info.htm command injection VDB-338743 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #726376 | D-Link D-Link DI_7400G+ V19.12.25A1 Command Injection https://github.com/xyh4ck/iot_poc/tree/main/D-Link_DI_7400G%2B_Command_Injection https://www.dlink.com/ |
| n/a–EyouCMS | A security vulnerability has been detected in EyouCMS up to 1.7.7. Impacted is the function saveRemote of the file application/function.php. Such manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor is “[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8”. | 2025-12-31 | 6.3 | CVE-2025-15373 | VDB-339081 | EyouCMS function.php saveRemote server-side request forgery VDB-339081 | CTI Indicators (IOB, IOC, IOA) Submit #718465 | Eyoucms 1.7.7 SSRF Vulnerability https://note-hxlab.wetolink.com/share/DeUFyoSjsPPK https://note-hxlab.wetolink.com/share/DeUFyoSjsPPK#-span–strong-proof-of-concept—strong—span- |
| n/a–EyouCMS | A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is “[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8”. | 2025-12-31 | 6.3 | CVE-2025-15375 | VDB-339083 | EyouCMS arcpagelist Ajax.php unserialize deserialization VDB-339083 | CTI Indicators (IOB, IOC, IOA) Submit #718481 | EyouCMS 1.7.7 Deserialization https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh#-span–strong-proof-of-concept—strong—span- |
| PHPGurukul–Small CRM | A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-12-31 | 6.3 | CVE-2025-15390 | VDB-339151 | PHPGurukul Small CRM edit-user.php authorization VDB-339151 | CTI Indicators (IOB, IOC, IOA) Submit #727430 | PHPGurukul PHPGurukul Small Customer Relationship Management v4.0 Missing Authorization https://github.com/rsecroot/Small-Customer-Relationship-Management-CRM-in-PHP/blob/main/Broken%20Access%20Control.md https://phpgurukul.com/ |
| D-Link–DIR-806A | A weakness has been identified in D-Link DIR-806A 100CNb11. Affected is the function ssdpcgi_main of the component SSDP Request Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-31 | 6.3 | CVE-2025-15391 | VDB-339152 | D-Link DIR-806A SSDP Request ssdpcgi_main command injection VDB-339152 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727637 | D-Link DIR-806A DIR806A1_FW100CNb11.bin Command Injection https://github.com/ccc-iotsec/cve-/blob/D-Link/D-Link%20DIR-806A%E6%9C%AA%E6%8E%88%E6%9D%83RCE.md https://www.dlink.com/ |
| Kohana–KodiCMS | A weakness has been identified in Kohana KodiCMS up to 13.82.135. This affects the function like of the file cms/modules/pages/classes/kodicms/model/page.php of the component Search API Endpoint. Executing manipulation of the argument keyword can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 6.3 | CVE-2025-15392 | VDB-339161 | Kohana KodiCMS Search API Endpoint page.php like sql injection VDB-339161 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #718289 | KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 SQL Injection |
| Kohana–KodiCMS | A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 6.3 | CVE-2025-15393 | VDB-339162 | Kohana KodiCMS Layout API Endpoint file.php save code injection VDB-339162 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #718290 | KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 Code Injection |
| campcodes–School File Management System | A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-01 | 6.3 | CVE-2025-15404 | VDB-339324 | campcodes School File Management System save_file.php unrestricted upload VDB-339324 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728102 | campcodes School File Management System V1.0 Unrestricted Upload https://github.com/LaneyYu/cve/issues/7 https://www.campcodes.com/ |
| PHPGurukul–Online Course Registration | A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-01 | 6.3 | CVE-2025-15406 | VDB-339326 | PHPGurukul Online Course Registration authorization VDB-339326 | CTI Indicators (IOB, IOC) Submit #728354 | PHPGurukul Online Course Registration v3.1 Missing Authorization https://github.com/rsecroot/Online-Course-Registration/blob/main/Broken%20Access%20Control.md https://phpgurukul.com/ |
| EmpireSoft–EmpireCMS | A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 6.3 | CVE-2025-15423 | VDB-339345 | EmpireSoft EmpireCMS connect.php CheckSaveTranFiletype unrestricted upload VDB-339345 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721346 | EmpireSoft EmpireCMS <= 8.0 Unrestricted Upload https://note-hxlab.wetolink.com/share/28QXRLje7Uz1 https://note-hxlab.wetolink.com/share/28QXRLje7Uz1#-span–strong-proof-of-concept—strong—span- |
| n/a–Daptin | A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 6.3 | CVE-2025-15439 | VDB-339384 | Daptin Aggregate API resource_aggregate.go goqu.L sql injection VDB-339384 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #719742 | Daptin https://github.com/daptin/daptin 0.10.3 SQL Injection https://note-hxlab.wetolink.com/share/yMZ8oEgMTAur https://note-hxlab.wetolink.com/share/yMZ8oEgMTAur#-span–strong-proof-of-concept—strong—span- |
| AA-Team–Pro Bulk Watermark Plugin for WordPress | Path Traversal: ‘.../...//’ vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through 2.0. | 2025-12-31 | 6.5 | CVE-2025-28973 | https://vdp.patchstack.com/database/wordpress/theme/pro-watermark/vulnerability/wordpress-pro-bulk-watermark-plugin-for-wordpress-2-0-path-traversal-vulnerability?_s_id=cve |
| Petlibrio–Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain a broken access control vulnerability that allows authenticated users to access other users’ pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to retrieve sensitive information including pet details, member IDs, and avatar URLs without proper authorization checks. | 2026-01-03 | 6.5 | CVE-2025-3660 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Broken Access Control via API endpoint |
| Audiomack–Audiomack | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Audiomack allows Stored XSS. This issue affects Audiomack: from n/a through 1.4.8. | 2025-12-31 | 6.5 | CVE-2025-49357 | https://vdp.patchstack.com/database/wordpress/plugin/audiomack/vulnerability/wordpress-audiomack-plugin-1-4-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ruhul Amin–Content Fetcher | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Ruhul Amin Content Fetcher allows DOM-Based XSS. This issue affects Content Fetcher: from n/a through 1.1. | 2025-12-31 | 6.5 | CVE-2025-49358 | https://vdp.patchstack.com/database/wordpress/plugin/content-fetcher/vulnerability/wordpress-content-fetcher-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Priority–Web | CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’) | 2025-12-29 | 6.1 | CVE-2025-55060 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Neilgee–Bootstrap Modals | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Neilgee Bootstrap Modals allows Stored XSS. This issue affects Bootstrap Modals: from n/a through 1.3.2. | 2025-12-31 | 6.5 | CVE-2025-62095 | https://vdp.patchstack.com/database/wordpress/plugin/bootstrap-modals/vulnerability/wordpress-bootstrap-modals-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPFactory–Maximum Products per User for WooCommerce | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPFactory Maximum Products per User for WooCommerce allows Stored XSS. This issue affects Maximum Products per User for WooCommerce: from n/a through 4.4.2. | 2025-12-31 | 6.5 | CVE-2025-62096 | https://vdp.patchstack.com/database/wordpress/plugin/maximum-products-per-user-for-woocommerce/vulnerability/wordpress-maximum-products-per-user-for-woocommerce-plugin-4-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SEOthemes–SEO Slider | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in SEOthemes SEO Slider allows DOM-Based XSS. This issue affects SEO Slider: from n/a through 1.1.1. | 2025-12-31 | 6.5 | CVE-2025-62097 | https://vdp.patchstack.com/database/wordpress/plugin/seo-slider/vulnerability/wordpress-seo-slider-plugin-1-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Webvitaly–Extra Shortcodes | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Webvitaly Extra Shortcodes allows Stored XSS. This issue affects Extra Shortcodes: from n/a through 2.2. | 2025-12-31 | 6.5 | CVE-2025-62111 | https://vdp.patchstack.com/database/wordpress/plugin/extra-shortcodes/vulnerability/wordpress-extra-shortcodes-plugin-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kcseopro–AdWords Conversion Tracking Code | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in kcseopro AdWords Conversion Tracking Code allows Stored XSS. This issue affects AdWords Conversion Tracking Code: from n/a through 1.0. | 2025-12-31 | 6.5 | CVE-2025-62118 | https://vdp.patchstack.com/database/wordpress/plugin/adwords-conversion-tracking-code/vulnerability/wordpress-adwords-conversion-tracking-code-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Anshul Gangrade–Custom Background Changer | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS. This issue affects Custom Background Changer: from n/a through 3.0. | 2025-12-31 | 6.5 | CVE-2025-62125 | https://vdp.patchstack.com/database/wordpress/plugin/custom-background-changer/vulnerability/wordpress-custom-background-changer-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| landwire–Responsive Block Control | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in landwire Responsive Block Control allows DOM-Based XSS. This issue affects Responsive Block Control: from n/a through 1.2.9. | 2025-12-31 | 6.5 | CVE-2025-62135 | https://vdp.patchstack.com/database/wordpress/plugin/responsive-block-control/vulnerability/wordpress-responsive-block-control-plugin-1-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThinkUpThemes–Melos | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThinkUpThemes Melos allows Stored XSS. This issue affects Melos: from n/a through 1.6.0. | 2025-12-31 | 6.5 | CVE-2025-62136 | https://vdp.patchstack.com/database/wordpress/theme/melos/vulnerability/wordpress-melos-theme-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shuttlethemes–Shuttle | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Shuttlethemes Shuttle allows Stored XSS. This issue affects Shuttle: from n/a through 1.5.0. | 2025-12-31 | 6.5 | CVE-2025-62137 | https://vdp.patchstack.com/database/wordpress/theme/shuttle/vulnerability/wordpress-shuttle-theme-1-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Maksym Marko–MX Time Zone Clocks | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Maksym Marko MX Time Zone Clocks allows Stored XSS. This issue affects MX Time Zone Clocks: from n/a through 5.1.1. | 2025-12-31 | 6.5 | CVE-2025-62146 | https://vdp.patchstack.com/database/wordpress/plugin/mx-time-zone-clocks/vulnerability/wordpress-mx-time-zone-clocks-plugin-5-1-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| Curator.io–Curator.io | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Curator.Io allows Stored XSS. This issue affects Curator.Io: from n/a through 1.9.5. | 2025-12-31 | 6.5 | CVE-2025-62742 | https://vdp.patchstack.com/database/wordpress/plugin/curatorio/vulnerability/wordpress-curator-io-plugin-1-9-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| zookatron–MyBookTable Bookstore | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in zookatron MyBookTable Bookstore allows Stored XSS. This issue affects MyBookTable Bookstore: from n/a through 3.5.5. | 2025-12-31 | 6.5 | CVE-2025-62743 | https://vdp.patchstack.com/database/wordpress/plugin/mybooktable/vulnerability/wordpress-mybooktable-bookstore-plugin-3-5-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Chris Steman–Page Title Splitter | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Chris Steman Page Title Splitter allows Stored XSS. This issue affects Page Title Splitter: from n/a through 2.5.9. | 2025-12-31 | 6.5 | CVE-2025-62744 | https://vdp.patchstack.com/database/wordpress/plugin/page-title-splitter/vulnerability/wordpress-page-title-splitter-plugin-2-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CodeFlavors–Featured Video for WordPress & VideographyWP | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CodeFlavors Featured Video for WordPress & VideographyWP allows Stored XSS. This issue affects Featured Video for WordPress & VideographyWP: from n/a through 1.0.18. | 2025-12-30 | 6.5 | CVE-2025-62746 | https://vdp.patchstack.com/database/wordpress/plugin/videographywp/vulnerability/wordpress-featured-video-for-wordpress-videographywp-plugin-1-0-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Genetech Products–Web and WooCommerce Addons for WPBakery Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Genetech Products Web and WooCommerce Addons for WPBakery Builder allows DOM-Based XSS. This issue affects Web and WooCommerce Addons for WPBakery Builder: from n/a through 1.5. | 2025-12-31 | 6.5 | CVE-2025-62748 | https://vdp.patchstack.com/database/wordpress/plugin/vc-addons-by-bit14/vulnerability/wordpress-web-and-woocommerce-addons-for-wpbakery-builder-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bainternet–User Specific Content | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Bainternet User Specific Content allows DOM-Based XSS. This issue affects User Specific Content: from n/a through 1.0.6. | 2025-12-31 | 6.5 | CVE-2025-62749 | https://vdp.patchstack.com/database/wordpress/plugin/user-specific-content/vulnerability/wordpress-user-specific-content-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kalender.digital–Calendar.online / Kalender.digital | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in kalender.Digital Calendar.Online / Kalender.Digital allows DOM-Based XSS. This issue affects Calendar.Online / Kalender.Digital: from n/a through 1.0.11. | 2025-12-31 | 6.5 | CVE-2025-62752 | https://vdp.patchstack.com/database/wordpress/plugin/kalender-digital/vulnerability/wordpress-calendar-online-kalender-digital-plugin-1-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| lvaudore–The Moneytizer | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in lvaudore The Moneytizer allows DOM-Based XSS. This issue affects The Moneytizer: from n/a through 10.0.6. | 2025-12-31 | 6.5 | CVE-2025-62756 | https://vdp.patchstack.com/database/wordpress/plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WebMan Design | Oliver Juhas–WebMan Amplifier | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WebMan Design | Oliver Juhas WebMan Amplifier allows DOM-Based XSS. This issue affects WebMan Amplifier: from n/a through 1.5.12. | 2025-12-31 | 6.5 | CVE-2025-62757 | https://vdp.patchstack.com/database/wordpress/plugin/webman-amplifier/vulnerability/wordpress-webman-amplifier-plugin-1-5-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Funnelforms–Funnelforms Free | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Funnelforms Funnelforms Free allows DOM-Based XSS. This issue affects Funnelforms Free: from n/a through 3.8. | 2025-12-31 | 6.5 | CVE-2025-62758 | https://vdp.patchstack.com/database/wordpress/plugin/funnelforms-free/vulnerability/wordpress-funnelforms-free-plugin-3-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Justin Tadlock–Series | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Justin Tadlock Series allows Stored XSS. This issue affects Series: from n/a through 2.0.1. | 2025-12-31 | 6.5 | CVE-2025-62759 | https://vdp.patchstack.com/database/wordpress/plugin/series/vulnerability/wordpress-series-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| BuddyDev–BuddyPress Activity Shortcode | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS. This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8. | 2025-12-31 | 6.5 | CVE-2025-62760 | https://vdp.patchstack.com/database/wordpress/plugin/bp-activity-shortcode/vulnerability/wordpress-buddypress-activity-shortcode-plugin-1-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| BasePress–Knowledge Base documentation & wiki plugin BasePress | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in BasePress Knowledge Base documentation & wiki plugin – BasePress allows Stored XSS. This issue affects Knowledge Base documentation & wiki plugin – BasePress: from n/a through 2.17.0.1. | 2025-12-31 | 6.5 | CVE-2025-62761 | https://vdp.patchstack.com/database/wordpress/plugin/basepress/vulnerability/wordpress-knowledge-base-documentation-wiki-plugin-basepress-plugin-2-17-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Livemesh–Livemesh Addons for Beaver Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Livemesh Livemesh Addons for Beaver Builder addons-for-beaver-builder allows Stored XSS. This issue affects Livemesh Addons for Beaver Builder: from n/a through 3.9.2. | 2025-12-31 | 6.5 | CVE-2025-62990 | https://vdp.patchstack.com/database/wordpress/plugin/addons-for-beaver-builder/vulnerability/wordpress-livemesh-addons-for-beaver-builder-plugin-3-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThinkUpThemes–Minamaze | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThinkUpThemes Minamaze allows Stored XSS.This issue affects Minamaze: from n/a through 1.10.1. | 2025-12-31 | 6.5 | CVE-2025-62991 | https://vdp.patchstack.com/database/wordpress/theme/minamaze/vulnerability/wordpress-minamaze-theme-1-10-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Everest themes–Everest Backup | Cross-Site Request Forgery (CSRF) vulnerability in Everest themes Everest Backup allows Path Traversal.This issue affects Everest Backup: from n/a through 2.3.9. | 2025-12-31 | 6.5 | CVE-2025-62992 | https://vdp.patchstack.com/database/wordpress/plugin/everest-backup/vulnerability/wordpress-everest-backup-plugin-2-3-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WP for church–Sermon Manager | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP for church Sermon Manager allows Stored XSS.This issue affects Sermon Manager: from n/a through 2.30.0. | 2025-12-31 | 6.5 | CVE-2025-63000 | https://vdp.patchstack.com/database/wordpress/plugin/sermon-manager-for-wordpress/vulnerability/wordpress-sermon-manager-plugin-2-30-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tomas–WordPress Tooltips | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Tomas WordPress Tooltips allows Stored XSS.This issue affects WordPress Tooltips: from n/a through 10.7.9. | 2025-12-31 | 6.5 | CVE-2025-63005 | https://vdp.patchstack.com/database/wordpress/plugin/wordpress-tooltips/vulnerability/wordpress-wordpress-tooltips-plugin-10-7-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Wayne Allen–Postie | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Wayne Allen Postie postie allows Stored XSS.This issue affects Postie: from n/a through 1.9.73. | 2025-12-31 | 6.5 | CVE-2025-63020 | https://vdp.patchstack.com/database/wordpress/plugin/postie/vulnerability/wordpress-postie-plugin-1-9-73-cross-site-scripting-xss-vulnerability?_s_id=cve |
| codetipi–Valenti Engine | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in codetipi Valenti Engine allows DOM-Based XSS.This issue affects Valenti Engine: from n/a through 1.0.3. | 2025-12-31 | 6.5 | CVE-2025-63021 | https://vdp.patchstack.com/database/wordpress/plugin/valenti-engine/vulnerability/wordpress-valenti-engine-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Webcreations907–WBC907 Core | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Webcreations907 WBC907 Core allows Stored XSS.This issue affects WBC907 Core: from n/a through 3.4.1. | 2025-12-30 | 6.5 | CVE-2025-63027 | https://vdp.patchstack.com/database/wordpress/plugin/wbc907-core/vulnerability/wordpress-wbc907-core-plugin-3-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThinkUpThemes–Consulting | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThinkUpThemes Consulting allows Stored XSS.This issue affects Consulting: from n/a through 1.5.0. | 2025-12-31 | 6.5 | CVE-2025-63032 | https://vdp.patchstack.com/database/wordpress/theme/consulting/vulnerability/wordpress-consulting-theme-1-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| 8theme.com–XStore Core | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in 8theme.Com XStore Core allows DOM-Based XSS.This issue affects XStore Core: from n/a before 5.6. | 2025-12-30 | 6.5 | CVE-2025-64190 | https://vdp.patchstack.com/database/wordpress/plugin/et-core-plugin/vulnerability/wordpress-xstore-core-plugin-5-6-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| dmccan–Yada Wiki | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Yada Wiki yada-wiki allows Stored XSS.This issue affects Yada Wiki: from n/a through 3.5. | 2025-12-30 | 6.5 | CVE-2025-66094 | https://vdp.patchstack.com/database/wordpress/plugin/yada-wiki/vulnerability/wordpress-yada-wiki-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Revmakx–WPCal.io | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Revmakx WPCal.Io allows DOM-Based XSS.This issue affects WPCal.Io: from n/a through 0.9.5.9. | 2025-12-30 | 6.5 | CVE-2025-66103 | https://vdp.patchstack.com/database/wordpress/plugin/wpcal/vulnerability/wordpress-wpcal-io-plugin-0-9-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Esri–ArcGIS Server | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 2025-12-31 | 6.1 | CVE-2025-67703 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri–ArcGIS Server | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 2025-12-31 | 6.1 | CVE-2025-67704 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri–ArcGIS Server | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 2025-12-31 | 6.1 | CVE-2025-67705 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri–ArcGIS Server | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 2025-12-31 | 6.1 | CVE-2025-67708 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri–ArcGIS Server | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 2025-12-31 | 6.1 | CVE-2025-67709 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri–ArcGIS Server | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 2025-12-31 | 6.1 | CVE-2025-67710 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri–ArcGIS Server | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | 2025-12-31 | 6.1 | CVE-2025-67711 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| weDevs–WP Project Manager | Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 3.0.1. | 2025-12-29 | 6.5 | CVE-2025-68040 | https://vdp.patchstack.com/database/wordpress/plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-29-sensitive-data-exposure-vulnerability?_s_id=cve |
| strukturag–libheif | libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes. | 2025-12-29 | 6.5 | CVE-2025-68431 | https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46 https://github.com/strukturag/libheif/releases/tag/v1.21.0 |
| Crocoblock–JetTabs | Missing Authorization vulnerability in Crocoblock JetTabs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetTabs: from n/a through 2.2.12. | 2025-12-29 | 6.5 | CVE-2025-68498 | https://vdp.patchstack.com/database/wordpress/plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-broken-access-control-vulnerability?_s_id=cve |
| Crocoblock–JetTabs | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Crocoblock JetTabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through 2.2.12. | 2025-12-29 | 6.5 | CVE-2025-68499 | https://vdp.patchstack.com/database/wordpress/plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Crocoblock–JetBlog | Missing Authorization vulnerability in Crocoblock JetBlog allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetBlog: from n/a through 2.4.7. | 2025-12-29 | 6.5 | CVE-2025-68503 | https://vdp.patchstack.com/database/wordpress/plugin/jet-blog/vulnerability/wordpress-jetblog-plugin-2-4-7-broken-access-control-vulnerability?_s_id=cve |
| Crocoblock–JetSearch | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Crocoblock JetSearch allows DOM-Based XSS. This issue affects JetSearch: from n/a through 3.5.16. | 2025-12-29 | 6.5 | CVE-2025-68504 | https://vdp.patchstack.com/database/wordpress/plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-16-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hiroaki Miyashita–Custom Field Template | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS. This issue affects Custom Field Template: from n/a through 2.7.5. | 2025-12-29 | 6.5 | CVE-2025-68607 | https://vdp.patchstack.com/database/wordpress/plugin/custom-field-template/vulnerability/wordpress-custom-field-template-plugin-2-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Codeaffairs–Wp Text Slider Widget | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Codeaffairs Wp Text Slider Widget allows Stored XSS. This issue affects Wp Text Slider Widget: from n/a through 1.0. | 2025-12-29 | 6.5 | CVE-2025-68868 | https://vdp.patchstack.com/database/wordpress/plugin/wp-text-slider-widget/vulnerability/wordpress-wp-text-slider-widget-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SignalK–signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when showing pending requests, but the actual `permissions` field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request `admin` permissions while providing a description that suggests readonly access. The access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client’s IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses. Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue. | 2026-01-01 | 6.3 | CVE-2025-69203 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-vfrf-vcj7-wvr8 https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| olell–uURU | Micro Registration Utility (µURU) is a telephone self registration utility based on asterisk. In versions up to and including commit 88db9a953f38a3026bcd6816d51c7f3b93c55893, an attacker can craft a special federation name, and characters treated as special by asterisk can be injected into the `Dial( )` application due to improper input validation. This allows an attacker to redirect calls on both of the federating instances. If the attack succeeds, the impact is very high. However, the attack requires that an admin accept the federation requests. As of the time of publication, a known patched version of µURU is not available. | 2025-12-29 | 6.3 | CVE-2025-69205 | https://github.com/olell/uURU/security/advisories/GHSA-xvrh-pm3f-79v4 https://docs.asterisk.org/Latest_API/API_Documentation/Dialplan_Applications/Dial |
| AsfhtgkDavid–theshit | theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.config/theshit/`) without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with `sudo` or otherwise runs with an effective UID of root, it continues to trust configuration files originating from the unprivileged user’s environment. This allows a local attacker to inject arbitrary Python code via a malicious rule or configuration file, which is then executed with root privileges. Any system where this tool is executed with elevated privileges is affected. In environments where the tool is permitted to run via `sudo` without a password (`NOPASSWD`), a local unprivileged user can escalate privileges to root without additional interaction. The issue has been fixed in version 0.1.1. The patch introduces strict ownership and permission checks for all configuration files and custom rules. The application now enforces that rules are only loaded if they are owned by the effective user executing the tool. When executed with elevated privileges (`EUID=0`), the application refuses to load any files that are not owned by root or that are writable by non-root users. When executed as a non-root user, it similarly refuses to load rules owned by other users. This prevents both vertical and horizontal privilege escalation via execution of untrusted code. If upgrading is not possible, users should avoid executing the application with `sudo` or as the root user. As a temporary mitigation, ensure that directories containing custom rules and configuration files are owned by root and are not writable by non-root users. Administrators may also audit existing custom rules before running the tool with elevated privileges. | 2025-12-30 | 6.7 | CVE-2025-69257 | https://github.com/AsfhtgkDavid/theshit/security/advisories/GHSA-95qg-89c2-w5hj https://github.com/AsfhtgkDavid/theshit/commit/8e0b565e7876a83b0e1cfbacb8af39dadfdcc500 |
| PHPGurukul–Online Course Registration | A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. | 2026-01-02 | 6.3 | CVE-2026-0547 | VDB-339355 \| PHPGurukul Online Course Registration Student Registration edit-student-profile.php unrestricted upload VDB-339355 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #728988 \| PHPGurukul Online Course Registration v3.1 Cross Site Scripting https://github.com/rsecroot/Online-Course-Registration/blob/main/Cross%20Site%20Scripting.md https://phpgurukul.com/ |
| yeqifu–warehouse | A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse/src/main/java/com/yeqifu/sys/controller/UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | 2026-01-04 | 6.3 | CVE-2026-0574 | VDB-339458 \| yeqifu warehouse Request UserController.java saveUserRole improper authorization VDB-339458 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #729374 \| yeqifu warehouse aaf29962ba407d22d991781de28796ee7b4670e4 vertical privilege escalation https://github.com/5i1encee/Vul/blob/main/Vertical_privilege_escalation_Vulnerability_in_Project_yeqifu_warehouse.md https://github.com/5i1encee/Vul/blob/main/Vertical_privilege_escalation_Vulnerability_in_Project_yeqifu_warehouse.md#poc |
| code-projects–Online Product Reservation System | A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-04 | 6.3 | CVE-2026-0577 | VDB-339461 \| code-projects Online Product Reservation System prod.php unrestricted upload VDB-339461 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731015 \| code-projects Online Product Reservation system in PHP with source code V1.0 Unrestricted Upload https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/file_upload_prod.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/file_upload_prod.php.md#poc https://code-projects.org/ |
| STVS SA–STVS ProVision | STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the ‘files’ POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user’s browser session in the context of the affected site. | 2025-12-31 | 5.4 | CVE-2021-47725 | Zero Science Lab Disclosure (ZSL-2021-5624) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Vendor Homepage VulnCheck Advisory: STVS ProVision 5.9.10 Authenticated Reflected Cross-Site Scripting via Files Parameter |
| CodexThemes–TheGem (Elementor) | Vulnerability in CodexThemes TheGem (Elementor), CodexThemes TheGem (WPBakery). This issue affects TheGem (Elementor): from n/a before 5.8.1.1; TheGem (WPBakery): from n/a before 5.8.1.1. | 2025-12-29 | 5.4 | CVE-2023-32238 | https://vdp.patchstack.com/database/wordpress/theme/thegem-elementor/vulnerability/wordpress-thegem-elementor-theme-5-7-2-broken-access-control-vulnerability?_s_id=cve |
| wpdive–Better Elementor Addons | Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Elementor Addons: from n/a through 1.3.7. | 2025-12-29 | 5.4 | CVE-2023-41656 | https://vdp.patchstack.com/database/wordpress/plugin/better-elementor-addons/vulnerability/wordpress-better-elementor-addons-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve |
| tareq1988–User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ‘Frontend_Form_Ajax::submit_post’ function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments. | 2026-01-02 | 5.3 | CVE-2025-14047 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e95b16f-a25a-45c7-a875-2d34a1e127ce?source=cve https://plugins.trac.wordpress.org/changeset/3430352/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax.php#L25 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax.php#L69 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L35 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L55 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L133 |
| pixelyoursite–PixelYourSite Your smart PIXEL (TAG) & API Manager | The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the “Meta API logs” setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1. | 2025-12-29 | 5.3 | CVE-2025-14280 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe77926-8a43-42ce-9d3d-3aac2334dcbd?source=cve https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.4.2/includes/logger/class-pys-logger.php#L118 https://plugins.trac.wordpress.org/changeset/3424175/pixelyoursite https://plugins.trac.wordpress.org/changeset/3416113/pixelyoursite |
| Gmission–Web Fax | Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse. This issue affects Web Fax: from 3.0 before 4.0. | 2025-12-29 | 5.5 | CVE-2025-15070 | https://www.gmission.co.kr/fax1 |
| n/a–Open5GS | A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue. | 2025-12-29 | 5.3 | CVE-2025-15176 | VDB-338561 \| Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion VDB-338561 \| CTI Indicators (IOB, IOC, IOA) Submit #719830 \| Open5GS v2.7.5 Reachable Assertion https://github.com/open5gs/open5gs/issues/4180 https://github.com/open5gs/open5gs/issues/4180#issuecomment-3615555671 https://github.com/open5gs/open5gs/issues/4180#issue-3666760066 https://github.com/open5gs/open5gs/commit/b72d8349980076e2c033c8324f07747a86eea4f8 |
| Dromara–Sa-Token | A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-30 | 5 | CVE-2025-15222 | VDB-338607 \| Dromara Sa-Token SaSerializerTemplateForJdkUseBase64.java ObjectInputStream.readObject deserialization VDB-338607 \| CTI Indicators (IOB, IOC, IOA) Submit #717703 \| https://github.com/dromara/sa-token Sa-Token <=1.44.0 Deserialization https://github.com/Yohane-Mashiro/satoken-deserialization |
| Tenda–CH22 | A vulnerability has been found in Tenda CH22 up to 1.0.0.1. Affected by this vulnerability is the function fromDhcpListClient of the file /goform/DhcpListClient. Such manipulation of the argument LISTLEN leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 5.3 | CVE-2025-15229 | VDB-338625 \| Tenda CH22 DhcpListClient fromDhcpListClient denial of service VDB-338625 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725472 \| Tenda CH22 V1.0.0.1 Denial of Service https://github.com/master-abc/cve/issues/7 https://www.tenda.com.cn/ |
| beecue–FastBee | A vulnerability was detected in beecue FastBee up to 2.1. Impacted is the function getRootElement of the file springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstractHandler.java of the component SIP Message Handler. The manipulation results in xml external entity reference. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The project owner replied to the issue report: “Okay, we’ll handle it as soon as possible.” | 2025-12-30 | 5.6 | CVE-2025-15251 | VDB-338641 \| beecue FastBee SIP Message ReqAbstractHandler.java getRootElement xml external entity reference VDB-338641 \| CTI Indicators (IOB, IOC, IOA) https://gitee.com/beecue/fastbee/issues/ID7HNZ https://gitee.com/beecue/fastbee/issues/ID7HNZ#note_47777408_link |
| WebAssembly–wabt | A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended that the researcher provide a PR himself. | 2026-01-01 | 5.3 | CVE-2025-15411 | VDB-339332 \| WebAssembly wabt wasm-decompile InsertNode memory corruption VDB-339332 \| CTI Indicators (IOB, IOC, IOA) Submit #719825 \| WebAssembly wabt 1.0.39 and master-branch Heap-based Buffer Overflow https://github.com/WebAssembly/wabt/issues/2679 https://github.com/oneafter/1208/blob/main/af1 |
| WebAssembly–wabt | A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended that the researcher provide a PR himself. | 2026-01-01 | 5.3 | CVE-2025-15412 | VDB-339333 \| WebAssembly wabt wasm-decompile VarName out-of-bounds VDB-339333 \| CTI Indicators (IOB, IOC, IOA) Submit #719826 \| WebAssembly wabt 1.0.39 and master-branch Memory Corruption https://github.com/WebAssembly/wabt/issues/2678 https://github.com/oneafter/1208/blob/main/af1 |
| n/a–wasm3 | A vulnerability was detected in wasm3 up to 0.5.0. Impacted is the function op_SetSlot_i32/op_CallIndirect of the file m3_exec.h. Performing manipulation results in memory corruption. The attack needs to be approached locally. The exploit is now public and may be used. Unfortunately, the project has no active maintainer at the moment. | 2026-01-01 | 5.3 | CVE-2025-15413 | VDB-339334 \| wasm3 m3_exec.h op_CallIndirect memory corruption VDB-339334 \| CTI Indicators (IOB, IOC, IOA) Submit #719829 \| wasm3 v0.5.0 and master-branch Memory Corruption Submit #719831 \| wasm3 v0.5.0 and master-branch Memory Corruption (Duplicate) https://github.com/wasm3/wasm3/issues/543 https://github.com/wasm3/wasm3/issues/547 |
| EmpireSoft–EmpireCMS | A flaw has been found in EmpireSoft EmpireCMS up to 8.0. This issue affects the function egetip of the file e/class/connect.php of the component IP Address Handler. This manipulation causes protection mechanism failure. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 5.3 | CVE-2025-15422 | VDB-339344 \| EmpireSoft EmpireCMS IP Address connect.php egetip protection mechanism VDB-339344 \| CTI Indicators (IOB, IOC, IOA) Submit #721344 \| EmpireCMS <=8.0 Privilege Escalation https://note-hxlab.wetolink.com/share/0x74KEtzecFb https://note-hxlab.wetolink.com/share/0x74KEtzecFb#-span–strong-proof-of-concept—strong—span- |
| yeqifu–carRental | A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. This vulnerability affects the function downloadShowFile of the file /file/downloadShowFile.action of the component com.yeqifu.sys.controller.FileController. The manipulation of the argument path leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-02 | 5.3 | CVE-2025-15432 | VDB-339354 \| yeqifu carRental com.yeqifu.sys.controller.FileController downloadShowFile.action downloadShowFile path traversal VDB-339354 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #723220 \| https://github.com/yeqifu carRental latest Path Traversal https://github.com/yeqifu/carRental/issues/46 |
| Petlibrio–Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users’ private recordings. | 2026-01-03 | 5.3 | CVE-2025-3652 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Audio Information Disclosure via API endpoint |
| Petlibrio–Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet IDs, enabling full device control without proper authorization checks. | 2026-01-03 | 5.3 | CVE-2025-3654 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Information Disclosure via API endpoint |
| Eduardo Villão–MyD Delivery | Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Villão MyD Delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyD Delivery: from n/a through 1.3.7. | 2025-12-31 | 5.3 | CVE-2025-49334 | https://vdp.patchstack.com/database/wordpress/plugin/myd-delivery/vulnerability/wordpress-myd-delivery-plugin-1-3-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| janhenckens–Dashboard Beacon | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in janhenckens Dashboard Beacon allows Stored XSS. This issue affects Dashboard Beacon: from n/a through 1.2.0. | 2025-12-31 | 5.9 | CVE-2025-49337 | https://vdp.patchstack.com/database/wordpress/plugin/wp-dashboard-beacon/vulnerability/wordpress-dashboard-beacon-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Flowbox–Flowbox | Missing Authorization vulnerability in Flowbox allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flowbox: from n/a through 1.1.5. | 2025-12-31 | 5.3 | CVE-2025-49338 | https://vdp.patchstack.com/database/wordpress/plugin/flowbox/vulnerability/wordpress-flowbox-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| Reuters News Agency–Reuters Direct | Missing Authorization vulnerability in Reuters News Agency Reuters Direct allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reuters Direct: from n/a through 3.0.0. | 2025-12-31 | 5.3 | CVE-2025-49349 | https://vdp.patchstack.com/database/wordpress/plugin/reuters-direct/vulnerability/wordpress-reuters-direct-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve |
| ikaes–Accessibility Press | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ikaes Accessibility Press allows Stored XSS. This issue affects Accessibility Press: from n/a through 1.0.2. | 2025-12-31 | 5.9 | CVE-2025-49355 | https://vdp.patchstack.com/database/wordpress/plugin/ilogic-accessibility/vulnerability/wordpress-accessibility-press-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| meshtastic–firmware | Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue. | 2025-12-29 | 5.3 | CVE-2025-53627 | https://github.com/meshtastic/firmware/security/advisories/GHSA-377p-prwp-4hwf |
| Inkthemescom–Black Rider | Insertion of Sensitive Information Into Sent Data vulnerability in Inkthemescom Black Rider allows Retrieve Embedded Sensitive Data. This issue affects Black Rider: from n/a through 1.2.3. | 2025-12-31 | 5.8 | CVE-2025-59003 | https://vdp.patchstack.com/database/wordpress/theme/black-rider/vulnerability/wordpress-black-rider-theme-1-2-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| eLEOPARD–Behance Portfolio Manager | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in eLEOPARD Behance Portfolio Manager allows Stored XSS. This issue affects Behance Portfolio Manager: from n/a through 1.7.5. | 2025-12-31 | 5.9 | CVE-2025-59135 | https://vdp.patchstack.com/database/wordpress/plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Efí Bank–Gerencianet Oficial | Insertion of Sensitive Information Into Sent Data vulnerability in Efí Bank Gerencianet Oficial allows Retrieve Embedded Sensitive Data. This issue affects Gerencianet Oficial: from n/a through 3.1.3. | 2025-12-31 | 5.3 | CVE-2025-59136 | https://vdp.patchstack.com/database/wordpress/plugin/woo-gerencianet-official/vulnerability/wordpress-gerencianet-oficial-plugin-3-1-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Damian–WP Export Categories & Taxonomies | Missing Authorization vulnerability in Damian WP Export Categories & Taxonomies allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Export Categories & Taxonomies: from n/a through 1.0.3. | 2025-12-31 | 5.3 | CVE-2025-62079 | https://vdp.patchstack.com/database/wordpress/plugin/wp-export-categories-taxonomies/vulnerability/wordpress-wp-export-categories-taxonomies-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| Channelize.io Team–Live Shopping & Shoppable Videos For WooCommerce | Missing Authorization vulnerability in Channelize.Io Team Live Shopping & Shoppable Videos For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through 2.2.0. | 2025-12-31 | 5.3 | CVE-2025-62081 | https://vdp.patchstack.com/database/wordpress/plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve |
| extendons–WordPress & WooCommerce Scraper Plugin, Import Data from Any Site | Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site allows Server Side Request Forgery. This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through 1.0.7. | 2025-12-31 | 5.4 | CVE-2025-62088 | https://vdp.patchstack.com/database/wordpress/plugin/wp_scraper/vulnerability/wordpress-wordpress-woocommerce-scraper-plugin-import-data-from-any-site-plugin-1-0-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Vollstart–Serial Codes Generator and Validator with WooCommerce Support | Missing Authorization vulnerability in Vollstart Serial Codes Generator and Validator with WooCommerce Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Serial Codes Generator and Validator with WooCommerce Support: from n/a through 2.8.2. | 2025-12-31 | 5.4 | CVE-2025-62091 | https://vdp.patchstack.com/database/wordpress/plugin/serial-codes-generator-and-validator/vulnerability/wordpress-serial-codes-generator-and-validator-with-woocommerce-support-plugin-2-8-2-broken-access-control-vulnerability?_s_id=cve |
| Wiremo–Wiremo | Missing Authorization vulnerability in Wiremo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wiremo: from n/a through 1.4.99. | 2025-12-31 | 5.3 | CVE-2025-62092 | https://vdp.patchstack.com/database/wordpress/plugin/woo-reviews-by-wiremo/vulnerability/wordpress-wiremo-plugin-1-4-99-broken-access-control-vulnerability?_s_id=cve |
| Totalsoft–Portfolio Gallery | Missing Authorization vulnerability in Totalsoft Portfolio Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Portfolio Gallery: from n/a through 1.4.8. | 2025-12-31 | 5.4 | CVE-2025-62098 | https://vdp.patchstack.com/database/wordpress/plugin/gallery-portfolio/vulnerability/wordpress-portfolio-gallery-plugin-1-4-8-broken-access-control-vulnerability?_s_id=cve |
| SaifuMak–Add Custom Codes | Missing Authorization vulnerability in SaifuMak Add Custom Codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Custom Codes: from n/a through 4.80. | 2025-12-31 | 5.4 | CVE-2025-62108 | https://vdp.patchstack.com/database/wordpress/plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-broken-access-control-vulnerability?_s_id=cve |
| Marcelo Torres–Download Media Library | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcelo Torres Download Media Library allows Retrieve Embedded Sensitive Data. This issue affects Download Media Library: from n/a through 0.2.1. | 2025-12-31 | 5.3 | CVE-2025-62114 | https://vdp.patchstack.com/database/wordpress/plugin/download-media-library/vulnerability/wordpress-download-media-library-plugin-0-2-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| Quadlayers–AI Copilot | Missing Authorization vulnerability in Quadlayers AI Copilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Copilot: from n/a through 1.4.7. | 2025-12-31 | 5.3 | CVE-2025-62116 | https://vdp.patchstack.com/database/wordpress/plugin/ai-copilot/vulnerability/wordpress-ai-copilot-plugin-1-4-7-broken-access-control-vulnerability?_s_id=cve |
| Jayce53–EasyIndex | Cross-Site Request Forgery (CSRF) vulnerability in Jayce53 EasyIndex easyindex allows Cross Site Request Forgery. This issue affects EasyIndex: from n/a through 1.1.1704. | 2025-12-31 | 5.4 | CVE-2025-62117 | https://vdp.patchstack.com/database/wordpress/plugin/easyindex/vulnerability/wordpress-easyindex-plugin-1-1-1704-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ViitorCloud Technologies Pvt Ltd–Add Featured Image Custom Link | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ViitorCloud Technologies Pvt Ltd Add Featured Image Custom Link allows DOM-Based XSS. This issue affects Add Featured Image Custom Link: from n/a through 2.0.0. | 2025-12-31 | 5.9 | CVE-2025-62119 | https://vdp.patchstack.com/database/wordpress/plugin/custom-url-to-featured-image/vulnerability/wordpress-add-featured-image-custom-link-plugin-2-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Rick Beckman–OpenHook | Cross-Site Request Forgery (CSRF) vulnerability in Rick Beckman OpenHook allows Cross Site Request Forgery. This issue affects OpenHook: from n/a through 4.3.1. | 2025-12-31 | 5.4 | CVE-2025-62120 | https://vdp.patchstack.com/database/wordpress/plugin/thesis-openhook/vulnerability/wordpress-openhook-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Imran Emu–Logo Slider , Logo Carousel , Logo showcase , Client Logo | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Imran Emu Logo Slider , Logo Carousel , Logo showcase , Client Logo allows Stored XSS. This issue affects Logo Slider , Logo Carousel , Logo showcase , Client Logo: from n/a through 1.8.1. | 2025-12-31 | 5.9 | CVE-2025-62121 | https://vdp.patchstack.com/database/wordpress/plugin/tc-logo-slider/vulnerability/wordpress-logo-slider-logo-carousel-logo-showcase-client-logo-plugin-1-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Solwininfotech–Trash Duplicate and 301 Redirect | Missing Authorization vulnerability in Solwininfotech Trash Duplicate and 301 Redirect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trash Duplicate and 301 Redirect: from n/a through 1.9.1. | 2025-12-31 | 5.3 | CVE-2025-62122 | https://vdp.patchstack.com/database/wordpress/plugin/trash-duplicate-and-301-redirect/vulnerability/wordpress-trash-duplicate-and-301-redirect-plugin-1-9-1-broken-access-control-vulnerability?_s_id=cve |
| Soli–WP Post Signature | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Soli WP Post Signature allows Stored XSS. This issue affects WP Post Signature: from n/a through 0.4.1. | 2025-12-31 | 5.9 | CVE-2025-62124 | https://vdp.patchstack.com/database/wordpress/plugin/wp-post-signature/vulnerability/wordpress-wp-post-signature-plugin-0-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Razvan Stanga–Varnish/Nginx Proxy Caching | Insertion of Sensitive Information Into Sent Data vulnerability in Razvan Stanga Varnish/Nginx Proxy Caching allows Retrieve Embedded Sensitive Data. This issue affects Varnish/Nginx Proxy Caching: from n/a through 1.8.3. | 2025-12-31 | 5.3 | CVE-2025-62126 | https://vdp.patchstack.com/database/wordpress/plugin/vcaching/vulnerability/wordpress-varnish-nginx-proxy-caching-plugin-1-8-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Magnigenie–RestroPress | Missing Authorization vulnerability in Magnigenie RestroPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RestroPress: from n/a through 3.2.4.2. | 2025-12-31 | 5.3 | CVE-2025-62129 | https://vdp.patchstack.com/database/wordpress/plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-broken-access-control-vulnerability?_s_id=cve |
| A WP Life–Contact Form Widget | Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget allows Cross Site Request Forgery. This issue affects Contact Form Widget: from n/a through 1.5.1. | 2025-12-31 | 5.4 | CVE-2025-62134 | https://vdp.patchstack.com/database/wordpress/plugin/new-contact-form-widget/vulnerability/wordpress-contact-form-widget-plugin-1-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| CedCommerce–WP Advanced PDF | Missing Authorization vulnerability in CedCommerce WP Advanced PDF allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Advanced PDF: from n/a through 1.1.7. | 2025-12-31 | 5.3 | CVE-2025-62138 | https://vdp.patchstack.com/database/wordpress/plugin/wp-advanced-pdf/vulnerability/wordpress-wp-advanced-pdf-plugin-1-1-7-other-vulnerability-type-vulnerability?_s_id=cve |
| Vladimir Statsenko–Terms descriptions | Insertion of Sensitive Information Into Sent Data vulnerability in Vladimir Statsenko Terms descriptions allows Retrieve Embedded Sensitive Data. This issue affects Terms descriptions: from n/a through 3.4.9. | 2025-12-31 | 5.3 | CVE-2025-62139 | https://vdp.patchstack.com/database/wordpress/plugin/terms-descriptions/vulnerability/wordpress-terms-descriptions-plugin-3-4-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| Plainware–Locatoraid Store Locator | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Plainware Locatoraid Store Locator allows Stored XSS. This issue affects Locatoraid Store Locator: from n/a through 3.9.65. | 2025-12-31 | 5.9 | CVE-2025-62140 | https://vdp.patchstack.com/database/wordpress/plugin/locatoraid/vulnerability/wordpress-locatoraid-store-locator-plugin-3-9-65-cross-site-scripting-xss-vulnerability?_s_id=cve |
| 101gen–Wawp | Missing Authorization vulnerability in 101gen Wawp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wawp: from n/a through 4.0.5. | 2025-12-31 | 5.3 | CVE-2025-62141 | https://vdp.patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-4-0-5-broken-access-control-vulnerability?_s_id=cve |
| nicashmu–Cincopa video and media plug-in | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in nicashmu Cincopa video and media plugin allows Stored XSS. This issue affects Cincopa video and media plug-in: from n/a through 1.163. | 2025-12-31 | 5.9 | CVE-2025-62142 | https://vdp.patchstack.com/database/wordpress/plugin/video-playlist-and-gallery-plugin/vulnerability/wordpress-post-video-players-plugin-1-163-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mohammed Kaludi–Core Web Vitals & PageSpeed Booster | Missing Authorization vulnerability in Mohammed Kaludi Core Web Vitals & PageSpeed Booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Core Web Vitals & PageSpeed Booster: from n/a through 1.0.27. | 2025-12-31 | 5.4 | CVE-2025-62144 | https://vdp.patchstack.com/database/wordpress/plugin/core-web-vitals-pagespeed-booster/vulnerability/wordpress-core-web-vitals-pagespeed-booster-plugin-1-0-27-broken-access-control-vulnerability?_s_id=cve |
| NewClarity–DMCA Protection Badge | Missing Authorization vulnerability in NewClarity DMCA Protection Badge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DMCA Protection Badge: from n/a through 2.2.0. | 2025-12-31 | 5.3 | CVE-2025-62145 | https://vdp.patchstack.com/database/wordpress/plugin/dmca-badge/vulnerability/wordpress-dmca-protection-badge-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve |
| Nik Melnik–Realbig | Missing Authorization vulnerability in Nik Melnik Realbig allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Realbig: from n/a through 1.1.3. | 2025-12-31 | 5.3 | CVE-2025-62147 | https://vdp.patchstack.com/database/wordpress/plugin/realbig-media/vulnerability/wordpress-realbig-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| SaifuMak–Add Custom Codes | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in SaifuMak Add Custom Codes allows Stored XSS. This issue affects Add Custom Codes: from n/a through 4.80. | 2025-12-31 | 5.9 | CVE-2025-62149 | https://vdp.patchstack.com/database/wordpress/plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Aum Watcharapon–Featured Image Generator | Missing Authorization vulnerability in Aum Watcharapon Featured Image Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Image Generator: from n/a through 1.3.3. | 2025-12-31 | 5.3 | CVE-2025-62747 | https://vdp.patchstack.com/database/wordpress/plugin/featured-image-generator/vulnerability/wordpress-featured-image-generator-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| Filipe Seabra–WooCommerce Parcelas | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Filipe Seabra WooCommerce Parcelas allows DOM-Based XSS. This issue affects WooCommerce Parcelas: from n/a through 1.3.5. | 2025-12-31 | 5.9 | CVE-2025-62750 | https://vdp.patchstack.com/database/wordpress/plugin/woocommerce-parcelas/vulnerability/wordpress-woocommerce-parcelas-plugin-1-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| GS Plugins–GS Portfolio for Envato | Unauthenticated Broken Access Control in GS Portfolio for Envato <= 1.4.2 versions. | 2025-12-31 | 5.3 | CVE-2025-62755 | https://vdp.patchstack.com/database/wordpress/plugin/gs-envato-portfolio/vulnerability/wordpress-gs-portfolio-for-envato-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve |
| Marco Milesi–WP Attachments | Missing Authorization vulnerability in Marco Milesi WP Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attachments: from n/a through 5.2. | 2025-12-31 | 5.4 | CVE-2025-62888 | https://vdp.patchstack.com/database/wordpress/plugin/wp-attachments/vulnerability/wordpress-wp-attachments-plugin-5-2-broken-access-control-vulnerability?_s_id=cve |
| Boxy Studio–Cooked | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Boxy Studio Cooked allows Stored XSS. This issue affects Cooked: from n/a through 1.11.2. | 2025-12-31 | 5.9 | CVE-2025-62989 | https://vdp.patchstack.com/database/wordpress/plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| nicdark–Hotel Booking | Missing Authorization vulnerability in nicdark Hotel Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Booking: from n/a through 3.8. | 2025-12-31 | 5.3 | CVE-2025-63001 | https://vdp.patchstack.com/database/wordpress/plugin/nd-booking/vulnerability/wordpress-hotel-booking-plugin-3-8-broken-access-control-vulnerability?_s_id=cve |
| Quadlayers–QuadLayers TikTok Feed | Missing Authorization vulnerability in Quadlayers QuadLayers TikTok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QuadLayers TikTok Feed: from n/a through 4.6.4. | 2025-12-31 | 5.3 | CVE-2025-63016 | https://vdp.patchstack.com/database/wordpress/plugin/wp-tiktok-feed/vulnerability/wordpress-quadlayers-tiktok-feed-plugin-4-6-4-broken-access-control-vulnerability?_s_id=cve |
| Illia–Simple Like Page | Missing Authorization vulnerability in Illia Simple Like Page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Like Page: from n/a through 1.5.3. | 2025-12-31 | 5.3 | CVE-2025-63022 | https://vdp.patchstack.com/database/wordpress/plugin/simple-facebook-plugin/vulnerability/wordpress-simple-like-page-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve |
| WP Grids–EasyTest | Missing Authorization vulnerability in WP Grids EasyTest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EasyTest: from n/a through 1.0.1. | 2025-12-31 | 5.3 | CVE-2025-63031 | https://vdp.patchstack.com/database/wordpress/plugin/convertpro/vulnerability/wordpress-easytest-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| Jewel Theme–Master Addons for Elementor | Authorization Bypass Through User-Controlled Key vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Master Addons for Elementor: from n/a through 2.0.9.9.4. | 2025-12-31 | 5.3 | CVE-2025-63053 | https://vdp.patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WP Legal Pages–WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through 4.0.3. | 2025-12-30 | 5.3 | CVE-2025-66080 | https://vdp.patchstack.com/database/wordpress/plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-3-broken-access-control-vulnerability-2?_s_id=cve |
| merkulove–Worker for Elementor | Missing Authorization vulnerability in merkulove Worker for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Worker for Elementor: from n/a through 1.0.10. | 2025-12-31 | 5.4 | CVE-2025-66144 | https://vdp.patchstack.com/database/wordpress/plugin/worker-elementor/vulnerability/wordpress-worker-for-elementor-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Worker for WPBakery | Missing Authorization vulnerability in merkulove Worker for WPBakery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Worker for WPBakery: from n/a through 1.1.1. | 2025-12-31 | 5.4 | CVE-2025-66145 | https://vdp.patchstack.com/database/wordpress/plugin/worker-wpbakery/vulnerability/wordpress-worker-for-wpbakery-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Logger for Elementor | Missing Authorization vulnerability in merkulove Logger for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Logger for Elementor: from n/a through 1.0.9. | 2025-12-31 | 5.4 | CVE-2025-66146 | https://vdp.patchstack.com/database/wordpress/plugin/logger-elementor/vulnerability/wordpress-logger-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Conformer for Elementor | Missing Authorization vulnerability in merkulove Conformer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Conformer for Elementor: from n/a through 1.0.7. | 2025-12-31 | 5.4 | CVE-2025-66148 | https://vdp.patchstack.com/database/wordpress/plugin/conformer-elementor/vulnerability/wordpress-conformer-for-elementor-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve |
| merkulove–UnGrabber | Missing Authorization vulnerability in merkulove UnGrabber allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UnGrabber: from n/a through 3.1.3. | 2025-12-31 | 5.4 | CVE-2025-66149 | https://vdp.patchstack.com/database/wordpress/plugin/ungrabber/vulnerability/wordpress-ungrabber-plugin-3-1-3-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Appender | Missing Authorization vulnerability in merkulove Appender allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appender: from n/a through 1.1.1. | 2025-12-31 | 5.4 | CVE-2025-66150 | https://vdp.patchstack.com/database/wordpress/plugin/appender/vulnerability/wordpress-appender-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Countdowner for Elementor | Missing Authorization vulnerability in merkulove Countdowner for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Countdowner for Elementor: from n/a through 1.0.4. | 2025-12-31 | 5.4 | CVE-2025-66151 | https://vdp.patchstack.com/database/wordpress/plugin/countdowner-elementor/vulnerability/wordpress-countdowner-for-elementor-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Criptopayer for Elementor | Missing Authorization vulnerability in merkulove Criptopayer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Criptopayer for Elementor: from n/a through 1.0.1. | 2025-12-31 | 5.4 | CVE-2025-66152 | https://vdp.patchstack.com/database/wordpress/plugin/criptopayer-elementor/vulnerability/wordpress-criptopayer-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Headinger for Elementor | Missing Authorization vulnerability in merkulove Headinger for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Headinger for Elementor: from n/a through 1.1.4. | 2025-12-31 | 5.4 | CVE-2025-66153 | https://vdp.patchstack.com/database/wordpress/plugin/headinger-elementor/vulnerability/wordpress-headinger-for-elementor-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Couponer for Elementor | Missing Authorization vulnerability in merkulove Couponer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Couponer for Elementor: from n/a through 1.1.7. | 2025-12-31 | 5.4 | CVE-2025-66154 | https://vdp.patchstack.com/database/wordpress/plugin/couponer-elementor/vulnerability/wordpress-couponer-for-elementor-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Questionar for Elementor | Missing Authorization vulnerability in merkulove Questionar for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Questionar for Elementor: from n/a through 1.1.7. | 2025-12-31 | 5.4 | CVE-2025-66155 | https://vdp.patchstack.com/database/wordpress/plugin/questionar-elementor/vulnerability/wordpress-questionar-for-elementor-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Watcher for Elementor | Missing Authorization vulnerability in merkulove Watcher for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Watcher for Elementor: from n/a through 1.0.9. | 2025-12-31 | 5.4 | CVE-2025-66156 | https://vdp.patchstack.com/database/wordpress/plugin/watcher-elementor/vulnerability/wordpress-watcher-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Slider for Elementor | Missing Authorization vulnerability in merkulove Slider for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slider for Elementor: from n/a through 1.0.10. | 2025-12-31 | 5.4 | CVE-2025-66157 | https://vdp.patchstack.com/database/wordpress/plugin/sliper-elementor/vulnerability/wordpress-sliper-for-elementor-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Gmaper for Elementor | Missing Authorization vulnerability in merkulove Gmaper for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gmaper for Elementor: from n/a through 1.0.9. | 2025-12-31 | 5.4 | CVE-2025-66158 | https://vdp.patchstack.com/database/wordpress/plugin/gmaper-elementor/vulnerability/wordpress-gmaper-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Walker for Elementor | Missing Authorization vulnerability in merkulove Walker for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Walker for Elementor: from n/a through 1.1.6. | 2025-12-31 | 5.4 | CVE-2025-66159 | https://vdp.patchstack.com/database/wordpress/plugin/walker-elementor/vulnerability/wordpress-walker-for-elementor-plugin-1-1-6-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Select Graphist for Elementor Graphist for Elementor | Missing Authorization vulnerability in merkulove Select Graphist for Elementor Graphist for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Select Graphist for Elementor Graphist for Elementor: from n/a through 1.2.10. | 2025-12-31 | 5.4 | CVE-2025-66160 | https://vdp.patchstack.com/database/wordpress/plugin/graphist-elementor/vulnerability/wordpress-select-graphist-for-elementor-graphist-for-elementor-plugin-1-2-10-broken-access-control-vulnerability?_s_id=cve |
| Esri–ArcGIS Server | ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. | 2025-12-31 | 5.6 | CVE-2025-67706 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri–ArcGIS Server | ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. | 2025-12-31 | 5.6 | CVE-2025-67707 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| SignalK–signalk-server | Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue. | 2026-01-01 | 5.3 | CVE-2025-68273 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-fpf5-w967-rr2m https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| ImageMagick–ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, reading a malicious SVG file with Magick resulted in a denial of service. Version 7.1.2-12 fixes the issue. | 2025-12-30 | 5.3 | CVE-2025-68618 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637 https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb |
| frappe–crm | Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available. | 2025-12-29 | 5.4 | CVE-2025-68928 | https://github.com/frappe/crm/security/advisories/GHSA-fm34-v6j7-chwc https://github.com/frappe/crm/commit/c5766d9989131d17d954e866bfc4b8d3b23e4f10 https://github.com/frappe/crm/releases/tag/v1.56.2 |
| thorsten–phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue. | 2025-12-29 | 5.4 | CVE-2025-68951 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370 https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87 |
| ImageMagick–ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, the WriteSVGImage function stored number_attributes in an int variable, which could overflow; the resulting buffer overflow caused a denial of service. Version 7.1.2-12 fixes the issue. | 2025-12-30 | 5.3 | CVE-2025-69204 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw https://github.com/ImageMagick/ImageMagick/commit/2c08c2311693759153c9aa99a6b2dcb5f985681e |
| Gitea–Gitea | In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. | 2026-01-01 | 5.3 | CVE-2025-69413 | https://blog.gitea.com/release-of-1.25.2/ https://github.com/go-gitea/gitea/releases/tag/v1.25.2 https://github.com/go-gitea/gitea/issues/35984 https://github.com/go-gitea/gitea/pull/36002 |
| Plex–plex.tv backend | In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. | 2026-01-02 | 5 | CVE-2025-69416 | https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md |
| Plex–plex.tv backend | In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. | 2026-01-02 | 5 | CVE-2025-69417 | https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md |
| stefanberger–libtpms | libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available. | 2026-01-02 | 5.5 | CVE-2026-21444 | https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f https://github.com/stefanberger/libtpms/issues/541 https://github.com/stefanberger/libtpms/commit/33c9ff074cb16c1841ce7d7f33643c17c426743a |
| Mintplex-Labs–anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, which enables username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue. | 2026-01-03 | 5.3 | CVE-2026-21484 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch https://github.com/Mintplex-Labs/anything-llm/commit/e287fab56089cf8fcea9ba579a3ecdeca0daa313 |
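
The phpMyFAQ entry above (CVE-2025-68951) turns on one detail: the display name is harmless while it is still entity-encoded, and becomes live markup only after the server decodes it and writes it into the admin page unescaped. The Python below is an added illustration, not code from phpMyFAQ; it models that pipeline with a constructed display name, a naive filter on the raw submission, the decode-then-render step, and the corrected step that escapes at the output sink. The function and variable names are this example's own.

```python
import html

# Constructed attacker input: only entities, so the raw string contains
# no '<' or '>' and slips past a filter that inspects the submitted value.
ATTACKER_NAME = "&lt;script&gt;alert(document.cookie)&lt;/script&gt;"


def naive_input_filter(value: str) -> bool:
    """Accept a display name if it visibly contains no tag characters.
    This is the kind of check that entity-encoded input defeats."""
    return "<" not in value and ">" not in value


def render_user_row_vulnerable(display_name: str) -> str:
    """Model of the described bug: decode entities server-side, then
    splice the decoded text into the admin user list without escaping."""
    decoded = html.unescape(display_name)
    return f"<tr><td>{decoded}</td></tr>"


def render_user_row_fixed(display_name: str) -> str:
    """Same decode step, but the value is escaped at the output sink, so
    whatever the decode produced is rendered as text, not markup."""
    decoded = html.unescape(display_name)
    return f"<tr><td>{html.escape(decoded, quote=True)}</td></tr>"


def contains_script_tag(fragment: str) -> bool:
    """Crude check used here to show whether markup survived into the page."""
    return "<script>" in fragment.lower()


if __name__ == "__main__":
    print("filter accepts payload:", naive_input_filter(ATTACKER_NAME))
    print("vulnerable:", render_user_row_vulnerable(ATTACKER_NAME))
    print("fixed:     ", render_user_row_fixed(ATTACKER_NAME))
```

The general point is that a filter on the submitted value cannot stand in for escaping at the sink: any decoding stage between the two (HTML entities here, URL or base64 decoding elsewhere) reintroduces exactly the characters the filter looked for, so the escape has to be applied to the value as it will actually be emitted.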
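
The libtpms entry above (CVE-2026-21444) is easiest to see in a small CBC model. The Python below is an added illustration, not libtpms or OpenSSL code: the block cipher is replaced by a keyed hash truncated to 16 bytes (a stand-in that is not invertible and not a real cipher, chosen so the block runs without third-party packages), and encrypt_stream contrasts carrying the last ciphertext block forward as the next call's IV, which is what the caller needs, with handing back the initial IV each time, which is the behaviour the advisory describes. Key, IV and plaintext chunks are constructed for the demonstration.

```python
import hashlib
from typing import List, Tuple

BLOCK = 16

# Constructed key, IV and data for the demonstration.
KEY = bytes(range(16))
IV = b"\x00" * BLOCK
CHUNKS = [b"AAAAAAAAAAAAAAAA", b"AAAAAAAAAAAAAAAA"]  # same plaintext twice


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher: a keyed hash truncated to one block.
    It is not invertible and not a real cipher; it only has to be a fixed
    keyed function so that the chaining effects are visible."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor_blocks(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> Tuple[bytes, bytes]:
    """CBC over whole blocks. Returns (ciphertext, last ciphertext block);
    the last block is what a correct implementation hands back as the IV
    for the next call."""
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size")
    out: List[bytes] = []
    prev = iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, xor_blocks(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out), prev


def encrypt_stream(key: bytes, iv: bytes, chunks: List[bytes],
                   carry_iv: bool = True) -> List[bytes]:
    """Encrypt several calls that together form one stream.
    carry_iv=True: each call continues from the previous call's last block.
    carry_iv=False: the caller is handed the initial IV back every time,
    which is the behaviour the advisory describes."""
    cts: List[bytes] = []
    current_iv = iv
    for chunk in chunks:
        ct, last = cbc_encrypt(key, current_iv, chunk)
        cts.append(ct)
        if carry_iv:
            current_iv = last
    return cts


def chained_matches_one_shot(key: bytes, iv: bytes, chunks: List[bytes]) -> bool:
    """Correct chaining is indistinguishable from one CBC pass over the
    concatenated data; reusing the initial IV is not."""
    one_shot, _ = cbc_encrypt(key, iv, b"".join(chunks))
    return b"".join(encrypt_stream(key, iv, chunks, carry_iv=True)) == one_shot


if __name__ == "__main__":
    buggy = encrypt_stream(KEY, IV, CHUNKS, carry_iv=False)
    good = encrypt_stream(KEY, IV, CHUNKS, carry_iv=True)
    print("initial IV reused, chunks equal:", buggy[0] == buggy[1])
    print("IV carried forward, chunks equal:", good[0] == good[1])
    print("chained == one-shot CBC:", chained_matches_one_shot(KEY, IV, CHUNKS))
```

With the initial IV reused, two calls that encrypt the same plaintext produce identical ciphertext, so an observer learns that the plaintexts matched; chained_matches_one_shot shows that correct IV carry-over makes the split encryption byte-for-byte identical to a single CBC pass over the concatenated data, which is the property callers of a streaming cipher API rely on.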
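
The Gitea entry (CVE-2025-69413) and the AnythingLLM entry (CVE-2026-21484) above are the same weakness in two places: an authentication or recovery endpoint whose failure response differs depending on whether the username exists. The Python below is an added illustration and not code from either project. It models each endpoint as a local function over a constructed user set, with a vulnerable and a fixed variant of both, and the check an assessor runs: send the same request for an account known to exist and for a random name that cannot, then compare the responses.

```python
import secrets
from typing import Callable, Set, Tuple

# (status code, body) pair standing in for an HTTP response.
Response = Tuple[int, str]

# Constructed user store standing in for the application's database.
USERS: Set[str] = {"alice", "bob"}


def vulnerable_password_recovery(username: str) -> Response:
    """The status and error text depend on whether the account exists."""
    if username not in USERS:
        return 404, '{"error":"No user found with that username"}'
    return 200, '{"message":"Recovery email sent"}'


def fixed_password_recovery(username: str) -> Response:
    """Identical answer either way; any real work happens out of band."""
    return 200, ('{"message":"If an account with that username exists, '
                 'a recovery email has been sent"}')


def vulnerable_api_user(username: str, password: str) -> Response:
    """A failed authentication that distinguishes unknown users from
    wrong passwords (the shape of the Gitea finding)."""
    if username not in USERS:
        return 401, "user does not exist"
    return 401, "invalid password"


def fixed_api_user(username: str, password: str) -> Response:
    """One generic failure for every request that does not authenticate."""
    return 401, "invalid credentials"


def reveals_user_existence(probe: Callable[[str], Response], known_user: str) -> bool:
    """Assessor's check: the same request for an account that exists and
    for a random name that cannot exist must yield the same status and body."""
    unknown_user = "nouser-" + secrets.token_hex(8)
    return probe(known_user) != probe(unknown_user)


if __name__ == "__main__":
    print("recovery (vulnerable):", reveals_user_existence(vulnerable_password_recovery, "alice"))
    print("recovery (fixed):     ", reveals_user_existence(fixed_password_recovery, "alice"))
    print("api/user (vulnerable):", reveals_user_existence(
        lambda u: vulnerable_api_user(u, "wrong-password"), "alice"))
    print("api/user (fixed):     ", reveals_user_existence(
        lambda u: fixed_api_user(u, "wrong-password"), "alice"))
```

Against a live target the same comparison has to strip per-request noise (request IDs, timestamps, CSRF tokens) from the bodies and should also compare latency, because a constant message returned from a code path that skips the password hash for unknown users still leaks through timing.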
| JM-DATA ONU–JF511-TV | JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to authenticated stored cross-site scripting (XSS) attacks, allowing attackers with authenticated access to inject malicious scripts that will be executed in other users’ browsers when they view the affected content. | 2025-12-30 | 4.3 | CVE-2022-50801 | Zero Science Lab Disclosure (ZSL-2022-5708) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Entry JM-DATA Vendor Homepage VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Authenticated Stored Cross-Site Scripting (XSS) Vulnerability |
| PKrystian–Full-Stack-Bank | A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. It affects unknown code of the component User Handler; manipulation leads to SQL injection. The attack can be initiated remotely. The product uses a rolling release for continuous delivery, so no version details for affected or updated releases are available. The patch is named 25c9965a872c704f3a9475488dc5d3196902199a and should be installed to address this issue. | 2025-12-31 | 4.7 | CVE-2023-7331 | VDB-338650: PKrystian Full-Stack-Bank User sql injection VDB-338650: CTI Indicators (IOB, IOC, TTP) https://github.com/PKrystian/Full-Stack-Bank/pull/21 https://github.com/PKrystian/Full-Stack-Bank/commit/25c9965a872c704f3a9475488dc5d3196902199a |
| wpchill–Strong Testimonials | The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the ‘edit_rating’ function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen. | 2025-12-30 | 4.3 | CVE-2025-14426 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c83f48dd-9070-412d-b911-98581a81e29a?source=cve https://plugins.trac.wordpress.org/browser/strong-testimonials/tags/3.2.18/admin/class-strong-testimonials-post-editor.php#L379 https://plugins.trac.wordpress.org/browser/strong-testimonials/tags/3.2.18/admin/class-strong-testimonials-post-editor.php#L29 https://plugins.trac.wordpress.org/changeset/3416480/ |
| galdub–All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs My Sticky Elements | The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the ‘my_sticky_elements_bulks’ function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin. | 2026-01-01 | 4.3 | CVE-2025-14428 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b82ce74-11ac-4719-961d-a16717ce023b?source=cve https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L29 https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L1788 https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-front.php#L121 https://plugins.trac.wordpress.org/changeset/3423407/ |
| smub–Easy Digital Downloads eCommerce Payments and Subscriptions made easy | The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation of the redirect URL supplied via the ‘edd_redirect’ parameter. This makes it possible for unauthenticated attackers to redirect users who follow the password reset email to potentially malicious sites, provided they can trick them into performing an action. | 2025-12-31 | 4.3 | CVE-2025-14783 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c0fb43c-f576-412e-a144-4725356ed9a0?source=cve https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/users/lost-password.php#L187 https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/blocks/views/forms/lost-password.php#L24 https://plugins.trac.wordpress.org/changeset/3426524/easy-digital-downloads/trunk/includes/users/lost-password.php |
| JFrog–Artifactory (Workers) | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS). This issue affects Artifactory (Workers) from 7.94.0 before 7.117.10. | 2026-01-04 | 4.9 | CVE-2025-14830 | https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories |
| BiggiDroid–Simple PHP CMS | A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. It affects unknown functionality of the file /admin/editsite.php; manipulation of the argument ID leads to SQL injection. The attack may be performed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-29 | 4.7 | CVE-2025-15169 | VDB-338549: BiggiDroid Simple PHP CMS editsite.php sql injection VDB-338549: CTI Indicators (IOB, IOC, TTP, IOA) Submit #708845: BiggiDroid Simple PHP CMS BiggiDroid 1.0 SQL Injection https://gitee.com/sun-huizhi/dazhi/issues/IDBDAY |
| Advaya Softech–GEMS ERP Portal | A security vulnerability has been detected in Advaya Softech GEMS ERP Portal up to 2.1. It affects an unknown part of the file /home.jsp?isError=true of the component Error Message Handler; manipulation of the argument Message leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-29 | 4.3 | CVE-2025-15170 | VDB-338550: Advaya Softech GEMS ERP Portal Error Message home.jsp cross site scripting VDB-338550: CTI Indicators (IOB, IOC, TTP, IOA) Submit #717590: Advaya Softech GEMS ERP Portal 2.1 Cross Site Scripting https://syansec.in/video_poc/cve_2025.mp4 |
| code-projects–Content Management System | A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. It affects unknown code of the file /admin/editposts.php; manipulation of the argument image results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-12-29 | 4.7 | CVE-2025-15197 | VDB-338584: code-projects/anirbandutta9 Content Management System/News-Buzz editposts.php unrestricted upload VDB-338584: CTI Indicators (IOB, IOC, TTP, IOA) Submit #724721: Code-projects Content Management System v1.0 Arbitrary file upload vulnerability https://github.com/Limingqian123/CVE/issues/7 |
| code-projects–Student File Management System | A vulnerability has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /download.php of the component File Download Handler; manipulation of the argument store_id leads to improper authorization. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 4.3 | CVE-2025-15213 | VDB-338598: code-projects Student File Management System File Download download.php improper authorization VDB-338598: CTI Indicators (IOB, IOC, TTP, IOA) Submit #725080: Code-Projects Student File Management System V1.0 Unauthorized Access https://github.com/Bai-public/CVE/issues/5 https://code-projects.org/ |
| SohuTV–CacheCloud | A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. It affects the function init of the file src/main/java/com/sohu/cache/web/controller/LoginController.java; manipulation results in cross-site scripting. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 4.3 | CVE-2025-15220 | VDB-338605: SohuTV CacheCloud LoginController.java init cross site scripting VDB-338605: CTI Indicators (IOB, IOC, TTP, IOA) Submit #716320: SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/379 |
| Philipinho–Simple-PHP-Blog | A vulnerability was found in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. It affects an unknown function of the file /login.php; manipulation of the argument Username results in cross-site scripting. The attack can be carried out remotely. The exploit has been made public and could be used. The product uses a rolling release strategy for continuous delivery, so version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure and makes clear that the product is “[f]or educational purposes only”. | 2025-12-31 | 4.3 | CVE-2025-15223 | VDB-338608: Philipinho Simple-PHP-Blog login.php cross site scripting VDB-338608: CTI Indicators (IOB, IOC, TTP, IOA) Submit #710150: Philipinho Simple-PHP-Blog 1.0 Improper Neutralization of Alternate XSS Syntax https://gitee.com/sun-huizhi/dazhi/issues/IDBUOY |
| 08CMS–Novel System | A security vulnerability has been detected in 08CMS Novel System up to 3.4. It affects unknown processing of the file admina/mtpls.inc.php of the component Template Handler; manipulation leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-12-30 | 4.7 | CVE-2025-15250 | VDB-338640: 08CMS Novel System Template mtpls.inc.php code injection VDB-338640: CTI Indicators (IOB, IOC, TTP, IOA) https://gitee.com/keneny/cve/issues/ID3DEM |
| BiggiDroid–Simple PHP CMS | A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. It affects an unknown function of the file /admin/edit.php of the component Site Logo Handler; manipulation of the argument image results in unrestricted upload. Remote exploitation is possible. The exploit has been released to the public and may be exploited. | 2025-12-30 | 4.7 | CVE-2025-15262 | VDB-338656: BiggiDroid Simple PHP CMS Site Logo edit.php unrestricted upload VDB-338656: CTI Indicators (IOB, IOC, TTP, IOA) Submit #725815: BiggiDroid Simple PHP CMS 1.0 SQL Injection https://gitee.com/shanyaohei/black-yam/issues/IDGML9 |
| n/a–newbee-mall-plus | A vulnerability was determined in newbee-mall-plus 2.0.0. It affects the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page; manipulation of the argument File causes unrestricted upload. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-30 | 4.7 | CVE-2025-15360 | VDB-338744: newbee-mall-plus Product Information Edit UploadController.java upload unrestricted upload VDB-338744: CTI Indicators (IOB, IOC, TTP, IOA) Submit #716785: https://github.com/newbee-ltd/newbee-mall-plus newbee-mall-plus 2.0.0 Upload any file https://github.com/zyhzheng500-maker/cve/blob/main/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| n/a–iCMS | A vulnerability was detected in iCMS up to 8.0.0. It affects the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler; manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 4.7 | CVE-2025-15394 | VDB-339163: iCMS POST Parameter ConfigAdmincp.php save code injection VDB-339163: CTI Indicators (IOB, IOC, TTP, IOA) Submit #719029: ICMS https://www.icmsdev.com/ 8.0.0 Code Injection https://note-hxlab.wetolink.com/share/QWuWZeAmzUdm |
| n/a–PHPEMS | A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function; manipulation results in cross-site request forgery. The attack may be launched remotely. | 2026-01-01 | 4.3 | CVE-2025-15405 | VDB-339325: PHPEMS cross-site request forgery VDB-339325: CTI Indicators (IOB, IOC) Submit #728314: PHPEMS <=11.0 Cross-Site Request Forgery https://byebydoggy.github.io/post/2025/1231-phpems-csrf-poc/ |
| go-sonic–sonic | A flaw has been found in go-sonic sonic up to 1.1.4. It affects the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API; manipulation of the argument uri can lead to server-side request forgery. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-01 | 4.7 | CVE-2025-15414 | VDB-339335: go-sonic Theme Fetching API git_fetcher.go FetchTheme server-side request forgery VDB-339335: CTI Indicators (IOB, IOC, IOA) Submit #719789: sonic https://github.com/go-sonic/sonic 1.1.4 Server-Side Request Forgery https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ#-span--strong-proof-of-concept---strong---span- |
| xnx3–wangmarket | A vulnerability has been found in xnx3 wangmarket up to 6.4. It affects the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler; manipulation of the argument image leads to unrestricted upload. Remote exploitation is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-01 | 4.7 | CVE-2025-15415 | VDB-339336: xnx3 wangmarket XML File uploadImage.do uploadImage unrestricted upload VDB-339336: CTI Indicators (IOB, IOC, TTP, IOA) Submit #721078: xnx3 https://github.com/xnx3/wangmarket <=v6.4 Cross Site Scripting https://github.com/yuccun/CVE/blob/main/wangmarket-Upload2StoredXSS.md |
| n/a–PluXml | A vulnerability was determined in PluXml up to 5.8.22. It affects the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module; manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that “[w]e fix this issue in the next version 5.8.23”. A patch is ready. | 2026-01-02 | 4.7 | CVE-2025-15438 | VDB-339383: PluXml Media Management medias.php __destruct deserialization VDB-339383: CTI Indicators (IOB, IOC, IOA) Submit #713989: PluXml 5.8.22 Deserialization Vulnerability https://note-hxlab.wetolink.com/share/9SJUnaDcJuqz |
| n/a–CRMEB | A vulnerability was determined in CRMEB up to 5.6.1. It affects unknown code of the file /adminapi/export/product_list; manipulation of the argument cate_id causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-04 | 4.7 | CVE-2025-15442 | VDB-339464: CRMEB product_list sql injection VDB-339464: CTI Indicators (IOB, IOC, TTP, IOA) Submit #721915: crmeb v5.6.1 SQL Injection https://github.com/En0t5/vul/blob/main/crmeb/crmeb-export-product_list-SQL.md https://github.com/En0t5/vul/blob/main/crmeb/crmeb-export-product_list-SQL.md#poc |
| n/a–CRMEB | A vulnerability was identified in CRMEB up to 5.6.1. It affects unknown processing of the file /adminapi/product/product_export; manipulation of the argument cate_id leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-04 | 4.7 | CVE-2025-15443 | VDB-339465: CRMEB product_export sql injection VDB-339465: CTI Indicators (IOB, IOC, TTP, IOA) Submit #721916: crmeb v5.6.1 SQL Injection https://github.com/En0t5/vul/blob/main/crmeb/crmeb-product-productExport-SQL.md https://github.com/En0t5/vul/blob/main/crmeb/crmeb-product-productExport-SQL.md#poc |
| Digages–Direct Payments WP | Missing Authorization vulnerability in Digages Direct Payments WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Direct Payments WP: from n/a through 1.3.0. | 2025-12-31 | 4.3 | CVE-2025-49339 | https://vdp.patchstack.com/database/wordpress/plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-broken-access-control-vulnerability?_s_id=cve |
| Digages–Direct Payments WP | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Digages Direct Payments WP allows Retrieve Embedded Sensitive Data. This issue affects Direct Payments WP: from n/a through 1.3.0. | 2025-12-31 | 4.3 | CVE-2025-49340 | https://vdp.patchstack.com/database/wordpress/plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| YoOhw Studio–Order Cancellation & Returns for WooCommerce | Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation & Returns for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Cancellation & Returns for WooCommerce: from n/a through 1.1.10. | 2025-12-31 | 4.3 | CVE-2025-49352 | https://vdp.patchstack.com/database/wordpress/plugin/wc-order-cancellation-return/vulnerability/wordpress-order-cancellation-returns-for-woocommerce-plugin-1-1-10-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mykola Lukin–Orders Chat for WooCommerce | Missing Authorization vulnerability in Mykola Lukin Orders Chat for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orders Chat for WooCommerce: from n/a through 1.2.0. | 2025-12-31 | 4.3 | CVE-2025-49356 | https://vdp.patchstack.com/database/wordpress/plugin/orders-chat-for-woocommerce/vulnerability/wordpress-orders-chat-for-woocommerce-plugin-1-2-0-broken-access-control-vulnerability?_s_id=cve |
| Priority–Web | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) | 2025-12-29 | 4.8 | CVE-2025-55062 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Priority–Web | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) | 2025-12-29 | 4.8 | CVE-2025-55063 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Priority–Web | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) | 2025-12-29 | 4.8 | CVE-2025-55064 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Appointify–Appointify | Cross-Site Request Forgery (CSRF) vulnerability in Appointify allows Cross Site Request Forgery. This issue affects Appointify: from n/a through 1.0.8. | 2025-12-31 | 4.3 | CVE-2025-59130 | https://vdp.patchstack.com/database/wordpress/plugin/appointify/vulnerability/wordpress-appointify-plugin-1-0-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Jthemes–Genemy | Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy allows Server Side Request Forgery. This issue affects Genemy: from n/a through 1.6.6. | 2025-12-31 | 4.9 | CVE-2025-59138 | https://vdp.patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Fahad Mahmood–Easy Upload Files During Checkout | Missing Authorization vulnerability in Fahad Mahmood Easy Upload Files During Checkout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Upload Files During Checkout: from n/a through 3.0.0. | 2025-12-31 | 4.3 | CVE-2025-62078 | https://vdp.patchstack.com/database/wordpress/plugin/easy-upload-files-during-checkout/vulnerability/wordpress-easy-upload-files-during-checkout-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve |
| Channelize.io Team–Live Shopping & Shoppable Videos For WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce allows Cross Site Request Forgery. This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through 2.2.0. | 2025-12-31 | 4.3 | CVE-2025-62080 | https://vdp.patchstack.com/database/wordpress/plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WP Messiah–BoomDevs WordPress Coming Soon Plugin | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah BoomDevs WordPress Coming Soon Plugin allows Retrieve Embedded Sensitive Data. This issue affects BoomDevs WordPress Coming Soon Plugin: from n/a through 1.0.4. | 2025-12-31 | 4.3 | CVE-2025-62083 | https://vdp.patchstack.com/database/wordpress/plugin/coming-soon-by-boomdevs/vulnerability/wordpress-boomdevs-wordpress-coming-soon-plugin-plugin-1-0-4-sensitive-data-exposure-vulnerability?_s_id=cve |
| Imdad Next Web–iNext Woo Pincode Checker | Cross-Site Request Forgery (CSRF) vulnerability in Imdad Next Web iNext Woo Pincode Checker allows Cross Site Request Forgery. This issue affects iNext Woo Pincode Checker: from n/a through 2.3.1. | 2025-12-31 | 4.3 | CVE-2025-62084 | https://vdp.patchstack.com/database/wordpress/plugin/inext-woo-pincode-checker/vulnerability/wordpress-inext-woo-pincode-checker-plugin-2-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Web Builder 143–Sticky Notes for WP Dashboard | Missing Authorization vulnerability in Web Builder 143 Sticky Notes for WP Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Notes for WP Dashboard: from n/a through 1.2.4. | 2025-12-31 | 4.3 | CVE-2025-62087 | https://vdp.patchstack.com/database/wordpress/plugin/wb-sticky-notes/vulnerability/wordpress-sticky-notes-for-wp-dashboard-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| MERGADO–Mergado Pack | Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack allows Cross Site Request Forgery. This issue affects Mergado Pack: from n/a through 4.2.0. | 2025-12-31 | 4.3 | CVE-2025-62089 | https://vdp.patchstack.com/database/wordpress/plugin/mergado-marketing-pack/vulnerability/wordpress-mergado-pack-plugin-4-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Approveme–Signature Add-On for Gravity Forms | Missing Authorization vulnerability in Approveme Signature Add-On for Gravity Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Signature Add-On for Gravity Forms: from n/a through 1.8.6. | 2025-12-31 | 4.3 | CVE-2025-62099 | https://vdp.patchstack.com/database/wordpress/plugin/gravity-signature-forms-add-on/vulnerability/wordpress-signature-add-on-for-gravity-forms-plugin-1-8-6-broken-access-control-vulnerability?_s_id=cve |
| Omid Shamloo–Pardakht Delkhah | Cross-Site Request Forgery (CSRF) vulnerability in Omid Shamloo Pardakht Delkhah allows Cross Site Request Forgery. This issue affects Pardakht Delkhah: from n/a through 3.0.0. | 2025-12-31 | 4.3 | CVE-2025-62101 | https://vdp.patchstack.com/database/wordpress/plugin/pardakht-delkhah/vulnerability/wordpress-pardakht-delkhah-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Merv Barrett–Import into Easy Property Listings | Cross-Site Request Forgery (CSRF) vulnerability in Merv Barrett Import into Easy Property Listings allows Cross Site Request Forgery. This issue affects Import into Easy Property Listings: from n/a through 2.2.1. | 2025-12-30 | 4.3 | CVE-2025-62112 | https://vdp.patchstack.com/database/wordpress/plugin/easy-property-listings-xml-csv-import/vulnerability/wordpress-import-into-easy-property-listings-plugin-2-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| emendo_seb–Co-marquage service-public.fr | Cross-Site Request Forgery (CSRF) vulnerability in emendo_seb Co-marquage service-public.fr allows Cross Site Request Forgery. This issue affects Co-marquage service-public.fr: from n/a through 0.5.77. | 2025-12-31 | 4.3 | CVE-2025-62113 | https://vdp.patchstack.com/database/wordpress/plugin/co-marquage-service-public/vulnerability/wordpress-co-marquage-service-public-fr-plugin-0-5-77-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ThemeBoy–Hide Plugins | Missing Authorization vulnerability in ThemeBoy Hide Plugins allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hide Plugins: from n/a through 1.0.4. | 2025-12-31 | 4.3 | CVE-2025-62115 | https://vdp.patchstack.com/database/wordpress/plugin/hide-plugins/vulnerability/wordpress-hide-plugins-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve |
| Ink themes–WP Gmail SMTP | Cross-Site Request Forgery (CSRF) vulnerability in Ink themes WP Gmail SMTP allows Cross Site Request Forgery. This issue affects WP Gmail SMTP: from n/a through 1.0.7. | 2025-12-31 | 4.3 | CVE-2025-62123 | https://vdp.patchstack.com/database/wordpress/plugin/wp-gmail-smtp/vulnerability/wordpress-wp-gmail-smtp-plugin-1-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| SiteLock–SiteLock Security | Missing Authorization vulnerability in SiteLock SiteLock Security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through 5.0.1. | 2025-12-30 | 4.3 | CVE-2025-62128 | https://vdp.patchstack.com/database/wordpress/plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-1-broken-access-control-vulnerability?_s_id=cve |
| WPdiscover–Accordion Slider Gallery | Missing Authorization vulnerability in WPdiscover Accordion Slider Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion Slider Gallery: from n/a through 2.7. | 2025-12-31 | 4.3 | CVE-2025-62130 | https://vdp.patchstack.com/database/wordpress/plugin/accordion-slider-gallery/vulnerability/wordpress-accordion-slider-gallery-plugin-2-7-broken-access-control-vulnerability?_s_id=cve |
| Strategy11 Team–Tasty Recipes Lite | Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tasty Recipes Lite: from n/a through 1.1.5. | 2025-12-31 | 4.3 | CVE-2025-62131 | https://vdp.patchstack.com/database/wordpress/plugin/tasty-recipes-lite/vulnerability/wordpress-tasty-recipes-lite-plugin-1-1-5-broken-access-control-vulnerability-2?_s_id=cve |
| Strategy11 Team–Tasty Recipes Lite | Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tasty Recipes Lite: from n/a through 1.1.5. | 2025-12-31 | 4.3 | CVE-2025-62132 | https://vdp.patchstack.com/database/wordpress/plugin/tasty-recipes-lite/vulnerability/wordpress-tasty-recipes-lite-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| Manidoraisamy–FormFacade | Cross-Site Request Forgery (CSRF) vulnerability in Manidoraisamy FormFacade allows Cross Site Request Forgery. This issue affects FormFacade: from n/a through 1.4.1. | 2025-12-31 | 4.3 | CVE-2025-62133 | https://vdp.patchstack.com/database/wordpress/plugin/formfacade/vulnerability/wordpress-formfacade-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| nicashmu–Post Video Players | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in nicashmu Post Video Players allows Retrieve Embedded Sensitive Data.This issue affects Post Video Players: from n/a through 1.163. | 2025-12-31 | 4.3 | CVE-2025-62143 | https://vdp.patchstack.com/database/wordpress/plugin/video-playlist-and-gallery-plugin/vulnerability/wordpress-post-video-players-plugin-1-163-sensitive-data-exposure-vulnerability?_s_id=cve |
| Eugen Bobrowski–Robots.txt rewrite | Cross-Site Request Forgery (CSRF) vulnerability in Eugen Bobrowski Robots.Txt rewrite allows Cross Site Request Forgery.This issue affects Robots.Txt rewrite: from n/a through 1.6.1. | 2025-12-31 | 4.3 | CVE-2025-62148 | https://vdp.patchstack.com/database/wordpress/plugin/robotstxt-rewrite/vulnerability/wordpress-robots-txt-rewrite-plugin-1-6-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Themesawesome–History Timeline | Missing Authorization vulnerability in Themesawesome History Timeline allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects History Timeline: from n/a through 1.0.6. | 2025-12-31 | 4.3 | CVE-2025-62150 | https://vdp.patchstack.com/database/wordpress/plugin/timeline-awesome/vulnerability/wordpress-history-timeline-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| Recorp–AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One | Missing Authorization vulnerability in Recorp AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One: from n/a through 1.1.7. | 2025-12-31 | 4.3 | CVE-2025-62154 | https://vdp.patchstack.com/database/wordpress/plugin/ai-content-writing-assistant/vulnerability/wordpress-ai-content-writing-assistant-content-writer-chatgpt-image-generator-all-in-one-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve |
| Extend Themes–Vireo | Missing Authorization vulnerability in Extend Themes Vireo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vireo: from n/a through 1.0.24. | 2025-12-31 | 4.3 | CVE-2025-62751 | https://vdp.patchstack.com/database/wordpress/theme/vireo/vulnerability/wordpress-vireo-theme-1-0-24-broken-access-control-vulnerability?_s_id=cve |
| Alexander–AnyComment | Missing Authorization vulnerability in Alexander AnyComment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyComment: from n/a through 0.3.6. | 2025-12-31 | 4.3 | CVE-2025-62874 | https://vdp.patchstack.com/database/wordpress/plugin/anycomment/vulnerability/wordpress-anycomment-plugin-0-3-6-broken-access-control-vulnerability?_s_id=cve |
| Skynet Technologies USA LLC–All in One Accessibility | Missing Authorization vulnerability in Skynet Technologies USA LLC All in One Accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All in One Accessibility: from n/a through 1.14. | 2025-12-31 | 4.3 | CVE-2025-63004 | https://vdp.patchstack.com/database/wordpress/plugin/all-in-one-accessibility/vulnerability/wordpress-all-in-one-accessibility-plugin-1-14-broken-access-control-vulnerability?_s_id=cve |
| Serhii Pasyuk–Gmedia Photo Gallery | Cross-Site Request Forgery (CSRF) vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows Cross Site Request Forgery.This issue affects Gmedia Photo Gallery: from n/a through 1.24.1. | 2025-12-31 | 4.3 | CVE-2025-63014 | https://vdp.patchstack.com/database/wordpress/plugin/grand-media/vulnerability/wordpress-gmedia-photo-gallery-plugin-1-24-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Northern Beaches Websites–WP Custom Admin Interface | Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through 7.40. | 2025-12-31 | 4.3 | CVE-2025-63038 | https://vdp.patchstack.com/database/wordpress/plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-40-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal–Post Snippets | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Post Snippets allows Cross Site Request Forgery.This issue affects Post Snippets: from n/a through 4.0.11. | 2025-12-31 | 4.3 | CVE-2025-63040 | https://vdp.patchstack.com/database/wordpress/plugin/post-snippets/vulnerability/wordpress-post-snippets-plugin-4-0-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Crocoblock–JetPopup | Authorization Bypass Through User-Controlled Key vulnerability in Crocoblock JetPopup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetPopup: from n/a through 2.0.20.1. | 2025-12-29 | 4.3 | CVE-2025-68502 | https://vdp.patchstack.com/database/wordpress/plugin/jet-popup/vulnerability/wordpress-jetpopup-plugin-2-0-20-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| HETWORKS–WordPress Image shrinker | Server-Side Request Forgery (SSRF) vulnerability in HETWORKS WordPress Image shrinker allows Server Side Request Forgery.This issue affects WordPress Image shrinker: from n/a through 1.1.0. | 2025-12-29 | 4.9 | CVE-2025-68893 | https://vdp.patchstack.com/database/wordpress/plugin/wp-image-shrinker/vulnerability/wordpress-wordpress-image-shrinker-plugin-1-1-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ImageMagick–ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack overflow. This is a DoS vulnerability, and any situation that allows reading the mvg file will be affected. Version 7.1.2-12 fixes the issue. | 2025-12-30 | 4 | CVE-2025-68950 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j https://github.com/ImageMagick/ImageMagick/commit/204718c2211903949dcfc0df8e65ed066b008dec |
| HemmeligOrg–Hemmelig.app | Hemmelig is a messaging app with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses, but the check can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. Version 7.3.3 contains a patch for the issue. | 2025-12-29 | 4.3 | CVE-2025-69206 | https://github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5 https://github.com/HemmeligOrg/Hemmelig.app/commit/6c909e571d0797ee3bbd2c72e4eb767b57378228 |
| libsodium–libsodium | libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren’t in the main cryptographic group. | 2025-12-31 | 4.5 | CVE-2025-69277 | https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae https://00f.net/2025/12/30/libsodium-vulnerability/ https://news.ycombinator.com/item?id=46435614 https://ianix.com/pub/ed25519-deployment.html |
| makeplane–plane | Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, however, the `/api/workspaces/:slug/members/` endpoint is accessible to guests and lists the users of a workspace they have joined. Since the `display_name` in the response is actually the handle (local part) of the email address, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue. | 2026-01-02 | 4.3 | CVE-2025-69284 | https://github.com/makeplane/plane/security/advisories/GHSA-7qx6-6739-c7qr |
| code-projects–Content Management System | A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-01-02 | 4.7 | CVE-2026-0566 | VDB-339378 | code-projects Content Management System edit_posts.php unrestricted upload VDB-339378 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729228 | Code-projects Content Management System v1.0 Arbitrary file upload vulnerability https://github.com/Limingqian123/CVE/issues/13 https://code-projects.org/ |
| yeqifu–warehouse | A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehousesrcmainjavacomyeqifusyscommonAppFileUtils.java. The manipulation of the argument path results in path traversal. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | 2026-01-02 | 4.3 | CVE-2026-0571 | VDB-339385 | yeqifu warehouse AppFileUtils.java createResponseEntity path traversal VDB-339385 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729331 | yeqifu warehouse aaf29962ba407d22d991781de28796ee7b4670e4 Arbitrary File Read https://github.com/5i1encee/Vul/blob/main/Arbitrary%20File%20Read%20Vulnerability%20in%20Project%20yeqifu%20warehouse.md https://github.com/5i1encee/Vul/blob/main/Arbitrary%20File%20Read%20Vulnerability%20in%20Project%20yeqifu%20warehouse.md#poc |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| elinicksic–Razgover | A security vulnerability has been detected in elinicksic Razgover up to db37dfc5c82f023a40f2f7834ded6633fb2b5262. This affects an unknown part of the file Chattify/send.php of the component Chat Message Handler. Such manipulation of the argument msg leads to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is 995dd89d0e3ec5522966724be23a5d58ca1bdac3. Applying a patch is advised to resolve this issue. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-31 | 3.5 | CVE-2019-25262 | VDB-338649 | elinicksic Razgover Chat Message send.php cross site scripting VDB-338649 | CTI Indicators (IOB, IOC, TTP, IOA) https://github.com/elinicksic/Razgover/commit/995dd89d0e3ec5522966724be23a5d58ca1bdac3 |
| SohuTV–CacheCloud | A vulnerability was identified in SohuTV CacheCloud up to 3.2.0. This affects the function index of the file src/main/java/com/sohu/cache/web/controller/ServerController.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15171 | VDB-338556 | SohuTV CacheCloud ServerController.java index cross site scripting VDB-338556 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716304 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/367 https://github.com/sohutv/cachecloud/issues/367#issue-3733551662 |
| SohuTV–CacheCloud | A security flaw has been discovered in SohuTV CacheCloud up to 3.2.0. This impacts the function preview of the file src/main/java/com/sohu/cache/web/controller/RedisConfigTemplateController.java. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15172 | VDB-338557 | SohuTV CacheCloud RedisConfigTemplateController.java preview cross site scripting VDB-338557 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716306 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/368 https://github.com/sohutv/cachecloud/issues/368#issue-3733556724 |
| SohuTV–CacheCloud | A weakness has been identified in SohuTV CacheCloud up to 3.2.0. Affected is the function advancedAnalysis of the file src/main/java/com/sohu/cache/web/controller/InstanceController.java. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15173 | VDB-338558 | SohuTV CacheCloud InstanceController.java advancedAnalysis cross site scripting VDB-338558 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716307 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/369 https://github.com/sohutv/cachecloud/issues/369#issue-3733560985 |
| SohuTV–CacheCloud | A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this vulnerability is the function doAppAuditList of the file src/main/java/com/sohu/cache/web/controller/AppManageController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15174 | VDB-338559 | SohuTV CacheCloud AppManageController.java doAppAuditList cross site scripting VDB-338559 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716308 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/370 https://github.com/sohutv/cachecloud/issues/370#issue-3733566371 |
| SohuTV–CacheCloud | A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doAppList/appCommandAnalysis of the file src/main/java/com/sohu/cache/web/controller/AppController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15175 | VDB-338560 | SohuTV CacheCloud AppController.java appCommandAnalysis cross site scripting VDB-338560 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716309 | SohuTV CacheCloud <=3.2.0 Reflected XSS Submit #716322 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate) https://github.com/sohutv/cachecloud/issues/371 https://github.com/sohutv/cachecloud/issues/381 |
| n/a–GreenCMS | A vulnerability was found in GreenCMS up to 2.3. This affects an unknown part of the file /DataController.class.php of the component File Handler. Performing manipulation of the argument sqlFiles/zipFiles results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-29 | 3.8 | CVE-2025-15187 | VDB-338572 | GreenCMS File DataController.class.php path traversal VDB-338572 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721387 | https://github.com/GreenCMS/GreenCMS Greencms v2.3 Arbitrary File Removal Submit #724836 | https://github.com/GreenCMS/GreenCMS Greencms V2.3 Arbitrary File Removal (Duplicate) Submit #725143 | Greencms https://github.com/GreenCMS/GreenCMS V2.3 arbitrary file deletion (Duplicate) https://github.com/ueh1013/VULN/issues/4 https://github.com/ueh1013/VULN/issues/5 |
| SohuTV–CacheCloud | A flaw has been found in SohuTV CacheCloud up to 3.2.0. The impacted element is the function redirectNoPower of the file src/main/java/com/sohu/cache/web/controller/WebResourceController.java. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15201 | VDB-338588 | SohuTV CacheCloud WebResourceController.java redirectNoPower cross site scripting VDB-338588 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716312 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/373 |
| SohuTV–CacheCloud | A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doMachineList/doPodList of the file src/main/java/com/sohu/cache/web/controller/MachineManageController.java. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 3.5 | CVE-2025-15219 | VDB-338604 | SohuTV CacheCloud MachineManageController.java doPodList cross site scripting VDB-338604 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716318 | SohuTV CacheCloud <=3.2.0 Reflected XSS Submit #716319 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate) https://github.com/sohutv/cachecloud/issues/377 https://github.com/sohutv/cachecloud/issues/378 |
| SohuTV–CacheCloud | A flaw has been found in SohuTV CacheCloud up to 3.2.0. This vulnerability affects the function index of the file src/main/java/com/sohu/cache/web/controller/AppDataMigrateController.java. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 3.5 | CVE-2025-15221 | VDB-338606 | SohuTV CacheCloud AppDataMigrateController.java index cross site scripting VDB-338606 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716321 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/380 |
| CloudPanel–Community Edition | A security vulnerability has been detected in CloudPanel Community Edition up to 2.5.1. The affected element is an unknown function of the file /admin/users of the component HTTP Header Handler. Such manipulation of the argument Referer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.5.2 is sufficient to fix this issue. Upgrading the affected component is recommended. | 2025-12-30 | 3.5 | CVE-2025-15241 | VDB-338631 | CloudPanel Community Edition HTTP Header users redirect VDB-338631 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725543 | CloudPanel CloudPanel Community Edition 2.5.1 URL Redirection to Untrusted Site (‘Open Redirect’) https://github.com/Stolichnayer/cloudpanel-open-redirect https://github.com/Stolichnayer/cloudpanel-open-redirect?tab=readme-ov-file#%EF%B8%8F-steps-to-reproduce https://github.com/cloudpanel-io/cloudpanel-ce/releases/tag/v2.5.2 |
| n/a–PHPEMS | A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit is now public and may be used. | 2025-12-30 | 3.1 | CVE-2025-15242 | VDB-338632 | PHPEMS Coupon race condition VDB-338632 | CTI Indicators (IOB, IOC) Submit #725661 | PHPEMS <=11.0 Race Condition https://byebydoggy.github.io/post/2025/1229-phpems-coupon-recharge-race-condition-poc/ |
| n/a–PHPEMS | A vulnerability has been found in PHPEMS up to 11.0. This impacts an unknown function of the component Purchase Request Handler. The manipulation leads to race condition. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 3.7 | CVE-2025-15244 | VDB-338634 | PHPEMS Purchase Request race condition VDB-338634 | CTI Indicators (IOB, IOC) Submit #725727 | PHPEMS <=11.0 Race Condition https://byebydoggy.github.io/post/2025/1229-phpems-points-race-condition-poc/ |
| D-Link–DCS-850L | A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-30 | 3.5 | CVE-2025-15245 | VDB-338635 | D-Link DCS-850L Firmware Update Service uploadfirmware path traversal VDB-338635 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725742 | D-Link DCS850L v1.02.09 Absolute Path Traversal https://tzh00203.notion.site/D-Link-DCS850L-v1-02-09-Path-Traversal-Vulnerability-in-Firmware-Update-2d8b5c52018a803abbc7e30e2858d084?source=copy_link https://www.dlink.com/ |
| sunhailin12315–product-review | A security flaw has been discovered in sunhailin12315 product-review 商品评价系统 up to 91ead6890b4065bb45b7602d0d73348e75cb4639. This affects an unknown part of the component Write a Review. Performing manipulation of the argument content results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. This product adopts a rolling release strategy to maintain continuous delivery. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 3.5 | CVE-2025-15248 | VDB-338638 | sunhailin12315 product-review 商品评价系统 Write a Review cross site scripting VDB-338638 | CTI Indicators (IOB, IOC, TTP, IOA) https://gitee.com/sunhailin12315/product-review/issues/ICK775 |
| zhujunliang3–work_platform | A weakness has been identified in zhujunliang3 work_platform up to 6bc5a50bb527ce27f7906d11ea6ec139beb79c31. This vulnerability affects unknown code of the component Content Handler. Executing manipulation can lead to cross site scripting. The attack may be performed from remote. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 3.5 | CVE-2025-15249 | VDB-338639 | zhujunliang3 work_platform Content cross site scripting VDB-338639 | CTI Indicators (IOB, IOC, TTP) https://gitee.com/zhujunliang3/work_platform/issues/ICLUJ2 |
| Edimax–BR-6208AC | A weakness has been identified in Edimax BR-6208AC 1.02/1.03. Affected by this issue is the function formALGSetup of the file /goform/formALGSetup of the component Web-based Configuration Interface. This manipulation of the argument wlan-url causes open redirect. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. Edimax confirms this issue: “The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security.” This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-30 | 3.5 | CVE-2025-15258 | VDB-338648 | Edimax BR-6208AC Web-based Configuration formALGSetup redirect VDB-338648 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722446 | Edimax BR-6208AC V2_1.02 Open Redirect https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Open-Redirect-Vulnerability-in-Web-formALGSetup-handler-2d3b5c52018a80188e9ae30d3cc8c3d1?source=copy_link |
| n/a–EyouCMS | A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor is “[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8”. | 2025-12-31 | 3.5 | CVE-2025-15374 | VDB-339082 | EyouCMS Ask Module Ask.php cross site scripting VDB-339082 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #718480 | EyouCMS 1.7.7 Cross Site Scripting https://note-hxlab.wetolink.com/share/LNickWiRaFiF https://note-hxlab.wetolink.com/share/LNickWiRaFiF#-span–strong-proof-of-concept—strong—span- |
| Uasoft–badaso | A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 3.7 | CVE-2025-15398 | VDB-339207 | Uasoft badaso Token BadasoAuthController.php forgetPassword password recovery VDB-339207 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #720129 | badaso 2.9.7 Cryptographically Weak PRNG https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq#-span–strong-step-1–trigger-password-reset-for-victim–strong—span- |
| n/a–Open5GS | A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue. | 2026-01-01 | 3.3 | CVE-2025-15417 | VDB-339339 | Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service VDB-339339 | CTI Indicators (IOB, IOC, IOA) Submit #727616 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4203 https://github.com/open5gs/open5gs/issues/4203#issuecomment-3681643498 https://github.com/open5gs/open5gs/issues/4203#issue-3719257558 https://github.com/open5gs/open5gs/commit/465273d13ba5d47b274c38c9d1b07f04859178a1 |
| n/a–Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch. | 2026-01-01 | 3.3 | CVE-2025-15418 | VDB-339340 | Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service VDB-339340 | CTI Indicators (IOB, IOC, IOA) Submit #728043 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4217 https://github.com/open5gs/open5gs/issues/4217#issuecomment-3690767105 https://github.com/open5gs/open5gs/issues/4217#issue-3759615968 https://github.com/open5gs/open5gs/commit/4e913d21f2c032b187815f063dbab5ebe65fe83a |
| n/a–Open5GS | A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue. | 2026-01-02 | 3.3 | CVE-2025-15419 | VDB-339341 | Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service VDB-339341 | CTI Indicators (IOB, IOC, IOA) Submit #728044 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4224 https://github.com/open5gs/open5gs/issues/4224#issuecomment-3698521008 https://github.com/open5gs/open5gs/issues/4224#issue-3766767406 https://github.com/open5gs/open5gs/commit/5aaa09907e7b9e0a326265a5f08d56f54280b5f2 |
| n/a–LigeroSmart | A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 6.1.26 and 6.3 is able to mitigate this issue. The patch is named 264ac5b2be5b3c673ebd8cb862e673f5d300d9a7. The affected component should be upgraded. | 2026-01-02 | 3.5 | CVE-2025-15437 | VDB-339364 | LigeroSmart Environment Variable cross site scripting VDB-339364 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729021 | LigeroSmart 6.1.24 Cross Site Scripting https://github.com/LigeroSmart/ligerosmart/issues/278 https://github.com/LigeroSmart/ligerosmart/issues/278#issuecomment-3675129508 https://github.com/LigeroSmart/ligerosmart/commit/264ac5b2be5b3c673ebd8cb862e673f5d300d9a7 https://github.com/LigeroSmart/ligerosmart/releases/tag/6.1.26 |
| KDE–messagelib | KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. | 2025-12-31 | 3.4 | CVE-2025-69412 | https://github.com/KDE/messagelib/compare/v25.11.80…v25.11.90 https://github.com/KDE/messagelib/commit/01adef0482bb3d5c817433db5208620c84a992b3 https://developers.google.com/safe-browsing/v4 https://developers.google.com/safe-browsing/v4/lookup-api |
| Campcodes–Complete Online Beauty Parlor Management System | A vulnerability was determined in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/search-invoices.php. Executing manipulation of the argument searchdata can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-29 | 2.4 | CVE-2025-15188 | VDB-338573 | Campcodes Complete Online Beauty Parlor Management System search-invoices.php cross site scripting VDB-338573 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721868 | campcodes Complete Online Beauty Parlor Management System V1.0 Cross Site Scripting https://github.com/BUPT2025201/CVE/issues/1 https://www.campcodes.com/ |
| SohuTV–CacheCloud | A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. The affected element is the function getExceptionStatisticsByClient/getCommandStatisticsByClient/doIndex of the file src/main/java/com/sohu/cache/web/controller/AppClientDataShowController.java. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 2.4 | CVE-2025-15200 | VDB-338587 | SohuTV CacheCloud AppClientDataShowController.java doIndex cross site scripting VDB-338587 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716311 | SohuTV CacheCloud <=3.2.0 Reflected XSS Submit #716323 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate) Submit #716324 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate) https://github.com/sohutv/cachecloud/issues/372 https://github.com/sohutv/cachecloud/issues/382 |
| SohuTV–CacheCloud | A vulnerability has been found in SohuTV CacheCloud up to 3.2.0. This affects the function taskQueueList of the file src/main/java/com/sohu/cache/web/controller/TaskController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 2.4 | CVE-2025-15202 | VDB-338589 | SohuTV CacheCloud TaskController.java taskQueueList cross site scripting VDB-338589 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716313 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/374 |
| SohuTV–CacheCloud | A vulnerability was found in SohuTV CacheCloud up to 3.2.0. This impacts the function index of the file src/main/java/com/sohu/cache/web/controller/ResourceController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 2.4 | CVE-2025-15203 | VDB-338590 | SohuTV CacheCloud ResourceController.java index cross site scripting VDB-338590 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716314 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/375 |
| SohuTV–CacheCloud | A vulnerability was determined in SohuTV CacheCloud up to 3.2.0. Affected is the function doQuartzList of the file src/main/java/com/sohu/cache/web/controller/QuartzManageController.java. Executing manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 2.4 | CVE-2025-15204 | VDB-338591 | SohuTV CacheCloud QuartzManageController.java doQuartzList cross site scripting VDB-338591 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716315 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/376 |
| Campcodes–Park Ticketing System | A vulnerability was found in Campcodes Park Ticketing System 1.0. The impacted element is the function save_pricing of the file admin_class.php. The manipulation of the argument name/ride results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used. | 2025-12-30 | 2.4 | CVE-2025-15214 | VDB-338599 | Campcodes Park Ticketing System admin_class.php save_pricing cross site scripting VDB-338599 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725104 | Campcodes Park Ticketing System v1.0 XSS Submit #728898 | campcodes Park Ticketing System V1.0 Cross Site Scripting (Duplicate) https://github.com/dobkill/CVE/issues/2 https://www.campcodes.com/ |
| youlaitech–vue3-element-admin | A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 2.4 | CVE-2025-15372 | VDB-339080 | youlaitech vue3-element-admin Notice index.vue cross site scripting VDB-339080 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #718345 | youlaitech vue3-element-admin <=v3.4.0 XSS https://github.com/AnalogyC0de/public_exp/blob/main/archives/vue3-element-admin/report.md https://github.com/AnalogyC0de/public_exp/blob/main/archives/vue3-element-admin/report.md#proof-of-concept |
| xnx3–wangmarket | A vulnerability was found in xnx3 wangmarket up to 6.4. This affects an unknown function of the file /siteVar/save.do of the component Add Global Variable Handler. The manipulation of the argument Remark/Variable Value results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-01 | 2.4 | CVE-2025-15416 | VDB-339337 | xnx3 wangmarket Add Global Variable save.do cross site scripting VDB-339337 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721080 | xnx3 https://github.com/xnx3/wangmarket <=v6.4 Cross Site Scripting https://github.com/yuccun/CVE/blob/main/wangmarket-Stored_Cross-Site_Scripting.md |
| The Tcpdump Group–libpcap | pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer. | 2025-12-31 | 1.9 | CVE-2025-11961 | https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02 |
| The Tcpdump Group–libpcap | On Windows only, if libpcap needs to convert a Windows error message to UTF-8 and the message includes characters that UTF-8 represents using 4 bytes, utf_16le_to_utf_8_truncated() can write data beyond the end of the provided buffer. | 2025-12-31 | 1.9 | CVE-2025-11964 | https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69 |
Severity Not Yet Assigned
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Gargoyle–Gargoyle Router Management Utility | Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the ‘commands’ parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands. | 2025-12-31 | not yet calculated | CVE-2015-10145 | https://packetstorm.news/files/id/132149 https://www.gargoyle-router.com/ https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/ https://www.vulncheck.com/advisories/gargoyle-authenticated-os-command-execution-via-run-commands-sh |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mei: fix potential NULL-ptr deref after clone If cloning the SKB fails, don’t try to use it, but rather return as if we should pass it. Coverity CID: 1503456 | 2025-12-30 | not yet calculated | CVE-2022-50784 | https://git.kernel.org/stable/c/8b8e25073f3dab93554ee3d5b264f7c013ebd92a https://git.kernel.org/stable/c/0183b7c49cfdda91284505cbcdc7feecde48cbb9 https://git.kernel.org/stable/c/d3df49dda431f7ae4132a9a0ac25a5134c04e812 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fsi: occ: Prevent use after free Use get_device and put_device in the open and close functions to make sure the device doesn’t get freed while a file descriptor is open. Also, lock around the freeing of the device buffer and check the buffer before using it in the submit function. | 2025-12-30 | not yet calculated | CVE-2022-50785 | https://git.kernel.org/stable/c/1d5ad0a874ddfcee9f932f54b1d34cbe8b9ddcfe https://git.kernel.org/stable/c/3593e8efc9f0dac6be70bd5c964eadaa86bf2713 https://git.kernel.org/stable/c/d3e1e24604031b0d83b6c2d38f54eeea265cfcc0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: s5p-mfc: Clear workbit to handle error condition During error on CLOSE_INSTANCE command, ctx_work_bits was not getting cleared. During consequent mfc execution NULL pointer dereferencing of this context led to kernel panic. This patch fixes this issue by making sure to clear ctx_work_bits always. | 2025-12-30 | not yet calculated | CVE-2022-50786 | https://git.kernel.org/stable/c/12242bd13ce68acd571b2cce6ab302e154e8a4ee https://git.kernel.org/stable/c/640075400c7c577b0f5369b935e22a588773fafa https://git.kernel.org/stable/c/8ff64edf9d16e8c277dcc8189794763624e6b4b8 https://git.kernel.org/stable/c/ff27800c0a6d81571671b33f696109804d015409 https://git.kernel.org/stable/c/09c1fbbe532758e4046c20829f4c0c50b99332dc https://git.kernel.org/stable/c/bd1b72f0c39a0d791a087b4e643701a48328ba8e https://git.kernel.org/stable/c/d3f3c2fe54e30b0636496d842ffbb5ad3a547f9b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xhci: dbc: Fix memory leak in xhci_alloc_dbc() If DbC is already in use, then the allocated memory for the xhci_dbc struct doesn’t get freed before returning NULL, which leads to a memleak. | 2025-12-30 | not yet calculated | CVE-2022-50809 | https://git.kernel.org/stable/c/103b459590e1eb4d80b02761eb36c7cae1d9b58e https://git.kernel.org/stable/c/116d6a6964986ea7eb516daa36128d270f1f248d https://git.kernel.org/stable/c/69e67c804d09a6b1bcda1f4f242f151f813eeb4a https://git.kernel.org/stable/c/d591b32e519603524a35b172156db71df9116902 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rapidio: devices: fix missing put_device in mport_cdev_open When kfifo_alloc fails, the refcount of chdev->dev is left incremental. We should use put_device(&chdev->dev) to decrease the ref count of chdev->dev to avoid refcount leak. | 2025-12-30 | not yet calculated | CVE-2022-50810 | https://git.kernel.org/stable/c/6e4540e0970030e140998ce8847f5f0171b5afa1 https://git.kernel.org/stable/c/ae57222402bea455e60cc51d2f52ce73b63b7af8 https://git.kernel.org/stable/c/dfee9fe93dd34cd9d49520718f6ec2072de25e48 https://git.kernel.org/stable/c/bb7397f6312d2cbf05e415676ed5b1655cb82a34 https://git.kernel.org/stable/c/53915ecc43c5139d6cdd1caa4fdc9290b9597008 https://git.kernel.org/stable/c/a0d93aac54ce07a7cc71e90645d0cdabbda50450 https://git.kernel.org/stable/c/162433a96079bfa5ec748c486b4570f138d04fb5 https://git.kernel.org/stable/c/b596242585984b5f3085aa8f7a82c65640b384b6 https://git.kernel.org/stable/c/d5b6e6eba3af11cb2a2791fa36a2524990fcde1a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails Otherwise, meta buffers could be leaked. | 2025-12-30 | not yet calculated | CVE-2022-50811 | https://git.kernel.org/stable/c/091a8ca572a2e48554427feda78aa503e98c1028 https://git.kernel.org/stable/c/373b6f350aecf5dca2e7474f0b4ec8cca659f2f0 https://git.kernel.org/stable/c/d5d188b8f8b38d3d71dd05993874b4fc9284ce95 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6 A bad bug in clang’s implementation of -fzero-call-used-regs can result in NULL pointer dereferences (see the links above the check for more information). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a supported GCC version or a clang newer than 15.0.6, which will catch both a theoretical 15.0.7 and the upcoming 16.0.0, which will both have the bug fixed. | 2025-12-30 | not yet calculated | CVE-2022-50812 | https://git.kernel.org/stable/c/8a4236456a3a402f6bb92aa7b75e7a3b4ef7a72c https://git.kernel.org/stable/c/0b202dfedb5aa2e7d07d849be33fa3a48c026926 https://git.kernel.org/stable/c/21ca0bfa11bbb9a9207f5d2104f47d3d71b4616e https://git.kernel.org/stable/c/d6a9fb87e9d18f3394a9845546bbe868efdccfd2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drivers: mcb: fix resource leak in mcb_probe() When probe hook function failed in mcb_probe(), it doesn’t put the device. Compiled test only. | 2025-12-30 | not yet calculated | CVE-2022-50813 | https://git.kernel.org/stable/c/531ac7b911a962b3b29565dad6ea6b5c3fad3317 https://git.kernel.org/stable/c/6f3467aa5712e6b5550e75a16454b3f17aa1f380 https://git.kernel.org/stable/c/e420ca85bf42a684ea729c505c07de6709500ed2 https://git.kernel.org/stable/c/68e54d9ee8222d7805a0b9d3e1c37b8cf3be536a https://git.kernel.org/stable/c/0d1c2c8db28919c4351000d7c1692f1767bdc4f7 https://git.kernel.org/stable/c/f3686e5e8de0a03c8e70e3ee0ce3078fed612909 https://git.kernel.org/stable/c/0a23dda78946f604ff752fe223c3c1f4fa6dd7b4 https://git.kernel.org/stable/c/0468a585710bbb807a1b9c31df54bcf564d28b2b https://git.kernel.org/stable/c/d7237462561fcd224fa687c56ccb68629f50fc0d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr KASAN reported this Bug: [17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60 [17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958 … [17619.698934] The buggy address belongs to the variable: [17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip] There is a mismatch in hisi_zip when get/set the variable sgl_sge_nr. The type of sgl_sge_nr is u16, and get/set sgl_sge_nr by param_get/set_int. Replacing param_get/set_int to param_get/set_ushort can fix this bug. | 2025-12-30 | not yet calculated | CVE-2022-50814 | https://git.kernel.org/stable/c/d88b88514ef28515ccfa1f1787c2aedef75a79dd https://git.kernel.org/stable/c/272093471305261c4e07a2fc97c2d1e53cd56819 https://git.kernel.org/stable/c/f8a983d6e01b198320d310cb1326364d7d973b2a https://git.kernel.org/stable/c/5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15 https://git.kernel.org/stable/c/d74f9340097a881869c4c22ca376654cc2516ecc |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext2: Add sanity checks for group and filesystem size Add sanity check that filesystem size does not exceed the underlying device size and that group size is big enough so that metadata can fit into it. This avoids trying to mount some crafted filesystems with extremely large group counts. | 2025-12-30 | not yet calculated | CVE-2022-50815 | https://git.kernel.org/stable/c/40ff52527daec00cf1530c17a95636916ddd3b38 https://git.kernel.org/stable/c/321440079763998076b75e0c802524e2218a7d97 https://git.kernel.org/stable/c/d766f2d1e3e3bd44024a7f971ffcf8b8fbb7c5d2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: ensure sane device mtu in tunnels Another syzbot report [1] with no reproducer hints at a bug in ip6_gre tunnel (dev:ip6gretap0) Since ipv6 mcast code makes sure to read dev->mtu once and applies a sanity check on it (see commit b9b312a7a451 “ipv6: mcast: better catch silly mtu values”), a remaining possibility is that a layer is able to set dev->mtu to an underflowed value (high order bit set). This could happen indeed in ip6gre_tnl_link_config_route(), ip6_tnl_link_config() and ipip6_tunnel_bind_dev() Make sure to sanitize mtu value in a local variable before it is written once on dev->mtu, as lockless readers could catch wrong temporary value. [1] skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:120 Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022 Workqueue: mld mld_ifc_work pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116 lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116 sp : ffff800020dd3b60 x29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800 x26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200 x23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38 x20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9 x17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80 x14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80 x11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00 x8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000 x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000 x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089 Call trace: skb_panic+0x4c/0x50 net/core/skbuff.c:116 skb_over_panic net/core/skbuff.c:125 [inline] skb_put+0xd4/0xdc net/core/skbuff.c:2049 ip6_mc_hdr net/ipv6/mcast.c:1714 [inline] mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765 add_grhead net/ipv6/mcast.c:1851 [inline] add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989 mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115 mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289 worker_thread+0x340/0x610 kernel/workqueue.c:2436 kthread+0x12c/0x158 kernel/kthread.c:376 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000) | 2025-12-30 | not yet calculated | CVE-2022-50816 | https://git.kernel.org/stable/c/2bab6fa449d16af36d9c9518865f783a15f446c7 https://git.kernel.org/stable/c/78297d513157a31fd629626fe4cbb85a7dcbb94a https://git.kernel.org/stable/c/af51fc23a03f02b0c6df09ab0d60f23794436052 https://git.kernel.org/stable/c/44affe7ede596f078c4f2f41e0d160266ccda818 https://git.kernel.org/stable/c/ad3f1d9bf162c487d23df684852597961b745cae https://git.kernel.org/stable/c/ccd94bd4939690e24d13e23814bce7ed853a09f3 https://git.kernel.org/stable/c/d89d7ff01235f218dad37de84457717f699dee79 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: hsr: avoid possible NULL deref in skb_clone() syzbot got a crash [1] in skb_clone(), caused by a bug in hsr_get_untagged_frame(). When/if create_stripped_skb_hsr() returns NULL, we must not attempt to call skb_clone(). While we are at it, replace a WARN_ONCE() by netdev_warn_once(). [1] general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641 Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00 RSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000 RDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000 RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140 R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640 R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620 FS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164 hsr_forward_do net/hsr/hsr_forward.c:461 [inline] hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623 hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69 __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379 __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599 netif_receive_skb_internal net/core/dev.c:5685 [inline] netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744 tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544 tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995 tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025 call_write_iter include/linux/fs.h:2187 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x9e9/0xdd0 fs/read_write.c:584 ksys_write+0x127/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd | 2025-12-30 | not yet calculated | CVE-2022-50817 | https://git.kernel.org/stable/c/ff7ba766758313129794f150bbc4d351b5e17a53 https://git.kernel.org/stable/c/35ece858660eae13ee0242496a1956c39d29418e https://git.kernel.org/stable/c/c46f2e0fcd1ecfc6046e5cf785ff89f0572f94e4 https://git.kernel.org/stable/c/d8b57135fd9ffe9a5b445350a686442a531c5339 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix running_req for internal abort commands Disabling the remote phy for a SATA disk causes a hang: root@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols sata root@(none)$ echo 0 > sys/class/sas_phy/phy-0:0:8/enable root@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed [ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache [ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK [ 67.935094] sd 0:0:2:0: [sdc] Stopping disk [ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK … [ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds. [ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218 [ 124.012049] “echo 0 > /proc/sys/kernel/hung_task_timeout_secs” disables this message. [ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008 [ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker [ 124.034319] Call trace: [ 124.036758] __switch_to+0x128/0x278 [ 124.040333] __schedule+0x434/0xa58 [ 124.043820] schedule+0x94/0x138 [ 124.047045] schedule_timeout+0x2fc/0x368 [ 124.051052] wait_for_completion+0xdc/0x200 [ 124.055234] __flush_workqueue+0x1a8/0x708 [ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0 [ 124.063858] sas_port_event_worker+0x60/0x98 [ 124.068126] process_one_work+0x3f8/0x660 [ 124.072134] worker_thread+0x70/0x700 [ 124.075793] kthread+0x1a4/0x1b8 [ 124.079014] ret_from_fork+0x10/0x20 The issue is that the per-device running_req read in pm8001_dev_gone_notify() never goes to zero and we never make progress. This is caused by missing accounting for running_req for when an internal abort command completes. In commit 2cbbf489778e (“scsi: pm8001: Use libsas internal abort support”) we started to send internal abort commands as a proper sas_task. In this when we deliver a sas_task to HW the per-device running_req is incremented in pm8001_queue_command(). However it is never decremented for internal abort commands, so decrement in pm8001_mpi_task_abort_resp(). | 2025-12-30 | not yet calculated | CVE-2022-50818 | https://git.kernel.org/stable/c/4e750e0d8e486569fcb7f4ba6f6471673ce7d8a2 https://git.kernel.org/stable/c/a62b9fc9775fbc8e666bb328f6e53c168054d6fe https://git.kernel.org/stable/c/d8c22c4697c11ed28062afe3c2b377025be11a23 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: udmabuf: Set ubuf->sg = NULL if the creation of sg table fails When userspace tries to map the dmabuf and if for some reason (e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be set to NULL. Otherwise, when the userspace subsequently closes the dmabuf fd, we’d try to erroneously free the invalid sg table from release_udmabuf resulting in the following crash reported by syzbot: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline] RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline] RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c 8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2 RSP: 0018:ffffc900037efd30 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000 RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000 R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000 FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78 __dentry_kill+0x42b/0x640 fs/dcache.c:612 dentry_kill fs/dcache.c:733 [inline] dput+0x806/0xdb0 fs/dcache.c:913 __fput+0x39c/0x9d0 fs/file_table.c:333 task_work_run+0xdd/0x1a0 kernel/task_work.c:177 ptrace_notify+0x114/0x140 kernel/signal.c:2353 ptrace_report_syscall include/linux/ptrace.h:420 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline] syscall_exit_work kernel/entry/common.c:249 [inline] syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276 __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline] syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fc1c0c35b6b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006 RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline] RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline] RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 | 2025-12-30 | not yet calculated | CVE-2022-50819 | https://git.kernel.org/stable/c/bbe2f6f90310b3a0b5de4e0dc022b36faabfd718 https://git.kernel.org/stable/c/dfbed8c92eb853929f4fa676ba493391dab47be4 https://git.kernel.org/stable/c/fc285549f454c0f50f87ec945fc0bf44719c0fa4 https://git.kernel.org/stable/c/9861e43f097a50678041f973347b3a88f2da09cf https://git.kernel.org/stable/c/d9c04a1b7a15b5e74b2977461d9511e497f05d8f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: perf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init() dmc620_pmu_init() won’t remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() failed. Remove the callback by cpuhp_remove_multi_state() in fail path. Similar to the handling of arm_ccn_init() in commit 26242b330093 (“bus: arm-ccn: Prevent hotplug callback leak”) | 2025-12-30 | not yet calculated | CVE-2022-50820 | https://git.kernel.org/stable/c/b99fbe8d949a99fe456f08c7aad421327685aa50 https://git.kernel.org/stable/c/af170afa97e50d4169cfaa7ff4ec5d3841182641 https://git.kernel.org/stable/c/adf7c3bbcc819db6e95b6a61c9822230f0ef4778 https://git.kernel.org/stable/c/d9f564c966e63925aac4ba273a9319d7fb6f4b4e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Don’t leak netobj memory when gss_read_proxy_verf() fails | 2025-12-30 | not yet calculated | CVE-2022-50821 | https://git.kernel.org/stable/c/76f2497a2faa6a4e91efb94a7f55705b403273fd https://git.kernel.org/stable/c/aa91afe597401b78baa7d751c71eedb92c80bd4d https://git.kernel.org/stable/c/2cd6026e257362f030c8be57abaf7fc0049df60a https://git.kernel.org/stable/c/d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6 https://git.kernel.org/stable/c/67eb848161c2799f2007968ea3bc87adb15c9567 https://git.kernel.org/stable/c/c9ded831e2552b9c3cab7e2591a190e94f9d29c0 https://git.kernel.org/stable/c/da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/restrack: Release MR restrack when delete The MR restrack also needs to be released when deleting it, otherwise it causes a memory leak as the task struct won’t be released. | 2025-12-30 | not yet calculated | CVE-2022-50822 | https://git.kernel.org/stable/c/13586753ae55146269a6dc8b216f17d86b81560c https://git.kernel.org/stable/c/37c90753079fc95d93cc31b79796dd2ae57ad018 https://git.kernel.org/stable/c/8731cb5c7820bef577bab4ff17691fbf61c671cb https://git.kernel.org/stable/c/dac153f2802db1ad46207283cb9b2aae3d707a45 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: clk: tegra: Fix refcount leak in tegra114_clock_init of_find_matching_node() returns a node pointer with refcount incremented; we should use of_node_put() on it when it is no longer needed. Add missing of_node_put() to avoid refcount leak. | 2025-12-30 | not yet calculated | CVE-2022-50823 | https://git.kernel.org/stable/c/1f0e1cbbaffd729560716e9592aa5e609ea93bb6 https://git.kernel.org/stable/c/ce699dcdac2bfdb6b238f2517ba41d9623b15f46 https://git.kernel.org/stable/c/8cc87a9c142ae0e276a3ff9ce50f78a1668da36f https://git.kernel.org/stable/c/5984b1d66126b024ee77482602ac6e51b53f4116 https://git.kernel.org/stable/c/c01bfd23cc13a420b3f6a36bcab98410f49d480d https://git.kernel.org/stable/c/e7a57fb92af52c4da69cd947752e8946e5ada50a https://git.kernel.org/stable/c/8e1fe30253930c6a67385c19802c5ab8706a76d9 https://git.kernel.org/stable/c/a7d3fb5814c73d7d49913e4294f8f508a3038bb4 https://git.kernel.org/stable/c/db16a80c76ea395766913082b1e3f939dde29b2c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak In check_acpi_tpm2(), we get the TPM2 table just to make sure the table is there, not used after the init, so the acpi_put_table() should be added to release the ACPI memory. | 2025-12-30 | not yet calculated | CVE-2022-50824 | https://git.kernel.org/stable/c/8bc6c10d3f389693410adb14b4e9deec01ff6334 https://git.kernel.org/stable/c/de667a2704ae799f697fd45cf4317623d8c79fb7 https://git.kernel.org/stable/c/e027f3b9fabd2b410a4e6a7651e7a45b87019f23 https://git.kernel.org/stable/c/3b6c822238da9ee8984803355601bcc603d49cb5 https://git.kernel.org/stable/c/43135fb098126ef2cd6ed584900fd7bfa25f95ce https://git.kernel.org/stable/c/e0d1cf8ef84bb14a673215699fb8acc187aa2c4a https://git.kernel.org/stable/c/e60fa800a32a693d672b1a091424d780278c4587 https://git.kernel.org/stable/c/db9622f762104459ff87ecdf885cc42c18053fd9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: wusb3801: fix fwnode refcount leak in wusb3801_probe() I got the following report while doing fault injection test: OF: ERROR: memory leak, expected refcount 1 instead of 4, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/tcpc@60/connector If wusb3801_hw_init() fails, fwnode_handle_put() needs to be called to avoid a refcount leak. | 2025-12-30 | not yet calculated | CVE-2022-50825 | https://git.kernel.org/stable/c/de1e2eb7f102e3073714396414592a39efb66b3e https://git.kernel.org/stable/c/82d1211f673bbdc822eaf1dbcbf1f2ae06556964 https://git.kernel.org/stable/c/dc18a4c7b3bd447cef2395deeb1f6ac16dfaca0e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection() Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() with a subdev state of NULL leads to a NULL pointer dereference. This can currently happen in imgu_subdev_set_selection() when the state passed in is NULL, as this method first gets pointers to both the “try” and “active” states and only then decides which to use. The same issue has been addressed for imgu_subdev_get_selection() with commit 30d03a0de650 (“ipu3-imgu: Fix NULL pointer dereference in active selection access”). However the issue still persists in imgu_subdev_set_selection(). Therefore, apply a similar fix as done in the aforementioned commit to imgu_subdev_set_selection(). To keep things a bit cleaner, introduce helper functions for “crop” and “compose” access and use them in both imgu_subdev_set_selection() and imgu_subdev_get_selection(). | 2025-12-30 | not yet calculated | CVE-2022-50826 | https://git.kernel.org/stable/c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3 https://git.kernel.org/stable/c/611d617bdb6c5d636a9861ec1c98e813fc8a5556 https://git.kernel.org/stable/c/5038ee677606106c91564f9c4557d808d14bad70 https://git.kernel.org/stable/c/dc608edf7d45ba0c2ad14c06eccd66474fec7847 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix memory leak in lpfc_create_port() Commit 5e633302ace1 (“scsi: lpfc: vmid: Add support for VMID in mailbox command”) introduced allocations for the VMID resources in lpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the VMID allocations, the new code would branch to the ‘out’ label, which returns NULL without unwinding anything, thus skipping the call to scsi_host_put(). Fix the problem by creating a separate label ‘out_free_vmid’ to unwind the VMID resources and make the ‘out_put_shost’ label call only scsi_host_put(), as was done before the introduction of allocations for VMID. | 2025-12-30 | not yet calculated | CVE-2022-50827 | https://git.kernel.org/stable/c/9749595feb33a1a2b848800192224ffeed5346b4 https://git.kernel.org/stable/c/5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b https://git.kernel.org/stable/c/dc8e483f684a24cc06e1d5fa958b54db58855093 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: clk: zynqmp: Fix stack-out-of-bounds in strncpy` "BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68" Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is longer than 15 bytes, string terminated NULL character will not be received by Linux. Add explicit NULL character at last byte to fix issues when clock name is longer. This fixes below bug reported by KASAN: ================================================================== BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68 Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3 Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT) Call trace: dump_backtrace+0x0/0x1e8 show_stack+0x14/0x20 dump_stack+0xd4/0x108 print_address_description.isra.0+0xbc/0x37c __kasan_report+0x144/0x198 kasan_report+0xc/0x18 __asan_load1+0x5c/0x68 strncpy+0x30/0x68 zynqmp_clock_probe+0x238/0x7b8 platform_drv_probe+0x6c/0xc8 really_probe+0x14c/0x418 driver_probe_device+0x74/0x130 __device_attach_driver+0xc4/0xe8 bus_for_each_drv+0xec/0x150 __device_attach+0x160/0x1d8 device_initial_probe+0x10/0x18 bus_probe_device+0xe0/0xf0 device_add+0x528/0x950 of_device_add+0x5c/0x80 of_platform_device_create_pdata+0x120/0x168 of_platform_bus_create+0x244/0x4e0 of_platform_populate+0x50/0xe8 zynqmp_firmware_probe+0x370/0x3a8 platform_drv_probe+0x6c/0xc8 really_probe+0x14c/0x418 driver_probe_device+0x74/0x130 device_driver_attach+0x94/0xa0 __driver_attach+0x70/0x108 bus_for_each_dev+0xe4/0x158 driver_attach+0x30/0x40 bus_add_driver+0x21c/0x2b8 driver_register+0xbc/0x1d0 __platform_driver_register+0x7c/0x88 zynqmp_firmware_driver_init+0x1c/0x24 do_one_initcall+0xa4/0x234 kernel_init_freeable+0x1b0/0x24c kernel_init+0x10/0x110 ret_from_fork+0x10/0x18 The buggy address belongs to the page: page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff page dumped because: kasan: bad access detected addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame: zynqmp_clock_probe+0x0/0x7b8 this frame has 3 objects: [32, 44) 'response' [64, 80) 'ret_payload' [96, 112) 'name' Memory state around the buggy address: ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2 >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== | 2025-12-30 | not yet calculated | CVE-2022-50828 | https://git.kernel.org/stable/c/5dbfcf7b080306b65d9f756fadf46c9495793750 https://git.kernel.org/stable/c/d9e2585c3bcecb1c83febad31b9f450e93d2509e https://git.kernel.org/stable/c/0a07b13af04d0db7325018aaa83b5ffe864790c9 https://git.kernel.org/stable/c/d66fea97671fcb516bd6d34bcc033f650ac7ee91 https://git.kernel.org/stable/c/bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b https://git.kernel.org/stable/c/dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() It is possible that skb is freed in ath9k_htc_rx_msg(), then usb_submit_urb() fails and we try to free skb again. It causes use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed and there can be a memory leak. The patch removes unnecessary nskb and makes skb processing more clear: it is supposed that ath9k_htc_rx_msg() either frees old skb or passes its managing to another callback function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-12-30 | not yet calculated | CVE-2022-50829 | https://git.kernel.org/stable/c/5e8751a977a49a6e00cce1a8da5ca16da83f9c8c https://git.kernel.org/stable/c/f127c2b4c967025e5c3a4ce7e13b79135d46a33d https://git.kernel.org/stable/c/0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f https://git.kernel.org/stable/c/988bd27de2484faf17afe0408db2e3d9e5ac61fc https://git.kernel.org/stable/c/98d9172822dc6f38138333941984bd759a89d419 https://git.kernel.org/stable/c/355f16f756aad0c95cdaa0c14a34ab4137d32815 https://git.kernel.org/stable/c/53b9bb1a00c4285ee7f58a11129dbea015db61bc https://git.kernel.org/stable/c/71fc0ad671a62c494d2aec731baeabd3bfe6c95d https://git.kernel.org/stable/c/dd95f2239fc846795fc926787c3ae0ca701c9840 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: auxdisplay: hd44780: Fix potential memory leak in hd44780_remove() hd44780_probe() allocates a memory chunk for hd with kzalloc() and makes "lcd->drvdata->hd44780" point to it. When we call hd44780_remove(), we should release all relevant memory and resources. But "lcd->drvdata->hd44780" is not released, which will lead to a memory leak. We should release the "lcd->drvdata->hd44780" in hd44780_remove() to fix the memory leak bug. | 2025-12-30 | not yet calculated | CVE-2022-50830 | https://git.kernel.org/stable/c/8311961a1724bfc64390c539dedc31e067a80315 https://git.kernel.org/stable/c/6cd37f8232f5e169a723e1d5fbe3b2139c2ef763 https://git.kernel.org/stable/c/5d407911e605702ffcc0e97a6db546592ab27dd0 https://git.kernel.org/stable/c/ddf75a86aba2cfb7ec4497e8692b60c8c8fe0ee7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix potential memory leak in wilc_mac_xmit() The wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb, add dev_kfree_skb() to fix it. Compile tested only. | 2025-12-30 | not yet calculated | CVE-2022-50832 | https://git.kernel.org/stable/c/a12610e83789c838493034e5c50ac5c903ad8c0d https://git.kernel.org/stable/c/a1e94fb4d09d0fcfeaa73aa49d787f06c42db7ee https://git.kernel.org/stable/c/5706d00fde3f1d5eb7296a4dfefb6aea35108224 https://git.kernel.org/stable/c/07dcd756e28f27e4f8fcd8b809ffa05a5cc5de2b https://git.kernel.org/stable/c/baef42df7de7c35ba60b75a5f96d1eb039f4d782 https://git.kernel.org/stable/c/deb962ec9e1c9a81babd3d37542ad4bd6ac3396e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works syzbot is reporting an attempt to schedule hdev->cmd_work work from the system_wq WQ into the hdev->workqueue WQ which is under a draining operation [1], because commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such an operation. The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete. Use the hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect the queuing operation with the RCU read lock in order to avoid calling queue_delayed_work() after cancel_delayed_work() has completed. | 2025-12-30 | not yet calculated | CVE-2022-50833 | https://git.kernel.org/stable/c/c4635cf3d845a7324c25c52d549b70c8bd7ad4c7 https://git.kernel.org/stable/c/3c6b036fe5c8ed8b6c4cbdc03605929882907ef0 https://git.kernel.org/stable/c/deee93d13d385103205879a8a0915036ecd83261 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: Fix potential resource leaks nfc_get_device() takes a reference on the device; add the missing nfc_put_device() to release it when it is no longer needed. Also fix the style warning by using the error EOPNOTSUPP instead of ENOTSUPP. | 2025-12-30 | not yet calculated | CVE-2022-50834 | https://git.kernel.org/stable/c/277f0d0a9084e7454e5532c823a7a876a7b00af7 https://git.kernel.org/stable/c/d1d912e7f82d7216ba4e266048ec1d1f5ea93839 https://git.kernel.org/stable/c/d8e410315ad393b23520b5db0706be853589c548 https://git.kernel.org/stable/c/e0f5c962c066e769c187f037fedc883f8abd4e82 https://git.kernel.org/stable/c/b63bc2db244c1b57e36f16ea5f2a1becda413f68 https://git.kernel.org/stable/c/a743128fca394a43425020a4f287d3168d94d04f https://git.kernel.org/stable/c/b32f6bef248562bb5191ada527717ea50b319466 https://git.kernel.org/stable/c/df49908f3c52d211aea5e2a14a93bbe67a2cb3af |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: add miss release buffer head in fc_do_one_pass() In fc_do_one_pass(), the buffer head is not released after use, which will lead to a reference count leak. | 2025-12-30 | not yet calculated | CVE-2022-50835 | https://git.kernel.org/stable/c/e65506ff181fc176088f32117d69b9cb1ddda777 https://git.kernel.org/stable/c/56fcd0788f0d9243c1754bd6f80b8b327c4afeee https://git.kernel.org/stable/c/27c7bd35135d5ab38b9138ecf186ce54a96c98d9 https://git.kernel.org/stable/c/1f48116cbd3404898c9022892e114dd7cc3063c1 https://git.kernel.org/stable/c/dfff66f30f66b9524b661f311bbed8ff3d2ca49f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() The kfree() should be called when of_irq_get_byname() fails or devm_request_threaded_irq() fails in qcom_add_sysmon_subdev(), otherwise there will be a memory leak, so add kfree() to fix it. | 2025-12-30 | not yet calculated | CVE-2022-50836 | https://git.kernel.org/stable/c/27441fab2651cd909d8a5440ca079bc50245f427 https://git.kernel.org/stable/c/e4539eb5c0c342567183fe386d0699c8dab49490 https://git.kernel.org/stable/c/131c0a3ead78d45f0f39ddb42cf1bd9be26239b0 https://git.kernel.org/stable/c/1a62bebe0705556d37cfa8409ddc759b11d404f6 https://git.kernel.org/stable/c/ec97e9a5c2f25d2f9f9d7005e9ac67f23cc751cd https://git.kernel.org/stable/c/e01ce676aaef3b13d02343d7e70f9637d93a3367 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path If dsa_tag_8021q_setup() fails, for example due to the inability of the device to install a VLAN, the tag_8021q context of the switch will leak. Make sure it is freed on the error path. | 2025-12-30 | not yet calculated | CVE-2022-50837 | https://git.kernel.org/stable/c/09f30f394e832ed09859b6a80fdd20668a9104ff https://git.kernel.org/stable/c/39691d51af99f80efb9e365f94b8e0c791fa1a2f https://git.kernel.org/stable/c/14ed46a13aba42a6ddd85de6f6274090df3586a5 https://git.kernel.org/stable/c/e095493091e850d5292ad01d8fbf5cde1d89ac53 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: stream: purge sk_error_queue in sk_stream_kill_queues() Changheon Lee reported TCP socket leaks, with a nice repro. It seems we leak TCP sockets with the following sequence: 1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket. Each ACK will cook an skb put in error queue, from __skb_tstamp_tx(). __skb_tstamp_tx() is using skb_clone(), unless SOF_TIMESTAMPING_OPT_TSONLY was also requested. 2) If the application is also using MSG_ZEROCOPY, then we put in the error queue cloned skbs that had a struct ubuf_info attached to them. Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc() does a sock_hold(). As long as the cloned skbs are still in sk_error_queue, socket refcount is kept elevated. 3) Application closes the socket, while error queue is not empty. Since tcp_close() no longer purges the socket error queue, we might end up with a TCP socket with at least one skb in error queue keeping the socket alive forever. This bug can be (ab)used to consume all kernel memory and freeze the host. We need to purge the error queue, with proper synchronization against concurrent writers. | 2025-12-30 | not yet calculated | CVE-2022-50838 | https://git.kernel.org/stable/c/c8c1eec578a9ae2dc8f14a1846942a0b7bf29d1d https://git.kernel.org/stable/c/bab542cf56fc174c8447c00b73be99ffd66d2d39 https://git.kernel.org/stable/c/6f00bd0402a1e3d2d556afba57c045bd7931e4d3 https://git.kernel.org/stable/c/4f1d37ff4226eb99d6b69e9f4518e279e1a851bf https://git.kernel.org/stable/c/9062493811676ee0efe6c74d98f00ca38c4e17d4 https://git.kernel.org/stable/c/9da204cd67c4fe97e8aa465d10d5c2e7076f7f42 https://git.kernel.org/stable/c/8c330c36b3970d0917f48827fa6c7a9c75aa4602 https://git.kernel.org/stable/c/b458d349f8753f666233828ebd30df6f100cf7d5 https://git.kernel.org/stable/c/e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: fix potential buffer head reference count leak In 'jbd2_fc_wait_bufs', if the buffer isn't uptodate, it will return -EIO without updating 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer heads starting from 'j_fc_off - 1', and if 'bh' is NULL it will terminate the release, which will lead to a buffer head reference count leak. To solve the above issue, update 'journal->j_fc_off' before returning -EIO. | 2025-12-30 | not yet calculated | CVE-2022-50839 | https://git.kernel.org/stable/c/7a33dde572fceb45d02d188e0213c47059401c93 https://git.kernel.org/stable/c/e7385c868ee038d6a0cb0e85c22d2741e7910fd5 https://git.kernel.org/stable/c/68ed9c76b2affd47177b92495446abb7262d0ef7 https://git.kernel.org/stable/c/9b073d73725366d886b711b74e058c02f51e7a0e https://git.kernel.org/stable/c/e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix possible UAF in snic_tgt_create() Smatch reports a warning as follows: drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: ‘&tgt->list’ not removed from list If device_add() fails in snic_tgt_create(), tgt will be freed, but tgt->list will not be removed from snic->disc.tgt_list, then list traversal may cause UAF. Remove from snic->disc.tgt_list before free(). | 2025-12-30 | not yet calculated | CVE-2022-50840 | https://git.kernel.org/stable/c/f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff https://git.kernel.org/stable/c/3772319e40527e6a5f2ec1d729e01f271d818f5c https://git.kernel.org/stable/c/3007f96ca20c848d0b1b052df6d2cb5ae5586e78 https://git.kernel.org/stable/c/6866154c23fba40888ad6d554cccd4bf2edb755e https://git.kernel.org/stable/c/ad27f74e901fc48729733c88818e6b96c813057d https://git.kernel.org/stable/c/1895e908b3ae66a5312fd1b2cdda2da82993dca7 https://git.kernel.org/stable/c/c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc https://git.kernel.org/stable/c/4141cd9e8b3379aea52a85d2c35f6eaf26d14e86 https://git.kernel.org/stable/c/e118df492320176af94deec000ae034cc92be754 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add overflow check for attribute size The offset addition could overflow and pass the used size check given an attribute with very large size (e.g., 0xffffff7f) while parsing MFT attributes. This could lead to out-of-bound memory R/W if we try to access the next attribute derived by Add2Ptr(attr, asize) [ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067 [ 32.964301] #PF: supervisor read access in kernel mode [ 32.964526] #PF: error_code(0x0000) - not-present page [ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0 [ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6 [ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110 [ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a [ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 [ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f [ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 [ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f [ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 [ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 [ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000 [ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0 [ 32.972098] Call Trace: [ 32.972842] <TASK> [ 32.973341] ni_enum_attr_ex+0xda/0xf0 [ 32.974087] ntfs_iget5+0x1db/0xde0 [ 32.974386] ? slab_post_alloc_hook+0x53/0x270 [ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0 [ 32.975115] ntfs_fill_super+0x5d6/0x12a0 [ 32.975336] get_tree_bdev+0x175/0x270 [ 32.975709] ? put_ntfs+0x150/0x150 [ 32.975956] ntfs_fs_get_tree+0x15/0x20 [ 32.976191] vfs_get_tree+0x2a/0xc0 [ 32.976374] ? capable+0x19/0x20 [ 32.976572] path_mount+0x484/0xaa0 [ 32.977025] ? putname+0x57/0x70 [ 32.977380] do_mount+0x80/0xa0 [ 32.977555] __x64_sys_mount+0x8b/0xe0 [ 32.978105] do_syscall_64+0x3b/0x90 [ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 32.979311] RIP: 0033:0x7fdab72e948a [ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a [ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0 [ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020 [ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0 [ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff [ 32.984094] </TASK> [ 32.984352] Modules linked in: [ 32.984753] CR2: ffff956a83c76067 [ 32.985911] ---[ end trace 0000000000000000 ]--- [ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110 [ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a [ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 [ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f [ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 [ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f [ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 [ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 [ 32.991011] FS: ---truncated--- | 2025-12-30 | not yet calculated | CVE-2022-50841 | https://git.kernel.org/stable/c/d4489ba8fb806e07b43eecca5e9af5865d94cbf6 https://git.kernel.org/stable/c/a1f0b873cf6ac1f00a749707d866494ed0708978 https://git.kernel.org/stable/c/0bb9f93ba63acfdb7c363d9f9fc2199fc6fa913d https://git.kernel.org/stable/c/e19c6277652efba203af4ecd8eed4bd30a0054c9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Check whether transferred 2D BO is shmem Transferred 2D BO always must be a shmem BO. Add check for that to prevent NULL dereference if userspace passes a VRAM BO. | 2025-12-30 | not yet calculated | CVE-2022-50842 | https://git.kernel.org/stable/c/f134f261d76ae3d5ecf68db642eaa746ceb84cfb https://git.kernel.org/stable/c/f122bcb34f1a4b02ef3d95058d8fd1316ea03785 https://git.kernel.org/stable/c/989164305b933af06d69bb91044dafbd01025371 https://git.kernel.org/stable/c/36e133af33ea54193378b190cf92c47c12a43d34 https://git.kernel.org/stable/c/e473216b42aa1fd9fc6b94b608b42c210c655908 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dm clone: Fix UAF in clone_dtr() Dm_clone also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancel the timer again in clone_dtr(). | 2025-12-30 | not yet calculated | CVE-2022-50843 | https://git.kernel.org/stable/c/520b56cfd9faee7683f081c3a38f11a81b13a68e https://git.kernel.org/stable/c/342cfd8426dff4228e6c714bcb9fc8295a2748dd https://git.kernel.org/stable/c/856edd0e92f3fe89606b704c86a93daedddfe6ec https://git.kernel.org/stable/c/b1ddb666073bb5f36390aaabaa1a4d48d78c52ed https://git.kernel.org/stable/c/9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff https://git.kernel.org/stable/c/e4b5957c6f749a501c464f92792f1c8e26b61a94 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] .odn_edit_dpm_table = smu_od_edit_dpm_table, ^~~~~~~~~~~~~~~~~~~~~ 1 error generated. There are only two implementations of ->odn_edit_dpm_table() in 'struct amd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One has a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the other uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls ->od_edit_dpm_table() from 'struct pptable_funcs' and pp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct pp_hwmgr_func', which both have a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND'. Update the type parameter in both the prototype in 'struct amd_pm_funcs' and pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which cleans up the warning. | 2025-12-30 | not yet calculated | CVE-2022-50844 | https://git.kernel.org/stable/c/f9084e9930db562bdcd47fa199a66fb45e16dab5 https://git.kernel.org/stable/c/24cba9d865157c9e23128fbcf8b86f5da9570edd https://git.kernel.org/stable/c/36217f676b55932a12d6732c95388150015fdee6 https://git.kernel.org/stable/c/e4d0ef752081e7aa6ffb7ccac11c499c732a2e05 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix inode leak in ext4_xattr_inode_create() on an error path There is an issue as follows when doing setxattr with fault injection: [localhost]# fsck.ext4 -fn /dev/sda e2fsck 1.46.6-rc1 (12-Sep-2022) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Unattached zero-length inode 15. Clear? no Unattached inode 15 Connect to /lost+found? no Pass 5: Checking group summary information /dev/sda: ********** WARNING: Filesystem still has errors ********** /dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks This occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()' fails, dropping i_nlink of the inode is needed, or it will lead to an inode leak. | 2025-12-30 | not yet calculated | CVE-2022-50845 | https://git.kernel.org/stable/c/0f709e08caffb41bbc9b38b9a4c1bd0769794007 https://git.kernel.org/stable/c/eab94a46560f68d4bcd15222701ced479f84f427 https://git.kernel.org/stable/c/9ef603086c5b796fde1c7f22a17d0fc826ba54cb https://git.kernel.org/stable/c/9882601ee689975c1c0076ee65bf222a2a35e535 https://git.kernel.org/stable/c/322cf639b0b7f137543072c55545adab782b3a25 https://git.kernel.org/stable/c/fdaaf45786dc8c17a72901021772520fceb18f8c https://git.kernel.org/stable/c/70e5b46beba64706430a87a6d516054225e8ac8a https://git.kernel.org/stable/c/e4db04f7d3dbbe16680e0ded27ea2a65b10f766a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: via-sdmmc: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1. The memory that was allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete the device, but it was not added yet, which will lead to a kernel crash because of a null-ptr-deref in device_del(). Fix this by checking the return value and going to the error path which will call mmc_free_host(). | 2025-12-30 | not yet calculated | CVE-2022-50846 | https://git.kernel.org/stable/c/076bcd2c93e16b05c10564e299d6e5d26a766d00 https://git.kernel.org/stable/c/12b8e81b77c05c658efd9cde3585bbd65ae39b59 https://git.kernel.org/stable/c/95025a8dd0ec015872f6c16473fe04d6264e68ca https://git.kernel.org/stable/c/f59ef2a47a228e51322ad76752a55a8917c56e38 https://git.kernel.org/stable/c/63400da6cd37a9793c19bb6aed7131b58b975a04 https://git.kernel.org/stable/c/0959cc1685eb19774300d43ef25e318b457b156b https://git.kernel.org/stable/c/0ec94795114edc7e24ec71849dce42bfa61dafa3 https://git.kernel.org/stable/c/ba91b413983a9235792523c6b9f7ba2586c4d75d https://git.kernel.org/stable/c/e4e46fb61e3bb4628170810d3f2b996b709b90d9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe During device boot, the HPD interrupt could be triggered before the DRM subsystem registers it6505 as a DRM bridge. In such cases, the driver tries to access the AUX channel and causes a NULL pointer dereference. Initialize the AUX channel earlier to prevent such an error. | 2025-12-30 | not yet calculated | CVE-2022-50847 | https://git.kernel.org/stable/c/8ed8505803774fc3f36a432718036c21cc51e2ba https://git.kernel.org/stable/c/172d4d64075075f955e6e416915e3f287eec514a https://git.kernel.org/stable/c/e577d4b13064c337b83fe7edecb3f34e87144821 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drivers: dio: fix possible memory leak in dio_init() If device_register() returns an error, the 'dev' and name need to be freed. Add a release function, and then call put_device() in the error path, so the name is freed in kobject_cleanup() and the 'dev' is freed in the release function. | 2025-12-30 | not yet calculated | CVE-2022-50848 | https://git.kernel.org/stable/c/affe3cea6b3148fa66796a48640664822ceccd48 https://git.kernel.org/stable/c/4b68caa95064ac464f1b261d08ac677e753d1088 https://git.kernel.org/stable/c/a524e7fed696a4dfef671e0fda3511bfd2dca0cf https://git.kernel.org/stable/c/da64e01da40c6b71a54144126da53cc3b27201ac https://git.kernel.org/stable/c/fce9890e1be4c0460dad850cc8c00414a9d25f0f https://git.kernel.org/stable/c/a0ead7e8da84f4c3759417b8e928b65e0207c646 https://git.kernel.org/stable/c/8e002b9fe831b27d4506df6fa60cb33ba0730ac3 https://git.kernel.org/stable/c/78fddc0ff971f9874d53c854818cc4aafa144114 https://git.kernel.org/stable/c/e63e99397b2613d50a5f4f02ed07307e67a190f1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP An oops can be induced by running 'cat /proc/kcore > /dev/null' on devices using pstore with the ram backend because kmap_atomic() assumes lowmem pages are accessible with __va(). Unable to handle kernel paging request at virtual address ffffff807ff2b000 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000 [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] PREEMPT SMP Modules linked in: dm_integrity CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba Hardware name: Google Lazor (rev3 - 8) (DT) pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __memcpy+0x110/0x260 lr : vread+0x194/0x294 sp : ffffffc013ee39d0 x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000 x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000 x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000 x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60 x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001 x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78 x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000 Call trace: __memcpy+0x110/0x260 read_kcore+0x584/0x778 proc_reg_read+0xb4/0xe4 During early boot, memblock reserves the pages for the ramoops reserved memory node in DT that would otherwise be part of the direct lowmem mapping. Pstore's ram backend reuses those reserved pages to change the memory type (writeback or non-cached) by passing the pages to vmap() (see pfn_to_page() usage in persistent_ram_vmap() for more details) with specific flags. When read_kcore() starts iterating over the vmalloc region, it runs over the virtual address that vmap() returned for ramoops. In aligned_vread() the virtual address is passed to vmalloc_to_page() which returns the page struct for the reserved lowmem area. That lowmem page is passed to kmap_atomic(), which effectively calls page_to_virt() that assumes a lowmem page struct must be directly accessible with __va() and friends. These pages are mapped via vmap() though, and the lowmem mapping was never made, so accessing them via the lowmem virtual address oopses like above. Let's side-step this problem by passing VM_IOREMAP to vmap(). This will tell vread() to not include the ramoops region in the kcore. Instead the area will look like a bunch of zeros. The alternative is to teach kmap() about vmalloc areas that intersect with lowmem. Presumably such a change isn't a one-liner, and there isn't much interest in inspecting the ramoops region in kcore files anyway, so the most expedient route is taken for now. | 2025-12-30 | not yet calculated | CVE-2022-50849 | https://git.kernel.org/stable/c/1579bed1613802a323a1e14567faa95c149e105e https://git.kernel.org/stable/c/fdebcc33b663d2e8da937653ddfbfc1315047eaa https://git.kernel.org/stable/c/6d9460214e363e1f3d0756ee5d947e76e3e6f86c https://git.kernel.org/stable/c/4d3126f242a0090342ffe925c35fb4f4252b7562 https://git.kernel.org/stable/c/295f59cd2cdeed841850d02dddde3a122cbf6fc6 https://git.kernel.org/stable/c/ebc73c4f266281e2cad1a372ecd81572d95375b6 https://git.kernel.org/stable/c/69dbff7d2681c55a4d979fd9b75576303e69979f https://git.kernel.org/stable/c/2f82381d0681b10f9ddd27be98c27363b5a3cd1c https://git.kernel.org/stable/c/e6b842741b4f39007215fd7e545cb55aa3d358a2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ipr: Fix WARNING in ipr_init() ipr_init() will not call unregister_reboot_notifier() when pci_register_driver() fails, which causes a WARNING. Call unregister_reboot_notifier() when pci_register_driver() fails. notifier callback ipr_halt [ipr] already registered WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29 notifier_chain_register+0x16d/0x230 Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks agpgart cfbft CPU: 3 PID: 299 Comm: modprobe Tainted: G W 6.1.0-rc1-00190-g39508d23b672-dirty #332 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:notifier_chain_register+0x16d/0x230 Call Trace: <TASK> __blocking_notifier_chain_register+0x73/0xb0 ipr_init+0x30/0x1000 [ipr] do_one_initcall+0xdb/0x480 do_init_module+0x1cf/0x680 load_module+0x6a50/0x70a0 __do_sys_finit_module+0x12f/0x1c0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd | 2025-12-30 | not yet calculated | CVE-2022-50850 | https://git.kernel.org/stable/c/020b66023712b1cc42c6ab8b76e4ec13efe4a092 https://git.kernel.org/stable/c/e965c4a60c1daa6e24355e35d78ca8e9f195196f https://git.kernel.org/stable/c/5debd337f534b122f7c5eac6557a41b5636c9b51 https://git.kernel.org/stable/c/eccbec017c95b9b9ecd4c05c6f5234d1487c72cc https://git.kernel.org/stable/c/f4ba143b04a17559f2c85e18b47db117f40d8cf3 https://git.kernel.org/stable/c/e59da172059f05c594fda03a9e8a3a0e1f5116c0 https://git.kernel.org/stable/c/8c739021b2022fbc40f71d3fa2e9162beef0c84a https://git.kernel.org/stable/c/4399a8632e5f8f1f695d91d992c7d418fb451f07 https://git.kernel.org/stable/c/e6f108bffc3708ddcff72324f7d40dfcd0204894 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: fix the crash when unmapping large memory While testing in vIOMMU, sometimes the Guest will unmap very large memory, which will cause the crash. To fix this, add a new function vhost_vdpa_general_unmap(). This function will only unmap the memory that is saved in the iotlb. Call Trace: [ 647.820144] ------------[ cut here ]------------ [ 647.820848] kernel BUG at drivers/iommu/intel/iommu.c:1174! [ 647.821486] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 647.822082] CPU: 10 PID: 1181 Comm: qemu-system-x86 Not tainted 6.0.0-rc1home_lulu_2452_lulu7_vhost+ #62 [ 647.823139] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qem4 [ 647.824365] RIP: 0010:domain_unmap+0x48/0x110 [ 647.825424] Code: 48 89 fb 8d 4c f6 1e 39 c1 0f 4f c8 83 e9 0c 83 f9 3f 7f 18 48 89 e8 48 d3 e8 48 85 c0 75 59 [ 647.828064] RSP: 0018:ffffae5340c0bbf0 EFLAGS: 00010202 [ 647.828973] RAX: 0000000000000001 RBX: ffff921793d10540 RCX: 000000000000001b [ 647.830083] RDX: 00000000080000ff RSI: 0000000000000001 RDI: ffff921793d10540 [ 647.831214] RBP: 0000000007fc0100 R08: ffffae5340c0bcd0 R09: 0000000000000003 [ 647.832388] R10: 0000007fc0100000 R11: 0000000000100000 R12: 00000000080000ff [ 647.833668] R13: ffffae5340c0bcd0 R14: ffff921793d10590 R15: 0000008000100000 [ 647.834782] FS: 00007f772ec90640(0000) GS:ffff921ce7a80000(0000) knlGS:0000000000000000 [ 647.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 647.836990] CR2: 00007f02c27a3a20 CR3: 0000000101b0c006 CR4: 0000000000372ee0 [ 647.838107] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 647.839283] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 647.840666] Call Trace: [ 647.841437] <TASK> [ 647.842107] intel_iommu_unmap_pages+0x93/0x140 [ 647.843112] __iommu_unmap+0x91/0x1b0 [ 647.844003] iommu_unmap+0x6a/0x95 [ 647.844885] vhost_vdpa_unmap+0x1de/0x1f0 [vhost_vdpa] [ 647.845985] vhost_vdpa_process_iotlb_msg+0xf0/0x90b [vhost_vdpa] [ 647.847235] ? _raw_spin_unlock+0x15/0x30 [ 647.848181] ? _copy_from_iter+0x8c/0x580 [ 647.849137] vhost_chr_write_iter+0xb3/0x430 [vhost] [ 647.850126] vfs_write+0x1e4/0x3a0 [ 647.850897] ksys_write+0x53/0xd0 [ 647.851688] do_syscall_64+0x3a/0x90 [ 647.852508] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 647.853457] RIP: 0033:0x7f7734ef9f4f [ 647.854408] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 76 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c8 [ 647.857217] RSP: 002b:00007f772ec8f040 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 647.858486] RAX: ffffffffffffffda RBX: 00000000fef00000 RCX: 00007f7734ef9f4f [ 647.859713] RDX: 0000000000000048 RSI: 00007f772ec8f090 RDI: 0000000000000010 [ 647.860942] RBP: 00007f772ec8f1a0 R08: 0000000000000000 R09: 0000000000000000 [ 647.862206] R10: 0000000000000001 R11: 0000000000000293 R12: 0000000000000010 [ 647.863446] R13: 0000000000000002 R14: 0000000000000000 R15: ffffffff01100000 [ 647.864692] </TASK> [ 647.865458] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs v] [ 647.874688] ---[ end trace 0000000000000000 ]--- | 2025-12-30 | not yet calculated | CVE-2022-50851 | https://git.kernel.org/stable/c/26b7400c89b81e2f6de4f224ba1fdf06f293de31 https://git.kernel.org/stable/c/8b258a31c2e8d4d4e42be70a7c6ca35a5afbff0d https://git.kernel.org/stable/c/e794070af224ade46db368271896b2685ff4f96b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix use after free in mt7921_acpi_read() Don’t dereference “sar_root” after it has been freed. | 2025-12-30 | not yet calculated | CVE-2022-50852 | https://git.kernel.org/stable/c/3ed0b382cb36f6dac9f93b3a5533cfcd699409a5 https://git.kernel.org/stable/c/e7de4b4979bd8d313ec837931dde936653ca82ea |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix a credential leak in _nfs4_discover_trunking() | 2025-12-30 | not yet calculated | CVE-2022-50853 | https://git.kernel.org/stable/c/c6aca4c7ba8f6d40a0cfeeb09160dd8efdf97c64 https://git.kernel.org/stable/c/dfad5d5e7511933c2ae3d12a8131840074c5a73d https://git.kernel.org/stable/c/b247a9828f6607d41189fa6c2a3be754d33cae86 https://git.kernel.org/stable/c/e83458fce080dc23c25353a1af90bfecf79c7369 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: virtual_ncidev: Fix memory leak in virtual_nci_send() The skb should be freed in virtual_nci_send(), otherwise kmemleak will report a memleak. Steps for reproduction (simulated in qemu): cd tools/testing/selftests/nci make ./nci_dev BUG: memory leak unreferenced object 0xffff888107588000 (size 208): comm “nci_dev”, pid 206, jiffies 4294945376 (age 368.248s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: [<000000008d94c8fd>] __alloc_skb+0x1da/0x290 [<00000000278bc7f8>] nci_send_cmd+0xa3/0x350 [<0000000081256a22>] nci_reset_req+0x6b/0xa0 [<000000009e721112>] __nci_request+0x90/0x250 [<000000005d556e59>] nci_dev_up+0x217/0x5b0 [<00000000e618ce62>] nfc_dev_up+0x114/0x220 [<00000000981e226b>] nfc_genl_dev_up+0x94/0xe0 [<000000009bb03517>] genl_family_rcv_msg_doit.isra.14+0x228/0x2d0 [<00000000b7f8c101>] genl_rcv_msg+0x35c/0x640 [<00000000c94075ff>] netlink_rcv_skb+0x11e/0x350 [<00000000440cfb1e>] genl_rcv+0x24/0x40 [<0000000062593b40>] netlink_unicast+0x43f/0x640 [<000000001d0b13cc>] netlink_sendmsg+0x73a/0xbf0 [<000000003272487f>] __sys_sendto+0x324/0x370 [<00000000ef9f1747>] __x64_sys_sendto+0xdd/0x1b0 [<000000001e437841>] do_syscall_64+0x3f/0x90 | 2025-12-30 | not yet calculated | CVE-2022-50854 | https://git.kernel.org/stable/c/88e879c9f59511174ef0ab1a3c9c83e2dbf8a213 https://git.kernel.org/stable/c/2c46a9a5f0b1c7341aa67667801079f3ff571678 https://git.kernel.org/stable/c/e840d8f4a1b323973052a1af5ad4edafcde8ae3d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: prevent leak of lsm program after failed attach In [0], we added the ability to bpf_prog_attach LSM programs to cgroups, but in our validation to make sure the prog is meant to be attached to BPF_LSM_CGROUP, we return too early if the check fails. This results in lack of decrementing prog’s refcnt (through bpf_prog_put) leaving the LSM program alive past the point of the expected lifecycle. This fix allows for the decrement to take place. [0] https://lore.kernel.org/all/20220628174314.1216643-4-sdf@google.com/ | 2025-12-30 | not yet calculated | CVE-2022-50855 | https://git.kernel.org/stable/c/82b39df5ddb298daaf6dc504032ff7eb027fa106 https://git.kernel.org/stable/c/6a1504dd36cd9a0a69250d61da8bdb17b29f1fe8 https://git.kernel.org/stable/c/e89f3edffb860a0f54a9ed16deadb7a4a1fa3862 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_ses_add_channel() Before returning, the xid should be freed; otherwise, the xid will be leaked. | 2025-12-30 | not yet calculated | CVE-2022-50856 | https://git.kernel.org/stable/c/7286f875510486fdc2fc426b7c826262e2283a65 https://git.kernel.org/stable/c/847301f0ee1c29f34cc48547ce1071990f24969c https://git.kernel.org/stable/c/db2a8b6c17e128d91f35d836c569f4a6bda4471b https://git.kernel.org/stable/c/e909d054bdea75ef1ec48c18c5936affdaecbb2c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rapidio: rio: fix possible name leak in rio_register_mport() If device_register() returns an error, the name allocated by dev_set_name() needs to be freed. It should use put_device() to give up the reference in the error path, so that the name can be freed in kobject_cleanup(), and list_del() is called to delete the port from rio_mports. | 2025-12-30 | not yet calculated | CVE-2022-50857 | https://git.kernel.org/stable/c/0a71344f99289250e4d5b8adbac76f444485c840 https://git.kernel.org/stable/c/117fede82e9d6ea3de30746d500eb5edc2eb8310 https://git.kernel.org/stable/c/a73a626c0510d203e369aeb26c4d6ec9c75af027 https://git.kernel.org/stable/c/1bbad5793f404cf218757e3beb600eca6080330f https://git.kernel.org/stable/c/97d9eb45ffa67ffa112a6659953321b8f7db0065 https://git.kernel.org/stable/c/a47de2fd3f88a7788be19f94ade72c2244a98045 https://git.kernel.org/stable/c/4ddbeae5f224d924cf0b12460dda88c7480aa452 https://git.kernel.org/stable/c/9abba4aa60874c5216fc8de7dededadc791de696 https://git.kernel.org/stable/c/e92a216d16bde65d21a3227e0fb2aa0794576525 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: alcor: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory allocated in mmc_alloc_host() will be leaked, and it will lead to a kernel crash because a device that was never added is deleted in the remove path. So fix this by checking the return value and calling mmc_free_host() in the error path. | 2025-12-30 | not yet calculated | CVE-2022-50858 | https://git.kernel.org/stable/c/289c964fe182ce755044a6cd57698072e12ffa6f https://git.kernel.org/stable/c/4a6e5d0222804a3eaf2ea4cf893f412e7cf98cb2 https://git.kernel.org/stable/c/29c5b4da41f35108136d843c7432885c78cf8272 https://git.kernel.org/stable/c/48dc06333d75f41c2ce9ba954bc3231324b45914 https://git.kernel.org/stable/c/60fafcf2fb7ee9a4125dc9a86eeb9d490acf23e2 https://git.kernel.org/stable/c/e93d1468f429475a753d6baa79b853b7ee5ef8c0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message Commit d5c7076b772a (“smb3: add smb3.1.1 to default dialect list”) extended the dialects from 3 to 4, but forgot to decrease the extended length when a specific dialect is given, so the message length is larger than expected. This may leak some information over the network because the message body is not initialized. After applying this patch, the VALIDATE_NEGOTIATE_INFO message length is reduced from 28 bytes to 26 bytes. | 2025-12-30 | not yet calculated | CVE-2022-50859 | https://git.kernel.org/stable/c/d0050ec3ebbcb3451df9a65b8460be9b9e02e80c https://git.kernel.org/stable/c/9312e04b6c6bc46354ecd0cc82052a2b3df0b529 https://git.kernel.org/stable/c/60480291c1fcafad8425d93f771b5bcc2bd398b4 https://git.kernel.org/stable/c/943eb0ede74ecd609fdfd3f0b83e0d237613e526 https://git.kernel.org/stable/c/fada9b8c95c77bb46b89e18117405bc90fce9f74 https://git.kernel.org/stable/c/e98ecc6e94f4e6d21c06660b0f336df02836694f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix memleak in alloc_ns() After the changes in commit a1bd627b46d1 (“apparmor: share profile name on replacement”), the hname member of struct aa_policy is not a valid slab object but a subset of one, so it cannot be freed by kfree_sensitive(); use aa_policy_destroy() to fix it. | 2025-12-30 | not yet calculated | CVE-2022-50860 | https://git.kernel.org/stable/c/9a32aa87a25d800b2c6f47bc2749a7bfd9a486f3 https://git.kernel.org/stable/c/5f509fa740b17307f0cba412485072f632d5af36 https://git.kernel.org/stable/c/0250cf8d37bb5201a117177afd24dc73a1c81657 https://git.kernel.org/stable/c/12695b4b76d437b9c0182a6f7dfb2248013a9daf https://git.kernel.org/stable/c/e9e6fa49dbab6d84c676666f3fe7d360497fd65b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: Finish converting the NFSv2 GETACL result encoder The xdr_stream conversion inadvertently left some code that set the page_len of the send buffer. The XDR stream encoders should handle this automatically now. This oversight adds garbage past the end of the Reply message. Clients typically ignore the garbage, but NFSD does not need to send it, as it leaks stale memory contents onto the wire. | 2025-12-30 | not yet calculated | CVE-2022-50861 | https://git.kernel.org/stable/c/a20b0abab966a189a79aba6ebf41f59024a3224d https://git.kernel.org/stable/c/5030d4d2bf8b6f6f3d16401ab92a88bc5aa2377a https://git.kernel.org/stable/c/d5b867fd2d7f79630b1a2906a7bb4f4b75bf297a https://git.kernel.org/stable/c/2b825efb0577a32a872e872a869e0947cf9dd6d3 https://git.kernel.org/stable/c/ea5021e911d3479346a75ac9b7d9dcd751b0fb99 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: prevent decl_tag from being referenced in func_proto Syzkaller was able to hit the following issue: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946 btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946 Modules linked in: CPU: 0 PID: 3609 Comm: syz-executor361 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 RIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946 Code: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91 e4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff <0f> 0b 45 31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44 RSP: 0018:ffffc90003cefb40 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005 RBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e R10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011 FS: 000055555641b300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> btf_func_proto_check kernel/bpf/btf.c:4447 [inline] btf_check_all_types kernel/bpf/btf.c:4723 [inline] btf_parse_type_sec kernel/bpf/btf.c:4752 [inline] btf_parse kernel/bpf/btf.c:5026 [inline] btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892 bpf_btf_load kernel/bpf/syscall.c:4324 [inline] __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010 __do_sys_bpf kernel/bpf/syscall.c:5069 [inline] __se_sys_bpf kernel/bpf/syscall.c:5067 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f0fbae41c69 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69 RDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012 RBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Looks like it tries to create a func_proto whose return type is decl_tag. For the details, see Martin’s spot-on analysis in [0]. 0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c | 2025-12-30 | not yet calculated | CVE-2022-50862 | https://git.kernel.org/stable/c/e9dbb4c539d058852b76937dcd7347d3f38054f2 https://git.kernel.org/stable/c/ea68376c8bed5cd156900852aada20c3a0874d17 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: free unused skb to prevent memory leak This avoids a potential memory leak under power saving mode. | 2025-12-30 | not yet calculated | CVE-2022-50863 | https://git.kernel.org/stable/c/d4b4f6ff8ff1b87d25977423cf38fb61744d0023 https://git.kernel.org/stable/c/216c59b66f2d0c428a4fdaa24dc28cd6be4a2bf6 https://git.kernel.org/stable/c/eae672f386049146058b9e5d3d33e9e4af9dca1d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix shift-out-of-bounds due to too large exponent of block size If field s_log_block_size of superblock data is corrupted and too large, init_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn is set): shift exponent 38973 is too large for 32-bit type ‘int’ Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ubsan_epilogue+0xb/0x50 __ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5 init_nilfs.cold.11+0x18/0x1d [nilfs2] nilfs_mount+0x9b5/0x12b0 [nilfs2] … This fixes the issue by adding and using a new helper function for getting block size with sanity check. | 2025-12-30 | not yet calculated | CVE-2022-50864 | https://git.kernel.org/stable/c/ec93b5430ec0f60877a5388bb023d60624f9ab9f https://git.kernel.org/stable/c/8b6ef451b5701b37d9a5905534595776a662edfc https://git.kernel.org/stable/c/ddb6615a168f97b91175e00eda4c644741cf531c https://git.kernel.org/stable/c/a16731fa1b96226c75bbf18e73513b14fc318360 https://git.kernel.org/stable/c/ebeccaaef67a4895d2496ab8d9c2fb8d89201211 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcp_add_backlog() The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and in tcp_add_backlog() the variable limit is calculated by adding sk_rcvbuf, sk_sndbuf and 64 * 1024; it may exceed the max value of int and overflow. This patch reduces the limit budget by halving the sndbuf to solve this issue, since ACK packets are much smaller than the payload. | 2025-12-30 | not yet calculated | CVE-2022-50865 | https://git.kernel.org/stable/c/9d04b4d0feee12bce6bfe37f30d8e953d3c30368 https://git.kernel.org/stable/c/4f23cb2be530785db284a685d1b1c30224d8a538 https://git.kernel.org/stable/c/a85d39f14aa8a71e29cfb5eb5de02878a8779898 https://git.kernel.org/stable/c/28addf029417d53b1df062b4c87feb7bc033cb5f https://git.kernel.org/stable/c/ec791d8149ff60c40ad2074af3b92a39c916a03f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: pxa: fix null-pointer dereference in filter() kasprintf() returns a NULL pointer when kmalloc() fails to allocate. The returned pointer needs to be checked before calling strcmp(). | 2025-12-30 | not yet calculated | CVE-2022-50866 | https://git.kernel.org/stable/c/3ec75e0ea9550b8f2e531172f2e67ba9d5227ec3 https://git.kernel.org/stable/c/5b510a82740d2a42a75b5661b402bcaf8ae22cd5 https://git.kernel.org/stable/c/0abd1d78317a3a2dfe00b203fbf14ee7df537e0a https://git.kernel.org/stable/c/a8baccb79de2f48a2083d51febf627eb50ce1898 https://git.kernel.org/stable/c/21a1409e8cf73053b54f7860548e3043dfa351a9 https://git.kernel.org/stable/c/83baa509396a742e0ce145b09fde1ce0a948f49a https://git.kernel.org/stable/c/9fb9b3b67a5b8669296d6372cd901ef86557e6f6 https://git.kernel.org/stable/c/21b92cf41952577a95bfa430e39478cbd66e42a7 https://git.kernel.org/stable/c/ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage adreno_show_object() is a trap! It will re-allocate the pointer it is passed on first call, when the data is ascii85 encoded, using kvmalloc/ kvfree(). Which means the data *passed* to it must be kvmalloc’d, ie. we cannot use the state_kcalloc() helper. This partially reverts commit ec8f1813bf8d (“drm/msm/a6xx: Replace kcalloc() with kvzalloc()”), but adds the missing kvfree() to fix the memory leak that was present previously. And adds a warning comment. Patchwork: https://patchwork.freedesktop.org/patch/507014/ | 2025-12-30 | not yet calculated | CVE-2022-50867 | https://git.kernel.org/stable/c/4b1bbc0571a5d7ee10f754186dc3d619b9ced5c1 https://git.kernel.org/stable/c/83d18e9d9c0150d98dc24e3642ea93f5e245322c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hwrng: amd – Fix PCI device refcount leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the normal and error path. | 2025-12-30 | not yet calculated | CVE-2022-50868 | https://git.kernel.org/stable/c/f1c97f72ffd504f49882774e2ab689d982dc7afc https://git.kernel.org/stable/c/526c316948819d3ecd2bb20fe5e2580c51a1b760 https://git.kernel.org/stable/c/e246f5eff26055bdcb61a2cc99c50af72a19680f https://git.kernel.org/stable/c/1199f8e02941b326c60ab71a63002b7c80e38212 https://git.kernel.org/stable/c/5998e5c30e839f73e62cb29e0d9617b0d16ccba3 https://git.kernel.org/stable/c/2b79a5e560779b35e1164d57ae35c48b43373082 https://git.kernel.org/stable/c/cb348c7908631dd9f60083a0a1542eab055d3edf https://git.kernel.org/stable/c/2e10ecd012ae2b2a374b34f307e9bc1e6096c03d https://git.kernel.org/stable/c/ecadb5b0111ea19fc7c240bb25d424a94471eb7d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds in r_page When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for the first time, the size of *buffer would be equal to DefaultLogPageSize (4K). But for *buffer operations like memcpy, if the memory area size (n) being assigned to buffer is larger than 4K (log->page_size (64K) or bytes (64K-page_off)), it will cause an out-of-bounds error. Call trace: […] kasan_report+0x44/0x130 check_memory_region+0xf8/0x1a0 memcpy+0xc8/0x100 ntfs_read_run_nb+0x20c/0x460 read_log_page+0xd0/0x1f4 log_read_rst+0x110/0x75c log_replay+0x1e8/0x4aa0 ntfs_loadlog_and_replay+0x290/0x2d0 ntfs_fill_super+0x508/0xec0 get_tree_bdev+0x1fc/0x34c […] Fix this by setting variable r_page to NULL in log_read_rst. | 2025-12-30 | not yet calculated | CVE-2022-50869 | https://git.kernel.org/stable/c/ed686e7a26dd19ae6b46bb662f735acfa88ff7bc https://git.kernel.org/stable/c/bf86a640a34947d92062996e1a75b9cd9d83dd19 https://git.kernel.org/stable/c/6d076293e5bffdf897ea5f975669206e09beed6a https://git.kernel.org/stable/c/ecfbd57cf9c5ca225184ae266ce44ae473792132 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: avoid device tree lookups in rtas_os_term() rtas_os_term() is called during panic. Its behavior depends on a couple of conditions in the /rtas node of the device tree, the traversal of which entails locking and local IRQ state changes. If the kernel panics while devtree_lock is held, rtas_os_term() as currently written could hang. Instead of discovering the relevant characteristics at panic time, cache them in file-static variables at boot. Note the lookup for “ibm,extended-os-term” is converted to of_property_read_bool() since it is a boolean property, not an RTAS function token. [mpe: Incorporate suggested change from Nick] | 2025-12-30 | not yet calculated | CVE-2022-50870 | https://git.kernel.org/stable/c/e23822c7381c59d9e42e65771b6e17c71ed30ea7 https://git.kernel.org/stable/c/06a07fbb32b3a23eec20a42b1e64474da0a3b33e https://git.kernel.org/stable/c/c2fa91abf22a705cf02f886cd99cff41f4ceda60 https://git.kernel.org/stable/c/f2167f10fcca68ab9ae3f8d94d2c704c5541ac69 https://git.kernel.org/stable/c/d8939315b7342860df143afe0adda6212cdd3193 https://git.kernel.org/stable/c/698e682c849e356fb47a8be47ca8baa817cf31e0 https://git.kernel.org/stable/c/464d10e8d797454e16a173ef1292a446b2adf21c https://git.kernel.org/stable/c/ed2213bfb192ab51f09f12e9b49b5d482c6493f3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Fix qmi_msg_handler data structure initialization qmi_msg_handler is required to be null terminated by the QMI module. There might be a case where a handler for a msg id is not present in the handlers array, which can lead to an infinite loop while searching for the handler and therefore an out-of-bounds access in qmi_invoke_handler(). Hence update the initialization of the qmi_msg_handler data structure. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 | 2025-12-30 | not yet calculated | CVE-2022-50871 | https://git.kernel.org/stable/c/d5d71de448f36e34592f7c81b5e300d3e8dbb735 https://git.kernel.org/stable/c/a10e1530c424bb277b4edc7def0195857a548495 https://git.kernel.org/stable/c/ed3725e15a154ebebf44e0c34806c57525483f92 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ARM: OMAP2+: Fix memory leak in realtime_counter_init() The “sys_clk” resource is allocated by clk_get() and is not released when the function returns. | 2025-12-30 | not yet calculated | CVE-2022-50872 | https://git.kernel.org/stable/c/5f9aedabce3404dd8bb769822fc11317c55fbdc1 https://git.kernel.org/stable/c/e3a6af3059e4f83d1a986a3180eb1e04f99c9e64 https://git.kernel.org/stable/c/8041f9a2a958277f95926560dc85910aecd48c0b https://git.kernel.org/stable/c/4862c41d5f3bee1ec64c979c82bd8cfe96b78f7d https://git.kernel.org/stable/c/10fcdad2b9f3f424873714eb8713a3e6f7ab84bb https://git.kernel.org/stable/c/98df4bdf3b010c23cc3c542d0c303016e5fceb40 https://git.kernel.org/stable/c/4f7ad1b08533247c4bf29217ba499ea4138cc2c1 https://git.kernel.org/stable/c/ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove In vp_vdpa_remove(), the code kfree(&vp_vdpa_mgtdev->mgtdev.id_table) passes the address of the pointer as the argument to kfree, which is the wrong pointer, and may then hit a crash like this: Unable to handle kernel paging request at virtual address 00ffff003363e30c Internal error: Oops: 96000004 [#1] SMP Call trace: rb_next+0x20/0x5c ext4_readdir+0x494/0x5c4 [ext4] iterate_dir+0x168/0x1b4 __se_sys_getdents64+0x68/0x170 __arm64_sys_getdents64+0x24/0x30 el0_svc_common.constprop.0+0x7c/0x1bc do_el0_svc+0x2c/0x94 el0_svc+0x20/0x30 el0_sync_handler+0xb0/0xb4 el0_sync+0x160/0x180 Code: 54000220 f9400441 b4000161 aa0103e0 (f9400821) SMP: stopping secondary CPUs Starting crashdump kernel… | 2025-12-30 | not yet calculated | CVE-2022-50873 | https://git.kernel.org/stable/c/8fe12680b2c731201519935013ec9219c93ec540 https://git.kernel.org/stable/c/6ccc891f36d0c20ee220551caabdcd3886ec584b https://git.kernel.org/stable/c/ed843d6ed7310a27cf7c8ee0a82a482eed0cb4a6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Fix refcount leak in erdma_mmap rdma_user_mmap_entry_get() takes a reference; we should release it when it is no longer needed. Add the missing rdma_user_mmap_entry_put() in the error path to fix it. | 2025-12-30 | not yet calculated | CVE-2022-50874 | https://git.kernel.org/stable/c/8372207b009d6abdd60bb05624640bd86386599f https://git.kernel.org/stable/c/410f0f46ffca4d0102470c1e0c747ecfece4204c https://git.kernel.org/stable/c/ee84146c05ad2316b9a7222d0ec4413e0bf30eeb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() When kmalloc() fails to allocate memory in kasprintf(), fn_1 or fn_2 will be NULL, and strcmp() will cause a null pointer dereference. | 2025-12-30 | not yet calculated | CVE-2022-50875 | https://git.kernel.org/stable/c/9ec5781879b4535ad59b5354b385825378e45618 https://git.kernel.org/stable/c/2b4af99b44861646013821019dd13a4ac48c0219 https://git.kernel.org/stable/c/ce1b3a41e7964cb8dd56a702a95dd90ad27f51cd https://git.kernel.org/stable/c/ab5bb7bbacf531de8e32912cc2e21f906113cee8 https://git.kernel.org/stable/c/71d88c7453ec3d2ceff98e18ce4d6354abd3b5b6 https://git.kernel.org/stable/c/ee9d7a0e754568180a2f8ebc4aad226278a9116f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix musb_gadget.c rxstate overflow bug The usb function device call musb_gadget_queue() adds the passed request to musb_ep::req_list. If (request->length > musb_ep->packet_sz) and is_buffer_mapped(req) returns false, rxstate() will copy all data in the fifo to request->buf, which may cause request->buf to go out of bounds. Fix it by adding the length check: fifocnt = min_t(unsigned, request->length - request->actual, fifocnt); | 2025-12-30 | not yet calculated | CVE-2022-50876 | https://git.kernel.org/stable/c/826f84ab04a5cafe484ea9c2c85a3930068e5cb7 https://git.kernel.org/stable/c/a1008c8b9f357691ce6a8fdb8f157aecb2d79167 https://git.kernel.org/stable/c/7c80f3a918ba9aa26fb699ee887064ec3af0396a https://git.kernel.org/stable/c/d6afcab1b48f4051211c50145b9e91be3b1b42c9 https://git.kernel.org/stable/c/acf0006f2b2b2ca672988875fd154429aafb2a9b https://git.kernel.org/stable/c/3c84c7f592c4ba38f54ddaddd0115acc443025db https://git.kernel.org/stable/c/a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96 https://git.kernel.org/stable/c/523313881f0aa5cbbdb548ce575b6e58b202bd76 https://git.kernel.org/stable/c/eea4c860c3b366369eff0489d94ee4f0571d467d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: broadcom: bcm4908_enet: update TX stats after actual transmission Queueing packets doesn’t guarantee their transmission. Update TX stats after hardware confirms consuming submitted data. This also fixes a possible race and NULL dereference. bcm4908_enet_start_xmit() could try to access skb after freeing it in the bcm4908_enet_poll_tx(). | 2025-12-30 | not yet calculated | CVE-2022-50877 | https://git.kernel.org/stable/c/c9589e18a60c55c76772a38117ef9a16b942e56b https://git.kernel.org/stable/c/2adedc80faec243ede55355e57142110d6f46e08 https://git.kernel.org/stable/c/ef3556ee16c68735ec69bd08df41d1cd83b14ad3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init() A NULL check for bridge->encoder shows that it may be NULL, but it has already been dereferenced on all paths leading to the check. 812 if (!bridge->encoder) { Dereference the pointer bridge->encoder. 810 drm_connector_attach_encoder(&lt9611->connector, bridge->encoder); | 2025-12-30 | not yet calculated | CVE-2022-50878 | https://git.kernel.org/stable/c/3959e8faf8bf6bea619e8856c736db64e6eced37 https://git.kernel.org/stable/c/a29f7427041a943484f916157c43c46d3bbf25d4 https://git.kernel.org/stable/c/b2e4323e0020213f44dca6ffc815d66aef39f6f6 https://git.kernel.org/stable/c/912f84e15e94ab87f5a7156aa1870090373d8304 https://git.kernel.org/stable/c/ef8886f321c5dab8124b9153d25afa2a71d05323 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: objtool: Fix SEGFAULT find_insn() will return NULL in case of failure. Check insn in order to avoid a kernel Oops for NULL pointer dereference. | 2025-12-30 | not yet calculated | CVE-2022-50879 | https://git.kernel.org/stable/c/418ef921cce2d7415fab7e3e93529227f239e4bb https://git.kernel.org/stable/c/0af0e115ff59d638f45416a004cdd8edb38db40c https://git.kernel.org/stable/c/23a249b1185cdd5bfb6971d1608ba49e589f2288 https://git.kernel.org/stable/c/38b9415abbd703438ebbc6fb74990bd0fbddc5b9 https://git.kernel.org/stable/c/fcee8a2d4db404a93e690d79e7273b6ef9d33575 https://git.kernel.org/stable/c/efb11fdb3e1a9f694fa12b70b21e69e55ec59c36 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() When peer delete failed in a disconnect operation, a use-after-free was detected by KFENCE in the log below. It is because for each vdev_id and address there is only one struct ath10k_peer, allocated in ath10k_peer_map_event(). When connected to an AP, more than one HTT_T2H_MSG_TYPE_PEER_MAP is reported from firmware, so multiple elements of the peer_map array of struct ath10k are set to the same ath10k_peer in ath10k_peer_map_event(). When peer delete failed in ath10k_sta_state(), the ath10k_peer is freed for the 1st peer id in the peer_map array of struct ath10k, and then a use-after-free happens for the 2nd peer id because they map to the same ath10k_peer. Clean up all peers in the peer_map array for the ath10k_peer; the use-after-free then disappears. peer map event log: [ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e [ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 [ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 peer unmap event log: [ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) [ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) [ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 use-after-free log: [21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) [21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 [21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed [21713.799968] ================================================================== [21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.799991] [21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): [21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.800041] drv_sta_state+0x115/0x677 [mac80211] [21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] [21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] [21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] [21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] [21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] [21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] [21713.800161] genl_rcv_msg+0x38e/0x3be [21713.800166] netlink_rcv_skb+0x89/0xf7 [21713.800171] genl_rcv+0x28/0x36 [21713.800176] netlink_unicast+0x179/0x24b [21713.800181] netlink_sendmsg+0x3a0/0x40e [21713.800187] sock_sendmsg+0x72/0x76 [21713.800192] ____sys_sendmsg+0x16d/0x1e3 [21713.800196] ___sys_sendmsg+0x95/0xd1 [21713.800200] __sys_sendmsg+0x85/0xbf [21713.800205] do_syscall_64+0x43/0x55 [21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [21713.800213] [21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k [21713.800219] [21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: [21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] [21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] [21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] [21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] [21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d —truncated— | 2025-12-30 | not yet calculated | CVE-2022-50880 | https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4 https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6 https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8 https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71 https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934 https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0 https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() This patch fixes a use-after-free in ath9k that occurs in ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access 'drv_priv' that has already been freed by ieee80211_free_hw(), called by ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before ieee80211_free_hw(). Note that urbs from the driver should be killed before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will access 'wmi'. Found by a modified version of syzkaller. ================================================================== BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40 Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7 CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack_lvl+0x8e/0xd1 print_address_description.constprop.0.cold+0x93/0x334 ? ath9k_destroy_wmi+0x38/0x40 ? ath9k_destroy_wmi+0x38/0x40 kasan_report.cold+0x83/0xdf ? ath9k_destroy_wmi+0x38/0x40 ath9k_destroy_wmi+0x38/0x40 ath9k_hif_usb_disconnect+0x329/0x3f0 ? ath9k_hif_usb_suspend+0x120/0x120 ? usb_disable_interface+0xfc/0x180 usb_unbind_interface+0x19b/0x7e0 ? usb_autoresume_device+0x50/0x50 device_release_driver_internal+0x44d/0x520 bus_remove_device+0x2e5/0x5a0 device_del+0x5b2/0xe30 ? __device_link_del+0x370/0x370 ? usb_remove_ep_devs+0x43/0x80 ? remove_intf_ep_devs+0x112/0x1a0 usb_disable_device+0x1e3/0x5a0 usb_disconnect+0x267/0x870 hub_event+0x168d/0x3950 ? rcu_read_lock_sched_held+0xa1/0xd0 ? hub_port_debounce+0x2e0/0x2e0 ? check_irq_usage+0x860/0xf20 ? drain_workqueue+0x281/0x360 ? lock_release+0x640/0x640 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x92b/0x1460 ? pwq_dec_nr_in_flight+0x330/0x330 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x95/0xe00 ? __kthread_parkme+0x115/0x1e0 ? process_one_work+0x1460/0x1460 kthread+0x3a1/0x480 ? set_kthread_struct+0x120/0x120 ret_from_fork+0x1f/0x30 The buggy address belongs to the page: page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913 flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635 prep_new_page+0x1aa/0x240 get_page_from_freelist+0x159a/0x27c0 __alloc_pages+0x2da/0x6a0 alloc_pages+0xec/0x1e0 kmalloc_order+0x39/0xf0 kmalloc_order_trace+0x19/0x120 __kmalloc+0x308/0x390 wiphy_new_nm+0x6f5/0x1dd0 ieee80211_alloc_hw_nm+0x36d/0x2230 ath9k_htc_probe_device+0x9d/0x1e10 ath9k_htc_hw_init+0x34/0x50 ath9k_hif_usb_firmware_cb+0x25f/0x4e0 request_firmware_work_func+0x131/0x240 process_one_work+0x92b/0x1460 worker_thread+0x95/0xe00 kthread+0x3a1/0x480 page last free stack trace: free_pcp_prepare+0x3d3/0x7f0 free_unref_page+0x1e/0x3d0 device_release+0xa4/0x240 kobject_put+0x186/0x4c0 put_device+0x20/0x30 ath9k_htc_disconnect_device+0x1cf/0x2c0 ath9k_htc_hw_deinit+0x26/0x30 ath9k_hif_usb_disconnect+0x2d9/0x3f0 usb_unbind_interface+0x19b/0x7e0 device_release_driver_internal+0x44d/0x520 bus_remove_device+0x2e5/0x5a0 device_del+0x5b2/0xe30 usb_disable_device+0x1e3/0x5a0 usb_disconnect+0x267/0x870 hub_event+0x168d/0x3950 process_one_work+0x92b/0x1460 Memory state around the buggy address: ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888 —truncated— | 2025-12-30 | not yet calculated | CVE-2022-50881 | https://git.kernel.org/stable/c/99ff971b62e5bd5dee65bbe9777375206f5db791 https://git.kernel.org/stable/c/634a5471a6bd774c0d0fa448dfa6ec593e899ec9 https://git.kernel.org/stable/c/1f137c634a8c8faba648574f687805641e62f92e https://git.kernel.org/stable/c/de15e8bbd9eb26fe94a06d0ec7be82dc490eb729 https://git.kernel.org/stable/c/f099c5c9e2ba08a379bd354a82e05ef839ae29ac |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix memory leak in uvc_gpio_parse Previously the unit buffer was allocated before checking the IRQ for privacy GPIO. In case of error, the unit buffer was leaked. Allocate the unit buffer after the IRQ to avoid it. Addresses-Coverity-ID: 1474639 (“Resource leak”) | 2025-12-30 | not yet calculated | CVE-2022-50882 | https://git.kernel.org/stable/c/6c5da92103bddd1f0c36cb69446ff7cae3043986 https://git.kernel.org/stable/c/deb8f32ae4b10a48c433f2da1b1159521ac24674 https://git.kernel.org/stable/c/4a7ae8d982a89b3b43b36ec7d62a2e3d06ffa16e https://git.kernel.org/stable/c/f0f078457f18f10696888f8d0e6aba9deb9cde92 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent decl_tag from being referenced in func_proto arg Syzkaller managed to hit another decl_tag issue: btf_func_proto_check kernel/bpf/btf.c:4506 [inline] btf_check_all_types kernel/bpf/btf.c:4734 [inline] btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763 btf_parse kernel/bpf/btf.c:5042 [inline] btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709 bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342 __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034 __do_sys_bpf kernel/bpf/syscall.c:5093 [inline] __se_sys_bpf kernel/bpf/syscall.c:5091 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 This seems similar to commit ea68376c8bed (“bpf: prevent decl_tag from being referenced in func_proto”) but for the argument. | 2025-12-30 | not yet calculated | CVE-2022-50883 | https://git.kernel.org/stable/c/3f3d54962a032581996edda8e6bcbf7a30371234 https://git.kernel.org/stable/c/e6d276dcc9204f95632580c43d66c52ca502d7ec https://git.kernel.org/stable/c/f17472d4599697d701aa239b4c475a506bccfd19 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm: Prevent drm_copy_field() to attempt copying a NULL pointer There are some struct drm_driver fields that are required by drivers since drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. But it can be possible that a driver has a bug and did not set some of the fields, which leads to drm_copy_field() attempting to copy a NULL pointer: [ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ +0.010955] Mem abort info: [ +0.002835] ESR = 0x0000000096000004 [ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits [ +0.005395] SET = 0, FnV = 0 [ +0.003113] EA = 0, S1PTW = 0 [ +0.003182] FSC = 0x04: level 0 translation fault [ +0.004964] Data abort info: [ +0.002919] ISV = 0, ISS = 0x00000004 [ +0.003886] CM = 0, WnR = 0 [ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000 [ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ +0.006925] Internal error: Oops: 96000004 [#1] SMP … [ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ +0.007061] pc : __pi_strlen+0x14/0x150 [ +0.003895] lr : drm_copy_field+0x30/0x1a4 [ +0.004156] sp : ffff8000094b3a50 [ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040 [ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040 [ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000 [ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000 [ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40 [ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8 [ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141 [ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000 [ +0.007240] Call trace: [ +0.002475] __pi_strlen+0x14/0x150 [ +0.003537] drm_version+0x84/0xac [ +0.003448] drm_ioctl_kernel+0xa8/0x16c [ +0.003975] drm_ioctl+0x270/0x580 [ +0.003448] __arm64_sys_ioctl+0xb8/0xfc [ +0.003978] invoke_syscall+0x78/0x100 [ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4 [ +0.004767] do_el0_svc+0x38/0x4c [ +0.003357] el0_svc+0x34/0x100 [ +0.003185] el0t_64_sync_handler+0x11c/0x150 [ +0.004418] el0t_64_sync+0x190/0x194 [ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02) [ +0.006180] ---[ end trace 0000000000000000 ]--- | 2025-12-30 | not yet calculated | CVE-2022-50884 | https://git.kernel.org/stable/c/d213914386a0ede76a4549b41de30192fb92c595 https://git.kernel.org/stable/c/ee9885cd936aad88f84d0cf90bf9a70e83e42a97 https://git.kernel.org/stable/c/8052612b9d08048ebbebcb572894670b4ac07d2f https://git.kernel.org/stable/c/cdde55f97298e5bb9af6d41c9303a3ec545a370e https://git.kernel.org/stable/c/c28a8082b25ce4ec94999e10a30c50d20bd44a25 https://git.kernel.org/stable/c/ca163e389f0ae096a4e1e19f0a95e60ed80b4e31 https://git.kernel.org/stable/c/2d6708ea5c2033ff53267feff1876a717689989f https://git.kernel.org/stable/c/6cf5e9356b2d856403ee480f987f3ea64dbf8d8c https://git.kernel.org/stable/c/f6ee30407e883042482ad4ad30da5eaba47872ee |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed There is a null-ptr-deref when mount.cifs over rdma: BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] Read of size 8 at addr 0000000000000018 by task mount.cifs/3046 CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 kasan_report+0xad/0x130 rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] execute_in_process_context+0x25/0x90 __rxe_cleanup+0x101/0x1d0 [rdma_rxe] rxe_create_qp+0x16a/0x180 [rdma_rxe] create_qp.part.0+0x27d/0x340 ib_create_qp_kernel+0x73/0x160 rdma_create_qp+0x100/0x230 _smbd_get_connection+0x752/0x20f0 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The root cause of the issue is the socket create failed in rxe_qp_init_req(). So move the reset rxe_qp_do_cleanup() after the NULL ptr check. | 2025-12-30 | not yet calculated | CVE-2022-50885 | https://git.kernel.org/stable/c/ee24de095569935eba600f7735e8e8ddea5b418e https://git.kernel.org/stable/c/7340ca9f782be6fbe3f64a134dc112772764f766 https://git.kernel.org/stable/c/bd7106a6004f1077a365ca7f5a99c7a708e20714 https://git.kernel.org/stable/c/6bb5a62bfd624039b05157745c234068508393a9 https://git.kernel.org/stable/c/f64f08b9e6fb305a25dd75329e06ae342b9ce336 https://git.kernel.org/stable/c/5b924632d84a60bc0c7fe6e9bbbce99d03908957 https://git.kernel.org/stable/c/821f9a18210f6b9fd6792471714c799607b25db4 https://git.kernel.org/stable/c/f67376d801499f4fa0838c18c1efcad8840e550d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: toshsd: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a not-added device in the remove path. So fix this by checking the return value and going to the error path, which will call mmc_free_host(); besides, free_irq() also needs to be called. | 2025-12-30 | not yet calculated | CVE-2022-50886 | https://git.kernel.org/stable/c/34ae492f8d172f0bd193c24cad588b35419ea47a https://git.kernel.org/stable/c/3329e7b7132ca727263fb0ee214cf52cc6dcaaad https://git.kernel.org/stable/c/4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff https://git.kernel.org/stable/c/3dbb69a0242c31ea4c9eee22b1c41b515fe509a0 https://git.kernel.org/stable/c/aabbedcb6c9a72d12d35dc672e83f0c8064d8a61 https://git.kernel.org/stable/c/6444079767b68b1fbed0e7668081146e80dcb719 https://git.kernel.org/stable/c/647e370dd0ef7e212d8d014bda748e461eab2e8c https://git.kernel.org/stable/c/bfd77b194c94aefbde4efc30ddf8607dd9244672 https://git.kernel.org/stable/c/f670744a316ea983113a65313dcd387b5a992444 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() I got the following report: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@62/regulators/exten In of_get_regulator(), the node is returned from of_parse_phandle() with its refcount incremented; after using it, of_node_put() needs to be called. | 2025-12-30 | not yet calculated | CVE-2022-50887 | https://git.kernel.org/stable/c/0e88505ac0a6ae97746bcdbd4b042ee9f20455ae https://git.kernel.org/stable/c/4dfcf5087db9a34a300d6b99009232d4537c3e6a https://git.kernel.org/stable/c/3ac888db0f67813d91373a9a61c840f815cd4ec9 https://git.kernel.org/stable/c/d39937f8de641c44a337cec4a2e5d3e8add20a7d https://git.kernel.org/stable/c/f48c474efe05cf9ce5e535b5e0ddd710e963936c https://git.kernel.org/stable/c/cda1895f3b7f324ece1614308a815a3994983b97 https://git.kernel.org/stable/c/2b93c58adddd98812ad928bbc2063038f3df1ffd https://git.kernel.org/stable/c/2f98469c3141f8e42ba11075a273fb795bbad57f https://git.kernel.org/stable/c/f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio() q6v5_wcss_init_mmio() will call platform_get_resource_byname(), which may fail and return NULL. devm_ioremap() will use res->start as input, which may cause a null-ptr-deref. Check the return value of platform_get_resource_byname() to avoid the null-ptr-deref. | 2025-12-30 | not yet calculated | CVE-2022-50888 | https://git.kernel.org/stable/c/098ebb9089c4eedea09333f912d105fa63377496 https://git.kernel.org/stable/c/3afa88ae9911b65702a3aca9d92ea23fe496e56f https://git.kernel.org/stable/c/0903a87490a9ed456ac765a84dcc484c1ee42c32 https://git.kernel.org/stable/c/f360e2b275efbb745ba0af8b47d9ef44221be586 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dm integrity: Fix UAF in dm_integrity_dtr() Dm_integrity also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancel the timer again in dm_integrity_dtr(). | 2025-12-30 | not yet calculated | CVE-2022-50889 | https://git.kernel.org/stable/c/792e51aac376cfb5bd527c2a30826223b82dd177 https://git.kernel.org/stable/c/a506b5c92757b034034ef683e667bffc456c600b https://git.kernel.org/stable/c/9215b25f2e105032114e9b92c9783a2a84ee8af9 https://git.kernel.org/stable/c/9f8e1e54a3a424c6c4fb8742e094789d3ec91e42 https://git.kernel.org/stable/c/b6c93cd61afab061d80cc842333abca97b289774 https://git.kernel.org/stable/c/f50cb2cbabd6c4a60add93d72451728f86e4791c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix possible memory leak in smb2_lock() argv needs to be freed when setup_async_work fails or when the current process is woken up. | 2025-12-30 | not yet calculated | CVE-2023-54162 | https://git.kernel.org/stable/c/bfe8372ef2dbdce97f13b21d76e2080ddeef5a79 https://git.kernel.org/stable/c/6bf555ed8938444466c3d7f3252eb874a518f293 https://git.kernel.org/stable/c/11d38f8a0c19763e34d2093b5ecb640e012cb2d2 https://git.kernel.org/stable/c/d3ca9f7aeba793d74361d88a8800b2f205c9236b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: fix iso_conn related locking and validity issues sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations that check/update sk_state and access conn should hold lock_sock, otherwise they can race. The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, which is how it is in connect/disconnect_cfm -> iso_conn_del -> iso_chan_del. Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock around updating sk_state and conn. iso_conn_del must not occur during iso_connect_cis/bis, as it frees the iso_conn. Hold hdev->lock longer to prevent that. This should not reintroduce the issue fixed in commit 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency"), since we acquire locks in order. We retain the fix in iso_sock_connect to release lock_sock before iso_connect_* acquires hdev->lock. Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency"). We retain the fix in iso_conn_ready to not acquire iso_conn_lock before lock_sock. iso_conn_add shall return iso_conn with valid hcon. Make it so also when reusing an old CIS connection waiting for disconnect timeout (see __iso_sock_close where conn->hcon is set to NULL). Trace with iso_conn_del after iso_chan_add in iso_connect_cis: =============================================================== iso_sock_create:771: sock 00000000be9b69b7 iso_sock_init:693: sk 000000004dff667e iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_connect:875: sk 000000004dff667e iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e __iso_chan_add:214: conn 00000000daf8625e iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 iso_sock_clear_timer:117: sock 000000004dff667e state 3 <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still running at this point> iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 hci_conn_unlink:1102: hci0: hcon 000000007b65d182 hci_chan_list_flush:2780: hcon 000000007b65d182 iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 __iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it must be that iso_chan_del occurred between iso_chan_add and end of iso_connect_cis.> BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth =============================================================== Trace with iso_conn_del before iso_chan_add in iso_connect_cis: =============================================================== iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da … iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 hci_dev_put:1487: hci0 orig refcnt 21 hci_event_packet:7607: hci0: e —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54164 | https://git.kernel.org/stable/c/e969bfed84c1f88dc722a678ee08488e86f0ec1a https://git.kernel.org/stable/c/88ad50f2b843a510bd7c922c0a4e2484aff9d645 https://git.kernel.org/stable/c/d40ae85ee62e3666f45bc61864b22121346f88ef |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: zsmalloc: move LRU update from zs_map_object() to zs_malloc() Under memory pressure, we sometimes observe the following crash: [ 5694.832838] ------------[ cut here ]------------ [ 5694.842093] list_del corruption, ffff888014b6a448->next is LIST_POISON1 (dead000000000100) [ 5694.858677] WARNING: CPU: 33 PID: 418824 at lib/list_debug.c:47 __list_del_entry_valid+0x42/0x80 [ 5694.961820] CPU: 33 PID: 418824 Comm: fuse_counters.s Kdump: loaded Tainted: G S 5.19.0-0_fbk3_rc3_hoangnhatpzsdynshrv41_10870_g85a9558a25de #1 [ 5694.990194] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM16 05/24/2021 [ 5695.007072] RIP: 0010:__list_del_entry_valid+0x42/0x80 [ 5695.017351] Code: 08 48 83 c2 22 48 39 d0 74 24 48 8b 10 48 39 f2 75 2c 48 8b 51 08 b0 01 48 39 f2 75 34 c3 48 c7 c7 55 d7 78 82 e8 4e 45 3b 00 <0f> 0b eb 31 48 c7 c7 27 a8 70 82 e8 3e 45 3b 00 0f 0b eb 21 48 c7 [ 5695.054919] RSP: 0018:ffffc90027aef4f0 EFLAGS: 00010246 [ 5695.065366] RAX: 41fe484987275300 RBX: ffff888008988180 RCX: 0000000000000000 [ 5695.079636] RDX: ffff88886006c280 RSI: ffff888860060480 RDI: ffff888860060480 [ 5695.093904] RBP: 0000000000000002 R08: 0000000000000000 R09: ffffc90027aef370 [ 5695.108175] R10: 0000000000000000 R11: ffffffff82fdf1c0 R12: 0000000010000002 [ 5695.122447] R13: ffff888014b6a448 R14: ffff888014b6a420 R15: 00000000138dc240 [ 5695.136717] FS: 00007f23a7d3f740(0000) GS:ffff888860040000(0000) knlGS:0000000000000000 [ 5695.152899] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5695.164388] CR2: 0000560ceaab6ac0 CR3: 000000001c06c001 CR4: 00000000007706e0 [ 5695.178659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 5695.192927] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 5695.207197] PKRU: 55555554 [ 5695.212602] Call Trace: [ 5695.217486] <TASK> [ 5695.221674] zs_map_object+0x91/0x270 [ 5695.229000] zswap_frontswap_store+0x33d/0x870 [ 5695.237885] ? do_raw_spin_lock+0x5d/0xa0 [ 5695.245899] __frontswap_store+0x51/0xb0 [ 5695.253742] swap_writepage+0x3c/0x60 [ 5695.261063] shrink_page_list+0x738/0x1230 [ 5695.269255] shrink_lruvec+0x5ec/0xcd0 [ 5695.276749] ? shrink_slab+0x187/0x5f0 [ 5695.284240] ? mem_cgroup_iter+0x6e/0x120 [ 5695.292255] shrink_node+0x293/0x7b0 [ 5695.299402] do_try_to_free_pages+0xea/0x550 [ 5695.307940] try_to_free_pages+0x19a/0x490 [ 5695.316126] __folio_alloc+0x19ff/0x3e40 [ 5695.323971] ? __filemap_get_folio+0x8a/0x4e0 [ 5695.332681] ? walk_component+0x2a8/0xb50 [ 5695.340697] ? generic_permission+0xda/0x2a0 [ 5695.349231] ? __filemap_get_folio+0x8a/0x4e0 [ 5695.357940] ? walk_component+0x2a8/0xb50 [ 5695.365955] vma_alloc_folio+0x10e/0x570 [ 5695.373796] ? walk_component+0x52/0xb50 [ 5695.381634] wp_page_copy+0x38c/0xc10 [ 5695.388953] ? filename_lookup+0x378/0xbc0 [ 5695.397140] handle_mm_fault+0x87f/0x1800 [ 5695.405157] do_user_addr_fault+0x1bd/0x570 [ 5695.413520] exc_page_fault+0x5d/0x110 [ 5695.421017] asm_exc_page_fault+0x22/0x30 After some investigation, I have found the following issue: unlike other zswap backends, zsmalloc performs the LRU list update at the object mapping time, rather than when the slot for the object is allocated. This deviation was discussed and agreed upon during the review process of the zsmalloc writeback patch series: https://lore.kernel.org/lkml/Y3flcAXNxxrvy3ZH@cmpxchg.org/ Unfortunately, this introduces a subtle bug that occurs when there is a concurrent store and reclaim, which interleave as follows: zswap_frontswap_store() shrink_worker() zs_malloc() zs_zpool_shrink() spin_lock(&pool->lock) zs_reclaim_page() zspage = find_get_zspage() spin_unlock(&pool->lock) spin_lock(&pool->lock) zspage = list_first_entry(&pool->lru) —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54165 | https://git.kernel.org/stable/c/e95adf7486f2cb5f1bb303113ca30460951923e9 https://git.kernel.org/stable/c/d461aac924b937bcb4fd0ca1242b3ef6868ecddd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: igc: Fix Kernel Panic during ndo_tx_timeout callback The Xeon validation group has been carrying out some loaded tests with various HW configurations, and they have seen some transmit queue time out happening during the test. This will cause the reset adapter function to be called by igc_tx_timeout(). Similar race conditions may arise when the interface is being brought down and up in igc_reinit_locked(), an interrupt being generated, and igc_clean_tx_irq() being called to complete the TX. When the igc_tx_timeout() function is invoked, this patch will turn off all TX ring HW queues during igc_down() process. TX ring HW queues will be activated again during the igc_configure_tx_ring() process when performing the igc_up() procedure later. This patch also moved existing igc_disable_tx_ring_hw() to avoid using forward declaration. Kernel trace: [ 7678.747813] ------------[ cut here ]------------ [ 7678.757914] NETDEV WATCHDOG: enp1s0 (igc): transmit queue 2 timed out [ 7678.770117] WARNING: CPU: 0 PID: 13 at net/sched/sch_generic.c:525 dev_watchdog+0x1ae/0x1f0 [ 7678.784459] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat nf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO) cegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO) svfs_pci_hotplug(PO) vtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO) svheartbeat(PO) ioapic(PO) sv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO) smbus(PO) spiflash_cdf(PO) arden(PO) dsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO) pch(PO) sviotargets(PO) svbdf(PO) svmem(PO) svbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO) svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO) fs_svfs(PO) mdevdefdb(PO) svfs_os_services(O) ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO) regsupport(O) libnvdimm nls_cp437 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci [ 7678.784496] input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm fuse backlight configfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic pegasus mmc_block usbhid mmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa scsi_transport_sas e1000e e1000 e100 ax88179_178a usbnet xhci_pci sd_mod xhci_hcd t10_pi crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore crct10dif_generic ptp crct10dif_common usb_common pps_core [ 7679.200403] RIP: 0010:dev_watchdog+0x1ae/0x1f0 [ 7679.210201] Code: 28 e9 53 ff ff ff 4c 89 e7 c6 05 06 42 b9 00 01 e8 17 d1 fb ff 44 89 e9 4c 89 e6 48 c7 c7 40 ad fb 81 48 89 c2 e8 52 62 82 ff <0f> 0b e9 72 ff ff ff 65 8b 05 80 7d 7c 7e 89 c0 48 0f a3 05 0a c1 [ 7679.245438] RSP: 0018:ffa00000001f7d90 EFLAGS: 00010282 [ 7679.256021] RAX: 0000000000000000 RBX: ff11000109938440 RCX: 0000000000000000 [ 7679.268710] RDX: ff11000361e26cd8 RSI: ff11000361e1b880 RDI: ff11000361e1b880 [ 7679.281314] RBP: ffa00000001f7da8 R08: ff1100035f8fffe8 R09: 0000000000027ffb [ 7679.293840] R10: 0000000000001f0a R11: ff1100035f840000 R12: ff11000109938000 [ 7679.306276] R13: 0000000000000002 R14: dead000000000122 R15: ffa00000001f7e18 [ 7679.318648] FS: 0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000 [ 7679.332064] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 7679.342757] CR2: 00007ffff7fca168 CR3: 000000013b08a006 CR4: 0000000000471ef8 [ 7679.354984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 7679.367207] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 7679.379370] PKRU: 55555554 [ 7679.386446] Call Trace: [ 7679.393152] <TASK> [ 7679.399363] ? __pfx_dev_watchdog+0x10/0x10 [ 7679.407870] call_timer_fn+0x31/0x110 [ 7679.415698] e —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54166 | https://git.kernel.org/stable/c/feba294c454a51bb1e80dd2ff038e335f07ae481 https://git.kernel.org/stable/c/c09df09241fdd6aa5b94a5243369662a13ec608a https://git.kernel.org/stable/c/c12554d97fcd954d5c66bcd016586732cf240d0b https://git.kernel.org/stable/c/d4a7ce642100765119a872d4aba1bf63e3a22c8a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: m68k: mm: Move initrd phys_to_virt handling after paging_init() When booting with an initial ramdisk on platforms where physical memory does not start at address zero (e.g. on Amiga): initrd: 0ef0602c - 0f800000 Zone ranges: DMA [mem 0x0000000008000000-0x000000f7ffffffff] Normal empty Movable zone start for each node Early memory node ranges node 0: [mem 0x0000000008000000-0x000000000f7fffff] Initmem setup node 0 [mem 0x0000000008000000-0x000000000f7fffff] Unable to handle kernel access at virtual address (ptrval) Oops: 00000000 Modules linked in: PC: [<00201d3c>] memcmp+0x28/0x56 As phys_to_virt() relies on m68k_memoffset and module_fixup(), it must not be called before paging_init(). Hence postpone the phys_to_virt handling for the initial ramdisk until after calling paging_init(). While at it, reduce #ifdef clutter by using IS_ENABLED() instead. | 2025-12-30 | not yet calculated | CVE-2023-54167 | https://git.kernel.org/stable/c/ceb089e2337f810d3594d310953d9af4783f660a https://git.kernel.org/stable/c/58662cfb459150b9c0c22d20cddaea439b3844bd https://git.kernel.org/stable/c/d4b97925e87eb133e400fe4a482d750c74ce392f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() The ucmd->log_sq_bb_count variable is controlled by the user so this shift can wrap. Fix it by using check_shl_overflow() in the same way that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size()"). | 2025-12-30 | not yet calculated | CVE-2023-54168 | https://git.kernel.org/stable/c/3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff https://git.kernel.org/stable/c/8feca625900777e02a449e53fe4121339934c38a https://git.kernel.org/stable/c/9ad3221c86cc9c6305594b742d4a72dfbd4ea579 https://git.kernel.org/stable/c/9911be2155720221a4f1f722b22bd0e2388d8bcf https://git.kernel.org/stable/c/3ce0df3493277b9df275cb8455d9c677ae701230 https://git.kernel.org/stable/c/196a6df08b08699ace4ce70e1efcdd9081b6565f https://git.kernel.org/stable/c/a183905869e692b6b7805b7472235585eff8e429 https://git.kernel.org/stable/c/d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix memory leak in mlx5e_ptp_open When kvzalloc_node or kvzalloc failed in mlx5e_ptp_open, the memory pointed by "c" or "cparams" is not freed, which can lead to a memory leak. Fix by freeing the array in the error path. | 2025-12-30 | not yet calculated | CVE-2023-54169 | https://git.kernel.org/stable/c/4892e1e548b5bd6524c1c89df06e4849df26fc20 https://git.kernel.org/stable/c/83a8f7337a14cdb215c76a8f4cf3f3be8b59177d https://git.kernel.org/stable/c/7035e3ae600c4e9cb3dc220c24dd77112ddff8b1 https://git.kernel.org/stable/c/d543b649ffe58a0cb4b6948b3305069c5980a1fa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: keys: Fix linking a duplicate key to a keyring's assoc_array When making a DNS query inside the kernel using dns_query(), the request code can in rare cases end up creating a duplicate index key in the assoc_array of the destination keyring. It is eventually found by a BUG_ON() check in the assoc_array implementation and results in a crash. Example report: [2158499.700025] kernel BUG at ../lib/assoc_array.c:652! [2158499.700039] invalid opcode: 0000 [#1] SMP PTI [2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 [2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] [2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 [2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f [2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 [2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 [2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 [2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 [2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 [2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 [2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 [2158499.700702] Call Trace: [2158499.700741] ? key_alloc+0x447/0x4b0 [2158499.700768] ? __key_link_begin+0x43/0xa0 [2158499.700790] __key_link_begin+0x43/0xa0 [2158499.700814] request_key_and_link+0x2c7/0x730 [2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] [2158499.700873] ? key_default_cmp+0x20/0x20 [2158499.700898] request_key_tag+0x43/0xa0 [2158499.700926] dns_query+0x114/0x2ca [dns_resolver] [2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] [2158499.701164] ? scnprintf+0x49/0x90 [2158499.701190] ? __switch_to_asm+0x40/0x70 [2158499.701211] ? __switch_to_asm+0x34/0x70 [2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] [2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] [2158499.701632] process_one_work+0x1f8/0x3e0 [2158499.701658] worker_thread+0x2d/0x3f0 [2158499.701682] ? process_one_work+0x3e0/0x3e0 [2158499.701703] kthread+0x10d/0x130 [2158499.701723] ? kthread_park+0xb0/0xb0 [2158499.701746] ret_from_fork+0x1f/0x40 The situation occurs as follows: * Some kernel facility invokes dns_query() to resolve a hostname, for example, "abcdef". The function registers its global DNS resolver cache as current->cred.thread_keyring and passes the query to request_key_net() -> request_key_tag() -> request_key_and_link(). * Function request_key_and_link() creates a keyring_search_context object. Its match_data.cmp method gets set via a call to type->match_preparse() (resolves to dns_resolver_match_preparse()) to dns_resolver_cmp(). * Function request_key_and_link() continues and invokes search_process_keyrings_rcu() which returns that a given key was not found. The control is then passed to request_key_and_link() -> construct_alloc_key(). * Concurrently to that, a second task similarly makes a DNS query for "abcdef." and its result gets inserted into the DNS resolver cache. * Back on the first task, function construct_alloc_key() first runs __key_link_begin() to determine an assoc_array_edit operation to insert a new key. Index keys in the array are compared exactly as-is, using keyring_compare_object(). The operation —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54170 | https://git.kernel.org/stable/c/65bd66a794bfa059375ec834885bb610d75c0182 https://git.kernel.org/stable/c/0a6b0ca58685be34979236f83f2b322635b80b32 https://git.kernel.org/stable/c/9aecfebea24fe6071ace5cc9fd6d690b87276bbb https://git.kernel.org/stable/c/00edfa6d4fe022942e2f2e6f3294ff13ef78b15c https://git.kernel.org/stable/c/e091bb55af9a930801f83df78195a908a76e1479 https://git.kernel.org/stable/c/d55901522f96082a43b9842d34867363c0cdbac5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix memory leak of iter->temp when reading trace_pipe kmemleak reports: unreferenced object 0xffff88814d14e200 (size 256): comm "cat", pid 336, jiffies 4294871818 (age 779.490s) hex dump (first 32 bytes): 04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00 ................ 0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff ........Z....... backtrace: [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140 [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0 [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0 [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950 [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0 [<ffffffff9bf03a43>] vfs_read+0x143/0x520 [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160 [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90 [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 when reading file 'trace_pipe', 'iter->temp' is allocated or relocated in trace_find_next_entry() but not freed before 'trace_pipe' is closed. To fix it, free 'iter->temp' in tracing_release_pipe(). | 2025-12-30 | not yet calculated | CVE-2023-54171 | https://git.kernel.org/stable/c/1a1e793e021d75cd0accd8f329ec9456e5cd105e https://git.kernel.org/stable/c/954792db9f61b6c0b8a94b8831fed5f146014029 https://git.kernel.org/stable/c/be970e22c53d5572b2795b79da9716ada937023b https://git.kernel.org/stable/c/3f42d57a76e7e96585f08855554e002218cbca0c https://git.kernel.org/stable/c/d5a821896360cc8b93a15bd888fabc858c038dc0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs with ConfigVersion 9.3 or later support IBT in the guest. However, current versions of Hyper-V have a bug in that there's not an ENDBR64 instruction at the beginning of the hypercall page. Since hypercalls are made with an indirect call to the hypercall page, all hypercall attempts fail with an exception and Linux panics. A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start with ENDBR. The VM will boot and run without IBT. If future Linux 32-bit kernels were to support IBT, additional hypercall page hackery would be needed to make IBT work for such kernels in a Hyper-V VM. | 2025-12-30 | not yet calculated | CVE-2023-54172 | https://git.kernel.org/stable/c/98cccbd0a19a161971bc7f7feb10577adc62c400 https://git.kernel.org/stable/c/73626b70b361ddda7c380e52c236aa4f2487c402 https://git.kernel.org/stable/c/d5ace2a776442d80674eff9ed42e737f7dd95056 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_event_output We received report [1] of a kernel crash, which is caused by using nesting protection without disabled preemption. The bpf_event_output can be called by programs executed by the bpf_prog_run_array_cg function, which disables migration but keeps preemption enabled. This can cause a task to be preempted by another one inside the nesting protection and eventually lead to two tasks using the same perf_sample_data buffer and cause crashes like: BUG: kernel NULL pointer dereference, address: 0000000000000001 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page ... ? perf_output_sample+0x12a/0x9a0 ? finish_task_switch.isra.0+0x81/0x280 ? perf_event_output+0x66/0xa0 ? bpf_event_output+0x13a/0x190 ? bpf_event_output_data+0x22/0x40 ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb ? xa_load+0x87/0xe0 ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0 ? release_sock+0x3e/0x90 ? sk_setsockopt+0x1a1/0x12f0 ? udp_pre_connect+0x36/0x50 ? inet_dgram_connect+0x93/0xa0 ? __sys_connect+0xb4/0xe0 ? udp_setsockopt+0x27/0x40 ? __pfx_udp_push_pending_frames+0x10/0x10 ? __sys_setsockopt+0xdf/0x1a0 ? __x64_sys_connect+0xf/0x20 ? do_syscall_64+0x3a/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix this by disabling preemption in bpf_event_output. [1] https://github.com/cilium/cilium/issues/26756 | 2025-12-30 | not yet calculated | CVE-2023-54173 | https://git.kernel.org/stable/c/3048cb0dc0cc9dc74ed93690dffef00733bcad5b https://git.kernel.org/stable/c/c81bdf8f9f2b002d217c3d5357cdea9f2b82ff90 https://git.kernel.org/stable/c/36dd8ca330b76585640ed32255a3c99f901e1502 https://git.kernel.org/stable/c/063c9ce8e74e07bf94f99cd13146f42867875e8b https://git.kernel.org/stable/c/d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd group->iommufd is not initialized for the iommufd_ctx_put() [20018.331541] BUG: kernel NULL pointer dereference, address: 0000000000000000 [20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd] … [20018.476483] Call Trace: [20018.479214] <TASK> [20018.481555] vfio_group_fops_unl_ioctl+0x506/0x690 [vfio] [20018.487586] __x64_sys_ioctl+0x6a/0xb0 [20018.491773] ? trace_hardirqs_on+0xc5/0xe0 [20018.496347] do_syscall_64+0x67/0x90 [20018.500340] entry_SYSCALL_64_after_hwframe+0x4b/0xb5 | 2025-12-30 | not yet calculated | CVE-2023-54174 | https://git.kernel.org/stable/c/8f24eef598ce7cce0bbefe0ec642bcc031d0f528 https://git.kernel.org/stable/c/d649c34cb916b015fdcb487e51409fcc5caeca8d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path The xiic_xfer() function gets a runtime PM reference when the function is entered. This reference is released when the function is exited. There is currently one error path where the function exits directly, which leads to a leak of the runtime PM reference. Make sure that this error path also releases the runtime PM reference. | 2025-12-30 | not yet calculated | CVE-2023-54175 | https://git.kernel.org/stable/c/2d320d9de7d31c0eb279b3f8a02cf1af473a3737 https://git.kernel.org/stable/c/72cb227a368cf286efb8ce1e741e8c7085747b4d https://git.kernel.org/stable/c/06e661a259978305c0015f6f33d14477a0cfbe8f https://git.kernel.org/stable/c/6027d84c073e26cb1b32a90d69c5fbad57776406 https://git.kernel.org/stable/c/688fdfc458bfa651dca39c736d39c1b7520af0e8 https://git.kernel.org/stable/c/d663d93bb47e7ab45602b227701022d8aa16040a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: stricter state check in mptcp_worker As reported by Christoph, the mptcp protocol can run the worker when the relevant msk socket is in an unexpected state: connect() // incoming reset + fastclose // the mptcp worker is scheduled mptcp_disconnect() // msk is now CLOSED listen() mptcp_worker() Leading to the following splat: divide error: 0000 [#1] PREEMPT SMP CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018 RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293 RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004 RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000 R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:262 [inline] __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345 tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459 mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline] mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705 process_one_work+0x3bd/0x950 kernel/workqueue.c:2390 worker_thread+0x5b/0x610 kernel/workqueue.c:2537 kthread+0x138/0x170 kernel/kthread.c:376 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> This change addresses the issue by explicitly checking for bad states before running the mptcp worker. | 2025-12-30 | not yet calculated | CVE-2023-54176 | https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54 https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678 https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: quota: fix warning in dqgrab() There's an issue as follows when doing fault injection: WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 Modules linked in: CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 RIP: 0010:dquot_disable+0x13b7/0x18c0 RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dquot_load_quota_sb+0xd53/0x1060 dquot_resume+0x172/0x230 ext4_reconfigure+0x1dc6/0x27b0 reconfigure_super+0x515/0xa90 __x64_sys_fsconfig+0xb19/0xd20 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The above issue may happen as follows: ProcessA ProcessB ProcessC sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_suspend -> suspend all type quota sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_resume ret = dquot_load_quota_sb add_dquot_ref do_open -> open file O_RDWR vfs_open do_dentry_open get_write_access atomic_inc_unless_negative(&inode->i_writecount) ext4_file_open dquot_file_open dquot_initialize __dquot_initialize dqget atomic_inc(&dquot->dq_count); __dquot_initialize __dquot_initialize dqget if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ext4_acquire_dquot -> Return error DQ_ACTIVE_B flag isn't set dquot_disable invalidate_dquots if (atomic_read(&dquot->dq_count)) dqgrab WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) -> Trigger warning In the above scenario, 'dquot->dq_flags' having no DQ_ACTIVE_B is normal when dqgrab() is called. To solve the above issue, just replace the dqgrab() use in invalidate_dquots() with atomic_inc(&dquot->dq_count). | 2025-12-30 | not yet calculated | CVE-2023-54177 | https://git.kernel.org/stable/c/6478eabc92274efae6269da7c515ba2b4c8e88d8 https://git.kernel.org/stable/c/965bad2bf1afef64ec16249da676dc7310cca32e https://git.kernel.org/stable/c/3f378783c47b5749317ea008d8c931d6d3986d8f https://git.kernel.org/stable/c/cbaebbba722cb9738c55903efce11f51cdd97bee https://git.kernel.org/stable/c/579d814de87c3cac69c9b261efa165d07cde3357 https://git.kernel.org/stable/c/6432843debe1ec7d76c5b2f76c67f9c5df22436e https://git.kernel.org/stable/c/6f4e543d277a12dfeff027e6ab24a170e1bfc160 https://git.kernel.org/stable/c/d6a95db3c7ad160bc16b89e36449705309b52bcb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name() When kmalloc() fails to allocate memory in kasprintf(), name or full_name will be NULL, and strcmp() will cause a null pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54178 | https://git.kernel.org/stable/c/c364fa869b33ca42a263bf91c22fce7e6c61d479 https://git.kernel.org/stable/c/0b7d715511915a1b39f5fdcbe57a7922dfd66513 https://git.kernel.org/stable/c/dadf0d0dfcc81cdcb27ba5426676d13a9e4fb925 https://git.kernel.org/stable/c/f41c65f8d05be734898cbe72af59a401b97d298a https://git.kernel.org/stable/c/ea5bc6f5aa099e3e84d037282836234ad77cba88 https://git.kernel.org/stable/c/43cc228099c514467b8074d7ede6673cef9f33b9 https://git.kernel.org/stable/c/c74ae8124f9687062dd99858f34c9d027ddd73da https://git.kernel.org/stable/c/2dd8ee9de71ad8447f8459fb01dade7f6c7132da https://git.kernel.org/stable/c/d6ce4f0ea19c32f10867ed93d8386924326ab474 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Array index may go out of bound Klocwork reports array 'vha->host_str' of size 16 may use index value(s) 16..19. Use snprintf() instead of sprintf(). | 2025-12-30 | not yet calculated | CVE-2023-54179 | https://git.kernel.org/stable/c/e697f466bf61280b7e996c9ea096d7ec371c31ea https://git.kernel.org/stable/c/ea64c727f20123342020257cfa956fbfbd6d12ff https://git.kernel.org/stable/c/bcd773969a87d9802053c0db5be84abd6594a024 https://git.kernel.org/stable/c/748d8f8698a2f48ffe32dd7b35dbab1810ed1f82 https://git.kernel.org/stable/c/2b3bdef089b920b4a19fefb4f4e6dda56a4bb583 https://git.kernel.org/stable/c/e934737e18ff069a66cd53cd7f7a0b34ae2c24fe https://git.kernel.org/stable/c/d721b591b95cf3f290f8a7cbe90aa2ee0368388d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: handle case when repair happens with dev-replace [BUG] There is a bug report that a BUG_ON() in btrfs_repair_io_failure() (originally repair_io_failure() in v6.0 kernel) got triggered when replacing an unreliable disk: BTRFS warning (device sda1): csum failed root 257 ino 2397453 off 39624704 csum 0xb0d18c75 expected csum 0x4dae9c5e mirror 3 kernel BUG at fs/btrfs/extent_io.c:2380! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 PID: 3614331 Comm: kworker/u257:2 Tainted: G OE 6.0.0-5-amd64 #1 Debian 6.0.10-2 Hardware name: Micro-Star International Co., Ltd. MS-7C60/TRX40 PRO WIFI (MS-7C60), BIOS 2.70 07/01/2021 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] RIP: 0010:repair_io_failure+0x24a/0x260 [btrfs] Call Trace: <TASK> clean_io_failure+0x14d/0x180 [btrfs] end_bio_extent_readpage+0x412/0x6e0 [btrfs] ? __switch_to+0x106/0x420 process_one_work+0x1c7/0x380 worker_thread+0x4d/0x380 ? rescuer_thread+0x3a0/0x3a0 kthread+0xe9/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 [CAUSE] Before the BUG_ON(), we got some read errors from the replace target first; note the mirror number (3, which is beyond RAID1 duplication, thus it's read from the replace target device). Then at the BUG_ON() location, we are trying to write the repaired sectors back to the failed device. The check looks like this: ret = btrfs_map_block(fs_info, BTRFS_MAP_WRITE, logical, &map_length, &bioc, mirror_num); if (ret) goto out_counter_dec; BUG_ON(mirror_num != bioc->mirror_num); But inside btrfs_map_block(), we can modify bioc->mirror_num especially for dev-replace: if (dev_replace_is_ongoing && mirror_num == map->num_stripes + 1 && !need_full_stripe(op) && dev_replace->tgtdev != NULL) { ret = get_extra_mirror_from_replace(fs_info, logical, *length, dev_replace->srcdev->devid, &mirror_num, &physical_to_patch_in_first_stripe); patch_the_first_stripe_for_dev_replace = 1; } Thus if we're repairing the replace target device, we're going to trigger that BUG_ON(). But in reality, the read failure from the replace target device may be that our replace hasn't reached the range we're reading, thus we're reading garbage, but with replace running, the range would be properly filled later. Thus in that case, we don't need to do anything but let the replace routine handle it. [FIX] Instead of a BUG_ON(), just skip the repair if we're repairing the device replace target device. | 2025-12-30 | not yet calculated | CVE-2023-54180 | https://git.kernel.org/stable/c/a7018b40b49c37fb55736499f790ec0d2b381ae4 https://git.kernel.org/stable/c/53e9d6851b56626885476a2966194ba994f8bb4b https://git.kernel.org/stable/c/d73a27b86fc722c28a26ec64002e3a7dc86d1c07 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix issue in verifying allow_ptr_leaks After we converted the capabilities of our networking-bpf program from cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program failed to start. Because it failed the bpf verifier, and the error log is "R3 pointer comparison prohibited". A simple reproducer as follows, SEC("cls-ingress") int ingress(struct __sk_buff *skb) { struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); if ((long)(iph + 1) > (long)skb->data_end) return TC_ACT_STOLEN; return TC_ACT_OK; } Per discussion with Yonghong and Alexei [1], comparison of two packet pointers is not a pointer leak. This patch fixes it. Our local kernel is 6.1.y and we expect this fix to be backported to 6.1.y, so stable is CCed. [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/ | 2025-12-30 | not yet calculated | CVE-2023-54181 | https://git.kernel.org/stable/c/c96c67991aac6401b4c6996093bccb704bb2ea4b https://git.kernel.org/stable/c/5927f0172d2809d8fc09c1ba667280b0387e9f73 https://git.kernel.org/stable/c/acfdc8b77016c8e648aadc283177546c88083dd3 https://git.kernel.org/stable/c/d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to check readonly condition correctly With below case, it can mount multi-device image w/ rw option, however one of secondary device is set as ro, later update will cause panic, so let's introduce f2fs_dev_is_readonly(), and check multi-devices rw status in f2fs_remount() w/ it in order to avoid such inconsistent mount status. mkfs.f2fs -c /dev/zram1 /dev/zram0 -f blockdev --setro /dev/zram1 mount -t f2fs dev/zram0 /mnt/f2fs mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only. mount -t f2fs -o remount,rw mnt/f2fs dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=8192 kernel BUG at fs/f2fs/inline.c:258! RIP: 0010:f2fs_write_inline_data+0x23e/0x2d0 [f2fs] Call Trace: f2fs_write_single_data_page+0x26b/0x9f0 [f2fs] f2fs_write_cache_pages+0x389/0xa60 [f2fs] __f2fs_write_data_pages+0x26b/0x2d0 [f2fs] f2fs_write_data_pages+0x2e/0x40 [f2fs] do_writepages+0xd3/0x1b0 __writeback_single_inode+0x5b/0x420 writeback_sb_inodes+0x236/0x5a0 __writeback_inodes_wb+0x56/0xf0 wb_writeback+0x2a3/0x490 wb_do_writeback+0x2b2/0x330 wb_workfn+0x6a/0x260 process_one_work+0x270/0x5e0 worker_thread+0x52/0x3e0 kthread+0xf4/0x120 ret_from_fork+0x29/0x50 | 2025-12-30 | not yet calculated | CVE-2023-54182 | https://git.kernel.org/stable/c/e2759a59a4cc96af712084e9db7065c858c4fe9f https://git.kernel.org/stable/c/e05d63f8b48aad4613bd582c945bee41e2dd7255 https://git.kernel.org/stable/c/da8c535b28696017e5d1532d12ea78e836432d9e https://git.kernel.org/stable/c/d78dfefcde9d311284434560d69c0478c55a657e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link() If fwnode_graph_get_remote_endpoint() fails, ‘fwnode’ is known to be NULL, so fwnode_handle_put() is a no-op. Release the reference taken from a previous fwnode_graph_get_port_parent() call instead. Also handle fwnode_graph_get_port_parent() failures. In order to fix these issues, add an error handling path to the function and the needed gotos. | 2025-12-30 | not yet calculated | CVE-2023-54183 | https://git.kernel.org/stable/c/2342942331e1f034ff58f293e10d0d9b7581601f https://git.kernel.org/stable/c/4bc5ffaf8ac4f3e7a1fcd10a0a0e7b022b694877 https://git.kernel.org/stable/c/d8a8f75fce049bdb3144b607deefe51e996b9660 https://git.kernel.org/stable/c/caf058833b6f3fe7beabf738110f79bb987c8fff https://git.kernel.org/stable/c/25afb3e03bf8ab02567af4b6ffbfd6250a91a9f8 https://git.kernel.org/stable/c/ed1696f7f92e8404940d51dec80a123aa18163a8 https://git.kernel.org/stable/c/e8a1cd87bb9fa3149ee112ecb8058908dc9b520e https://git.kernel.org/stable/c/d7b13edd4cb4bfa335b6008ab867ac28582d3e5c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsit: Free cmds before session free Commands from recovery entries are freed after the session has been closed. That leads to a use-after-free at command free or an NPE with such a call trace: Time2Retain timer expired for SID: 1, cleaning up iSCSI session. BUG: kernel NULL pointer dereference, address: 0000000000000140 RIP: 0010:sbitmap_queue_clear+0x3a/0xa0 Call Trace: target_release_cmd_kref+0xd1/0x1f0 [target_core_mod] transport_generic_free_cmd+0xd1/0x180 [target_core_mod] iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod] iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod] iscsit_close_session+0x13a/0x140 [iscsi_target_mod] iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod] call_timer_fn+0x24/0x140 Move cleanup of recovery entries to before session freeing. | 2025-12-30 | not yet calculated | CVE-2023-54184 | https://git.kernel.org/stable/c/89f5055f9b0b57c7e7f02e32df95ef401f809b71 https://git.kernel.org/stable/c/4621e24c9257c6379343bf0c11b473817cf7edcd https://git.kernel.org/stable/c/1911cca5916b6e106de7afa3ec0a38447158216c https://git.kernel.org/stable/c/a7a4def6c7046e090bb10c6d550fdeb487db98ba https://git.kernel.org/stable/c/4ce221d295f53e6c6b835ab33181e735482c9aac https://git.kernel.org/stable/c/d8990b5a4d065f38f35d69bcd627ec5a7f8330ca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: remove BUG_ON()'s in add_new_free_space() At add_new_free_space() we have these BUG_ON()'s that are there to deal with any failure to add free space to the in memory free space cache. Such failures are mostly -ENOMEM that should be very rare. However there's no need to have these BUG_ON()'s, we can just return any error to the caller and all callers and their upper call chain are already dealing with errors. So just make add_new_free_space() return any errors, while removing the BUG_ON()'s, and returning the total amount of added free space to an optional u64 pointer argument. | 2025-12-30 | not yet calculated | CVE-2023-54185 | https://git.kernel.org/stable/c/23e72231f8281505883514b23709076e234d4f27 https://git.kernel.org/stable/c/f775ceb0cb530e4a469b718fb2a24843071087f5 https://git.kernel.org/stable/c/d8ccbd21918fd7fa6ce3226cffc22c444228e8ad |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: fix pin_assignment_show This patch fixes negative indexing of buf array in pin_assignment_show when get_current_pin_assignments returns 0 i.e. no compatible pin assignments are found. BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c … Call trace: dump_backtrace+0x110/0x204 dump_stack_lvl+0x84/0xbc print_report+0x358/0x974 kasan_report+0x9c/0xfc __do_kernel_fault+0xd4/0x2d4 do_bad_area+0x48/0x168 do_tag_check_fault+0x24/0x38 do_mem_abort+0x6c/0x14c el1_abort+0x44/0x68 el1h_64_sync_handler+0x64/0xa4 el1h_64_sync+0x78/0x7c pin_assignment_show+0x26c/0x33c dev_attr_show+0x50/0xc0 | 2025-12-30 | not yet calculated | CVE-2023-54186 | https://git.kernel.org/stable/c/0e61a7432fcd4bca06f05b7f1c7d7cb461880fe2 https://git.kernel.org/stable/c/4f9c0a7c272626cb6716ffc7800e8c73260cdce6 https://git.kernel.org/stable/c/ff466f77d0a56719979c4234abd412abd98eae8f https://git.kernel.org/stable/c/fc0e18f95c88435bd8a1ceb540243cd7fbcd9781 https://git.kernel.org/stable/c/08bd1be1c716fd50a7df48f82dcbc59a103082b5 https://git.kernel.org/stable/c/54ee23e4ab263a495ace1eed43d3883212ece17f https://git.kernel.org/stable/c/d8f28269dd4bf9b55c3fb376ae31512730a96fce |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix potential corruption when moving a directory F2FS has the same issue in ext4_rename causing crash revealed by xfstests/generic/707. See also commit 0813299c586b (“ext4: Fix possible corruption when moving a directory”) | 2025-12-30 | not yet calculated | CVE-2023-54187 | https://git.kernel.org/stable/c/3e77036246123ff710fa2661dcaa12a45284f09b https://git.kernel.org/stable/c/957904f531fd857a92743b11fbc9c9ffdf7f3207 https://git.kernel.org/stable/c/8f57f3e112cf1d16682b6ff9c31c72f40f7da9c9 https://git.kernel.org/stable/c/8a0b544b7caedfbc05065b6377fd1d8bf7ef5e70 https://git.kernel.org/stable/c/f20191100952013f0916418cdaed0ab55c7b634c https://git.kernel.org/stable/c/0a76082a4a32a90d1ef33dee8b400efc082b4b6f https://git.kernel.org/stable/c/d94772154e524b329a168678836745d2773a6e02 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: apple-admac: Fix ‘current_tx’ not getting freed In terminate_all we should queue up all submitted descriptors to be freed. We do that for the content of the ‘issued’ and ‘submitted’ lists, but the ‘current_tx’ descriptor falls through the cracks as it’s removed from the ‘issued’ list once it gets assigned to be the current descriptor. Explicitly queue up freeing of the ‘current_tx’ descriptor to address a memory leak that is otherwise present. | 2025-12-30 | not yet calculated | CVE-2023-54188 | https://git.kernel.org/stable/c/b7abd535881a48587961c2099b1d2933ebd42c4b https://git.kernel.org/stable/c/fd4d88e68c75caf5c6f8293a36bc3ae289e0369e https://git.kernel.org/stable/c/d9503be5a100c553731c0e8a82c7b4201e8a970c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54189 | https://git.kernel.org/stable/c/8430a8e8e85420d4cb51dcb08b0278ab194ea82f https://git.kernel.org/stable/c/a14cb307267ba7a1715403e071bdc4deda77eef5 https://git.kernel.org/stable/c/38a9d7dac3ad25323145b4aaea3b5f434f50011d https://git.kernel.org/stable/c/f57ba91a46d3fc52bfdac9cca5cf5572ec7afd6d https://git.kernel.org/stable/c/2a764a2facd9dd88a69777200f65dfd0182765dc https://git.kernel.org/stable/c/065c81ae5817b245bb9feb6d54e027702740b49a https://git.kernel.org/stable/c/d97038d5ec2062733c1e016caf9baaf68cf64ea1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: leds: led-core: Fix refcount leak in of_led_get() class_find_device_by_of_node() calls class_find_device(), which takes the reference; use put_device() to drop the reference when it is not needed anymore. | 2025-12-30 | not yet calculated | CVE-2023-54190 | https://git.kernel.org/stable/c/1d6101d9222e1ca8c01b3fa9ebf0dcf7bcd82564 https://git.kernel.org/stable/c/690efcb5827c3bacbf1de90cd14907b91bf8cb7b https://git.kernel.org/stable/c/d880981b82223f9bf128dfdd2424abb0c658f345 https://git.kernel.org/stable/c/ddf3e82164afd9381b1d52c9f00b3878f7b6d308 https://git.kernel.org/stable/c/da1afe8e6099980fe1e2fd7436dca284af9d3f29 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix memory leak in mt7996_mcu_exit Always purge mcu skb queues in mt7996_mcu_exit routine even if mt7996_firmware_state fails. | 2025-12-30 | not yet calculated | CVE-2023-54191 | https://git.kernel.org/stable/c/b539d35e13e5d6b3dca76271261106b2356aa64c https://git.kernel.org/stable/c/da5b4d93e141b52c5a71d0c41a042d1bcaf70d2e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block We got a kernel panic if old_addr is NULL. https://bugzilla.kernel.org/show_bug.cgi?id=217266 BUG: kernel NULL pointer dereference, address: 0000000000000000 Call Trace: <TASK> f2fs_commit_atomic_write+0x619/0x990 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43] __f2fs_ioctl+0xd8e/0x4080 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43] ? vfs_write+0x2ae/0x3f0 ? vfs_write+0x2ae/0x3f0 __x64_sys_ioctl+0x91/0xd0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f69095fe53f | 2025-12-30 | not yet calculated | CVE-2023-54192 | https://git.kernel.org/stable/c/424f8cdc0ad29e4940be96dcc0b935ba497adeda https://git.kernel.org/stable/c/1424358cd66c49460493293497b54cb72e0213cc https://git.kernel.org/stable/c/e2bbefc1741cb0732c13652be173da02f25611d1 https://git.kernel.org/stable/c/da6ea0b050fa720302b56fbb59307e7c7531a342 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: remove block_cb from driver_list before freeing Error handler of tcf_block_bind() frees the whole bo->cb_list on error. However, by that time the flow_block_cb instances are already in the driver list because driver ndo_setup_tc() callback is called before that up the call chain in tcf_block_offload_cmd(). This leaves dangling pointers to freed objects in the list and causes use-after-free[0]. Fix it by also removing flow_block_cb instances from driver_list before deallocating them. [0]: [ 279.868433] ================================================================== [ 279.869964] BUG: KASAN: slab-use-after-free in flow_block_cb_setup_simple+0x631/0x7c0 [ 279.871527] Read of size 8 at addr ffff888147e2bf20 by task tc/2963 [ 279.873151] CPU: 6 PID: 2963 Comm: tc Not tainted 6.3.0-rc6+ #4 [ 279.874273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 279.876295] Call Trace: [ 279.876882] <TASK> [ 279.877413] dump_stack_lvl+0x33/0x50 [ 279.878198] print_report+0xc2/0x610 [ 279.878987] ? flow_block_cb_setup_simple+0x631/0x7c0 [ 279.879994] kasan_report+0xae/0xe0 [ 279.880750] ? flow_block_cb_setup_simple+0x631/0x7c0 [ 279.881744] ? mlx5e_tc_reoffload_flows_work+0x240/0x240 [mlx5_core] [ 279.883047] flow_block_cb_setup_simple+0x631/0x7c0 [ 279.884027] tcf_block_offload_cmd.isra.0+0x189/0x2d0 [ 279.885037] ? tcf_block_setup+0x6b0/0x6b0 [ 279.885901] ? mutex_lock+0x7d/0xd0 [ 279.886669] ? __mutex_unlock_slowpath.constprop.0+0x2d0/0x2d0 [ 279.887844] ? ingress_init+0x1c0/0x1c0 [sch_ingress] [ 279.888846] tcf_block_get_ext+0x61c/0x1200 [ 279.889711] ingress_init+0x112/0x1c0 [sch_ingress] [ 279.890682] ? clsact_init+0x2b0/0x2b0 [sch_ingress] [ 279.891701] qdisc_create+0x401/0xea0 [ 279.892485] ? qdisc_tree_reduce_backlog+0x470/0x470 [ 279.893473] tc_modify_qdisc+0x6f7/0x16d0 [ 279.894344] ? tc_get_qdisc+0xac0/0xac0 [ 279.895213] ? mutex_lock+0x7d/0xd0 [ 279.896005] ? __mutex_lock_slowpath+0x10/0x10 [ 279.896910] rtnetlink_rcv_msg+0x5fe/0x9d0 [ 279.897770] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 279.898672] ? __sys_sendmsg+0xb5/0x140 [ 279.899494] ? do_syscall_64+0x3d/0x90 [ 279.900302] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 279.901337] ? kasan_save_stack+0x2e/0x40 [ 279.902177] ? kasan_save_stack+0x1e/0x40 [ 279.903058] ? kasan_set_track+0x21/0x30 [ 279.903913] ? kasan_save_free_info+0x2a/0x40 [ 279.904836] ? ____kasan_slab_free+0x11a/0x1b0 [ 279.905741] ? kmem_cache_free+0x179/0x400 [ 279.906599] netlink_rcv_skb+0x12c/0x360 [ 279.907450] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 279.908360] ? netlink_ack+0x1550/0x1550 [ 279.909192] ? rhashtable_walk_peek+0x170/0x170 [ 279.910135] ? kmem_cache_alloc_node+0x1af/0x390 [ 279.911086] ? _copy_from_iter+0x3d6/0xc70 [ 279.912031] netlink_unicast+0x553/0x790 [ 279.912864] ? netlink_attachskb+0x6a0/0x6a0 [ 279.913763] ? netlink_recvmsg+0x416/0xb50 [ 279.914627] netlink_sendmsg+0x7a1/0xcb0 [ 279.915473] ? netlink_unicast+0x790/0x790 [ 279.916334] ? iovec_from_user.part.0+0x4d/0x220 [ 279.917293] ? netlink_unicast+0x790/0x790 [ 279.918159] sock_sendmsg+0xc5/0x190 [ 279.918938] ____sys_sendmsg+0x535/0x6b0 [ 279.919813] ? import_iovec+0x7/0x10 [ 279.920601] ? kernel_sendmsg+0x30/0x30 [ 279.921423] ? __copy_msghdr+0x3c0/0x3c0 [ 279.922254] ? import_iovec+0x7/0x10 [ 279.923041] ___sys_sendmsg+0xeb/0x170 [ 279.923854] ? copy_msghdr_from_user+0x110/0x110 [ 279.924797] ? ___sys_recvmsg+0xd9/0x130 [ 279.925630] ? __perf_event_task_sched_in+0x183/0x470 [ 279.926656] ? ___sys_sendmsg+0x170/0x170 [ 279.927529] ? ctx_sched_in+0x530/0x530 [ 279.928369] ? update_curr+0x283/0x4f0 [ 279.929185] ? perf_event_update_userpage+0x570/0x570 [ 279.930201] ? __fget_light+0x57/0x520 [ 279.931023] ? __switch_to+0x53d/0xe70 [ 27 —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54193 | https://git.kernel.org/stable/c/cc5fe387c6294d0471cb7ed064efac97fac65ccc https://git.kernel.org/stable/c/7311c8be3755611bf6edea4dfbeb190b4bdd489f https://git.kernel.org/stable/c/cb145932fcf6814e7e95e467eb70e7849a845ae9 https://git.kernel.org/stable/c/55866fe3fded3ce94ac3fc1bb3dfce654282f483 https://git.kernel.org/stable/c/26aec72429a05e917d574eca0efc5306c63a8862 https://git.kernel.org/stable/c/7b7a74ed303d532fb73ae4b1697f16a0fea89cd0 https://git.kernel.org/stable/c/da94a7781fc3c92e7df7832bc2746f4d39bc624e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree The call stack shown below is a scenario in the Linux 4.19 kernel. Allocating memory failed where exfat fs uses kmalloc_array due to system memory fragmentation, while the u-disk was inserted without recognition. Devices such as u-disk using the exfat file system are pluggable and may be inserted into the system at any time. However, long-term running systems cannot guarantee the continuity of physical memory. Therefore, it’s necessary to address this issue. Binder:2632_6: page allocation failure: order:4, mode:0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null) Call trace: [242178.097582] dump_backtrace+0x0/0x4 [242178.097589] dump_stack+0xf4/0x134 [242178.097598] warn_alloc+0xd8/0x144 [242178.097603] __alloc_pages_nodemask+0x1364/0x1384 [242178.097608] kmalloc_order+0x2c/0x510 [242178.097612] kmalloc_order_trace+0x40/0x16c [242178.097618] __kmalloc+0x360/0x408 [242178.097624] load_alloc_bitmap+0x160/0x284 [242178.097628] exfat_fill_super+0xa3c/0xe7c [242178.097635] mount_bdev+0x2e8/0x3a0 [242178.097638] exfat_fs_mount+0x40/0x50 [242178.097643] mount_fs+0x138/0x2e8 [242178.097649] vfs_kern_mount+0x90/0x270 [242178.097655] do_mount+0x798/0x173c [242178.097659] ksys_mount+0x114/0x1ac [242178.097665] __arm64_sys_mount+0x24/0x34 [242178.097671] el0_svc_common+0xb8/0x1b8 [242178.097676] el0_svc_handler+0x74/0x90 [242178.097681] el0_svc+0x8/0x340 By analyzing the exfat code, we found that continuous physical memory is not required here, so using kvmalloc_array can solve this problem. | 2025-12-30 | not yet calculated | CVE-2023-54194 | https://git.kernel.org/stable/c/79d16a84ea41272dfcb0c00f9798ddd0edd8098d https://git.kernel.org/stable/c/8a34a242cf03211cc89f68308d149b793f63c479 https://git.kernel.org/stable/c/1427a7e96fb90d0896f74f5bcd21feb03cc7c3d0 https://git.kernel.org/stable/c/0c5c3e8a2550b6b2a304b45f260296db9c09df96 https://git.kernel.org/stable/c/daf60d6cca26e50d65dac374db92e58de745ad26 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix timeout of a call that hasn’t yet been granted a channel afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts – but that starts the call timer so the call timer might then expire before we get a connection assigned – leading to the following oops if the call stalled: BUG: kernel NULL pointer dereference, address: 0000000000000000 … CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701 RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157 … Call Trace: <TASK> rxrpc_send_ACK+0x50/0x13b rxrpc_input_call_event+0x16a/0x67d rxrpc_io_thread+0x1b6/0x45f ? _raw_spin_unlock_irqrestore+0x1f/0x35 ? rxrpc_input_packet+0x519/0x519 kthread+0xe7/0xef ? kthread_complete_and_exit+0x1b/0x1b ret_from_fork+0x22/0x30 Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted. It shouldn’t be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal. | 2025-12-30 | not yet calculated | CVE-2023-54195 | https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3 https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666 https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix NULL pointer dereference in ‘ni_write_inode’ Syzbot found the following issue: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000 [0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226 sp : ffff8000126c3800 x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000 x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000 x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000 x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0 x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500 x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500 x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500 x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744 evict+0xec/0x334 fs/inode.c:665 iput_final fs/inode.c:1748 [inline] iput+0x2c4/0x324 fs/inode.c:1774 ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660 ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278 ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100 lookup_open fs/namei.c:3413 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x804/0x11c4 fs/namei.c:3688 do_filp_open+0xdc/0x1b8 fs/namei.c:3718 do_sys_openat2+0xb8/0x22c fs/open.c:1311 do_sys_open fs/open.c:1327 [inline] __do_sys_openat fs/open.c:1343 [inline] __se_sys_openat fs/open.c:1338 [inline] __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 el0t_64_sync+0x18c/0x190 Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14) —[ end trace 0000000000000000 ]— The above issue may happen as follows: ntfs_new_inode mi_init mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); –>failed to allocate memory if (!mi->mrec) return -ENOMEM; iput iput_final evict ntfs_evict_inode ni_write_inode is_rec_inuse(ni->mi.mrec)-> As ‘ni->mi.mrec’ is NULL, trigger NULL-ptr-deref To solve the above issue, if the new inode failed, make the inode bad before calling ‘iput()’ in ‘ntfs_new_inode()’. | 2025-12-30 | not yet calculated | CVE-2023-54196 | https://git.kernel.org/stable/c/6d3d3283e6b4fb3f3ee05dac30ee1461930b8103 https://git.kernel.org/stable/c/329fc4d3f73d865b25f2ee4eafafb040ace37ad5 https://git.kernel.org/stable/c/1c5cffe0d662fb2de7b63176c2582abb69b5f538 https://git.kernel.org/stable/c/db2a3cc6a3481076da6344cc62a80a4e2525f36f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Revert “Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work” This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f. This patch introduces a possible null-ptr-deref problem. Revert it. The bug fixed by this patch has been resolved by commit 73f7b171b7c0 (“Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition”). | 2025-12-30 | not yet calculated | CVE-2023-54197 | https://git.kernel.org/stable/c/3b4ed52009723f7dfca7a8ca95163bfb441bfb76 https://git.kernel.org/stable/c/70a104588e3131415e559c06deb834ce259a285a https://git.kernel.org/stable/c/de0ffb5145c9f418ad76f00e58d4b91c680410b2 https://git.kernel.org/stable/c/0837d10f6c37a47a0c73bccf1e39513613a2fcc2 https://git.kernel.org/stable/c/a789192f366147a0fbb395650079906d1d04e0b9 https://git.kernel.org/stable/c/952030c914b5f2288609efe868537afcff7a3f51 https://git.kernel.org/stable/c/8f83fa62614c282dd5d1211a0dd99c6a0a515b81 https://git.kernel.org/stable/c/d8d7ce037d9a8f1f0714ece268c4c2c50845bbc3 https://git.kernel.org/stable/c/db2bf510bd5d57f064d9e1db395ed86a08320c54 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tty: fix out-of-bounds access in tty_driver_lookup_tty() When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number. To reproduce: qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio -kernel ../linux-build-x86/arch/x86/boot/bzImage -append “console=ttyS0 console=tty3270” This crashes with: [ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: error_code(0x0000) – not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 [ 0.784013] chrdev_open+0xbd/0x230 [ 0.784444] ? cdev_device_add+0x80/0x80 [ 0.784920] do_dentry_open+0x1e0/0x410 [ 0.785389] path_openat+0xca9/0x1050 [ 0.785813] do_filp_open+0xaa/0x150 [ 0.786240] file_open_name+0x133/0x1b0 [ 0.786746] filp_open+0x27/0x50 [ 0.787244] console_on_rootfs+0x14/0x4d [ 0.787800] kernel_init_freeable+0x1e4/0x20d [ 0.788383] ? rest_init+0xc0/0xc0 [ 0.788881] kernel_init+0x11/0x120 [ 0.789356] ret_from_fork+0x22/0x30 | 2025-12-30 | not yet calculated | CVE-2023-54198 | https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9 https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561 https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444 https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup() Fix the below kernel panic due to null pointer access: [ 18.504431] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048 [ 18.513464] Mem abort info: [ 18.516346] ESR = 0x0000000096000005 [ 18.520204] EC = 0x25: DABT (current EL), IL = 32 bits [ 18.525706] SET = 0, FnV = 0 [ 18.528878] EA = 0, S1PTW = 0 [ 18.532117] FSC = 0x05: level 1 translation fault [ 18.537138] Data abort info: [ 18.540110] ISV = 0, ISS = 0x00000005 [ 18.544060] CM = 0, WnR = 0 [ 18.547109] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112826000 [ 18.553738] [0000000000000048] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 18.562690] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP **Snip** [ 18.696758] Call trace: [ 18.699278] adreno_gpu_cleanup+0x30/0x88 [ 18.703396] a6xx_destroy+0xc0/0x130 [ 18.707066] a6xx_gpu_init+0x308/0x424 [ 18.710921] adreno_bind+0x178/0x288 [ 18.714590] component_bind_all+0xe0/0x214 [ 18.718797] msm_drm_bind+0x1d4/0x614 [ 18.722566] try_to_bring_up_aggregate_device+0x16c/0x1b8 [ 18.728105] __component_add+0xa0/0x158 [ 18.732048] component_add+0x20/0x2c [ 18.735719] adreno_probe+0x40/0xc0 [ 18.739300] platform_probe+0xb4/0xd4 [ 18.743068] really_probe+0xfc/0x284 [ 18.746738] __driver_probe_device+0xc0/0xec [ 18.751129] driver_probe_device+0x48/0x110 [ 18.755421] __device_attach_driver+0xa8/0xd0 [ 18.759900] bus_for_each_drv+0x90/0xdc [ 18.763843] __device_attach+0xfc/0x174 [ 18.767786] device_initial_probe+0x20/0x2c [ 18.772090] bus_probe_device+0x40/0xa0 [ 18.776032] deferred_probe_work_func+0x94/0xd0 [ 18.780686] process_one_work+0x190/0x3d0 [ 18.784805] worker_thread+0x280/0x3d4 [ 18.788659] kthread+0x104/0x1c0 [ 18.791981] ret_from_fork+0x10/0x20 [ 18.795654] Code: f9400408 aa0003f3 aa1f03f4 91142015 (f9402516) [ 18.801913] —[ end trace 0000000000000000 ]— [ 18.809039] Kernel panic – not syncing: Oops: Fatal exception Patchwork: https://patchwork.freedesktop.org/patch/515605/ | 2025-12-30 | not yet calculated | CVE-2023-54199 | https://git.kernel.org/stable/c/65a8b6d129cfcf63a2b8a36a63d275479ba6a217 https://git.kernel.org/stable/c/b26bd7791f3cdf3c3318162b1d40c9d1910facca https://git.kernel.org/stable/c/399d01375659c273fb6ad9ccfb6e92bc5b891e0d https://git.kernel.org/stable/c/7af606b9eb11d6cdf767cabbddc326e20d0d4702 https://git.kernel.org/stable/c/5fef23c1c0edceb44d16e64e7818f27d48b5bc38 https://git.kernel.org/stable/c/dbeedbcb268d055d8895aceca427f897e12c2b50 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always release netdev hooks from notifier This reverts “netfilter: nf_tables: skip netdev events generated on netns removal”. The problem is that when a veth device is released, the veth release callback will also queue the peer netns device for removal. It’s possible that the peer netns is also slated for removal. In this case, the device memory is already released before the pre_exit hook of the peer netns runs: BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0 Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45 Workqueue: netns cleanup_net Call Trace: nf_hook_entry_head+0x1b8/0x1d0 __nf_unregister_net_hook+0x76/0x510 nft_netdev_unregister_hooks+0xa0/0x220 __nft_release_hook+0x184/0x490 nf_tables_pre_exit_net+0x12f/0x1b0 .. Order is: 1. First netns is released, veth_dellink() queues peer netns device for removal 2. peer netns is queued for removal 3. peer netns device is released, unreg event is triggered 4. unreg event is ignored because netns is going down 5. pre_exit hook calls nft_netdev_unregister_hooks but device memory might be freed already. | 2025-12-30 | not yet calculated | CVE-2023-54200 | https://git.kernel.org/stable/c/8d56f00c61f67b450fbbdcb874855e60ad92c560 https://git.kernel.org/stable/c/30e4b13b1bfbdf3bf3b27036d8209ea1b9f0d880 https://git.kernel.org/stable/c/94032527efbac13be702c76afb9d872c0cca7a43 https://git.kernel.org/stable/c/dc1c9fd4a8bbe1e06add9053010b652449bfe411 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix wrong resources deallocation order When trying to destroy QP or CQ, we first decrease the refcount and potentially free memory regions allocated for the object and then request the device to destroy the object. If the device fails, the object isn’t fully destroyed so the user/IB core can try to destroy the object again which will lead to underflow when trying to decrease an already zeroed refcount. Deallocate resources in reverse order of allocating them to safely free them. | 2025-12-30 | not yet calculated | CVE-2023-54201 | https://git.kernel.org/stable/c/cf38960386f3cc4abf395e556af915e4babcafd2 https://git.kernel.org/stable/c/e79db2f51a564fd4daa3e508b987df5e81c34b20 https://git.kernel.org/stable/c/24f9884971f9b34915b67baacf7350a3f6f19ea4 https://git.kernel.org/stable/c/dc202c57e9a1423aed528e4b8dc949509cd32191 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915: fix race condition UAF in i915_perf_add_config_ioctl Userspace can guess the id value and try to race oa_config object creation with config remove, resulting in a use-after-free if we dereference the object after unlocking the metrics_lock. For that reason, unlocking the metrics_lock must be done after we are done dereferencing the object. [tursulin: Manually added stable tag.] (cherry picked from commit 49f6f6483b652108bcb73accd0204a464b922395) | 2025-12-30 | not yet calculated | CVE-2023-54202 | https://git.kernel.org/stable/c/6eeb1cba4c9dc47656ea328afa34953c28783d8c https://git.kernel.org/stable/c/240b1502708858b5e3f10b6dc5ca3f148a322fef https://git.kernel.org/stable/c/7eb98f5ac551863efe8be810cea1cd5411d677b1 https://git.kernel.org/stable/c/dc30c011469165d57af9adac5baff7d767d20e5c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr When smb1 mount fails, KASAN detects slab-out-of-bounds in init_smb2_rsp_hdr like the following one. For smb1 negotiate (56 bytes), init_smb2_rsp_hdr() for smb2 is called. The issue occurs while handling smb1 negotiate as smb2 server operations. Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr, allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that smb2 server operation does not handle it. [ 411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers [ 411.400452] CIFS: Attempting to mount \192.168.45.139homes [ 411.479312] ksmbd: init_smb2_rsp_hdr : 492 [ 411.479323] ================================================================== [ 411.479327] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199 [ 411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G OE 6.1.21 #3 [ 411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8 Series/Z10PA-D8 Series, BIOS 3801 08/23/2019 [ 411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 411.479425] Call Trace: [ 411.479428] <TASK> [ 411.479432] dump_stack_lvl+0x49/0x63 [ 411.479444] print_report+0x171/0x4a8 [ 411.479452] ? kasan_complete_mode_report_info+0x3c/0x200 [ 411.479463] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479497] kasan_report+0xb4/0x130 [ 411.479503] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479537] kasan_check_range+0x149/0x1e0 [ 411.479543] memcpy+0x24/0x70 [ 411.479550] init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479585] handle_ksmbd_work+0x109/0x760 [ksmbd] [ 411.479616] ? _raw_spin_unlock_irqrestore+0x50/0x50 [ 411.479624] ? smb3_encrypt_resp+0x340/0x340 [ksmbd] [ 411.479656] process_one_work+0x49c/0x790 [ 411.479667] worker_thread+0x2b1/0x6e0 [ 411.479674] ? process_one_work+0x790/0x790 [ 411.479680] kthread+0x177/0x1b0 [ 411.479686] ? kthread_complete_and_exit+0x30/0x30 [ 411.479692] ret_from_fork+0x22/0x30 [ 411.479702] </TASK> | 2025-12-30 | not yet calculated | CVE-2023-54203 | https://git.kernel.org/stable/c/921536046bd165efeb07beef5630aff35cd6a489 https://git.kernel.org/stable/c/a8334a0c535d0f0b4d64926c8fe0922ed98f7d43 https://git.kernel.org/stable/c/99a51c673b1d2d0b5a972353401b77612d9cc713 https://git.kernel.org/stable/c/dc8289f912387c3bcfbc5d2db29c8947fa207c11 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: sunplus: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, 1. the memory allocated in mmc_alloc_host() will be leaked 2. a null-ptr-deref will happen when calling mmc_remove_host() in the remove function spmmc_drv_remove() because it deletes a device that was not added. Fix this by checking the return value of mmc_add_host(). Moreover, I fixed the error handling path of spmmc_drv_probe() to clean up. | 2025-12-30 | not yet calculated | CVE-2023-54204 | https://git.kernel.org/stable/c/741a951f41929f39cae70c66d86d0754d3129d0a https://git.kernel.org/stable/c/dce6d8f985fa1ef5c2af47f4f86ea65511b78656 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain of_irq_find_parent() returns a node pointer with refcount incremented. We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. | 2025-12-30 | not yet calculated | CVE-2023-54205 | https://git.kernel.org/stable/c/95ab6d7905ebb52dc2ed6357c38e536753824068 https://git.kernel.org/stable/c/8ab860dd8717a7e4a143988885fea0d7e5a9412e https://git.kernel.org/stable/c/af54707c0ccab52b3d532402436ea101011a9299 https://git.kernel.org/stable/c/601be03fa8b81747a154bdef9b559411a5b921e8 https://git.kernel.org/stable/c/9ae053d1eb87875d56f95b6a123a69827225a70e https://git.kernel.org/stable/c/dcef18c8ac40aa85bb339f64c1dd31dd458b06fb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: fix filter idr initialization The cited commit moved idr initialization too early in fl_change() which allows concurrent users to access the filter that is still being initialized and is in inconsistent state, which, in turn, can cause NULL pointer dereference [0]. Since there is no obvious way to fix the ordering without reverting the whole cited commit, alternative approach taken to first insert NULL pointer into idr in order to allocate the handle but still cause fl_get() to return NULL and prevent concurrent users from seeing the filter while providing miss-to-action infrastructure with valid handle id early in fl_change(). [ 152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN [ 152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5 [ 152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower] [ 152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 <0f> b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57 [ 152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246 [ 152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900 [ 152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240 [ 152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900 [ 152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738 [ 152.448756] FS: 00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000 [ 152.449888] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0 [ 152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 152.453588] Call Trace: [ 152.454032] <TASK> [ 152.454447] ? netlink_sendmsg+0x7a1/0xcb0 [ 152.455109] ? sock_sendmsg+0xc5/0x190 [ 152.455689] ? ____sys_sendmsg+0x535/0x6b0 [ 152.456320] ? ___sys_sendmsg+0xeb/0x170 [ 152.456916] ? do_syscall_64+0x3d/0x90 [ 152.457529] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 152.458321] ? ___sys_sendmsg+0xeb/0x170 [ 152.458958] ? __sys_sendmsg+0xb5/0x140 [ 152.459564] ? do_syscall_64+0x3d/0x90 [ 152.460122] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 152.460852] ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower] [ 152.461710] ? _raw_spin_lock+0x7a/0xd0 [ 152.462299] ? _raw_read_lock_irq+0x30/0x30 [ 152.462924] ? nla_put+0x15e/0x1c0 [ 152.463480] fl_dump+0x228/0x650 [cls_flower] [ 152.464112] ? fl_tmplt_dump+0x210/0x210 [cls_flower] [ 152.464854] ? __kmem_cache_alloc_node+0x1a7/0x330 [ 152.465592] ? nla_put+0x15e/0x1c0 [ 152.466160] tcf_fill_node+0x515/0x9a0 [ 152.466766] ? tc_setup_offload_action+0xf0/0xf0 [ 152.467463] ? __alloc_skb+0x13c/0x2a0 [ 152.468067] ? __build_skb_around+0x330/0x330 [ 152.468814] ? fl_get+0x107/0x1a0 [cls_flower] [ 152.469503] tc_del_tfilter+0x718/0x1330 [ 152.470115] ? is_bpf_text_address+0xa/0x20 [ 152.470765] ? tc_ctl_chain+0xee0/0xee0 [ 152.471335] ? __kernel_text_address+0xe/0x30 [ 152.471948] ? unwind_get_return_address+0x56/0xa0 [ 152.472639] ? __thaw_task+0x150/0x150 [ 152.473218] ? arch_stack_walk+0x98/0xf0 [ 152.473839] ? __stack_depot_save+0x35/0x4c0 [ 152.474501] ? stack_trace_save+0x91/0xc0 [ 152.475119] ? security_capable+0x51/0x90 [ 152.475741] rtnetlink_rcv_msg+0x2c1/0x9d0 [ 152.476387] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 152.477042] ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54206 | https://git.kernel.org/stable/c/253a3a324e0ebc2825de76a0f5f17b8383b2023d https://git.kernel.org/stable/c/dd4f6bbfa646f258e5bcdfac57a5c413d687f588 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Correct devm device reference for hidinput input_dev name Reference the HID device rather than the input device for the devm allocation of the input_dev name. Referencing the input_dev would lead to a use-after-free when the input_dev was unregistered and subsequently fires a uevent that depends on the name. At the point of firing the uevent, the name would be freed by devres management. Use devm_kasprintf to simplify the logic for allocating memory and formatting the input_dev name string. | 2025-12-30 | not yet calculated | CVE-2023-54207 | https://git.kernel.org/stable/c/f283805d984343b2f216e2f4c6c7af265b9542ae https://git.kernel.org/stable/c/4c2707dfee5847dc0b5ecfbe512c29c93832fdc4 https://git.kernel.org/stable/c/58f0d1c0e494a88f301bf455da7df4366f179bbb https://git.kernel.org/stable/c/dd613a4e45f8d35f49a63a2064e5308fa5619e29 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: ov5675: Fix memleak in ov5675_init_controls() There is a kmemleak when testing the media/i2c/ov5675.c with bpf mock device: AssertionError: unreferenced object 0xffff888107362160 (size 16): comm "python3", pid 277, jiffies 4294832798 (age 20.722s) hex dump (first 16 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000abe7d67c>] __kmalloc_node+0x44/0x1b0 [<000000008a725aac>] kvmalloc_node+0x34/0x180 [<000000009a53cd11>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev] [<0000000055b46db0>] ov5675_probe+0x38b/0x897 [ov5675] [<00000000153d886c>] i2c_device_probe+0x28d/0x680 [<000000004afb7e8f>] really_probe+0x17c/0x3f0 [<00000000ff2f18e4>] __driver_probe_device+0xe3/0x170 [<000000000a001029>] driver_probe_device+0x49/0x120 [<00000000e39743c7>] __device_attach_driver+0xf7/0x150 [<00000000d32fd070>] bus_for_each_drv+0x114/0x180 [<000000009083ac41>] __device_attach+0x1e5/0x2d0 [<0000000015b4a830>] bus_probe_device+0x126/0x140 [<000000007813deaf>] device_add+0x810/0x1130 [<000000007becb867>] i2c_new_client_device+0x386/0x540 [<000000007f9cf4b4>] of_i2c_register_device+0xf1/0x110 [<00000000ebfdd032>] of_i2c_notify+0xfc/0x1f0 ov5675_init_controls() won't clean all the allocated resources in fail path, which may causes the memleaks. Add v4l2_ctrl_handler_free() to prevent memleak. | 2025-12-30 | not yet calculated | CVE-2023-54208 | https://git.kernel.org/stable/c/086a80b842bcb621d6c4eedad20683f1f674d0c2 https://git.kernel.org/stable/c/bcae9115a163198dce9126aa8bedc1c007ec30ed https://git.kernel.org/stable/c/ba54908ae8225d58f1830edb394d4153bcb7d0aa https://git.kernel.org/stable/c/49b849824b9862f177fc77fc92ef95ec54566ecf https://git.kernel.org/stable/c/7a36a6be694df87d019663863b922913947b42af https://git.kernel.org/stable/c/dd74ed6c213003533e3abf4c204374ef01d86978 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: block: fix blktrace debugfs entries leakage Commit 99d055b4fd4b ("block: remove per-disk debugfs files in blk_unregister_queue") moves blk_trace_shutdown() from blk_release_queue() to blk_unregister_queue(), this is safe if blktrace is created through sysfs, however, there is a regression in corner case. blktrace can still be enabled after del_gendisk() through ioctl if the disk is opened before del_gendisk(), and if blktrace is not shutdown through ioctl before closing the disk, debugfs entries will be leaked. Fix this problem by shutdown blktrace in disk_release(), this is safe because blk_trace_remove() is reentrant. | 2025-12-30 | not yet calculated | CVE-2023-54209 | https://git.kernel.org/stable/c/aa07e56c6a9c7558165690d14eed4fe8babf34fb https://git.kernel.org/stable/c/7149e57cf01184fba175589f8fbe9fbf33be02e1 https://git.kernel.org/stable/c/942e81650b81b4ca62f1d8c61de455c9e7c7e6ca https://git.kernel.org/stable/c/dd7de3704af9989b780693d51eaea49a665bd9c2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() KASAN reports that there’s a use-after-free in hci_remove_adv_monitor(). Trawling through the disassembly, you can see that the complaint is from the access in bt_dev_dbg() under the HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because msft_remove_monitor() can end up freeing the monitor structure. Specifically: hci_remove_adv_monitor() -> msft_remove_monitor() -> msft_remove_monitor_sync() -> msft_le_cancel_monitor_advertisement_cb() -> hci_free_adv_monitor() Let’s fix the problem by just stashing the relevant data when it’s still valid. | 2025-12-30 | not yet calculated | CVE-2023-54210 | https://git.kernel.org/stable/c/0d4d6b083da9b033ddccef72d77f373c819ae3ea https://git.kernel.org/stable/c/bf00c2c8f6254f44ac041aa9a311ae9e0caf692b https://git.kernel.org/stable/c/de6dfcefd107667ce2dbedf4d9337f5ed557a4a1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix warning in trace_buffered_event_disable() Warning happened in trace_buffered_event_disable() at WARN_ON_ONCE(!trace_buffered_event_ref) Call Trace: ? __warn+0xa5/0x1b0 ? trace_buffered_event_disable+0x189/0x1b0 __ftrace_event_enable_disable+0x19e/0x3e0 free_probe_data+0x3b/0xa0 unregister_ftrace_function_probe_func+0x6b8/0x800 event_enable_func+0x2f0/0x3d0 ftrace_process_regex.isra.0+0x12d/0x1b0 ftrace_filter_write+0xe6/0x140 vfs_write+0x1c9/0x6f0 [...] The cause of the warning is in __ftrace_event_enable_disable(), trace_buffered_event_enable() was called once while trace_buffered_event_disable() was called twice. Reproduction script show as below, for analysis, see the comments: ``` #!/bin/bash cd /sys/kernel/tracing/ # 1. Register a 'disable_event' command, then: # 1) SOFT_DISABLED_BIT was set; # 2) trace_buffered_event_enable() was called first time; echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > set_ftrace_filter # 2. Enable the event registered, then: # 1) SOFT_DISABLED_BIT was cleared; # 2) trace_buffered_event_disable() was called first time; echo 1 > events/initcall/initcall_finish/enable # 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was # set again!!! cat /proc/cmdline # 4. Unregister the 'disable_event' command, then: # 1) SOFT_DISABLED_BIT was cleared again; # 2) trace_buffered_event_disable() was called second time!!! echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > set_ftrace_filter ``` To fix it, IIUC, we can change to call trace_buffered_event_enable() at first time soft-mode enabled, and call trace_buffered_event_disable() at last time soft-mode disabled. | 2025-12-30 | not yet calculated | CVE-2023-54211 | https://git.kernel.org/stable/c/1488d782c9e43087a3f341b8186cd25f3cf75583 https://git.kernel.org/stable/c/b4f4ab423107dc1ba8e9cc6488c645be6403d3f5 https://git.kernel.org/stable/c/cdcc35e6454133feb61561b4e0d0c80e52cbc2ba https://git.kernel.org/stable/c/a6d2fd1703cdc8ecfc3e73987e0fb7474ae2b074 https://git.kernel.org/stable/c/813cede7b2f5a4b1b75d2d4bb4e705cc8e063b20 https://git.kernel.org/stable/c/a3a3c7bddab9b6c5690b20796ef5e332b8c48afb https://git.kernel.org/stable/c/528c9d73153754defb748f0b96ad33308668d817 https://git.kernel.org/stable/c/dea499781a1150d285c62b26659f62fb00824fce |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: USB: sisusbvga: Add endpoint checks The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver: ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7 RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95 RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003 R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600 FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline] sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379 sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline] sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline] sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177 sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869 ... The problem was caused by the fact that the driver does not check whether the endpoints it uses are actually present and have the appropriate types. This can be fixed by adding a simple check of the endpoints. | 2025-12-30 | not yet calculated | CVE-2023-54213 | https://git.kernel.org/stable/c/bccb2ccb65515dc66a8001f99f4dcba8a45987f9 https://git.kernel.org/stable/c/a8f980ecb0112100366c64e0404d9dd1dcbd2fcd https://git.kernel.org/stable/c/a730feb672c7d7c5f7414c3715f8e3fa844e5a9b https://git.kernel.org/stable/c/ccef03c5113506d27dd6530d3a9ef5715c068e13 https://git.kernel.org/stable/c/43f569fd0699c4240a5c96e5ba1a0844a595afca https://git.kernel.org/stable/c/d5dba4b7bf904143702fb4be641802ee2e9c95aa https://git.kernel.org/stable/c/0f9028b6ffaa98bff7c479cccf2558247e295534 https://git.kernel.org/stable/c/df05a9b05e466a46725564528b277d0c570d0104 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix potential user-after-free This fixes all instances of which requires to allocate a buffer calling alloc_skb which may release the chan lock and reacquire later which makes it possible that the chan is disconnected in the meantime. | 2025-12-30 | not yet calculated | CVE-2023-54214 | https://git.kernel.org/stable/c/b2fde8cb2a25125111f2144604e0e7c0ebcc4bba https://git.kernel.org/stable/c/a6a7d1541fefddf7ca0cfb34c1bff63ff809cc49 https://git.kernel.org/stable/c/60aaccf16d1e099c16bebfb96428ae762cb528f7 https://git.kernel.org/stable/c/b8ed41cc04fb74005aa51d17865ca3d022760335 https://git.kernel.org/stable/c/31a288a4df7f6a28e65da22a4ab2add4a963738e https://git.kernel.org/stable/c/64e28ecf44e46de9f01915a4146706a21c3469d2 https://git.kernel.org/stable/c/994e3e18908f5c4a12d07b44018e6aa85f071048 https://git.kernel.org/stable/c/df5703348813235874d851934e957c3723d71644 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs() Free the cpumask allocated by create_affinity_masks() before returning from the function. | 2025-12-30 | not yet calculated | CVE-2023-54215 | https://git.kernel.org/stable/c/fa450621efab58121fe8e57f7a7b80fee6e0bae1 https://git.kernel.org/stable/c/df9557046440b0a62250fee3169a8f6a139f55a6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix using eswitch mapping in nic mode Cited patch is using the eswitch object mapping pool while in nic mode where it isn't initialized. This results in the trace below [0]. Fix that by using either nic or eswitch object mapping pool depending if eswitch is enabled or not. [0]: [ 826.446057] ================================================================== [ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233 [ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1 [ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 826.449785] Call Trace: [ 826.450052] <TASK> [ 826.450302] dump_stack_lvl+0x33/0x50 [ 826.450650] print_report+0xc2/0x610 [ 826.450998] ? __virt_addr_valid+0xb1/0x130 [ 826.451385] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.451935] kasan_report+0xae/0xe0 [ 826.452276] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.452829] mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.453368] ? __kmalloc_node+0x5a/0x120 [ 826.453733] esw_add_restore_rule+0x20f/0x270 [mlx5_core] [ 826.454288] ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core] [ 826.455011] ? mutex_unlock+0x80/0xd0 [ 826.455361] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210 [ 826.455862] ? mapping_add+0x2cb/0x440 [mlx5_core] [ 826.456425] mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core] [ 826.457058] ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core] [ 826.457636] ? __kasan_kmalloc+0x77/0x90 [ 826.458000] ? __kmalloc+0x57/0x120 [ 826.458336] mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core] [ 826.458916] ? ct_kernel_enter.constprop.0+0x48/0xa0 [ 826.459360] ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core] [ 826.459933] ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core] [ 826.460507] ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core] [ 826.461046] ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core] [ 826.461635] mlx5e_configure_flower+0x969/0x2110 [mlx5_core] [ 826.462217] ? _raw_spin_lock_bh+0x85/0xe0 [ 826.462597] ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core] [ 826.463163] ? kasan_save_stack+0x2e/0x40 [ 826.463534] ? down_read+0x115/0x1b0 [ 826.463878] ? down_write_killable+0x110/0x110 [ 826.464288] ? tc_setup_action.part.0+0x9f/0x3b0 [ 826.464701] ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core] [ 826.465253] ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core] [ 826.465878] tc_setup_cb_add+0x112/0x250 [ 826.466247] fl_hw_replace_filter+0x230/0x310 [cls_flower] [ 826.466724] ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower] [ 826.467212] fl_change+0x14e1/0x2030 [cls_flower] [ 826.467636] ? sock_def_readable+0x89/0x120 [ 826.468019] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower] [ 826.468509] ? kasan_unpoison+0x23/0x50 [ 826.468873] ? get_random_u16+0x180/0x180 [ 826.469244] ? __radix_tree_lookup+0x2b/0x130 [ 826.469640] ? fl_get+0x7b/0x140 [cls_flower] [ 826.470042] ? fl_mask_put+0x200/0x200 [cls_flower] [ 826.470478] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210 [ 826.470973] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower] [ 826.471427] tc_new_tfilter+0x644/0x1050 [ 826.471795] ? tc_get_tfilter+0x860/0x860 [ 826.472170] ? __thaw_task+0x130/0x130 [ 826.472525] ? arch_stack_walk+0x98/0xf0 [ 826.472892] ? cap_capable+0x9f/0xd0 [ 826.473235] ? security_capable+0x47/0x60 [ 826.473608] rtnetlink_rcv_msg+0x1d5/0x550 [ 826.473985] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 826.474383] ? __stack_depot_save+0x35/0x4c0 [ 826.474779] ? kasan_save_stack+0x2e/0x40 [ 826.475149] ? kasan_save_stack+0x1e/0x40 [ 826.475518] ? __kasan_record_aux_stack+0x9f/0xb0 [ 826.475939] ? task_work_add+0x77/0x1c0 [ 826.476305] netlink_rcv_skb+0xe0/0x210 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54216 | https://git.kernel.org/stable/c/4150441c010dec36abc389828e2e4758bd8ad4b3 https://git.kernel.org/stable/c/dfa1e46d6093831b9d49f0f350227a1d13644a2f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "drm/msm: Add missing check and destroy for alloc_ordered_workqueue" This reverts commit 643b7d0869cc7f1f7a5ac7ca6bd25d88f54e31d0. A recent patch that tried to fix up the msm_drm_init() paths with respect to the workqueue but only ended up making things worse: First, the newly added calls to msm_drm_uninit() on early errors would trigger NULL-pointer dereferences, for example, as the kms pointer would not have been initialised. (Note that these paths were also modified by a second broken error handling patch which in effect cancelled out this part when merged.) Second, the newly added allocation sanity check would still leak the previously allocated drm device. Instead of trying to salvage what was badly broken (and clearly not tested), let's revert the bad commit so that clean and backportable fixes can be added in its place. Patchwork: https://patchwork.freedesktop.org/patch/525107/ | 2025-12-30 | not yet calculated | CVE-2023-54217 | https://git.kernel.org/stable/c/9078b434587722a6f2958dc1d536af6e39634db9 https://git.kernel.org/stable/c/dfa70344d1b5f5ff08525a8c872c8dd5e82fc5d9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs(). KCSAN found a data race in sock_recv_cmsgs() where the read access to sk->sk_stamp needs READ_ONCE(). BUG: KCSAN: data-race in packet_recvmsg / packet_recvmsg write (marked) to 0xffff88803c81f258 of 8 bytes by task 19171 on cpu 0: sock_write_timestamp include/net/sock.h:2670 [inline] sock_recv_cmsgs include/net/sock.h:2722 [inline] packet_recvmsg+0xb97/0xd00 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg+0x11a/0x130 net/socket.c:1040 sock_read_iter+0x176/0x220 net/socket.c:1118 call_read_iter include/linux/fs.h:1845 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x5e0/0x630 fs/read_write.c:470 ksys_read+0x163/0x1a0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x41/0x50 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffff88803c81f258 of 8 bytes by task 19183 on cpu 1: sock_recv_cmsgs include/net/sock.h:2721 [inline] packet_recvmsg+0xb64/0xd00 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg+0x11a/0x130 net/socket.c:1040 sock_read_iter+0x176/0x220 net/socket.c:1118 call_read_iter include/linux/fs.h:1845 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x5e0/0x630 fs/read_write.c:470 ksys_read+0x163/0x1a0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x41/0x50 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0xffffffffc4653600 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19183 Comm: syz-executor.5 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 | 2025-12-30 | not yet calculated | CVE-2023-54218 | https://git.kernel.org/stable/c/fd28692fa182d25e8d26bc1db506648839fde245 https://git.kernel.org/stable/c/564c3150ad357d571a0de7d8b644aa1f7e6e21b7 https://git.kernel.org/stable/c/d7343f8de019ebb55b2b6ef79b971f6ceb361a99 https://git.kernel.org/stable/c/d06f67b2b8dcd00d995c468428b6bccebc5762d8 https://git.kernel.org/stable/c/de260d1e02cde39d317066835ee6e5234fc9f5a8 https://git.kernel.org/stable/c/7145f2309d649ad6273b9f66448321b9b4c523c8 https://git.kernel.org/stable/c/8319220054e5ea5f506d8d4c4b5e234f668ffc3b https://git.kernel.org/stable/c/dfd9248c071a3710c24365897459538551cb7167 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "IB/isert: Fix incorrect release of isert connection" Commit: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") is causing problems on OPA when DEVICE_REMOVAL is happening. ------------[ cut here ]------------ WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359 ib_cq_pool_cleanup+0xac/0xb0 [ib_core] Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc scsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod opa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core x86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt ipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma intel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci ghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1 Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS SE5C610.86B.01.01.0014.121820151719 12/18/2015 RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core] Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83 c4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206 RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640 RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18 R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38 FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0 Call Trace: <TASK> ? __warn+0x80/0x130 ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] ? report_bug+0x195/0x1a0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] disable_device+0x9d/0x160 [ib_core] __ib_unregister_device+0x42/0xb0 [ib_core] ib_unregister_device+0x22/0x30 [ib_core] rvt_unregister_device+0x20/0x90 [rdmavt] hfi1_unregister_ib_device+0x16/0xf0 [hfi1] remove_one+0x55/0x1a0 [hfi1] pci_device_remove+0x36/0xa0 device_release_driver_internal+0x193/0x200 driver_detach+0x44/0x90 bus_remove_driver+0x69/0xf0 pci_unregister_driver+0x2a/0xb0 hfi1_mod_cleanup+0xc/0x3c [hfi1] __do_sys_delete_module.constprop.0+0x17a/0x2f0 ? exit_to_user_mode_prepare+0xc4/0xd0 ? syscall_trace_enter.constprop.0+0x126/0x1a0 do_syscall_64+0x5c/0x90 ? syscall_exit_to_user_mode+0x12/0x30 ? do_syscall_64+0x69/0x90 ? syscall_exit_work+0x103/0x130 ? syscall_exit_to_user_mode+0x12/0x30 ? do_syscall_64+0x69/0x90 ? exc_page_fault+0x65/0x150 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7ff1e643f5ab Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8 RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000 R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8 R13: 00000000000 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54219 | https://git.kernel.org/stable/c/77e90bd53019d4d4c9e25552b5efb06dfd8c3c82 https://git.kernel.org/stable/c/a277b736309f923d9baff0ef166d694d348a5b96 https://git.kernel.org/stable/c/9b6296861a5a9d58aacd72c249a68b073c78bfb4 https://git.kernel.org/stable/c/aa950b9835f2d004b071fd220459edd3cd0a3603 https://git.kernel.org/stable/c/1bb42aca7a9611c1991a790834e2a65f3345c5e8 https://git.kernel.org/stable/c/3f39698e7e842abc9bd2bd97bf5eeda4543db758 https://git.kernel.org/stable/c/4082b59705ee9e3912eaa9e15abda8e76039b681 https://git.kernel.org/stable/c/a3189341e2f609d48f730b18c8bbbf6783233477 https://git.kernel.org/stable/c/dfe261107c080709459c32695847eec96238852b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: serial: 8250: Fix oops for port->pm on uart_change_pm() Unloading a hardware specific 8250 driver can produce error "Unable to handle kernel paging request at virtual address" about ten seconds after unloading the driver. This happens on uart_hangup() calling uart_change_pm(). Turns out commit 04e82793f068 ("serial: 8250: Reinit port->pm on port specific driver unbind") was only a partial fix. If the hardware specific driver has initialized port->pm function, we need to clear port->pm too. Just reinitializing port->ops does not do this. Otherwise serial8250_pm() will call port->pm() instead of serial8250_do_pm(). | 2025-12-30 | not yet calculated | CVE-2023-54220 | https://git.kernel.org/stable/c/66f3e55960698c874b0598277913b478ecd29573 https://git.kernel.org/stable/c/720a297b334e85d34099e83d1f375b92c3efedd6 https://git.kernel.org/stable/c/b653289ca6460a6552c8590b75dfa84a0140a46b https://git.kernel.org/stable/c/bd70d0b28010d560a8be96b44fea86fe2ba016ae https://git.kernel.org/stable/c/18e27df4f2b4e257c317ba8076f31a888f6cc64b https://git.kernel.org/stable/c/0c05493341d6f2097f75f0a5dbb7b53a9e8c5f6c https://git.kernel.org/stable/c/375806616f8c772c33d40e112530887b37c1a816 https://git.kernel.org/stable/c/dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe In function probe(), it returns directly without unregistered hws when error occurs. Fix this by adding 'goto unregister_hws;' on line 295 and line 310. Use devm_kzalloc() instead of kzalloc() to automatically free the memory using devm_kfree() when error occurs. Replace of_iomap() with devm_of_iomap() to automatically handle the unused ioremap region and delete 'iounmap(anatop_base);' in unregister_hws. | 2025-12-30 | not yet calculated | CVE-2023-54221 | https://git.kernel.org/stable/c/280a5ff665e12d1e0c54c20cedc9c5008aa686a5 https://git.kernel.org/stable/c/fac9c624138c4bc021d7a8ee3b974c9e10926d92 https://git.kernel.org/stable/c/d17c16a2b2a6589c45b0bfb1b9914da80b72d89e https://git.kernel.org/stable/c/e02ba11b457647050cb16e7cad16cec3c252fade |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id() The "map_sz" is the number of elements in the "m" array so the > comparison needs to be changed to >= to prevent an out of bounds read. | 2025-12-30 | not yet calculated | CVE-2023-54222 | https://git.kernel.org/stable/c/fed87ce073c7b9f4f255105f90bd930df06d18a7 https://git.kernel.org/stable/c/aedc364a7c9cd2fb45b4f7c0a41c98365369ff46 https://git.kernel.org/stable/c/2a488602e3f09ef9e50feb5448ae46515a6fa789 https://git.kernel.org/stable/c/e078180d66848a6a890daf0a3ce28dc43cc66790 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix invalid buffer access for legacy rq The below crash can be encountered when using xdpsock in rx mode for legacy rq: the buffer gets released in the XDP_REDIRECT path, and then once again in the driver. This fix sets the flag to avoid releasing on the driver side. XSK handling of buffers for legacy rq was relying on the caller to set the skip release flag. But the referenced fix started using fragment counts for pages instead of the skip flag. Crash log: general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28 Code: ... RSP: 0018:ffff88810082fc98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901 RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006 R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000 R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00 FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x32/0x80 ? exc_general_protection+0x192/0x390 ? asm_exc_general_protection+0x22/0x30 ? 0xffffffffa000b514 ? bpf_prog_03b13f331978c78c+0xf/0x28 mlx5e_xdp_handle+0x48/0x670 [mlx5_core] ? dev_gro_receive+0x3b5/0x6e0 mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core] mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core] mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core] mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core] __napi_poll+0x25/0x1a0 net_rx_action+0x28a/0x300 __do_softirq+0xcd/0x279 ? sort_range+0x20/0x20 run_ksoftirqd+0x1a/0x20 smpboot_thread_fn+0xa2/0x130 kthread+0xc9/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core] ---[ end trace 0000000000000000 ]--- | 2025-12-30 | not yet calculated | CVE-2023-54223 | https://git.kernel.org/stable/c/58a113a35846d9a5bd759beb332e551e28451f09 https://git.kernel.org/stable/c/e0f52298fee449fec37e3e3c32df60008b509b16 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix lockdep splat and potential deadlock after failure running delayed items When running delayed items we are holding a delayed node's mutex and then we will attempt to modify a subvolume btree to insert/update/delete the delayed items. However, if we have an error during the insertions, for example, btrfs_insert_delayed_items() may return with a path that has locked extent buffers (a leaf at the very least), and then we attempt to release the delayed node at __btrfs_run_delayed_items(), which requires taking the delayed node's mutex, causing an ABBA type of deadlock. This was reported by syzbot and the lockdep splat is the following: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted ------------------------------------------------------ syz-executor.2/13257 is trying to acquire lock: ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 but task is already holding lock: ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: __lock_release kernel/locking/lockdep.c:5475 [inline] lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781 up_write+0x79/0x580 kernel/locking/rwsem.c:1625 btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline] btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239 search_leaf fs/btrfs/ctree.c:1986 [inline] btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230 btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376 btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline] btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline] __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111 __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153 flush_space+0x269/0xe70 fs/btrfs/space-info.c:723 btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078 process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600 worker_thread+0xa63/0x1210 kernel/workqueue.c:2751 kthread+0x2b8/0x350 kernel/kthread.c:389 ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 -> #0 (&delayed_node->mutex){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603 __mutex_lock kernel/locking/mutex.c:747 [inline] mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799 __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline] __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156 btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276 btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988 vfs_fsync_range fs/sync.c:188 [inline] vfs_fsync fs/sync.c:202 [inline] do_fsync fs/sync.c:212 [inline] __do_sys_fsync fs/sync.c:220 [inline] __se_sys_fsync fs/sync.c:218 [inline] __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info that ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54224 | https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6 https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92 https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipa: only reset hashed tables when supported Last year, the code that manages GSI channel transactions switched from using spinlock-protected linked lists to using indexes into the ring buffer used for a channel. Recently, Google reported seeing transaction reference count underflows occasionally during shutdown. Doug Anderson found a way to reproduce the issue reliably, and bisected the issue to the commit that eliminated the linked lists and the lock. The root cause was ultimately determined to be related to unused transactions being committed as part of the modem shutdown cleanup activity. Unused transactions are not normally expected (except in error cases). The modem uses some ranges of IPA-resident memory, and whenever it shuts down we zero those ranges. In ipa_filter_reset_table() a transaction is allocated to zero modem filter table entries. If hashing is not supported, hashed table memory should not be zeroed. But currently nothing prevents that, and the result is an unused transaction. Something similar occurs when we zero routing table entries for the modem. By preventing any attempt to clear hashed tables when hashing is not supported, the reference count underflow is avoided in this case. Note that there likely remains an issue with properly freeing unused transactions (if they occur due to errors). This patch addresses only the underflows that Google originally reported. | 2025-12-30 | not yet calculated | CVE-2023-54225 | https://git.kernel.org/stable/c/50c24f0c940728792c8bdf65c1eaf6b91b3b0dcd https://git.kernel.org/stable/c/c00af3a818cc573e10100cc6770f0e47befa1fa4 https://git.kernel.org/stable/c/e11ec2b868af2b351c6c1e2e50eb711cc5423a10 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data races around sk->sk_shutdown. KCSAN found a data race around sk->sk_shutdown where unix_release_sock() and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll() and unix_dgram_poll() read it locklessly. We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE(). BUG: KCSAN: data-race in unix_poll / unix_release_sock write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0: unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 unix_release+0x59/0x80 net/unix/af_unix.c:1042 __sock_release+0x7d/0x170 net/socket.c:653 sock_close+0x19/0x30 net/socket.c:1397 __fput+0x179/0x5e0 fs/file_table.c:321 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x116/0x1a0 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1: unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170 sock_poll+0xcf/0x2b0 net/socket.c:1385 vfs_poll include/linux/poll.h:88 [inline] ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855 ep_send_events fs/eventpoll.c:1694 [inline] ep_poll fs/eventpoll.c:1823 [inline] do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258 __do_sys_epoll_wait fs/eventpoll.c:2270 [inline] __se_sys_epoll_wait fs/eventpoll.c:2265 [inline] __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0x00 -> 0x03 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 | 2025-12-30 | not yet calculated | CVE-2023-54226 | https://git.kernel.org/stable/c/1c488f4e95b498c977fbeae784983eb4cf6085e8 https://git.kernel.org/stable/c/196528ad484443627779540697f4fb0ef0e01c52 https://git.kernel.org/stable/c/8307e372e7445ec7d3cd2ff107ce5078eaa02815 https://git.kernel.org/stable/c/a41559ae3681975f1ced815d8d4c983b6b938499 https://git.kernel.org/stable/c/e410895892f99700ce54347d42c8dbe962eea9f4 https://git.kernel.org/stable/c/f237f79b63c9242450e6869adcd2c10445859f28 https://git.kernel.org/stable/c/e1d09c2c2f5793474556b60f83900e088d0d366d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix tags leak when shrink nr_hw_queues Although we don't need to realloc set->tags[] when shrinking nr_hw_queues, we do need to free them, or these tags will be leaked. How to reproduce: 1. mount -t configfs configfs /mnt 2. modprobe null_blk nr_devices=0 submit_queues=8 3. mkdir /mnt/nullb/nullb0 4. echo 1 > /mnt/nullb/nullb0/power 5. echo 4 > /mnt/nullb/nullb0/submit_queues 6. rmdir /mnt/nullb/nullb0 In step 4, 9 tags will be allocated (8 submit queues and 1 poll queue), then in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue). Finally, in step 6, only these 5 tags are freed; the other 4 tags are leaked. | 2025-12-30 | not yet calculated | CVE-2023-54227 | https://git.kernel.org/stable/c/c0ef7493e68b8896806a2f598fcffbaa97333405 https://git.kernel.org/stable/c/e1dd7bc93029024af5688253b0c05181d6e01f8e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: raa215300: Fix resource leak in case of error The clk_register_clkdev() allocates memory by calling vclkdev_alloc() and this memory is not freed in the error path. Similarly, resources allocated by clk_register_fixed_rate() are not freed in the error path. Fix these issues by using devm_clk_hw_register_fixed_rate() and devm_clk_hw_register_clkdev(). After this, the static variable clk is not needed. Replace it with local variable hw in probe() and drop calling clk_unregister_fixed_rate() from raa215300_rtc_unregister_device(). | 2025-12-30 | not yet calculated | CVE-2023-54228 | https://git.kernel.org/stable/c/2bf2d2ac9e67184dc99275875a6452ca6e3027ff https://git.kernel.org/stable/c/e21ac64e669e960688e79bf5babeed63132dac8a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range Because of what seems to be a typo, a 6Ghz-only phy for which the BDF does not allow the 7115Mhz channel will fail to register: WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954 Modules linked in: ath11k_pci sbsa_gwdt CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9 Hardware name: Freebox V7R Board (DT) Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : wiphy_register+0x914/0x954 lr : ieee80211_register_hw+0x67c/0xc10 sp : ffffff800b123aa0 x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418 x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168 x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014 x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718 x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006 x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284 x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: wiphy_register+0x914/0x954 ieee80211_register_hw+0x67c/0xc10 ath11k_mac_register+0x7c4/0xe10 ath11k_core_qmi_firmware_ready+0x1f4/0x570 ath11k_qmi_driver_event_work+0x198/0x590 process_one_work+0x1b8/0x328 worker_thread+0x6c/0x414 kthread+0x100/0x104 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22 ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22 ath11k_pci 0002:01:00.0: failed to create pdev core: -22 | 2025-12-30 | not yet calculated | CVE-2023-54229 | https://git.kernel.org/stable/c/532f8bac60419eb28158770470b9bb655de207c8 https://git.kernel.org/stable/c/f97832620d7f320bea81707f34631371e87a419b https://git.kernel.org/stable/c/8d1342108c2bf11aaaf293becfc010ecdb6170d9 https://git.kernel.org/stable/c/32ca096e712a78b2f0d2e48d33dc0caaba9f9866 https://git.kernel.org/stable/c/e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: amba: bus: fix refcount leak commit 5de1540b7bc4 ("drivers/amba: create devices from device tree") increases the refcount of of_node, but does not release it in amba_device_release, so there is a refcount leak. Use of_node_put to avoid the refcount leak. | 2025-12-30 | not yet calculated | CVE-2023-54230 | https://git.kernel.org/stable/c/94e398df32e850f26828690ee62f7441979583cc https://git.kernel.org/stable/c/9062ce0ccbd82fbe81cc839a512c0ad90847e01c https://git.kernel.org/stable/c/03db4fe7917bb160eeccf3968835475fa32b7e10 https://git.kernel.org/stable/c/9baf2278b3eed2c50112169121257d8a6ee0606c https://git.kernel.org/stable/c/4f1807fddd9bf175ee5e14fffc6b6106e4b297ef https://git.kernel.org/stable/c/81ff633a88be2482c163d3acd2801d501261ce6a https://git.kernel.org/stable/c/206fadb7278ceac7593dd0b945a77b9df856a674 https://git.kernel.org/stable/c/8b60a706166de5de82314494704c2419e7657bf8 https://git.kernel.org/stable/c/e312cbdc11305568554a9e18a2ea5c2492c183f3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix memory leak in wx_setup_rx_resources When wx_alloc_page_pool() fails in wx_setup_rx_resources(), it doesn't release the DMA buffer. Add dma_free_coherent() in the error path to release the DMA buffer. | 2025-12-30 | not yet calculated | CVE-2023-54231 | https://git.kernel.org/stable/c/2371e1ecd445baf793a74db00ea6b2a2bc13c4c0 https://git.kernel.org/stable/c/e315e7b83a22043bffee450437d7089ef373cbf6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: m68k: Only force 030 bus error if PC not in exception table __get_kernel_nofault() does copy data in supervisor mode when forcing a task backtrace log through /proc/sysrq_trigger. This is expected to cause a bus error exception on e.g. NULL pointer dereferencing when logging a kernel task that has no workqueue associated. This bus error ought to be ignored. Our 030 bus error handler is ill equipped to deal with this: whenever ssw indicates a kernel mode access on a data fault, we don't even attempt to handle the fault and instead always send a SEGV signal (or panic). As a result, the check for exception handling at the fault PC (buried in send_sig_fault() which gets called from do_page_fault() eventually) is never used. In contrast, both 040 and 060 access error handlers do not care whether a fault happened on supervisor mode access, and will call do_page_fault() on those, ultimately honoring the exception table. Add a check in bus_error030 to call do_page_fault() in case we do have an entry for the fault PC in our exception table. I had attempted a fix for this earlier in 2019 that did rely on testing pagefault_disabled() (see link below) to achieve the same thing, but this patch should be more generic. Tested on 030 Atari Falcon. | 2025-12-30 | not yet calculated | CVE-2023-54232 | https://git.kernel.org/stable/c/1a6059f5ed57f48edfe7159404ff7d538d9d405b https://git.kernel.org/stable/c/f55cb52ec98b22125f5bda36391edb8894f7e8cf https://git.kernel.org/stable/c/2100e374251a8fc00cce1916cfc50f3cb652cbe3 https://git.kernel.org/stable/c/df1da53a7e98f0b2a0eb2241c154f148f2f2c1d8 https://git.kernel.org/stable/c/8bf8d5dade4c5e1d8a2386f29253ed28b5d87735 https://git.kernel.org/stable/c/54fa25ffab2b700df5abd58c136d64a912c53953 https://git.kernel.org/stable/c/ec15405b80fc15ffc87a23d01378ae061c1aba07 https://git.kernel.org/stable/c/e36a82bebbf7da814530d5a179bef9df5934b717 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: avoid a NULL dereference with unsupported widgets If an IPC4 topology contains an unsupported widget, its .module_info field won't be set, then sof_ipc4_route_setup() will cause a kernel Oops trying to dereference it. Add a check for such cases. | 2025-12-30 | not yet calculated | CVE-2023-54233 | https://git.kernel.org/stable/c/170818974e9732506195c6302743856cc8bdfd6f https://git.kernel.org/stable/c/e3720f92e0237921da537e47a0b24e27899203f8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix missing mrioc->evtack_cmds initialization Commit c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic") introduced an array mrioc->evtack_cmds but initialization of the array elements was missed. They are just zero cleared. The function mpi3mr_complete_evt_ack() refers to the host_tag field of the elements. Due to the zero value of the host_tag field, the function calls clear_bit() for mrioc->evtack_cmds_bitmap with the wrong bit index. This results in memory access to an invalid address and "BUG: KASAN: use-after-free". This BUG was observed at eHBA-9600 firmware update to version 8.3.1.0. To fix it, add the missing initialization of mrioc->evtack_cmds. | 2025-12-30 | not yet calculated | CVE-2023-54234 | https://git.kernel.org/stable/c/4e0dfdb48a824deac3dfbc67fb856ef2aee13529 https://git.kernel.org/stable/c/67989091e11a974003ddf2ec39bc613df8eadd83 https://git.kernel.org/stable/c/e39ea831ebad4ab15c4748cb62a397a8abcca36e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix destroy_work_on_stack() race The following debug object splat was observed in testing: ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510 WARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0 … Workqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work RIP: 0010:debug_print_object+0x7d/0xb0 … Call Trace: ? debug_print_object+0x7d/0xb0 ? __pfx_doe_statemachine_work+0x10/0x10 debug_object_free.part.0+0x11b/0x150 doe_statemachine_work+0x45e/0x510 process_one_work+0x1d4/0x3c0 This occurs because destroy_work_on_stack() was called after signaling the completion in the calling thread. This creates a race between destroy_work_on_stack() and the task->work struct going out of scope in pci_doe(). Signal the work complete after destroying the work struct. This is safe because signal_task_complete() is the final thing the work item does and the workqueue code is careful not to access the work struct after. | 2025-12-30 | not yet calculated | CVE-2023-54235 | https://git.kernel.org/stable/c/d96799ee3b78962c80e4b6653734f488f999ca09 https://git.kernel.org/stable/c/c4f9c0a3a6df143f2e1092823b7fa9e07d6ab57f https://git.kernel.org/stable/c/19cf3ba16dcc2ef059dcf010072d4f96d76486e0 https://git.kernel.org/stable/c/e3a3a097eaebaf234a482b4d2f9f18fe989208c1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/net_failover: fix txq exceeding warning The failover txq is initialized with 16 queues. When a packet is first transmitted from the failover device, the failover device will select the queue which is returned from the primary device if the primary device is UP and running. If the primary device txq is bigger than the default 16, it can lead to the following warning: eth0 selects TX queue 18, but real number of TX queues is 16 The warning backtrace is: [ 32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G E 6.2.8-1.el7.centos.x86_64 #1 [ 32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014 [ 32.147730] Call Trace: [ 32.147971] <TASK> [ 32.148183] dump_stack_lvl+0x48/0x70 [ 32.148514] dump_stack+0x10/0x20 [ 32.148820] netdev_core_pick_tx+0xb1/0xe0 [ 32.149180] __dev_queue_xmit+0x529/0xcf0 [ 32.149533] ? __check_object_size.part.0+0x21c/0x2c0 [ 32.149967] ip_finish_output2+0x278/0x560 [ 32.150327] __ip_finish_output+0x1fe/0x2f0 [ 32.150690] ip_finish_output+0x2a/0xd0 [ 32.151032] ip_output+0x7a/0x110 [ 32.151337] ? __pfx_ip_finish_output+0x10/0x10 [ 32.151733] ip_local_out+0x5e/0x70 [ 32.152054] ip_send_skb+0x19/0x50 [ 32.152366] udp_send_skb.isra.0+0x163/0x3a0 [ 32.152736] udp_sendmsg+0xba8/0xec0 [ 32.153060] ? __folio_memcg_unlock+0x25/0x60 [ 32.153445] ? __pfx_ip_generic_getfrag+0x10/0x10 [ 32.153854] ? sock_has_perm+0x85/0xa0 [ 32.154190] inet_sendmsg+0x6d/0x80 [ 32.154508] ? inet_sendmsg+0x6d/0x80 [ 32.154838] sock_sendmsg+0x62/0x70 [ 32.155152] ____sys_sendmsg+0x134/0x290 [ 32.155499] ___sys_sendmsg+0x81/0xc0 [ 32.155828] ? _get_random_bytes.part.0+0x79/0x1a0 [ 32.156240] ? ip4_datagram_release_cb+0x5f/0x1e0 [ 32.156649] ? get_random_u16+0x69/0xf0 [ 32.156989] ? __fget_light+0xcf/0x110 [ 32.157326] __sys_sendmmsg+0xc4/0x210 [ 32.157657] ? __sys_connect+0xb7/0xe0 [ 32.157995] ? __audit_syscall_entry+0xce/0x140 [ 32.158388] ? syscall_trace_enter.isra.0+0x12c/0x1a0 [ 32.158820] __x64_sys_sendmmsg+0x24/0x30 [ 32.159171] do_syscall_64+0x38/0x90 [ 32.159493] entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix that by reducing the txq number as the non-existent primary-dev does. | 2025-12-30 | not yet calculated | CVE-2023-54236 | https://git.kernel.org/stable/c/105cc268328231d5c2bfcbd03f265cec444a3492 https://git.kernel.org/stable/c/f032e125149d914e542548c17ebd613851031368 https://git.kernel.org/stable/c/2d5cebf57296f0189a61482035ad420384eedead https://git.kernel.org/stable/c/c942f5cd63b7c2e73fe06744185a34b03267595b https://git.kernel.org/stable/c/44d250c22209c680f61befbc2ac326da5452da01 https://git.kernel.org/stable/c/e3cbdcb0fbb61045ef3ce0e072927cc41737f787 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/smc: fix potential panic due to unprotected smc_llc_srv_add_link() There is a certain chance to trigger the following panic: PID: 5900 TASK: ffff88c1c8af4100 CPU: 1 COMMAND: "kworker/1:48" #0 [ffff9456c1cc79a0] machine_kexec at ffffffff870665b7 #1 [ffff9456c1cc79f0] __crash_kexec at ffffffff871b4c7a #2 [ffff9456c1cc7ab0] crash_kexec at ffffffff871b5b60 #3 [ffff9456c1cc7ac0] oops_end at ffffffff87026ce7 #4 [ffff9456c1cc7ae0] page_fault_oops at ffffffff87075715 #5 [ffff9456c1cc7b58] exc_page_fault at ffffffff87ad0654 #6 [ffff9456c1cc7b80] asm_exc_page_fault at ffffffff87c00b62 [exception RIP: ib_alloc_mr+19] RIP: ffffffffc0c9cce3 RSP: ffff9456c1cc7c38 RFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000004 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88c1ea281d00 R8: 000000020a34ffff R9: ffff88c1350bbb20 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000010 R14: ffff88c1ab040a50 R15: ffff88c1ea281d00 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffff9456c1cc7c60] smc_ib_get_memory_region at ffffffffc0aff6df [smc] #8 [ffff9456c1cc7c88] smcr_buf_map_link at ffffffffc0b0278c [smc] #9 [ffff9456c1cc7ce0] __smc_buf_create at ffffffffc0b03586 [smc] The reason here is that when the server tries to create a second link, smc_llc_srv_add_link() has no protection and may add a new link to the link group. This breaks the security environment protected by llc_conf_mutex. | 2025-12-30 | not yet calculated | CVE-2023-54237 | https://git.kernel.org/stable/c/f2f46de98c11d41ac8d22765f47ba54ce5480a5b https://git.kernel.org/stable/c/0c764cc271d3aa6528ae1b3394babf34ac01f775 https://git.kernel.org/stable/c/e40b801b3603a8f90b46acbacdea3505c27f01c0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mlx5: fix skb leak while fifo resync and push During the ptp resync operation SKBs were popped from the fifo but were never freed, neither by napi_consume nor by dev_kfree_skb_any. Add a call to napi_consume_skb to properly free SKBs. Another leak was happening because mlx5e_skb_fifo_has_room() had an error in the check. Comparing free running counters works well unless C promotes the types to something wider than the counter. In this case the counters are u16 but the result of the subtraction is promoted to int and it causes a wrong result (negative value) of the check when the producer has already overlapped but the consumer hasn't yet. An explicit cast to u16 fixes the issue. | 2025-12-30 | not yet calculated | CVE-2023-54238 | https://git.kernel.org/stable/c/234cffda95e1049f58e8ec136ef105c633f0ed19 https://git.kernel.org/stable/c/68504c66d08c70fb92799722e25a932d311d74fd https://git.kernel.org/stable/c/e435941b1da1a0be4ff8a7ae425774c76a5ac514 |
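The integer-promotion bug behind the second leak in CVE-2023-54238 is easy to reproduce in user space. The following is an added example, not kernel code: it models a pair of free-running u16 producer/consumer counters like the ones behind mlx5e_skb_fifo_has_room(), and places the buggy comparison (u16 operands promoted to int before the subtraction) beside the fixed one (difference cast back to u16). The struct and function names, and the fifo size, are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Added example, not kernel code. pc and cc only ever increase and wrap
 * at 65536; mask is (slots - 1) for a power-of-two slot count. Names are
 * illustrative assumptions, not the mlx5e driver's own types.
 */
struct skb_fifo_model {
	uint16_t pc;   /* producer counter: entries pushed so far */
	uint16_t cc;   /* consumer counter: entries popped so far */
	uint16_t mask; /* slots - 1 */
};

/* Entries currently in the fifo. Correct across wrap because the
 * difference is truncated back to 16 bits before it is used. */
uint16_t skb_fifo_in_flight(const struct skb_fifo_model *f)
{
	return (uint16_t)(f->pc - f->cc);
}

/*
 * Buggy check, as described above: both u16 operands are promoted to int,
 * so once pc has wrapped past zero while cc has not, pc - cc is a large
 * negative int, the comparison is true, and a full fifo reports room.
 */
bool skb_fifo_has_room_buggy(const struct skb_fifo_model *f)
{
	return f->pc - f->cc < f->mask;
}

/* Fixed check: cast the difference back to u16 before comparing. */
bool skb_fifo_has_room_fixed(const struct skb_fifo_model *f)
{
	return (uint16_t)(f->pc - f->cc) < f->mask;
}

/* Push one entry if the fixed check says there is room. */
bool skb_fifo_push(struct skb_fifo_model *f)
{
	if (!skb_fifo_has_room_fixed(f))
		return false;
	f->pc++;
	return true;
}

/* Pop one entry; false when the fifo is empty. */
bool skb_fifo_pop(struct skb_fifo_model *f)
{
	if (skb_fifo_in_flight(f) == 0)
		return false;
	f->cc++;
	return true;
}
```

The interesting state is a full fifo whose producer has wrapped (for example pc = 4, cc = 65532 with mask = 7): the in-flight count is 8, the buggy check still reports room, and the fixed check does not. Any free-running-counter comparison on a type narrower than int needs the same cast, or a comparison written in terms of the narrow type's width.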
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Check for uptr overflow syzkaller found that setting up a map with a user VA that wraps past zero can trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0 due to invalid arguments. Prevent creating pages with a uptr and size that would arithmetically overflow. WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390 Modules linked in: CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:pfn_reader_user_pin+0x2e6/0x390 Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 85 db 74 0a e8 14 e4 0f ff e9 4d ff ff ff e8 0a e4 0f ff <0f> 0b bb f2 ff ff ff e9 3c ff ff ff e8 f9 e3 0f ff ba 01 00 00 00 RSP: 0018:ffffc90000f9fa30 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff821e2b72 RDX: 0000000000000000 RSI: ffff888014184680 RDI: 0000000000000002 RBP: ffffc90000f9fa78 R08: 00000000000000ff R09: 0000000079de6f4e R10: ffffc90000f9f790 R11: ffff888014185418 R12: ffffc90000f9fc60 R13: 0000000000000002 R14: ffff888007879800 R15: 0000000000000000 FS: 00007f4227555740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000043 CR3: 000000000e748005 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> pfn_reader_next+0x14a/0x7b0 ? interval_tree_double_span_iter_update+0x11a/0x140 pfn_reader_first+0x140/0x1b0 iopt_pages_rw_slow+0x71/0x280 ? __this_cpu_preempt_check+0x20/0x30 iopt_pages_rw_access+0x2b2/0x5b0 iommufd_access_rw+0x19f/0x2f0 iommufd_test+0xd11/0x16f0 ? write_comp_data+0x2f/0x90 iommufd_fops_ioctl+0x206/0x330 __x64_sys_ioctl+0x10e/0x160 ? __pfx_iommufd_fops_ioctl+0x10/0x10 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc | 2025-12-30 | not yet calculated | CVE-2023-54239 | https://git.kernel.org/stable/c/800963e7eb001ada8cf2418f159fb649694467f1 https://git.kernel.org/stable/c/e4395701330fc4aee530905039516fe770b81417 |
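The uptr overflow in CVE-2023-54239 is an instance of a general pattern: a range check that computes `start + length` first and compares the end address afterwards accepts a range whose end has wrapped past zero. The following is an added example, not kernel code: it puts that naive check beside two overflow-safe forms, one using the compiler's add-with-overflow builtin (the kernel's check_add_overflow() is a wrapper over the same builtin) and one that avoids the addition entirely. It models the user VA as uint64_t, so it is a 64-bit illustration, and USER_VA_LIMIT is an assumed bound standing in for the top of the user half of the address space.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Added example, not kernel code. USER_VA_LIMIT is an assumption
 * (47-bit user half of x86-64); function names are illustrative.
 * uptr is a user virtual address and length the size of the range.
 */
#define USER_VA_LIMIT (UINT64_C(1) << 47)

/*
 * Naive check: adds first, compares second. For a uptr near the top of
 * the 64-bit space the addition wraps, end becomes small, and a range
 * that does not exist is accepted. Do not use this form.
 */
bool user_range_ok_naive(uint64_t uptr, uint64_t length)
{
	uint64_t end = uptr + length; /* silently wraps past zero */

	return length != 0 && end <= USER_VA_LIMIT;
}

/*
 * Overflow-aware check in the shape of the kernel fix: only trust the
 * sum when the builtin reports that no wrap occurred. In the kernel this
 * is check_add_overflow() and the failure maps to -EOVERFLOW.
 */
bool user_range_ok_checked(uint64_t uptr, uint64_t length)
{
	uint64_t end;

	if (length == 0)
		return false;
	if (__builtin_add_overflow(uptr, length, &end))
		return false; /* uptr + length wrapped */
	return end <= USER_VA_LIMIT;
}

/*
 * Equivalent check with no addition at all: compare the requested
 * length against the room left between uptr and the limit.
 */
bool user_range_ok_subtract(uint64_t uptr, uint64_t length)
{
	if (length == 0 || uptr >= USER_VA_LIMIT)
		return false;
	return length <= USER_VA_LIMIT - uptr;
}
```

The case syzkaller hit corresponds to something like `uptr = UINT64_MAX - 0xfff, length = 0x2000`: the naive form computes an end of 0x1000 and says yes, both safe forms say no. The subtract form is the one to reach for when a builtin is unavailable; it only needs the bound to be known before the range is validated.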
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() rule_locs is allocated in ethtool_get_rxnfc and the size is determined by rule_cnt from user space. So rule_cnt needs to be checked before using rule_locs to avoid a NULL pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54240 | https://git.kernel.org/stable/c/7776591e5ae2befff86579f68916a171971c6aab https://git.kernel.org/stable/c/751b2e22a188b0c306029d094da29b6b8de31430 https://git.kernel.org/stable/c/653fbddbdfc6673bba01b13dae5a4384ad8f92ec https://git.kernel.org/stable/c/75f2de75c1182e80708c932418e4895dbc88b68f https://git.kernel.org/stable/c/072324cfab9b96071c0782f51f53cc5aea1e9d5b https://git.kernel.org/stable/c/ff5faed5f5487b0fd2b640ba1304f82a5ebaab42 https://git.kernel.org/stable/c/fe0195fe48f85182bc7e7eabcad925bd3cbc10f5 https://git.kernel.org/stable/c/e4c79810755f66c9a933ca810da2724133b1165a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: KVM: Fix NULL pointer dereference After commit 45c7e8af4a5e3f0bea4ac209 ("MIPS: Remove KVM_TE support") we get a NULL pointer dereference when creating a KVM guest: [ 146.243409] Starting KVM with MIPS VZ extensions [ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c [ 149.849177] Oops[#1]: [ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671 [ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020 [ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740 [ 149.849209] $ 4 : 000000007400cce1 000000007400cce1 0000000000000000 0000000000000000 [ 149.849221] $ 8 : 000000240058bb36 ffffffff81421ac0 0000000000000000 0000000000400dc0 [ 149.849233] $12 : 9800000102a07cc8 ffffffff80e40e38 0000000000000001 0000000000400dc0 [ 149.849245] $16 : 0000000000000000 9800000106cd0000 9800000106cd0000 9800000100cce000 [ 149.849257] $20 : ffffffffc0632b28 ffffffffc05b31b0 9800000100ccca00 0000000000400000 [ 149.849269] $24 : 9800000106cd09ce ffffffff802f69d0 [ 149.849281] $28 : 9800000102a04000 9800000102a07cd0 98000001106a8000 ffffffffc063568c [ 149.849293] Hi : 00000335b2111e66 [ 149.849295] Lo : 6668d90061ae0ae9 [ 149.849298] epc : ffffffffc06356ec kvm_vz_vcpu_setup+0xc4/0x328 [kvm] [ 149.849324] ra : ffffffffc063568c kvm_vz_vcpu_setup+0x64/0x328 [kvm] [ 149.849336] Status: 7400cce3 KX SX UX KERNEL EXL IE [ 149.849351] Cause : 1000000c (ExcCode 03) [ 149.849354] BadVA : 0000000000000300 [ 149.849357] PrId : 0014c004 (ICT Loongson-3) [ 149.849360] Modules linked in: kvm nfnetlink_queue nfnetlink_log nfnetlink fuse sha256_generic libsha256 cfg80211 rfkill binfmt_misc vfat fat snd_hda_codec_hdmi input_leds led_class snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_pcm snd_timer snd serio_raw xhci_pci radeon drm_suballoc_helper drm_display_helper xhci_hcd ip_tables x_tables [ 149.849432] Process qemu-system-mip (pid: 2265, threadinfo=00000000ae2982d2, task=0000000038e09ad4, tls=000000ffeba16030) [ 149.849439] Stack : 9800000000000003 9800000100ccca00 9800000100ccc000 ffffffffc062cef4 [ 149.849453] 9800000102a07d18 c89b63a7ab338e00 0000000000000000 ffffffff811a0000 [ 149.849465] 0000000000000000 9800000106cd0000 ffffffff80e59938 98000001106a8920 [ 149.849476] ffffffff80e57f30 ffffffffc062854c ffffffff811a0000 9800000102bf4240 [ 149.849488] ffffffffc05b0000 ffffffff80e3a798 000000ff78000000 000000ff78000010 [ 149.849500] 0000000000000255 98000001021f7de0 98000001023f0078 ffffffff81434000 [ 149.849511] 0000000000000000 0000000000000000 9800000102ae0000 980000025e92ae28 [ 149.849523] 0000000000000000 c89b63a7ab338e00 0000000000000001 ffffffff8119dce0 [ 149.849535] 000000ff78000010 ffffffff804f3d3c 9800000102a07eb0 0000000000000255 [ 149.849546] 0000000000000000 ffffffff8049460c 000000ff78000010 0000000000000255 [ 149.849558] … [ 149.849565] Call Trace: [ 149.849567] [<ffffffffc06356ec>] kvm_vz_vcpu_setup+0xc4/0x328 [kvm] [ 149.849586] [<ffffffffc062cef4>] kvm_arch_vcpu_create+0x184/0x228 [kvm] [ 149.849605] [<ffffffffc062854c>] kvm_vm_ioctl+0x64c/0xf28 [kvm] [ 149.849623] [<ffffffff805209c0>] sys_ioctl+0xc8/0x118 [ 149.849631] [<ffffffff80219eb0>] syscall_common+0x34/0x58 The root cause is that the deletion of kvm_mips_commpage_init() leaves vcpu->arch.cop0 NULL. So fix it by making cop0 an embedded object instead of a pointer. | 2025-12-30 | not yet calculated | CVE-2023-54241 | https://git.kernel.org/stable/c/cd517f9a9d07d41f4f3593b1da3982261e09d162 https://git.kernel.org/stable/c/bd9cf2a5f9e1b2229ad22f21de6f6ad1a9c8858e https://git.kernel.org/stable/c/6b9fb255d53759e3ea9b30067cb55091df1caf06 https://git.kernel.org/stable/c/e4de2057698636c0ee709e545d19b169d2069fa3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: block, bfq: Fix division by zero error on zero wsum When the weighted sum is zero the calculation of limit causes a division by zero error. Fix this by continuing to the next level. This was discovered by running as root: stress-ng --ioprio 0 Fixes division by zero oops: [ 521.450556] divide error: 0000 [#1] SMP NOPTI [ 521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1 [ 521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 [ 521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400 [ 521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 <48> f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44 [ 521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046 [ 521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000 [ 521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978 [ 521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0 [ 521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18 [ 521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970 [ 521.454549] FS: 00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000 [ 521.454912] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0 [ 521.455491] PKRU: 55555554 [ 521.455619] Call Trace: [ 521.455736] <TASK> [ 521.455837] ? bfq_request_merge+0x3a/0xc0 [ 521.456027] ? elv_merge+0x115/0x140 [ 521.456191] bfq_limit_depth+0xc8/0x240 [ 521.456366] __blk_mq_alloc_requests+0x21a/0x2c0 [ 521.456577] blk_mq_submit_bio+0x23c/0x6c0 [ 521.456766] __submit_bio+0xb8/0x140 [ 521.457236] submit_bio_noacct_nocheck+0x212/0x300 [ 521.457748] submit_bio_noacct+0x1a6/0x580 [ 521.458220] submit_bio+0x43/0x80 [ 521.458660] ext4_io_submit+0x23/0x80 [ 521.459116] ext4_do_writepages+0x40a/0xd00 [ 521.459596] ext4_writepages+0x65/0x100 [ 521.460050] do_writepages+0xb7/0x1c0 [ 521.460492] __filemap_fdatawrite_range+0xa6/0x100 [ 521.460979] file_write_and_wait_range+0xbf/0x140 [ 521.461452] ext4_sync_file+0x105/0x340 [ 521.461882] __x64_sys_fsync+0x67/0x100 [ 521.462305] ? syscall_exit_to_user_mode+0x2c/0x1c0 [ 521.462768] do_syscall_64+0x3b/0xc0 [ 521.463165] entry_SYSCALL_64_after_hwframe+0x5a/0xc4 [ 521.463621] RIP: 0033:0x5640b6c56590 [ 521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c | 2025-12-30 | not yet calculated | CVE-2023-54242 | https://git.kernel.org/stable/c/1655cfc85250a224b0d9486c8136baeea33b9b5c https://git.kernel.org/stable/c/c0346a59d719461248c6dc6f21c9e55ef836b66f https://git.kernel.org/stable/c/e53413f8deedf738a6782cc14cc00bd5852ccf18 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: ebtables: fix table blob use-after-free We are not allowed to return an error at this point. Looking at the code it looks like ret is always 0 at this point, but it’s not. t = find_table_lock(net, repl->name, &ret, &ebt_mutex); … this can return a valid table, with ret != 0. This bug causes update of table->private with the new blob, but then frees the blob right away in the caller. Syzbot report: BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74 Workqueue: netns cleanup_net Call Trace: kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613 … ip(6)tables appears to be ok (ret should be 0 at this point) but make this more obvious. | 2025-12-30 | not yet calculated | CVE-2023-54243 | https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5 https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5 https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249 https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: Fix oops when removing custom query handlers When removing custom query handlers, the handler might still be used inside the EC query workqueue, causing a kernel oops if the module holding the callback function was already unloaded. Fix this by flushing the EC query workqueue when removing custom query handlers. Tested on an Acer Travelmate 4002WLMi | 2025-12-30 | not yet calculated | CVE-2023-54244 | https://git.kernel.org/stable/c/130e3eac51912f2c866e7d035992ede25f8feac0 https://git.kernel.org/stable/c/0d528a7c421b1f1772fc1d29370b3b5fc0f42b19 https://git.kernel.org/stable/c/ccae2233e9935a038a35fe8cfd703df905f700e7 https://git.kernel.org/stable/c/066b90bca755f0b876e7b027b75d1796861d6db0 https://git.kernel.org/stable/c/f4a573eed6377d356f835a4b00099d5dacee0da0 https://git.kernel.org/stable/c/86a159fd5bdb01ec34b160cfda1a313b616d9302 https://git.kernel.org/stable/c/fd2c99e81ae0dbdd62a154ef9c77fc01715cc020 https://git.kernel.org/stable/c/e5b492c6bb900fcf9722e05f4a10924410e170c1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds When we run syzkaller we get below Out of Bound. “KASAN: slab-out-of-bounds Read in regcache_flat_read” Below is the backtrace of the issue: dump_backtrace+0x0/0x4c8 show_stack+0x34/0x44 dump_stack_lvl+0xd8/0x118 print_address_description+0x30/0x2d8 kasan_report+0x158/0x198 __asan_report_load4_noabort+0x44/0x50 regcache_flat_read+0x10c/0x110 regcache_read+0xf4/0x180 _regmap_read+0xc4/0x278 _regmap_update_bits+0x130/0x290 regmap_update_bits_base+0xc0/0x15c snd_soc_component_update_bits+0xa8/0x22c snd_soc_component_write_field+0x68/0xd4 tx_macro_digital_mute+0xec/0x140 Actually there is no need to have decimator with 32 bits. By limiting the variable with short type u8 issue is resolved. | 2025-12-30 | not yet calculated | CVE-2023-54245 | https://git.kernel.org/stable/c/da35a4e6eee5d73886312e85322a6e97df901987 https://git.kernel.org/stable/c/57f9a9a232bde7abfe49c3072b29a255da9ba891 https://git.kernel.org/stable/c/b0cd740a31412340fead50e69e4fe9bc3781c754 https://git.kernel.org/stable/c/e5e7e398f6bb7918dab0612eb6991f7bae95520d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle() The rcuscale.holdoff module parameter can be used to delay the start of rcu_scale_writer() kthread. However, the hung-task timeout will trigger when the timeout specified by rcuscale.holdoff is greater than hung_task_timeout_secs: runqemu kvm nographic slirp qemuparams="-smp 4 -m 2048M" bootparams="rcuscale.shutdown=0 rcuscale.holdoff=300" [ 247.071753] INFO: task rcu_scale_write:59 blocked for more than 122 seconds. [ 247.072529] Not tainted 6.4.0-rc1-00134-gb9ed6de8d4ff #7 [ 247.073400] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 247.074331] task:rcu_scale_write state:D stack:30144 pid:59 ppid:2 flags:0x00004000 [ 247.075346] Call Trace: [ 247.075660] <TASK> [ 247.075965] __schedule+0x635/0x1280 [ 247.076448] ? __pfx___schedule+0x10/0x10 [ 247.076967] ? schedule_timeout+0x2dc/0x4d0 [ 247.077471] ? __pfx_lock_release+0x10/0x10 [ 247.078018] ? enqueue_timer+0xe2/0x220 [ 247.078522] schedule+0x84/0x120 [ 247.078957] schedule_timeout+0x2e1/0x4d0 [ 247.079447] ? __pfx_schedule_timeout+0x10/0x10 [ 247.080032] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.080591] ? __pfx_process_timeout+0x10/0x10 [ 247.081163] ? __pfx_sched_set_fifo_low+0x10/0x10 [ 247.081760] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.082287] rcu_scale_writer+0x6b1/0x7f0 [ 247.082773] ? mark_held_locks+0x29/0xa0 [ 247.083252] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.083865] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.084412] kthread+0x179/0x1c0 [ 247.084759] ? __pfx_kthread+0x10/0x10 [ 247.085098] ret_from_fork+0x2c/0x50 [ 247.085433] </TASK> This commit therefore replaces schedule_timeout_uninterruptible() with schedule_timeout_idle(). | 2025-12-30 | not yet calculated | CVE-2023-54246 | https://git.kernel.org/stable/c/55887adc76e19aec9763186e2c1d0a3481d20e96 https://git.kernel.org/stable/c/4f03fba096bfded90e0d71eba8839a46922164d1 https://git.kernel.org/stable/c/83ed0cdb6ae0383dd14b02375c353773836884ed https://git.kernel.org/stable/c/9416dccb31fdb190d25d57e97674f232651f6560 https://git.kernel.org/stable/c/e60c122a1614b4f65b29a7bef9d83b9fd30e937a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Silence a warning in btf_type_id_size() syzbot reported a warning in [1] with the following stacktrace: WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 … RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 … Call Trace: <TASK> map_check_btf kernel/bpf/syscall.c:1024 [inline] map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198 __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040 __do_sys_bpf kernel/bpf/syscall.c:5162 [inline] __se_sys_bpf kernel/bpf/syscall.c:5160 [inline] __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd With the following btf [1] DECL_TAG ‘a’ type_id=4 component_idx=-1 [2] PTR ‘(anon)’ type_id=0 [3] TYPE_TAG ‘a’ type_id=2 [4] VAR ‘a’ type_id=3, linkage=static and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), the following WARN_ON_ONCE in btf_type_id_size() is triggered: if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) && !btf_type_is_var(size_type))) return NULL; Note that ‘return NULL’ is the correct behavior as we don’t want a DECL_TAG type to be used as a btf_{key,value}_type_id even for the case like ‘DECL_TAG -> STRUCT’. So there is no correctness issue here, we just want to silence warning. To silence the warning, I added DECL_TAG as one of kinds in btf_type_nosize() which will cause btf_type_id_size() returning NULL earlier without the warning. [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/ | 2025-12-30 | not yet calculated | CVE-2023-54247 | https://git.kernel.org/stable/c/61f4bd46a03a81865aca3bcbad2f7b7032fb3160 https://git.kernel.org/stable/c/7c4f5ab63e7962812505cbd38cc765168a223acb https://git.kernel.org/stable/c/e6c2f594ed961273479505b42040782820190305 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add check for kmemdup Since the kmemdup may return NULL pointer, it should be better to add a check for the return value in order to avoid NULL pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54248 | https://git.kernel.org/stable/c/952bbfcedbf895963509861e55a6e4fc105eb842 https://git.kernel.org/stable/c/7898db22ed6cee909513cf4935b5f9f0298b74f0 https://git.kernel.org/stable/c/9f36704a58adade3b0216f8a3fa5503db4517208 https://git.kernel.org/stable/c/cdcdfd57f4c701f832787da1309cc6687917d783 https://git.kernel.org/stable/c/e6c3cef24cb0d045f99d5cb039b344874e3cfd74 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bus: mhi: ep: Only send -ENOTCONN status if client driver is available For the STOP and RESET commands, only send the channel disconnect status -ENOTCONN if client driver is available. Otherwise, it will result in a null pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54249 | https://git.kernel.org/stable/c/353aea15d6edbd4e69e039356a1bd3e641f7d952 https://git.kernel.org/stable/c/860ad591056d7e4dc30bc130b6ec6e6d70930c85 https://git.kernel.org/stable/c/e6cebcc27519dcf1652e604c73b9fd4f416987c0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: avoid out of bounds access in decode_preauth_ctxt() Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within the SMB request boundary; deassemble_neg_contexts() only checks that the eight byte smb2_neg_context header + (client controlled) DataLength are within the packet boundary, which is insufficient. Checking for sizeof(struct smb2_preauth_neg_context) is overkill given that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt. | 2025-12-30 | not yet calculated | CVE-2023-54250 | https://git.kernel.org/stable/c/39f5b4b313b445c980a2a295bed28228c29228ed https://git.kernel.org/stable/c/a2f6ded41bec1d3be643c80a5eb97f1680309001 https://git.kernel.org/stable/c/f02edb9debbd36f44efa7567031485892c7df60d https://git.kernel.org/stable/c/e7067a446264a7514fa1cfaa4052cdb6803bc6a2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. syzkaller found zero division error [0] in div_s64_rem() called from get_cycle_time_elapsed(), where sched->cycle_time is the divisor. We have tests in parse_taprio_schedule() so that cycle_time will never be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed(). The problem is that the types of divisor are different; cycle_time is s64, but the argument of div_s64_rem() is s32. syzkaller fed this input and 0x100000000 is cast to s32 to be 0. @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000} We use s64 for cycle_time to cast it to ktime_t, so let’s keep it and set max for cycle_time. While at it, we prevent overflow in setup_txtime() and add another test in parse_taprio_schedule() to check if cycle_time overflows. Also, we add a new tdc test case for this issue. [0]: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline] RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline] RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344 Code: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10 RSP: 0018:ffffc90000acf260 EFLAGS: 00010206 RAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000 RBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934 R10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800 R13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> get_packet_txtime net/sched/sch_taprio.c:508 [inline] taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577 taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658 dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732 __dev_xmit_skb net/core/dev.c:3821 [inline] __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169 dev_queue_xmit include/linux/netdevice.h:3088 [inline] neigh_resolve_output net/core/neighbour.c:1552 [inline] neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532 neigh_output include/net/neighbour.h:544 [inline] ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135 __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196 ip6_finish_output net/ipv6/ip6_output.c:207 [inline] NF_HOOK_COND include/linux/netfilter.h:292 [inline] ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228 dst_output include/net/dst.h:458 [inline] NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303 ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508 ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666 addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175 process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597 worker_thread+0x60f/0x1240 kernel/workqueue.c:2748 kthread+0x2fe/0x3f0 kernel/kthread.c:389 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> Modules linked in: | 2025-12-30 | not yet calculated | CVE-2023-54251 | https://git.kernel.org/stable/c/f04f6d9b3b060f7e11219a65a76da65f1489e391 https://git.kernel.org/stable/c/0b45af982a4df0b14fb8669ee2a871cfdfa6a39c https://git.kernel.org/stable/c/57b3fe08ae06ef11af007b4a182629b12a961e30 https://git.kernel.org/stable/c/e739718444f7bf2fa3d70d101761ad83056ca628 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings My previous commit introduced a memory leak where the item allocated from tlmi_setting was not freed. This commit also renames it to avoid confusion with the similarly named variable in the same function. | 2025-12-30 | not yet calculated | CVE-2023-54252 | https://git.kernel.org/stable/c/cccdb30935c82be805d3362a15680b95d5cb3ee0 https://git.kernel.org/stable/c/081da7b1c881828244b93b3befb7c18389f696bb https://git.kernel.org/stable/c/43fc0342bac1808fda2b76184e43414727111c6b https://git.kernel.org/stable/c/e7d796fccdc8d17c2d21817ebe4c7bf5bbfe5433 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: set page extent mapped after read_folio in relocate_one_page One of the CI runs triggered the following panic assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 ------------[ cut here ]------------ kernel BUG at fs/btrfs/subpage.c:229! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1 pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : btrfs_subpage_assert+0xbc/0xf0 lr : btrfs_subpage_assert+0xbc/0xf0 sp : ffff800093213720 x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000 x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880 x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028 x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000 x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8 x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f Call trace: btrfs_subpage_assert+0xbc/0xf0 btrfs_subpage_set_dirty+0x38/0xa0 btrfs_page_set_dirty+0x58/0x88 relocate_one_page+0x204/0x5f0 relocate_file_extent_cluster+0x11c/0x180 relocate_data_extent+0xd0/0xf8 relocate_block_group+0x3d0/0x4e8 btrfs_relocate_block_group+0x2d8/0x490 btrfs_relocate_chunk+0x54/0x1a8 btrfs_balance+0x7f4/0x1150 btrfs_ioctl+0x10f0/0x20b8 __arm64_sys_ioctl+0x120/0x11d8 invoke_syscall.constprop.0+0x80/0xd8 do_el0_svc+0x6c/0x158 el0_svc+0x50/0x1b0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x194/0x198 Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000) This is the same problem outlined in 17b17fcd6d44 (“btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand”), and the fix is the same. I originally looked for the same pattern elsewhere in our code, but mistakenly skipped over this code because I saw the page cache readahead before we set_page_extent_mapped, not realizing that this was only in the !page case, that we can still end up with a !uptodate page and then do the btrfs_read_folio further down. The fix here is the same as the above mentioned patch, move the set_page_extent_mapped call to after the btrfs_read_folio() block to make sure that we have the subpage blocksize stuff setup properly before using the page. | 2025-12-30 | not yet calculated | CVE-2023-54253 | https://git.kernel.org/stable/c/08daa38ca212d87f77beae839bc9be71079c7abf https://git.kernel.org/stable/c/9d1e020ed9649cf140fcfafd052cfdcce9e9d67d https://git.kernel.org/stable/c/e7f1326cc24e22b38afc3acd328480a1183f9e79 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don’t leak a resource on eviction error On eviction errors other than -EMULTIHOP we were leaking a resource. Fix. v2: - Avoid yet another goto (Andi Shyti) | 2025-12-30 | not yet calculated | CVE-2023-54254 | https://git.kernel.org/stable/c/7738335d73d0686ec8995e0448e5d1b48cffb2a4 https://git.kernel.org/stable/c/e9c44738cb1f537b177cc1beabcf6913690460cd https://git.kernel.org/stable/c/6aea0032380bbb1efebd598ad733d16925167921 https://git.kernel.org/stable/c/e8188c461ee015ba0b9ab2fc82dbd5ebca5a5532 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: sh: dma: Fix DMA channel offset calculation Various SoCs of the SH3, SH4 and SH4A family, which use this driver, feature a differing number of DMA channels, which can be distributed between up to two DMAC modules. The existing implementation fails to correctly accommodate for all those variations, resulting in wrong channel offset calculations and leading to kernel panics. Rewrite dma_base_addr() in order to properly calculate channel offsets in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that the correct DMAC module base is selected for the DMAOR register. | 2025-12-30 | not yet calculated | CVE-2023-54255 | https://git.kernel.org/stable/c/bca700b48c72f4ffeee977a2ed0eb4a6b4b7b8ad https://git.kernel.org/stable/c/479380acfa63247b5ac62476138f847aefc62692 https://git.kernel.org/stable/c/4989627157735c1f1619f08e5bc1592418e7c878 https://git.kernel.org/stable/c/d1c946552af299f4fa85bf7da15e328123771128 https://git.kernel.org/stable/c/196f6c71905aa384c0177acf194a1144d480333b https://git.kernel.org/stable/c/8fb11fa4805699c6b73a9c8a9d45807f9874abe3 https://git.kernel.org/stable/c/e9e33faea104381bac80ac79328f0540fc2969f2 https://git.kernel.org/stable/c/e82e47584847129a20b8c9f4a1dcde09374fb0e0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: macb: fix a memory corruption in extended buffer descriptor mode For quite some time we were chasing a bug which looked like a sudden permanent failure of networking and mmc on some of our devices. The bug was very sensitive to any software changes and even more to any kernel debug options. Finally we got a setup where the problem was reproducible with CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma: [ 16.992082] ------------[ cut here ]------------ [ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes] [ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900 [ 17.018977] Modules linked in: xxxxx [ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28 [ 17.045345] Hardware name: xxxxx [ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO) [ 17.054322] pc : check_unmap+0x6a0/0x900 [ 17.058243] lr : check_unmap+0x6a0/0x900 [ 17.062163] sp : ffffffc010003c40 [ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c [ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800 [ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8 [ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750 [ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000 [ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010 [ 17.097343] x17: 0000000000000000 x16: 0000000000000000 [ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720 [ 17.107959] x13: 0720072007200720 x12: 0720072007200720 [ 17.113261] x11: 0720072007200720 x10: 0720072007200720 [ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d [ 17.123869] x7 : 0000000000000015 x6 : 0000000000000098 [ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000 [ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370 [ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000 [ 17.145082] Call trace: [ 17.147524] check_unmap+0x6a0/0x900 [ 17.151091] debug_dma_unmap_page+0x88/0x90 [ 17.155266] gem_rx+0x114/0x2f0 [ 17.158396] macb_poll+0x58/0x100 [ 17.161705] net_rx_action+0x118/0x400 [ 17.165445] __do_softirq+0x138/0x36c [ 17.169100] irq_exit+0x98/0xc0 [ 17.172234] __handle_domain_irq+0x64/0xc0 [ 17.176320] gic_handle_irq+0x5c/0xc0 [ 17.179974] el1_irq+0xb8/0x140 [ 17.183109] xiic_process+0x5c/0xe30 [ 17.186677] irq_thread_fn+0x28/0x90 [ 17.190244] irq_thread+0x208/0x2a0 [ 17.193724] kthread+0x130/0x140 [ 17.196945] ret_from_fork+0x10/0x20 [ 17.200510] ---[ end trace 7240980785f81d6f ]--- [ 237.021490] ------------[ cut here ]------------ [ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b [ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240 [ 237.041802] Modules linked in: xxxxx [ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28 [ 237.068941] Hardware name: xxxxx [ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO) [ 237.077900] pc : add_dma_entry+0x214/0x240 [ 237.081986] lr : add_dma_entry+0x214/0x240 [ 237.086072] sp : ffffffc010003c30 [ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00 [ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0 [ 237.099987] x25: 0000000000000002 x24: 0000000000000000 [ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00 [ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600 [ 237.115897] x19: 00000000ffffffef x18: 0000000000000010 [ 237.121201] x17: 0000000000000000 x16: 0000000000000000 [ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720 [ 237.131807] x13: 0720072007200720 x12: 0720072007200720 [ 237.137111] x11: 0720072007200720 x10: 0720072007200720 [ 237.142415] x9 : 0720072007200720 x8 : 0000000000000259 [ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000 [ 237.15302 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54257 | https://git.kernel.org/stable/c/dd7a49a3eaf723a01b2fdf153f98450a82b0b0fe https://git.kernel.org/stable/c/82e626af24683e01211abe66cec27a387f8f17c9 https://git.kernel.org/stable/c/7169d1638824c4bf7e0fe0baad381ddec861fa70 https://git.kernel.org/stable/c/1bec9da233f779e7b6954ee07ad7e6d8f2a4dd83 https://git.kernel.org/stable/c/7ccc58a1a75601c936069d4a0741940623990ade https://git.kernel.org/stable/c/9412a9bf5952cdf5d0f736cc1e8c68fd366c2d47 https://git.kernel.org/stable/c/5dcf3a6843d0d7cc76960fbe8511d425f217744c https://git.kernel.org/stable/c/e8b74453555872851bdd7ea43a7c0ec39659834f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential oops in cifs_oplock_break With deferred close we can have closes that race with lease breaks, and so with the current checks for whether to send the lease response, oplock_response(), this can mean that an unmount (kill_sb) can occur just before we were checking if the tcon->ses is valid. See below: [Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs] [Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39 [Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206 [Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009 [Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188 [Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900 [Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138 [Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000 [Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000 [Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0 [Fri Aug 4 04:12:50 2023] Call Trace: [Fri Aug 4 04:12:50 2023] <TASK> [Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0 [Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0 [Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0 [Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150 [Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50 [Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30 [Fri Aug 4 04:12:50 2023] </TASK> To fix this change the ordering of the checks before sending the oplock_response to first check if the openFileList is empty. | 2025-12-30 | not yet calculated | CVE-2023-54258 | https://git.kernel.org/stable/c/b99f490ea87ebcca3a429fd8837067feb56a4c7c https://git.kernel.org/stable/c/5ee28bcfbaacf289eb25c662a2862542ea6ce6a7 https://git.kernel.org/stable/c/6b67a6d2e50634fe127e656147c81915955e9f5e https://git.kernel.org/stable/c/e8f5f849ffce24490eb9449e98312b66c0dba76f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: soundwire: bus: Fix unbalanced pm_runtime_put() causing usage count underflow This reverts commit 443a98e649b4 (“soundwire: bus: use pm_runtime_resume_and_get()”) Change calls to pm_runtime_resume_and_get() back to pm_runtime_get_sync(). This fixes a usage count underrun caused by doing a pm_runtime_put() even though pm_runtime_resume_and_get() returned an error. The three affected functions ignore -EACCES error from trying to get pm_runtime, and carry on, including a put at the end of the function. But pm_runtime_resume_and_get() does not increment the usage count if it returns an error. So in the -EACCES case you must not call pm_runtime_put(). The documentation for pm_runtime_get_sync() says: “Consider using pm_runtime_resume_and_get() … as this is likely to result in cleaner code.” In this case I don’t think it results in cleaner code because the pm_runtime_put() at the end of the function would have to be conditional on the return value from pm_runtime_resume_and_get() at the top of the function. pm_runtime_get_sync() doesn’t have this problem because it always increments the count, so always needs a put. The code can just flow through and do the pm_runtime_put() unconditionally. | 2025-12-30 | not yet calculated | CVE-2023-54259 | https://git.kernel.org/stable/c/4e5e9da139c007dfc397a159093b4c4187ee67fa https://git.kernel.org/stable/c/203aa4374c433159f163acde2d0bd4118f23bbaf https://git.kernel.org/stable/c/e9537962519e88969f5f69cd0571eb4f6984403c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix lost destroy smbd connection when MR allocate failed If the MR allocate failed, the smb direct connection info is NULL, then smbd_destroy() will directly return, then the connection info will be leaked. Let’s set the smb direct connection info to the server before calling smbd_destroy(). | 2025-12-30 | not yet calculated | CVE-2023-54260 | https://git.kernel.org/stable/c/d303e25887127364a6765eaf7ac68aa2bac518a9 https://git.kernel.org/stable/c/324c0c34fff1affd436e509325cb46739209704e https://git.kernel.org/stable/c/caac205e0d5b44c4c23a10c6c0976d50ebe16ac2 https://git.kernel.org/stable/c/46cd6c639cddba2bd2d810ceb16bb20374ad75b0 https://git.kernel.org/stable/c/c51ae01104b318bf15f3c5097faba5c72addba7a https://git.kernel.org/stable/c/04b7e13b8a13264282f874db5378fc3d3253cfac https://git.kernel.org/stable/c/e9d3401d95d62a9531082cd2453ed42f2740e3fd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Add missing gfx11 MQD manager callbacks mqd_stride function was introduced in commit 2f77b9a242a2 (“drm/amdkfd: Update MQD management on multi XCC setup”) but not assigned for gfx11. Fixes a NULL dereference in debugfs. | 2025-12-30 | not yet calculated | CVE-2023-54261 | https://git.kernel.org/stable/c/399b73d6b7720a9eae68a333193b53ed4f432fe5 https://git.kernel.org/stable/c/e9dca969b2426702a73719ab9207e43c6d80b581 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don’t clone flow post action attributes second time The code already clones post action attributes in mlx5e_clone_flow_attr_for_post_act(). Creating another copy in mlx5e_tc_post_act_add() is an erroneous leftover from the original implementation. Instead, assign handle->attribute to post_attr provided by the caller. Note that cloning the attribute a second time is not just wasteful but also causes issues like the second copy not being properly updated in neigh update code, which leads to the following use-after-free: Feb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_free_info+0x2a/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: ____kasan_slab_free+0x11a/0x1b0 Feb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22) Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22 Feb 21 09:02:00 c-237-177-40-045 kernel: Call Trace: Feb 21 09:02:00 c-237-177-40-045 kernel: <TASK> Feb 21 09:02:00 c-237-177-40-045 kernel: dump_stack_lvl+0x57/0x7d Feb 21 09:02:00 c-237-177-40-045 kernel: print_report+0x170/0x471 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: ? __module_address.part.0+0x62/0x200 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: ? __raw_spin_lock_init+0x3b/0x110 Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: add_rule_fg+0xe80/0x19c0 [mlx5_core] — Feb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476: Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90 Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: post_process_attr+0x305/0xa30 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core] — Feb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833: Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_s —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54262 | https://git.kernel.org/stable/c/c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf https://git.kernel.org/stable/c/8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8 https://git.kernel.org/stable/c/2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e https://git.kernel.org/stable/c/e9fce818fe003b6c527f25517b9ac08eb4661b5d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP Fixes OOPS on boards with ANX9805 DP encoders. | 2025-12-30 | not yet calculated | CVE-2023-54263 | https://git.kernel.org/stable/c/92d48ce21645267c574268678131cd2b648dad0f https://git.kernel.org/stable/c/ea293f823a8805735d9e00124df81a8f448ed1ae |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/sysv: Null check to prevent null-ptr-deref bug sb_getblk(inode->i_sb, parent) may return a null ptr, and taking a lock on that leads to the null-ptr-deref bug. | 2025-12-30 | not yet calculated | CVE-2023-54264 | https://git.kernel.org/stable/c/e976988bc245ec3768cc0f76bed7d05488a7dd0f https://git.kernel.org/stable/c/baa60c66a310c50785289b0ede6fdce8ec3219c7 https://git.kernel.org/stable/c/0a44ceba77c3267f8505dda102a59367dc24caee https://git.kernel.org/stable/c/7f740bc696d4617f8ee44565e8ac0d36278a1e91 https://git.kernel.org/stable/c/afd9a31b5aa4b3747f382d44a7b03b7b5d0b7635 https://git.kernel.org/stable/c/1416eebaad80bdc85ad9f97f27242011b031e2a9 https://git.kernel.org/stable/c/e28f376dd8dfcc4e880ac101184132bc08703f6e https://git.kernel.org/stable/c/ea2b62f305893992156a798f665847e0663c9f41 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix an uninit variable access bug in __ip6_make_skb() Syzbot reported a bug as following: ===================================================== BUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] BUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] BUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] BUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 ip6_finish_skb include/net/ipv6.h:1122 [inline] ip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987 rawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579 rawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922 inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 __sys_sendmsg net/socket.c:2559 [inline] __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook mm/slab.h:766 [inline] slab_alloc_node mm/slub.c:3452 [inline] __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491 __do_kmalloc_node mm/slab_common.c:967 [inline] __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988 kmalloc_reserve net/core/skbuff.c:492 [inline] __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565 alloc_skb include/linux/skbuff.h:1270 [inline] __ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684 ip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854 rawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915 inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 __sys_sendmsg net/socket.c:2559 [inline] __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd This is because the icmp6hdr is not in the skb linear region in the SOCK_RAW socket scenario. Accessing icmp6_hdr(skb)->icmp6_type directly will trigger the uninit variable access bug. Use a local variable icmp6_type to carry the correct value in the different scenarios. | 2025-12-30 | not yet calculated | CVE-2023-54265 | https://git.kernel.org/stable/c/165370522cc48127da564a08584a7391e6341908 https://git.kernel.org/stable/c/f394f690a30a5ec0413c62777a058eaf3d6e10d5 https://git.kernel.org/stable/c/0cf600ca1bdf1d52df977516ee6cee0cadb1f6b1 https://git.kernel.org/stable/c/605b056d63302ae84eb136e88d4df49124bd5e0d https://git.kernel.org/stable/c/d65ff2fe877c471aa6e79efa7bd8ff66e147c317 https://git.kernel.org/stable/c/2c9cefc142c1dc2759e19a92d3b2b3715e985beb https://git.kernel.org/stable/c/02ed5700f40445af02d1c97db25ffc2d04971d9f https://git.kernel.org/stable/c/ea30388baebcce37fd594d425a65037ca35e59e8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() ‘read’ is freed when it is known to be NULL, but not when a read error occurs. Revert the logic to avoid a small leak, should a m920x_read() call fail. | 2025-12-30 | not yet calculated | CVE-2023-54266 | https://git.kernel.org/stable/c/809623fedc31f4e74039d93bb75a8993635d7534 https://git.kernel.org/stable/c/c0178e938f110cdf6937f26975c0c951dbb1d9db https://git.kernel.org/stable/c/75d6ef197c488cd852493b4a419274e3489da79d https://git.kernel.org/stable/c/d13a84874a2e0236c9325b3adc8e126d0888ad6b https://git.kernel.org/stable/c/7ca7cd02114ac8caa6b0a64734b9af6be1559353 https://git.kernel.org/stable/c/2b6e20ef0585a467c24c7e4fde28518e5b33225a https://git.kernel.org/stable/c/4feed3dfca722c6d74865a37cab853c58e6aa190 https://git.kernel.org/stable/c/2cc9f11aeae2887a4db25c27323fc445f4b49e86 https://git.kernel.org/stable/c/ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT lppaca_shared_proc() takes a pointer to the lppaca which is typically accessed through get_lppaca(). With DEBUG_PREEMPT enabled, this leads to checking if preemption is enabled, for example: BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693 caller is lparcfg_data+0x408/0x19a0 CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2 Call Trace: dump_stack_lvl+0x154/0x200 (unreliable) check_preemption_disabled+0x214/0x220 lparcfg_data+0x408/0x19a0 … This isn’t actually a problem however, as it does not matter which lppaca is accessed, the shared proc state will be the same. vcpudispatch_stats_procfs_init() already works around this by disabling preemption, but the lparcfg code does not, erroring any time /proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled. Instead of disabling preemption on the caller side, rework lppaca_shared_proc() to not take a pointer and instead directly access the lppaca, bypassing any potential preemption checks. [mpe: Rework to avoid needing a definition in paca.h and lppaca.h] | 2025-12-30 | not yet calculated | CVE-2023-54267 | https://git.kernel.org/stable/c/953c54dfdc5d3eb7243ed902b50acb5ea1db4355 https://git.kernel.org/stable/c/2935443dc9c28499223d8c881474259e4b998f2a https://git.kernel.org/stable/c/4c8568cf4c45b415854195c8832b557cdefba57a https://git.kernel.org/stable/c/3c5e8e666794d7dde6d14ea846c6c04f2bb34900 https://git.kernel.org/stable/c/f45ee5c074013a0fbfce77a5af5efddb01f5d4f4 https://git.kernel.org/stable/c/eac030b22ea12cdfcbb2e941c21c03964403c63f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: debugobjects: Don’t wake up kswapd from fill_pool() syzbot is reporting a lockdep warning in fill_pool() because the allocation from debugobjects is using GFP_ATOMIC, which is (__GFP_HIGH | __GFP_KSWAPD_RECLAIM) and therefore tries to wake up kswapd, which acquires kswapd_wait::lock. Since fill_pool() might be called with arbitrary locks held, fill_pool() should not assume that acquiring kswapd_wait::lock is safe. Use __GFP_HIGH instead and remove __GFP_NORETRY as it is pointless for !__GFP_DIRECT_RECLAIM allocation. | 2025-12-30 | not yet calculated | CVE-2023-54268 | https://git.kernel.org/stable/c/be646802b3dc408c4dc72a3ac32c3f4a0282414d https://git.kernel.org/stable/c/fd673079749bac97bb30f1461df079e6c8e86511 https://git.kernel.org/stable/c/aee97eec77029270866c704f66cdf2881cbd2fe1 https://git.kernel.org/stable/c/d7fff52c99d52f180d8bef95d8ed8fec6343889c https://git.kernel.org/stable/c/4c088d30a72d9b8f9c6ae9362222942e4075cb00 https://git.kernel.org/stable/c/eb799279fb1f9c63c520fe8c1c41cb9154252db6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: double free xprt_ctxt while still in use When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out of the svc_rqst into the svc_deferred_req. When the deferred request is revisited, the pointer is copied into the new svc_rqst – and also remains in the svc_deferred_req. In the (rare?) case that the request is deferred a second time, the old svc_deferred_req is reused – it still has all the correct content. However in that case the rq_xprt_ctxt pointer is NOT cleared, so that when xpo_release_xprt is called, the ctxt is freed (UDP) or possibly added to a free list (RDMA). When the deferred request is revisited for a second time, it will reference this ctxt which may be invalid, and then free the object a second time, which is likely to oops. So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that the value is now stored in the svc_deferred_req. | 2025-12-30 | not yet calculated | CVE-2023-54269 | https://git.kernel.org/stable/c/7851771789e87108a92697194105ef0c9307dc5e https://git.kernel.org/stable/c/fd86534872f445f54dc01e7db001e25eadf063a8 https://git.kernel.org/stable/c/e0c648627322a4c7e018e5c7f837c3c03e297dbb https://git.kernel.org/stable/c/eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: usb: siano: Fix use after free bugs caused by do_submit_urb There are UAF bugs caused by do_submit_urb(). One of the KASan reports is shown below: [ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 [ 36.408316] [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.416157] Workqueue: 0x0 (events) [ 36.417654] Call Trace: [ 36.418546] <TASK> [ 36.419320] dump_stack_lvl+0x96/0xd0 [ 36.420522] print_address_description+0x75/0x350 [ 36.421992] print_report+0x11b/0x250 [ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 [ 36.424806] ? __virt_addr_valid+0xcf/0x170 [ 36.426069] ? worker_thread+0x4a2/0x890 [ 36.427355] kasan_report+0x131/0x160 [ 36.428556] ? worker_thread+0x4a2/0x890 [ 36.430053] worker_thread+0x4a2/0x890 [ 36.431297] ? worker_clr_flags+0x90/0x90 [ 36.432479] kthread+0x166/0x190 [ 36.433493] ? kthread_blkcg+0x50/0x50 [ 36.434669] ret_from_fork+0x22/0x30 [ 36.435923] </TASK> [ 36.436684] [ 36.437215] Allocated by task 24: [ 36.438289] kasan_set_track+0x50/0x80 [ 36.439436] __kasan_kmalloc+0x89/0xa0 [ 36.440566] smsusb_probe+0x374/0xc90 [ 36.441920] usb_probe_interface+0x2d1/0x4c0 [ 36.443253] really_probe+0x1d5/0x580 [ 36.444539] __driver_probe_device+0xe3/0x130 [ 36.446085] driver_probe_device+0x49/0x220 [ 36.447423] __device_attach_driver+0x19e/0x1b0 [ 36.448931] bus_for_each_drv+0xcb/0x110 [ 36.450217] __device_attach+0x132/0x1f0 [ 36.451470] bus_probe_device+0x59/0xf0 [ 36.452563] device_add+0x4ec/0x7b0 [ 36.453830] usb_set_configuration+0xc63/0xe10 [ 36.455230] usb_generic_driver_probe+0x3b/0x80 [ 36.456166] printk: console [ttyGS0] disabled [ 36.456569] usb_probe_device+0x90/0x110 [ 36.459523] really_probe+0x1d5/0x580 [ 36.461027] __driver_probe_device+0xe3/0x130 [ 36.462465] driver_probe_device+0x49/0x220 [ 36.463847] __device_attach_driver+0x19e/0x1b0 [ 36.465229] bus_for_each_drv+0xcb/0x110 [ 36.466466] __device_attach+0x132/0x1f0 [ 36.467799] bus_probe_device+0x59/0xf0 [ 36.469010] device_add+0x4ec/0x7b0 [ 36.470125] usb_new_device+0x863/0xa00 [ 36.471374] hub_event+0x18c7/0x2220 [ 36.472746] process_one_work+0x34c/0x5b0 [ 36.474041] worker_thread+0x4b7/0x890 [ 36.475216] kthread+0x166/0x190 [ 36.476267] ret_from_fork+0x22/0x30 [ 36.477447] [ 36.478160] Freed by task 24: [ 36.479239] kasan_set_track+0x50/0x80 [ 36.480512] kasan_save_free_info+0x2b/0x40 [ 36.481808] ____kasan_slab_free+0x122/0x1a0 [ 36.483173] __kmem_cache_free+0xc4/0x200 [ 36.484563] smsusb_term_device+0xcd/0xf0 [ 36.485896] smsusb_probe+0xc85/0xc90 [ 36.486976] usb_probe_interface+0x2d1/0x4c0 [ 36.488303] really_probe+0x1d5/0x580 [ 36.489498] __driver_probe_device+0xe3/0x130 [ 36.491140] driver_probe_device+0x49/0x220 [ 36.492475] __device_attach_driver+0x19e/0x1b0 [ 36.493988] bus_for_each_drv+0xcb/0x110 [ 36.495171] __device_attach+0x132/0x1f0 [ 36.496617] bus_probe_device+0x59/0xf0 [ 36.497875] device_add+0x4ec/0x7b0 [ 36.498972] usb_set_configuration+0xc63/0xe10 [ 36.500264] usb_generic_driver_probe+0x3b/0x80 [ 36.501740] usb_probe_device+0x90/0x110 [ 36.503084] really_probe+0x1d5/0x580 [ 36.504241] __driver_probe_device+0xe3/0x130 [ 36.505548] driver_probe_device+0x49/0x220 [ 36.506766] __device_attach_driver+0x19e/0x1b0 [ 36.508368] bus_for_each_drv+0xcb/0x110 [ 36.509646] __device_attach+0x132/0x1f0 [ 36.510911] bus_probe_device+0x59/0xf0 [ 36.512103] device_add+0x4ec/0x7b0 [ 36.513215] usb_new_device+0x863/0xa00 [ 36.514736] hub_event+0x18c7/0x2220 [ 36.516130] process_one_work+ —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54270 | https://git.kernel.org/stable/c/c379272ea9c2ee36f0a1327b0fb8889c975093f7 https://git.kernel.org/stable/c/1477b00ff582970df110fc9e15a5e2021acb9222 https://git.kernel.org/stable/c/a41bb59eff7a58a6772f84a5b70ad7ec26dad074 https://git.kernel.org/stable/c/42f8ba8355682f6c4125b75503cac0cef4ac91d3 https://git.kernel.org/stable/c/114f768e7314ca9e1fdbebe11267c4403e89e7f2 https://git.kernel.org/stable/c/479796534a450fd44189080d51bebefa3b42c6fc https://git.kernel.org/stable/c/19aadf0eb70edae7180285dbb9bfa237d1ddb34d https://git.kernel.org/stable/c/ebad8e731c1c06adf04621d6fd327b860c0861b5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init blk-iocost sometimes causes the following crash: BUG: kernel NULL pointer dereference, address: 00000000000000e0 … RIP: 0010:_raw_spin_lock+0x17/0x30 Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00 RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001 RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0 RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003 R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000 R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600 FS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0 Call Trace: <TASK> ioc_weight_write+0x13d/0x410 cgroup_file_write+0x7a/0x130 kernfs_fop_write_iter+0xf5/0x170 vfs_write+0x298/0x370 ksys_write+0x5f/0xb0 __x64_sys_write+0x1b/0x20 do_syscall_64+0x3d/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This happens because iocg->ioc is NULL. The field is initialized by ioc_pd_init() and never cleared. The NULL deref is caused by blkcg_activate_policy() installing blkg_policy_data before initializing it. blkcg_activate_policy() was doing the following: 1. Allocate pd’s for all existing blkg’s and install them in blkg->pd[]. 2. Initialize all pd’s. 3. Online all pd’s. blkcg_activate_policy() only grabs the queue_lock and may release and re-acquire the lock as allocation may need to sleep. ioc_weight_write() grabs blkcg->lock and iterates all its blkg’s. The two can race, and if ioc_weight_write() runs during #1 or between #1 and #2, it can encounter a pd which is not initialized yet, leading to a crash. The crash can be reproduced with the following script: #!/bin/bash echo +io > /sys/fs/cgroup/cgroup.subtree_control systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct echo 100 > /sys/fs/cgroup/system.slice/io.weight bash -c "echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos" & sleep .2 echo 100 > /sys/fs/cgroup/system.slice/io.weight with the following patch applied: > diff –git a/block/blk-cgroup.c b/block/blk-cgroup.c > index fc49be622e05..38d671d5e10c 100644 > — a/block/blk-cgroup.c > +++ b/block/blk-cgroup.c > @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol) > pd->online = false; > } > > + if (system_state == SYSTEM_RUNNING) { > + spin_unlock_irq(&q->queue_lock); > + ssleep(1); > + spin_lock_irq(&q->queue_lock); > + } > + > /* all allocated, init in the same order */ > if (pol->pd_init_fn) > list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) I don’t see a reason why all pd’s should be allocated, initialized and onlined together. The only ordering requirement is that parent blkgs are initialized and onlined before children, which is guaranteed by the walking order. Let’s fix the bug by allocating, initializing and onlining pd for each blkg and holding blkcg->lock over initialization and onlining. This ensures that an installed blkg is always fully initialized and onlined, removing the race window. | 2025-12-30 | not yet calculated | CVE-2023-54271 | https://git.kernel.org/stable/c/e39ef7880d1057b2ebcdb013405f4d84a257db23 https://git.kernel.org/stable/c/7d63c6f9765339dcfc34b7365ced7c518012e4fe https://git.kernel.org/stable/c/ec14a87ee1999b19d8b7ed0fa95fea80644624ae |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a possible null-pointer dereference in ni_clear() In a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode() could be NULL, and thus a NULL check is added for this variable. However, in the same call stack, ni->mi.mrec can be also dereferenced in ni_clear(): ntfs_evict_inode(inode) ni_write_inode(inode, …) ni = ntfs_i(inode); is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit ni_clear(ntfs_i(inode)) is_rec_inuse(ni->mi.mrec) -> No check Thus, a possible null-pointer dereference may exist in ni_clear(). To fix it, a NULL check is added in this function. | 2025-12-30 | not yet calculated | CVE-2023-54272 | https://git.kernel.org/stable/c/20f9bfc664d6a478f9a5bbc0c380f80f7a1a06c6 https://git.kernel.org/stable/c/39c6312009574ca73865354133ca222e7753a71b https://git.kernel.org/stable/c/e7675f85a92233136c630000a0b7cf97826705da https://git.kernel.org/stable/c/ec275bf9693d19cc0fdce8436f4c425ced86f6e7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix leak of dev tracker At the stage of direction checks, the netdev reference tracker is already initialized, but released with wrong *_put() call. | 2025-12-30 | not yet calculated | CVE-2023-54273 | https://git.kernel.org/stable/c/7d16c515059b3746f2d6a24a74c3ba786a68c2a1 https://git.kernel.org/stable/c/ec8f32ad9a65a8cbb465b69e154aaec9d2fe45c4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Add a check for valid ‘mad_agent’ pointer When unregistering MAD agent, srpt module has a non-null check for ‘mad_agent’ pointer before invoking ib_unregister_mad_agent(). This check can pass if ‘mad_agent’ variable holds an error value. The ‘mad_agent’ can have an error value for a short window when srpt_add_one() and srpt_remove_one() are executed simultaneously. In srpt module, added a valid pointer check for ‘sport->mad_agent’ before unregistering MAD agent. This issue can hit when RoCE driver unregisters ib_device Stack Trace: ———— BUG: kernel NULL pointer dereference, address: 000000000000004d PGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020 Workqueue: bnxt_re bnxt_re_task [bnxt_re] RIP: 0010:_raw_spin_lock_irqsave+0x19/0x40 Call Trace: ib_unregister_mad_agent+0x46/0x2f0 [ib_core] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready ? __schedule+0x20b/0x560 srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt] srpt_remove_one+0x20/0x150 [ib_srpt] remove_client_context+0x88/0xd0 [ib_core] bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex disable_device+0x8a/0x160 [ib_core] bond0: active interface up! ? kernfs_name_hash+0x12/0x80 (NULL device *): Bonding Info Received: rdev: 000000006c0b8247 __ib_unregister_device+0x42/0xb0 [ib_core] (NULL device *): Master: mode: 4 num_slaves:2 ib_unregister_device+0x22/0x30 [ib_core] (NULL device *): Slave: id: 105069936 name:p2p1 link:0 state:0 bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re] bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re] | 2025-12-30 | not yet calculated | CVE-2023-54274 | https://git.kernel.org/stable/c/8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe https://git.kernel.org/stable/c/00cc21e32ea1b8ebbabf5d645da9378d986bf8ba https://git.kernel.org/stable/c/4323aaedeba32076e652aad056afd7885bb96bb7 https://git.kernel.org/stable/c/5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9 https://git.kernel.org/stable/c/b713623bfef8cb1df9c769a3887fa10db63d1c54 https://git.kernel.org/stable/c/eca5cd9474cd26d62f9756f536e2e656d3f62f3a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup crypto_alloc_shash() allocates resources, which should be released by crypto_free_shash(). When ath11k_peer_find() fails, there is a memory leak. Add the missing crypto_free_shash() to fix this. | 2025-12-30 | not yet calculated | CVE-2023-54275 | https://git.kernel.org/stable/c/137963e3b95776f1d57c62f249a93fe47e019a22 https://git.kernel.org/stable/c/53c8a256e5d3f31d80186de03a3d2a7f747b2aa0 https://git.kernel.org/stable/c/e596b36e15a7158b0bb2d55077b6b381ee41020c https://git.kernel.org/stable/c/64a78ec4f4579798d8e885aca9bdd707bca6b16b https://git.kernel.org/stable/c/ed3f83b3459a67a3ab9d806490ac304b567b1c2d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Commit f5f9d4a314da (“nfsd: move reply cache initialization into nfsd startup”) moved the initialization of the reply cache into nfsd startup, but didn’t account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down. This is a regression and a user-triggerable oops in the right situation: – non-x86_64 arch – /proc/fs/nfsd is mounted in the namespace – nfsd is not started in the namespace – unprivileged user calls “cat /proc/fs/nfsd/reply_cache_stats” Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing. Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time. Kudos to Eirik who did most of the legwork to track this down. | 2025-12-30 | not yet calculated | CVE-2023-54276 | https://git.kernel.org/stable/c/3025d489f9c8984d1bf5916c4a20097ed80fca5c https://git.kernel.org/stable/c/8549384d0f65981761fe2077d04fa2a8d37b54e0 https://git.kernel.org/stable/c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566 https://git.kernel.org/stable/c/768c408594b52d8531e1a8ab62e5620c19213e73 https://git.kernel.org/stable/c/ed9ab7346e908496816cffdecd46932035f66e2e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: Fix endpoint check The syzbot fuzzer detected a problem in the udlfb driver, caused by an endpoint not having the expected type: usb 1-1: Read EDID byte 0 failed: -71 usb 1-1: Unable to get valid EDID from device/display ————[ cut here ]———— usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 … Call Trace: <TASK> dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315 dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111 dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743 The current approach for this issue failed to catch the problem because it only checks for the existence of a bulk-OUT endpoint; it doesn’t check whether this endpoint is the one that the driver will actually use. We can fix the problem by instead checking that the endpoint used by the driver does exist and is bulk-OUT. | 2025-12-30 | not yet calculated | CVE-2023-54277 | https://git.kernel.org/stable/c/1522dc58bff87af79461b96d90ec122e9e726004 https://git.kernel.org/stable/c/58ecc165abdaed85447455e6dc396758e8c6f219 https://git.kernel.org/stable/c/9e12c58a5ece41be72157cef348576b135c9fc72 https://git.kernel.org/stable/c/c8fdf7feca77cd99e25ef0a1e9e72dfc83add8ef https://git.kernel.org/stable/c/e19383e5dee5adbf3d19f3f210f440a88d1b7dde https://git.kernel.org/stable/c/ed9de4ed39875706607fb08118a58344ae6c5f42 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: s390/vmem: split pages when debug pagealloc is enabled Since commit bb1520d581a3 (“s390/mm: start kernel with DAT enabled”) the kernel crashes early during boot when debug pagealloc is enabled: mem auto-init: stack:off, heap alloc:off, heap free:off addressing exception: 0005 ilc:2 [#1] SMP DEBUG_PAGEALLOC Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc3-09759-gc5666c912155 #630 [..] Krnl Code: 00000000001325f6: ec5600248064 cgrj %r5,%r6,8,000000000013263e 00000000001325fc: eb880002000c srlg %r8,%r8,2 #0000000000132602: b2210051 ipte %r5,%r1,%r0,0 >0000000000132606: b90400d1 lgr %r13,%r1 000000000013260a: 41605008 la %r6,8(%r5) 000000000013260e: a7db1000 aghi %r13,4096 0000000000132612: b221006d ipte %r6,%r13,%r0,0 0000000000132616: e3d0d0000171 lay %r13,4096(%r13) Call Trace: __kernel_map_pages+0x14e/0x320 __free_pages_ok+0x23a/0x5a8) free_low_memory_core_early+0x214/0x2c8 memblock_free_all+0x28/0x58 mem_init+0xb6/0x228 mm_core_init+0xb6/0x3b0 start_kernel+0x1d2/0x5a8 startup_continue+0x36/0x40 Kernel panic – not syncing: Fatal exception: panic_on_oops This is caused by using large mappings on machines with EDAT1/EDAT2. Add the code to split the mappings into 4k pages if debug pagealloc is enabled by CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT or the debug_pagealloc kernel command line option. | 2025-12-30 | not yet calculated | CVE-2023-54278 | https://git.kernel.org/stable/c/601e467e29a960f7ab7ec4075afc6a68c3532a65 https://git.kernel.org/stable/c/edc1e4b6e26536868ef819a735e04a5b32c10589 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: fw: Allow firmware to pass a empty env fw_getenv will use the env entry to determine the style of env; however, it is legal for firmware to just pass an empty list. Check if the first entry exists before running strchr to avoid a null pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54279 | https://git.kernel.org/stable/c/f334b31625683418aaa2a335470eec950a95a254 https://git.kernel.org/stable/c/830181ddced5a05a711dc9da8043203b1f33a77e https://git.kernel.org/stable/c/0f91290774c798199ba4b8df93de5c3156b5163d https://git.kernel.org/stable/c/47e61cadc7a5f3dffd42d2d6fda81be163f1ab82 https://git.kernel.org/stable/c/3ef93b7bd9e042db240843f24a80e14da38c6830 https://git.kernel.org/stable/c/a6b54af407873227caef6262e992f5422cdcb6ae https://git.kernel.org/stable/c/ad79828f133e98585ab2236cad04a55eb7141bbe https://git.kernel.org/stable/c/aeed787bbbbe1b842beec9a065a36c915226f704 https://git.kernel.org/stable/c/ee1809ed7bc456a72dc8410b475b73021a3a68d5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential race when tree connecting ipc Protect access of TCP_Server_Info::hostname when building the ipc tree name as it might get freed in the cifsd thread, thus causing a use-after-free bug in __tree_connect_dfs_target(). Also, while at it, update the status of the IPC tcon on success and then avoid any extra tree connects. | 2025-12-30 | not yet calculated | CVE-2023-54280 | https://git.kernel.org/stable/c/536ec71ba060a02fabe8e22cecb82fe7b3a8708b https://git.kernel.org/stable/c/553476df55a111e6a66ad9155256aec0ec1b7ad0 https://git.kernel.org/stable/c/ee20d7c6100752eaf2409d783f4f1449c29ea33d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before inode lookup during the ino lookup ioctl During the ino lookup ioctl we can end up calling btrfs_iget() to get an inode reference while we are holding on a root's btree. If btrfs_iget() needs to lookup the inode from the root's btree, because it's not currently loaded in memory, then it will need to lock another or the same path in the same root btree. This may result in a deadlock and trigger the following lockdep splat: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted ------------------------------------------------------ syz-executor277/5012 is trying to acquire lock: ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 but task is already holding lock: ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302 btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955 btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline] btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338 btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline] open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494 btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154 btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 fc_mount fs/namespace.c:1112 [inline] vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142 btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> #0 (btrfs-tree-01){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline] btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281 btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline] btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412 btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline] btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716 btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline] btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105 btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54281 | https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6 https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014 https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413 https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: tuners: qt1010: replace BUG_ON with a regular error BUG_ON is unnecessary here, and in addition it confuses smatch. Replacing this with an error return helps resolve this smatch warning: drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34 | 2025-12-30 | not yet calculated | CVE-2023-54282 | https://git.kernel.org/stable/c/6cae780862d221106626b2b5fb21a197f398c6ec https://git.kernel.org/stable/c/f844bc3a47d8d1c55a4a9cfca38c538e9df7e678 https://git.kernel.org/stable/c/641e60223971e95472a2a9646b1e7f94d441de45 https://git.kernel.org/stable/c/2ae53dd15eef90d34fc084b5b2305a67bb675a26 https://git.kernel.org/stable/c/48bb6a9fa5cb150ac2a22b3c779c96bc0ed21071 https://git.kernel.org/stable/c/257092cb544c7843376b3e161f789e666ef06c98 https://git.kernel.org/stable/c/1a6bf53fffe0b7ebe2a0f402b44f14f90cffd164 https://git.kernel.org/stable/c/ee630b29ea44d1851bb6c903f400956604834463 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Address KCSAN report on bpf_lru_list KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READ_ONCE() and WRITE_ONCE() pattern instead of data_race(). There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). This patch also adds bpf_lru_node_clear_ref() to do the WRITE_ONCE(node->ref, 0) also. ================================================================== BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: __bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] __bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] __bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] __htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] __htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x01 -> 0x00 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 ================================================================== | 2025-12-30 | not yet calculated | CVE-2023-54283 | https://git.kernel.org/stable/c/6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90 https://git.kernel.org/stable/c/a89d14410ea0352420f03cddc67e0002dcc8f9a5 https://git.kernel.org/stable/c/e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5 https://git.kernel.org/stable/c/b6d9a4062c944ad095b34dc112bf646a84156f60 https://git.kernel.org/stable/c/819ca25444b377935faa2dbb0aa3547519b5c80f https://git.kernel.org/stable/c/c006fe361cfd947f51a56793deddf891e5cbfef8 https://git.kernel.org/stable/c/6e5e83b56f50fbd1c8f7dca7df7d72c67be25571 https://git.kernel.org/stable/c/ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: av7110: prevent underflow in write_ts_to_decoder() The buf[4] value comes from the user via ts_play(). It is a value in the u8 range. The final length we pass to av7110_ipack_instant_repack() is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is not negative. It's not clear that passing a negative len value does anything bad necessarily, but it's not best practice. With the new bounds checking the "if (!len)" condition is no longer possible or required so remove that. | 2025-12-30 | not yet calculated | CVE-2023-54284 | https://git.kernel.org/stable/c/6680af5be9f08d830567e9118f76d3e64684db8f https://git.kernel.org/stable/c/6606e2404ee9e20a3ae5b42fc3660d41b739ed3e https://git.kernel.org/stable/c/620b983589e0223876bf1463b01100a9c67b56ba https://git.kernel.org/stable/c/86ba65e5357bfbb6c082f68b265a292ee1bdde1d https://git.kernel.org/stable/c/ca4ce92e3ec9fd3c7c936b912b95c53331d5159c https://git.kernel.org/stable/c/423350af9e27f005611bd881b1df2cab66de943d https://git.kernel.org/stable/c/77eeb4732135c18c2fdfab80839645b393f3e774 https://git.kernel.org/stable/c/7b93ab60fe9ed04be0ff155bc30ad39dea23e22b https://git.kernel.org/stable/c/eed9496a0501357aa326ddd6b71408189ed872eb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: Fix possible overflow condition in iomap_write_delalloc_scan folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly. | 2025-12-30 | not yet calculated | CVE-2023-54285 | https://git.kernel.org/stable/c/5c281b0c5d18c8eeb1cfd5023f4adb153e6d1240 https://git.kernel.org/stable/c/eee2d2e6ea5550118170dbd5bb1316ceb38455fb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace A received TKIP key may be up to 32 bytes because it may contain MIC rx/tx keys too. These are not used by iwl and copying these over overflows the iwl_keyinfo.key field. Add a check to not copy more data to iwl_keyinfo.key than will fit. This fixes backtraces like this one: memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16) WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm] <snip> Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017 RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm] <snip> Call Trace: <TASK> iwl_set_dynamic_key+0x1f0/0x220 [iwldvm] iwlagn_mac_set_key+0x1e4/0x280 [iwldvm] drv_set_key+0xa4/0x1b0 [mac80211] ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211] ieee80211_key_replace+0x22d/0x8e0 [mac80211] <snip> | 2025-12-30 | not yet calculated | CVE-2023-54286 | https://git.kernel.org/stable/c/76b5ea43ad2fb4f726ddfaff839430a706e7d7c2 https://git.kernel.org/stable/c/3ed3c1c2fc3482b72e755820261779cd2e2c5a3e https://git.kernel.org/stable/c/fa57021262e998e2229d6383b1081638df2fe238 https://git.kernel.org/stable/c/91ad1ab3cc7e981cb6d6ee100686baed64e1277e https://git.kernel.org/stable/c/87940e4030e4705e1f3fd2bbb1854eae8308314b https://git.kernel.org/stable/c/57189c885149825be8eb8c3524b5af017fdeb941 https://git.kernel.org/stable/c/6cd644f66b43709816561d63e0173cb0c7aab159 https://git.kernel.org/stable/c/ef16799640865f937719f0771c93be5dca18adc6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: imx: disable Ageing Timer interrupt request irq There may be a pending USR interrupt before requesting the irq; however, uart_add_one_port has not executed, so there will be a kernel panic: [ 0.795668] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 0.802701] Mem abort info: [ 0.805367] ESR = 0x0000000096000004 [ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.814033] SET = 0, FnV = 0 [ 0.816950] EA = 0, S1PTW = 0 [ 0.819950] FSC = 0x04: level 0 translation fault [ 0.824617] Data abort info: [ 0.827367] ISV = 0, ISS = 0x00000004 [ 0.831033] CM = 0, WnR = 0 [ 0.833866] [0000000000000080] user address but active_mm is swapper [ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.845953] Modules linked in: [ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1 [ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT) [ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0 [ 0.872283] lr : imx_uart_int+0xf8/0x1ec The issue only happens in the inmate linux when the Jailhouse hypervisor is enabled. The test procedure is: while true; do jailhouse enable imx8mp.cell jailhouse cell linux xxxx sleep 10 jailhouse cell destroy 1 jailhouse disable sleep 5 done And during the above test, press keys on the 2nd linux console. When `jailhouse cell destroy 1` runs, the 2nd linux has no chance to put the uart into a quiesced state, so USR1/2 may have pending interrupts. Then when `jailhouse cell linux xx` starts the 2nd linux again, the issue triggers. In order to disable irqs before requesting them, both UCR1 and UCR2 irqs should be disabled, so fix that here: disable the Ageing Timer interrupt in UCR2 as is done for UCR1. | 2025-12-30 | not yet calculated | CVE-2023-54287 | https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4 https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3 https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001 https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fortify the spinlock against deadlock by interrupt In the function ieee80211_tx_dequeue() there is a particular locking sequence: begin: spin_lock(&local->queue_stop_reason_lock); q_stopped = local->queue_stop_reasons[q]; spin_unlock(&local->queue_stop_reason_lock); However small the chance (increased by ftracetest), an asynchronous interrupt can occur between spin_lock() and spin_unlock(), and the interrupt routine will attempt to lock the same &local->queue_stop_reason_lock again. This will cause a costly reset of the CPU and the wifi device or an altogether hang in the single CPU and single core scenario. The only remaining spin_lock(&local->queue_stop_reason_lock) that did not disable interrupts was patched, which should prevent any deadlocks on the same CPU/core and the same wifi device. This is the probable trace of the deadlock: kernel: ================================ kernel: WARNING: inconsistent lock state kernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W kernel: -------------------------------- kernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. kernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes: kernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40 kernel: {IN-SOFTIRQ-W} state was registered at: kernel: lock_acquire+0xc7/0x2d0 kernel: _raw_spin_lock+0x36/0x50 kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211] kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm] kernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm] kernel: ieee80211_queue_skb+0x450/0x730 [mac80211] kernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211] kernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211] kernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211] kernel: dev_hard_start_xmit+0xb5/0x260 kernel: __dev_queue_xmit+0xdbe/0x1200 kernel: neigh_resolve_output+0x166/0x260 kernel: ip_finish_output2+0x216/0xb80 kernel: __ip_finish_output+0x2a4/0x4d0 kernel: ip_finish_output+0x2d/0xd0 kernel: ip_output+0x82/0x2b0 kernel: ip_local_out+0xec/0x110 kernel: igmpv3_sendpack+0x5c/0x90 kernel: igmp_ifc_timer_expire+0x26e/0x4e0 kernel: call_timer_fn+0xa5/0x230 kernel: run_timer_softirq+0x27f/0x550 kernel: __do_softirq+0xb4/0x3a4 kernel: irq_exit_rcu+0x9b/0xc0 kernel: sysvec_apic_timer_interrupt+0x80/0xa0 kernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30 kernel: _raw_spin_unlock_irqrestore+0x3f/0x70 kernel: free_to_partial_list+0x3d6/0x590 kernel: __slab_free+0x1b7/0x310 kernel: kmem_cache_free+0x52d/0x550 kernel: putname+0x5d/0x70 kernel: do_sys_openat2+0x1d7/0x310 kernel: do_sys_open+0x51/0x80 kernel: __x64_sys_openat+0x24/0x30 kernel: do_syscall_64+0x5c/0x90 kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc kernel: irq event stamp: 5120729 kernel: hardirqs last enabled at (5120729): [<ffffffff9d149936>] trace_graph_return+0xd6/0x120 kernel: hardirqs last disabled at (5120728): [<ffffffff9d149950>] trace_graph_return+0xf0/0x120 kernel: softirqs last enabled at (5069900): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40 kernel: softirqs last disabled at (5067555): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40 kernel: other info that might help us debug this: kernel: Possible unsafe locking scenario: kernel: CPU0 kernel: ---- kernel: lock(&local->queue_stop_reason_lock); kernel: <Interrupt> kernel: lock(&local->queue_stop_reason_lock); kernel: *** DEADLOCK *** kernel: 8 locks held by kworker/5:0/25656: kernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530 kernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530 kernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 kernel: #3: ffff9d619 —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54288 | https://git.kernel.org/stable/c/c79d794a2cd76eca47b2491c5030be9a6418c5d6 https://git.kernel.org/stable/c/6df3eafa31b3ee4f0cba601ca857019964355034 https://git.kernel.org/stable/c/ef6e1997da63ad0ac3fe33153fec9524c9ae56c9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix NULL dereference in error handling Smatch reported: drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues() warn: missing unwind goto? At this point in the function, nothing has been allocated so we can return directly. In particular the “qedf->global_queues” have not been allocated so calling qedf_free_global_queues() will lead to a NULL dereference when we check if (!gl[i]) and “gl” is NULL. | 2025-12-30 | not yet calculated | CVE-2023-54289 | https://git.kernel.org/stable/c/961c8370c5f7e80a267680476e1bcff34bffe71a https://git.kernel.org/stable/c/ac64019e4d4b08c23edb117e0b2590985e33de1d https://git.kernel.org/stable/c/b1de5105d29b145b727b797e2d5de071ab3a7ca1 https://git.kernel.org/stable/c/c316bde418af4c2a9df51149ed01d1bd8ca5bebf https://git.kernel.org/stable/c/08c001c1e9444a3046c79a99aa93ac48073b18cc https://git.kernel.org/stable/c/271c9b2eb60149afbeab28cb39e52f73bde9900c https://git.kernel.org/stable/c/f025312b089474a54e4859f3453771314d9e3d4f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vduse: fix NULL pointer dereference vduse_vdpa_set_vq_affinity callback can be called with NULL value as cpu_mask when deleting the vduse device. This patch resets virtqueue's IRQ affinity mask value to set all CPUs instead of dereferencing NULL cpu_mask. [ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 4760.959110] #PF: supervisor read access in kernel mode [ 4760.964247] #PF: error_code(0x0000) - not-present page [ 4760.969385] PGD 0 P4D 0 [ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI [ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4 [ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020 [ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130 [ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66 [ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246 [ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400 [ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898 [ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000 [ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000 [ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10 [ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000 [ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0 [ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4761.088909] PKRU: 55555554 [ 4761.091620] Call Trace: [ 4761.094074] <TASK> [ 4761.096180] ? __die+0x1f/0x70 [ 4761.099238] ? page_fault_oops+0x171/0x4f0 [ 4761.103340] ? exc_page_fault+0x7b/0x180 [ 4761.107265] ? asm_exc_page_fault+0x22/0x30 [ 4761.111460] ? memcpy_orig+0xc5/0x130 [ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse] [ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net] [ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net] [ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net] [ 4761.136580] virtio_dev_remove+0x3a/0x90 [ 4761.140509] device_release_driver_internal+0x19b/0x200 [ 4761.145742] bus_remove_device+0xc2/0x130 [ 4761.149755] device_del+0x158/0x3e0 [ 4761.153245] ? kernfs_find_ns+0x35/0xc0 [ 4761.157086] device_unregister+0x13/0x60 [ 4761.161010] unregister_virtio_device+0x11/0x20 [ 4761.165543] device_release_driver_internal+0x19b/0x200 [ 4761.170770] bus_remove_device+0xc2/0x130 [ 4761.174782] device_del+0x158/0x3e0 [ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa] [ 4761.183336] device_unregister+0x13/0x60 [ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa] | 2025-12-30 | not yet calculated | CVE-2023-54291 | https://git.kernel.org/stable/c/f9d46429de2a251e1e4962e1bf86c344d6336562 https://git.kernel.org/stable/c/f06cf1e1a503169280467d12d2ec89bf2c30ace7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP request done KCSAN detects a data race on cqp_request->request_done memory location which is accessed locklessly in irdma_handle_cqp_op while being updated in irdma_cqp_ce_handler. Annotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any compiler optimizations like load fusing and/or KCSAN warning. [222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma] [222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5: [222808.417610] irdma_cqp_ce_handler+0x21e/0x270 [irdma] [222808.417725] cqp_compl_worker+0x1b/0x20 [irdma] [222808.417827] process_one_work+0x4d1/0xa40 [222808.417835] worker_thread+0x319/0x700 [222808.417842] kthread+0x180/0x1b0 [222808.417852] ret_from_fork+0x22/0x30 [222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1: [222808.417995] irdma_wait_event+0x1e2/0x2c0 [irdma] [222808.418099] irdma_handle_cqp_op+0xae/0x170 [irdma] [222808.418202] irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma] [222808.418308] irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma] [222808.418411] irdma_rt_deinit_hw+0x179/0x1d0 [irdma] [222808.418514] irdma_ib_dealloc_device+0x11/0x40 [irdma] [222808.418618] ib_dealloc_device+0x2a/0x120 [ib_core] [222808.418823] __ib_unregister_device+0xde/0x100 [ib_core] [222808.418981] ib_unregister_device+0x22/0x40 [ib_core] [222808.419142] irdma_ib_unregister_device+0x70/0x90 [irdma] [222808.419248] i40iw_close+0x6f/0xc0 [irdma] [222808.419352] i40e_client_device_unregister+0x14a/0x180 [i40e] [222808.419450] i40iw_remove+0x21/0x30 [irdma] [222808.419554] auxiliary_bus_remove+0x31/0x50 [222808.419563] device_remove+0x69/0xb0 [222808.419572] device_release_driver_internal+0x293/0x360 [222808.419582] driver_detach+0x7c/0xf0 [222808.419592] bus_remove_driver+0x8c/0x150 [222808.419600] driver_unregister+0x45/0x70 [222808.419610] auxiliary_driver_unregister+0x16/0x30 [222808.419618] irdma_exit_module+0x18/0x1e [irdma] [222808.419733] __do_sys_delete_module.constprop.0+0x1e2/0x310 [222808.419745] __x64_sys_delete_module+0x1b/0x30 [222808.419755] do_syscall_64+0x39/0x90 [222808.419763] entry_SYSCALL_64_after_hwframe+0x63/0xcd [222808.419829] value changed: 0x01 -> 0x03 | 2025-12-30 | not yet calculated | CVE-2023-54292 | https://git.kernel.org/stable/c/c5b5dbcbf91f769b8eb25f88e32a1522f920f37a https://git.kernel.org/stable/c/5986e96be7d0b82e50a9c6b019ea3f1926fd8764 https://git.kernel.org/stable/c/b8b90ba636e3861665aef9a3eab5fcf92839a2c5 https://git.kernel.org/stable/c/f0842bb3d38863777e3454da5653d80b5fde6321 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bcache: fixup btree_cache_wait list damage We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)." crash> struct list_head 0xffff9c801bc01210 struct list_head { next = 0xffffae586d8afe68, prev = 0xffffae586d8afe68 } crash> struct list_head 0xffff9c77b688237c struct list_head { next = 0x0, prev = 0x0 } crash> struct list_head 0xffffae586d8afe68 struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback" Cannot access memory at address 0xffffae586d8afe68 [230469.019492] Call Trace: [230469.032041] prepare_to_wait+0x8a/0xb0 [230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache] [230469.056533] mca_cannibalize_lock+0x72/0x90 [escache] [230469.068788] mca_alloc+0x2ae/0x450 [escache] [230469.080790] bch_btree_node_get+0x136/0x2d0 [escache] [230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache] [230469.104382] ? finish_wait+0x80/0x80 [230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache] [230469.127259] kthread+0x112/0x130 [230469.138448] ? kthread_flush_work_fn+0x10/0x10 [230469.149477] ret_from_fork+0x35/0x40 bch_btree_check_thread() and bch_dirty_init_thread() may call mca_cannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btree_cache_wait list. We must call finish_wait() to remove op from btree_cache_wait before freeing its memory. Otherwise, the list will be damaged. It should also call bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake up other waiters. | 2025-12-30 | not yet calculated | CVE-2023-54293 | https://git.kernel.org/stable/c/bcb295778afda4f2feb0d3c0289a53fd43d5a3a6 https://git.kernel.org/stable/c/cbdd5b3322f7bbe6454c97cac994757f1192c07b https://git.kernel.org/stable/c/25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed https://git.kernel.org/stable/c/2882a4c4f0c90e99f37dbd8db369b9982fd613e7 https://git.kernel.org/stable/c/f0854489fc07d2456f7cc71a63f4faf9c716ffbe |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix memleak of md thread In raid10_run(), if setup_conf() succeeds and raid10_run() fails before setting 'mddev->thread', then in the error path 'conf->thread' is not freed. Fix the problem by setting 'mddev->thread' right after setup_conf(). | 2025-12-30 | not yet calculated | CVE-2023-54294 | https://git.kernel.org/stable/c/abf4d67060c8f63caff096e5fca1564bfef1e5d4 https://git.kernel.org/stable/c/3725b35fc0e5e4eea0434ef625f3d92f3059d080 https://git.kernel.org/stable/c/2a65555f7e0f4a05b663879908a991e6d9f81e51 https://git.kernel.org/stable/c/d6cfcf98b824591cffa4c1e9889fb4fa619359fe https://git.kernel.org/stable/c/36ba0c7b86acd9c2ea80a273204d52c21c955471 https://git.kernel.org/stable/c/5d763f708b0f918fb87799e33c25113ae6081216 https://git.kernel.org/stable/c/ec473e82e10d39a02eb59b0b95e546119a3bdb79 https://git.kernel.org/stable/c/f0ddb83da3cbbf8a1f9087a642c448ff52ee9abd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type spi_nor_set_erase_type() was used either to set or to mask out an erase type. When we used it to mask out an erase type a shift-out-of-bounds was hit: UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24 shift exponent 4294967295 is too large for 32-bit type ‘int’ The setting of the size_{shift, mask} and of the opcode are unnecessary when the erase size is zero, as throughout the code just the erase size is considered to determine whether an erase type is supported or not. Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF is an unused opcode. Thus when masking out an erase type, just set the erase size to zero. This will fix the shift-out-of-bounds. [ta: refine changes, new commit message, fix compilation error] | 2025-12-30 | not yet calculated | CVE-2023-54295 | https://git.kernel.org/stable/c/e6409208c13f7c56adc12dd795abf4141e3d5e64 https://git.kernel.org/stable/c/61d44a4db2f54dbac7d22c2541574ea5755e0468 https://git.kernel.org/stable/c/53b2916ebde741c657a857fa1936c0d9fcb59170 https://git.kernel.org/stable/c/99341b8aee7b5b4255b339345bbcaa35867dfd0c https://git.kernel.org/stable/c/f0f0cfdc3a024e21161714f2e05f0df3b84d42ad |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration Fix a goof where KVM tries to grab source vCPUs from the destination VM when doing intrahost migration. Grabbing the wrong vCPU not only hoses the guest, it also crashes the host due to the VMSA pointer being left NULL. BUG: unable to handle page fault for address: ffffe38687000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO 6.5.0-smp--fff2e47e6c3b-next #151 Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023 RIP: 0010:__free_pages+0x15/0xd0 RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100 RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000 RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000 R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> sev_free_vcpu+0xcb/0x110 [kvm_amd] svm_vcpu_free+0x75/0xf0 [kvm_amd] kvm_arch_vcpu_destroy+0x36/0x140 [kvm] kvm_destroy_vcpus+0x67/0x100 [kvm] kvm_arch_destroy_vm+0x161/0x1d0 [kvm] kvm_put_kvm+0x276/0x560 [kvm] kvm_vm_release+0x25/0x30 [kvm] __fput+0x106/0x280 ____fput+0x12/0x20 task_work_run+0x86/0xb0 do_exit+0x2e3/0x9c0 do_group_exit+0xb1/0xc0 __x64_sys_exit_group+0x1b/0x20 do_syscall_64+0x41/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> CR2: ffffe38687000000 | 2025-12-30 | not yet calculated | CVE-2023-54296 | https://git.kernel.org/stable/c/5c18ace750e4d4d58d7da02d1c669bf21c824158 https://git.kernel.org/stable/c/2ee4b180d51b12a45bdd3264629719ef6a572a73 https://git.kernel.org/stable/c/f1187ef24eb8f36e8ad8106d22615ceddeea6097 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix memory leak after finding block group with super blocks At exclude_super_stripes(), if we happen to find a block group that has super blocks mapped to it and we are on a zoned filesystem, we error out as this is not supposed to happen, indicating either a bug or maybe some memory corruption for example. However we are exiting the function without freeing the memory allocated for the logical address of the super blocks. Fix this by freeing the logical address. | 2025-12-30 | not yet calculated | CVE-2023-54297 | https://git.kernel.org/stable/c/ab80a901f8daca07c4a54af0ab0de745c9918294 https://git.kernel.org/stable/c/c35ea606196243063e63785918c7c8fe27c45798 https://git.kernel.org/stable/c/cca627afb463a4b47721eac017516ba200de85c3 https://git.kernel.org/stable/c/f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: thermal: intel: quark_dts: fix error pointer dereference If alloc_soc_dts() fails, then we can just return. Trying to free “soc_dts” will lead to an Oops. | 2025-12-30 | not yet calculated | CVE-2023-54298 | https://git.kernel.org/stable/c/0b366c6a42e2e2bc67af8d1130b68f3bfa31c80e https://git.kernel.org/stable/c/d0178f2788fb1183a5cc350213efdc94010b9147 https://git.kernel.org/stable/c/e23f1d9e6e03d04da2f18e78ab5d4255ffeb1333 https://git.kernel.org/stable/c/f73134231fa23e0856c15010db5f5c03693c1e92 https://git.kernel.org/stable/c/5eaf55b38691291d49417c22e726591078ca1893 https://git.kernel.org/stable/c/69e49f1b53605706bc2203455021539aba2ebe21 https://git.kernel.org/stable/c/24c221b11c2894e1a5f07b93362d9bc91c6d8be7 https://git.kernel.org/stable/c/f1b930e740811d416de4d2074da48b6633a672c8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: bus: verify partner exists in typec_altmode_attention Some usb hubs will negotiate DisplayPort Alt mode with the device but will then negotiate a data role swap after entering the alt mode. The data role swap causes the device to unregister all alt modes, however the usb hub will still send Attention messages even after failing to reregister the Alt Mode. type_altmode_attention currently does not verify whether or not a device’s altmode partner exists, which results in a NULL pointer error when dereferencing the typec_altmode and typec_altmode_ops belonging to the altmode partner. Verify the presence of a device’s altmode partner before sending the Attention message to the Alt Mode driver. | 2025-12-30 | not yet calculated | CVE-2023-54299 | https://git.kernel.org/stable/c/5f71716772b88cbe0e1788f6a38d7871aff2120b https://git.kernel.org/stable/c/38e1f2ee82bacbbfded8f1c06794a443d038d054 https://git.kernel.org/stable/c/0ad6bad31da692f8d7acacab07eabe7586239ae0 https://git.kernel.org/stable/c/0d3b5fe47938e9c451466845304a2bd74e967a80 https://git.kernel.org/stable/c/d49547950bf7f3480d6ca05fe055978e5f0d9e5b https://git.kernel.org/stable/c/1101867a1711c27d8bbe0e83136bec47f8c1ca2a https://git.kernel.org/stable/c/f23643306430f86e2f413ee2b986e0773e79da31 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx For the reasons also described in commit b383e8abed41 (“wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()”), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB. For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() and passed to ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload. Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced. Tested on Qualcomm Atheros Communications AR9271 802.11n . Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-12-30 | not yet calculated | CVE-2023-54300 | https://git.kernel.org/stable/c/0bc12e41af4e3ae1f0efecc377f0514459df0707 https://git.kernel.org/stable/c/28259ce4f1f1f9ab37fa817756c89098213d2fc0 https://git.kernel.org/stable/c/90e3c10177573b8662ac9858abd9bf731d5d98e0 https://git.kernel.org/stable/c/250efb4d3f5b32a115ea6bf25437ba44a1b3c04f https://git.kernel.org/stable/c/ad5425e70789c29b93acafb5bb4629e4eb908296 https://git.kernel.org/stable/c/d1c2ff2bd84c3692c9df267a2b991ce92bfca8ef https://git.kernel.org/stable/c/8ed572e52714593b209e3aa352406aff84481179 https://git.kernel.org/stable/c/75acec91aeaa07375cd5f418069e61b16d39bbad https://git.kernel.org/stable/c/f24292e827088bba8de7158501ac25a59b064953 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: serial: 8250_bcm7271: fix leak in `brcmuart_probe` Smatch reports: drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn: ‘baud_mux_clk’ from clk_prepare_enable() not released on lines: 1032. The issue is fixed by using a managed clock. | 2025-12-30 | not yet calculated | CVE-2023-54301 | https://git.kernel.org/stable/c/5258395e67fee6929fb8e50c8239f8de51b8cb2d https://git.kernel.org/stable/c/2a3e5f428fc4315be6144524912eaefac16f43a9 https://git.kernel.org/stable/c/56a81445b8e4b8906d557518c5dae3ddbb447d1e https://git.kernel.org/stable/c/f264f2f6f4788dc031cef60a0cf2881902736709 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP completion stats CQP completion statistics is read locklessly in irdma_wait_event and irdma_check_cqp_progress while it can be updated in the completion thread irdma_sc_ccq_get_cqe_info on another CPU as KCSAN reports. Make completion statistics an atomic variable to reflect coherent updates to it. This will also avoid load/store tearing logic bug potentially possible by compiler optimizations. [77346.170861] BUG: KCSAN: data-race in irdma_handle_cqp_op [irdma] / irdma_sc_ccq_get_cqe_info [irdma] [77346.171383] write to 0xffff8a3250b108e0 of 8 bytes by task 9544 on cpu 4: [77346.171483] irdma_sc_ccq_get_cqe_info+0x27a/0x370 [irdma] [77346.171658] irdma_cqp_ce_handler+0x164/0x270 [irdma] [77346.171835] cqp_compl_worker+0x1b/0x20 [irdma] [77346.172009] process_one_work+0x4d1/0xa40 [77346.172024] worker_thread+0x319/0x700 [77346.172037] kthread+0x180/0x1b0 [77346.172054] ret_from_fork+0x22/0x30 [77346.172136] read to 0xffff8a3250b108e0 of 8 bytes by task 9838 on cpu 2: [77346.172234] irdma_handle_cqp_op+0xf4/0x4b0 [irdma] [77346.172413] irdma_cqp_aeq_cmd+0x75/0xa0 [irdma] [77346.172592] irdma_create_aeq+0x390/0x45a [irdma] [77346.172769] irdma_rt_init_hw.cold+0x212/0x85d [irdma] [77346.172944] irdma_probe+0x54f/0x620 [irdma] [77346.173122] auxiliary_bus_probe+0x66/0xa0 [77346.173137] really_probe+0x140/0x540 [77346.173154] __driver_probe_device+0xc7/0x220 [77346.173173] driver_probe_device+0x5f/0x140 [77346.173190] __driver_attach+0xf0/0x2c0 [77346.173208] bus_for_each_dev+0xa8/0xf0 [77346.173225] driver_attach+0x29/0x30 [77346.173240] bus_add_driver+0x29c/0x2f0 [77346.173255] driver_register+0x10f/0x1a0 [77346.173272] __auxiliary_driver_register+0xbc/0x140 [77346.173287] irdma_init_module+0x55/0x1000 [irdma] [77346.173460] do_one_initcall+0x7d/0x410 [77346.173475] do_init_module+0x81/0x2c0 [77346.173491] load_module+0x1232/0x12c0 [77346.173506] __do_sys_finit_module+0x101/0x180 [77346.173522] __x64_sys_finit_module+0x3c/0x50 [77346.173538] do_syscall_64+0x39/0x90 [77346.173553] entry_SYSCALL_64_after_hwframe+0x63/0xcd [77346.173634] value changed: 0x0000000000000094 -> 0x0000000000000095 | 2025-12-30 | not yet calculated | CVE-2023-54302 | https://git.kernel.org/stable/c/bf0f9f65b7fe36ea9d2e23263dcefc90255d7b1f https://git.kernel.org/stable/c/4e1a5842a359ee18d5a9e75097d7cf4d93e233bb https://git.kernel.org/stable/c/2623ca92cd8f9668edabe9e4f4a3cf77fd7115f2 https://git.kernel.org/stable/c/f2c3037811381f9149243828c7eb9a1631df9f9c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_perf_event_output The nesting protection in bpf_perf_event_output relies on disabled preemption, which is guaranteed for kprobes and tracepoints. However bpf_perf_event_output can be also called from uprobes context through bpf_prog_run_array_sleepable function which disables migration, but keeps preemption enabled. This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like: kernel tried to execute NX-protected page – exploit attempt? (uid: 0) BUG: unable to handle page fault for address: ffffffff82be3eea … Call Trace: ? __die+0x1f/0x70 ? page_fault_oops+0x176/0x4d0 ? exc_page_fault+0x132/0x230 ? asm_exc_page_fault+0x22/0x30 ? perf_output_sample+0x12b/0x910 ? perf_event_output+0xd0/0x1d0 ? bpf_perf_event_output+0x162/0x1d0 ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87 ? __uprobe_perf_func+0x12b/0x540 ? uprobe_dispatcher+0x2c4/0x430 ? uprobe_notify_resume+0x2da/0xce0 ? atomic_notifier_call_chain+0x7b/0x110 ? exit_to_user_mode_prepare+0x13e/0x290 ? irqentry_exit_to_user_mode+0x5/0x30 ? asm_exc_int3+0x35/0x40 Fixing this by disabling preemption in bpf_perf_event_output. | 2025-12-30 | not yet calculated | CVE-2023-54303 | https://git.kernel.org/stable/c/3654ed5daf492463c3faa434c7000d45c2da2ace https://git.kernel.org/stable/c/a0ac32cf61e5a76e2429e486925a52ee41dd75e3 https://git.kernel.org/stable/c/f2c67a3e60d1071b65848efaa8c3b66c363dd025 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: meson_sm: fix to avoid potential NULL pointer dereference of_match_device() may fail and returns a NULL pointer. Fix this by checking the return value of of_match_device. | 2025-12-30 | not yet calculated | CVE-2023-54304 | https://git.kernel.org/stable/c/fba9c24c196310546f13c77ff66d0741155fa771 https://git.kernel.org/stable/c/9f4017cac70c04090dd4f672e755d6c875af67d8 https://git.kernel.org/stable/c/502dfc5875bab9ae5d6a2939146c2c5e5683be40 https://git.kernel.org/stable/c/bd3a6b6d5dd863dbbe17985c7612159cf4533cad https://git.kernel.org/stable/c/68f3209546b5083f8bffa46f7173cc05191eace1 https://git.kernel.org/stable/c/2d6c4a1a4e6678cb98dd57964f133a995ecc91c1 https://git.kernel.org/stable/c/f2ed165619c16577c02b703a114a1f6b52026df4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: refuse to create ea block when umounted The ea block expansion need to access s_root while it is already set as NULL when umount is triggered. Refuse this request to avoid panic. | 2025-12-30 | not yet calculated | CVE-2023-54305 | https://git.kernel.org/stable/c/aedea161d031502a423ed1c7597754681a4f8cda https://git.kernel.org/stable/c/21f6a80d9234422e2eb445734b22c78fc5bf6719 https://git.kernel.org/stable/c/a92b67e768bde433b9385cde56c09deb58db269e https://git.kernel.org/stable/c/0dc0fa313bb4e86382a3e7125429710d44383196 https://git.kernel.org/stable/c/116008ada3d0de4991099edaf6b8c2e9cd6f225a https://git.kernel.org/stable/c/05cbf6ddd9847c7b4f0662c048f195b09405a9d0 https://git.kernel.org/stable/c/a458a8c1d1fc4e10a1813786132b09a3863ad3f2 https://git.kernel.org/stable/c/f31173c19901a96bb2ebf6bcfec8a08df7095c91 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: tls: avoid hanging tasks on the tx_lock syzbot sent a hung task report and Eric explains that adversarial receiver may keep RWIN at 0 for a long time, so we are not guaranteed to make forward progress. Thread which took tx_lock and went to sleep may not release tx_lock for hours. Use interruptible sleep where possible and reschedule the work if it can’t take the lock. Testing: existing selftest passes | 2025-12-30 | not yet calculated | CVE-2023-54306 | https://git.kernel.org/stable/c/bde541a57b4204d0a800afbbd3d1c06c9cdb133f https://git.kernel.org/stable/c/7123a4337bf73132bbfb5437e4dc83ba864a9a1e https://git.kernel.org/stable/c/be5d5d0637fd88c18ee76024bdb22649a1de00d6 https://git.kernel.org/stable/c/1f800f6aae57d2d8f63d32fff383017cbc11cf65 https://git.kernel.org/stable/c/ccf1ccdc5926907befbe880b562b2a4b5f44c087 https://git.kernel.org/stable/c/f3221361dc85d4de22586ce8441ec2c67b454f5d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ptp_qoriq: fix memory leak in probe() Smatch complains that: drivers/ptp/ptp_qoriq.c ptp_qoriq_probe() warn: ‘base’ from ioremap() not released. Fix this by revising the parameter from ‘ptp_qoriq->base’ to ‘base’. This is only a bug if ptp_qoriq_init() returns on the first -ENODEV error path. For other error paths ptp_qoriq->base and base are the same. And this change makes the code more readable. | 2025-12-30 | not yet calculated | CVE-2023-54307 | https://git.kernel.org/stable/c/46c4993a1514eea3bbc7147d0c81c23cc06c6bed https://git.kernel.org/stable/c/3907fcb5a439933cf8c10d6dc300bc11eba30de3 https://git.kernel.org/stable/c/c0de1a26e6595b0e7969c5b35990a77a2d93104f https://git.kernel.org/stable/c/43b4331ce0cd88ccba425e0702ba35c1a52daccf https://git.kernel.org/stable/c/c960785c8168d0e572101ed921b9be3934ed0bc9 https://git.kernel.org/stable/c/f33642224e38d7e0d59336e10e7b4e370b1c4506 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ymfpci: Create card with device-managed snd_devm_card_new() snd_card_ymfpci_remove() was removed in commit c6e6bb5eab74 (“ALSA: ymfpci: Allocate resources with device-managed APIs”), but the call to snd_card_new() was not replaced with snd_devm_card_new(). Since there was no longer a call to snd_card_free, unloading the module would eventually result in Oops: [697561.532887] BUG: unable to handle page fault for address: ffffffffc0924480 [697561.532893] #PF: supervisor read access in kernel mode [697561.532896] #PF: error_code(0x0000) – not-present page [697561.532899] PGD ae1e15067 P4D ae1e15067 PUD ae1e17067 PMD 11a8f5067 PTE 0 [697561.532905] Oops: 0000 [#1] PREEMPT SMP NOPTI [697561.532909] CPU: 21 PID: 5080 Comm: wireplumber Tainted: G W OE 6.2.7 #1 [697561.532914] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 4408 10/28/2022 [697561.532916] RIP: 0010:try_module_get.part.0+0x1a/0xe0 [697561.532924] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc bf 01 00 00 00 e8 56 3c f8 ff <41> 83 3c 24 02 0f 84 96 00 00 00 41 8b 84 24 30 03 00 00 85 c0 0f [697561.532927] RSP: 0018:ffffbe9b858c3bd8 EFLAGS: 00010246 [697561.532930] RAX: ffff9815d14f1900 RBX: ffff9815c14e6000 RCX: 0000000000000000 [697561.532933] RDX: 0000000000000000 RSI: ffffffffc055092c RDI: ffffffffb3778c1a [697561.532935] RBP: ffffbe9b858c3be8 R08: 0000000000000040 R09: ffff981a1a741380 [697561.532937] R10: ffffbe9b858c3c80 R11: 00000009d56533a6 R12: ffffffffc0924480 [697561.532939] R13: ffff9823439d8500 R14: 0000000000000025 R15: ffff9815cd109f80 [697561.532942] FS: 00007f13084f1f80(0000) GS:ffff9824aef40000(0000) knlGS:0000000000000000 [697561.532945] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [697561.532947] CR2: ffffffffc0924480 CR3: 0000000145344000 CR4: 0000000000350ee0 [697561.532949] Call Trace: [697561.532951] <TASK> [697561.532955] try_module_get+0x13/0x30 [697561.532960] snd_ctl_open+0x61/0x1c0 [snd] [697561.532976] snd_open+0xb4/0x1e0 [snd] [697561.532989] chrdev_open+0xc7/0x240 [697561.532995] ? fsnotify_perm.part.0+0x6e/0x160 [697561.533000] ? __pfx_chrdev_open+0x10/0x10 [697561.533005] do_dentry_open+0x169/0x440 [697561.533009] vfs_open+0x2d/0x40 [697561.533012] path_openat+0xa9d/0x10d0 [697561.533017] ? debug_smp_processor_id+0x17/0x20 [697561.533022] ? trigger_load_balance+0x65/0x370 [697561.533026] do_filp_open+0xb2/0x160 [697561.533032] ? _raw_spin_unlock+0x19/0x40 [697561.533036] ? alloc_fd+0xa9/0x190 [697561.533040] do_sys_openat2+0x9f/0x160 [697561.533044] __x64_sys_openat+0x55/0x90 [697561.533048] do_syscall_64+0x3b/0x90 [697561.533052] entry_SYSCALL_64_after_hwframe+0x72/0xdc [697561.533056] RIP: 0033:0x7f1308a40db4 [697561.533059] Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 46 68 f8 ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 78 68 f8 ff 8b 44 [697561.533062] RSP: 002b:00007ffcce664450 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 [697561.533066] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1308a40db4 [697561.533068] RDX: 0000000000080000 RSI: 00007ffcce664690 RDI: 00000000ffffff9c [697561.533070] RBP: 00007ffcce664690 R08: 0000000000000000 R09: 0000000000000012 [697561.533072] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000 [697561.533074] R13: 00007f13054b069b R14: 0000565209f83200 R15: 0000000000000000 [697561.533078] </TASK> | 2025-12-30 | not yet calculated | CVE-2023-54308 | https://git.kernel.org/stable/c/95642872c466030240199ba796a40771c493ed0c https://git.kernel.org/stable/c/db7d7782677ff998c06997903d5400a0ba91cebb https://git.kernel.org/stable/c/255a81a89501df77379b51a81c7a2e8e7c359bc6 https://git.kernel.org/stable/c/f33fc1576757741479452255132d6e3aaf558ffe |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation /dev/vtpmx is made visible before ‘workqueue’ is initialized, which can lead to a memory corruption in the worst case scenario. Address this by initializing ‘workqueue’ as the very first step of the driver initialization. | 2025-12-30 | not yet calculated | CVE-2023-54309 | https://git.kernel.org/stable/c/509d21f1c4bb9d35d397fca3226165b156a7639f https://git.kernel.org/stable/c/04e8697d26613ccea760cf57eb20a5a27f788c0f https://git.kernel.org/stable/c/86b9820395f226b8f33cbae9599deebf8af1ce72 https://git.kernel.org/stable/c/9ff7fcb3a2ed0e9b895bb5b4c13872d584a8815b https://git.kernel.org/stable/c/e08295290c53a3cf174c236721747a01b9550ae2 https://git.kernel.org/stable/c/99b998fb9d7d2d2d9dbb3e19db2d0ade02f5a604 https://git.kernel.org/stable/c/092db954e2c3c5ba6c0ce990c7da72cf8f3b9c51 https://git.kernel.org/stable/c/f4032d615f90970d6c3ac1d9c0bce3351eb4445c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition mptlan_probe() calls mpt_register_lan_device() which initializes the &priv->post_buckets_task workqueue. A call to mpt_lan_wake_post_buckets_task() will subsequently start the work. During driver unload in mptlan_remove() the following race may occur: CPU0 CPU1 |mpt_lan_post_receive_buckets_work() mptlan_remove() | free_netdev() | kfree(dev); | | | dev->mtu | //use Fix this by finishing the work prior to cleaning up in mptlan_remove(). [mkp: we really should remove mptlan instead of attempting to fix it] | 2025-12-30 | not yet calculated | CVE-2023-54310 | https://git.kernel.org/stable/c/92f869693d84e813895ff4d25363744575515423 https://git.kernel.org/stable/c/60c8645ad6f5b722615383d595d63b62b07a13c3 https://git.kernel.org/stable/c/410e610a96c52a7b41e2ab6c9ca60868d9acecce https://git.kernel.org/stable/c/697f92f8317e538d8409a0c95d6370eb40b34c05 https://git.kernel.org/stable/c/e84282efc87f2414839f6e15c31b4daa34ebaac1 https://git.kernel.org/stable/c/9c6da3b7f12528cd52c458b33496a098b838fcfc https://git.kernel.org/stable/c/48daa4a3015d859ee424948844ce3c12f2fe44e6 https://git.kernel.org/stable/c/f486893288f3e9b171b836f43853a6426515d800 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock when converting an inline directory in nojournal mode In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock by calling ext4_handle_dirty_dirblock() when it already has taken the directory lock. There is a similar self-deadlock in ext4_incvert_inline_data_nolock() for data files which we’ll fix at the same time. A simple reproducer demonstrating the problem: mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64 mount -t ext4 -o dirsync /dev/vdc /vdc cd /vdc mkdir file0 cd file0 touch file0 touch file1 attr -s BurnSpaceInEA -V abcde . touch supercalifragilisticexpialidocious | 2025-12-30 | not yet calculated | CVE-2023-54311 | https://git.kernel.org/stable/c/b4fa4768c9acff77245d672d855d2c88294850b1 https://git.kernel.org/stable/c/5f8b55136ad787aed2c184f7cb3e93772ae637a3 https://git.kernel.org/stable/c/640c8c365999c6f23447ac766437236ad88317c5 https://git.kernel.org/stable/c/665cc3ba50330049524c1d275bc840a8f28dde73 https://git.kernel.org/stable/c/0b1c4357bb21d9770451a1bdb8d419ea10bada88 https://git.kernel.org/stable/c/804de0c72cd473e186ca4e1f6287d45431b14e5a https://git.kernel.org/stable/c/f4ce24f54d9cca4f09a395f3eecce20d6bec4663 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: samples/bpf: Fix buffer overflow in tcp_basertt Using sizeof(nv) or strlen(nv)+1 is correct. | 2025-12-30 | not yet calculated | CVE-2023-54312 | https://git.kernel.org/stable/c/cf7514fedc25675e68b74941df28a883951e70fd https://git.kernel.org/stable/c/f394d204d64095d72ad9f03ff98f3f3743bf743a https://git.kernel.org/stable/c/bd3e880dce27d225598730d2bbb3dc05b443af22 https://git.kernel.org/stable/c/e92f61e0701ea780e57e1be8dbd1fbec5f42c09e https://git.kernel.org/stable/c/56c25f2763a16db4fa1b486e6a21dc246cd992bd https://git.kernel.org/stable/c/dfc004688518d24159606289c74d0c4e123e6436 https://git.kernel.org/stable/c/7c08d1b0d1f75117cf82aeaef49ba9f861b3fb59 https://git.kernel.org/stable/c/f4dea9689c5fea3d07170c2cb0703e216f1a0922 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ovl: fix null pointer dereference in ovl_get_acl_rcu() Following process: P1 P2 path_openat link_path_walk may_lookup inode_permission(rcu) ovl_permission acl_permission_check check_acl get_cached_acl_rcu ovl_get_inode_acl realinode = ovl_inode_real(ovl_inode) drop_cache __dentry_kill(ovl_dentry) iput(ovl_inode) ovl_destroy_inode(ovl_inode) dput(oi->__upperdentry) dentry_kill(upperdentry) dentry_unlink_inode upperdentry->d_inode = NULL ovl_inode_upper upperdentry = ovl_i_dentry_upper(ovl_inode) d_inode(upperdentry) // returns NULL IS_POSIXACL(realinode) // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 205.472797] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted 6.3.0-12064-g2edfa098e750-dirty #1216 [ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300 [ 205.489584] Call Trace: [ 205.489812] <TASK> [ 205.490014] ovl_get_inode_acl+0x26/0x30 [ 205.490466] get_cached_acl_rcu+0x61/0xa0 [ 205.490908] generic_permission+0x1bf/0x4e0 [ 205.491447] ovl_permission+0x79/0x1b0 [ 205.491917] inode_permission+0x15e/0x2c0 [ 205.492425] link_path_walk+0x115/0x550 [ 205.493311] path_lookupat.isra.0+0xb2/0x200 [ 205.493803] filename_lookup+0xda/0x240 [ 205.495747] vfs_fstatat+0x7b/0xb0 Fetch a reproducer in [Link]. Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking. | 2025-12-30 | not yet calculated | CVE-2023-54313 | https://git.kernel.org/stable/c/d97481c7b2739a704848bb3c01f224dc71bdf78e https://git.kernel.org/stable/c/c4a5fb1ae5d3f02d3227afde2b9339994389463d https://git.kernel.org/stable/c/d536af163c53ce9f9bcfe87d2e9946f06f1a7ea4 https://git.kernel.org/stable/c/f4e19e595cc2e76a8a58413eb19d3d9c51328b53 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: af9005: Fix null-ptr-deref in af9005_i2c_xfer In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9005_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a (“media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()”) | 2025-12-30 | not yet calculated | CVE-2023-54314 | https://git.kernel.org/stable/c/98c12abb275b75a98ff62de9466d21e4daa98536 https://git.kernel.org/stable/c/63d962ac7a52c0ff4cd09af2e284dce5e5955dfe https://git.kernel.org/stable/c/0c02eb70b1dd4ae9bb304ce6cdadbc6faba2b2e9 https://git.kernel.org/stable/c/c7e5ac737db25d7387fe517cb5207706782b6cf8 https://git.kernel.org/stable/c/033b0c0780adee32dde218179e9bc51d2525108f https://git.kernel.org/stable/c/abb6fd93e05e80668d2317fe1110bc99b05034c3 https://git.kernel.org/stable/c/e595ff350b2fd600823ee8491df7df693ae4b7c5 https://git.kernel.org/stable/c/f4ee84f27625ce1fdf41e8483fa0561a1b837d10 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/sriov: perform null check on iov before dereferencing iov Currently pointer iov is being dereferenced before the null check of iov which can lead to null pointer dereference errors. Fix this by moving the iov null check before the dereferencing. Detected using cppcheck static analysis: linux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either the condition ‘!iov’ is redundant or there is possible null pointer dereference: iov. [nullPointerRedundantCheck] num_vfs = iov->num_vfs; ^ | 2025-12-30 | not yet calculated | CVE-2023-54315 | https://git.kernel.org/stable/c/07c19c0ad4b07f4b598da369714de028f6a6a323 https://git.kernel.org/stable/c/d3a0d96c16e5f8d55e2c70163abda3c7c8328106 https://git.kernel.org/stable/c/d9a1aaea856002cb58dfb7c8d8770400fa1a0299 https://git.kernel.org/stable/c/6314465b88072a6b6f3b3c12a7898abe09095f95 https://git.kernel.org/stable/c/72990144e17e5e2cb378f1d9b10530b85b9bc382 https://git.kernel.org/stable/c/f4f913c980bc6abe0ccfe88fe3909c125afe4a2d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: refscale: Fix uninitialized use of wait_queue_head_t Running the refscale test occasionally crashes the kernel with the following error: [ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 [ 8569.952900] #PF: supervisor read access in kernel mode [ 8569.952902] #PF: error_code(0x0000) – not-present page [ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 [ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI [ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 [ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190 : [ 8569.952940] Call Trace: [ 8569.952941] <TASK> [ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale] [ 8569.952959] kthread+0x10e/0x130 [ 8569.952966] ret_from_fork+0x1f/0x30 [ 8569.952973] </TASK> The likely cause is that init_waitqueue_head() is called after the call to the torture_create_kthread() function that creates the ref_scale_reader kthread. Although this init_waitqueue_head() call will very likely complete before this kthread is created and starts running, it is possible that the calling kthread will be delayed between the calls to torture_create_kthread() and init_waitqueue_head(). In this case, the new kthread will use the waitqueue head before it is properly initialized, which is not good for the kernel’s health and well-being. The above crash happened here: static inline void __add_wait_queue(…) { : if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here The offset of flags from list_head entry in wait_queue_entry is -0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task structure is zero initialized, the instruction will try to access address 0xffffffffffffffe8, which is exactly the fault address listed above. This commit therefore invokes init_waitqueue_head() before creating the kthread. | 2025-12-30 | not yet calculated | CVE-2023-54316 | https://git.kernel.org/stable/c/066fbd8bc981cf49923bf828b7b4092894df577f https://git.kernel.org/stable/c/ec9d118ad99dc6f1bc674c1e649c25533d89b9ba https://git.kernel.org/stable/c/e0322a255a2242dbe4686b6176b3c83dea490529 https://git.kernel.org/stable/c/e5de968a9032366198720eac4f368ed7e690b3ef https://git.kernel.org/stable/c/70a2856fd1d0a040c876ba9e3f89b949ae92e4dd https://git.kernel.org/stable/c/f5063e8948dad7f31adb007284a5d5038ae31bb8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dm flakey: don’t corrupt the zero page When we need to zero some range on a block device, the function __blkdev_issue_zero_pages submits a write bio with the bio vector pointing to the zero page. If we use dm-flakey with corrupt bio writes option, it will corrupt the content of the zero page which results in crashes of various userspace programs. Glibc assumes that memory returned by mmap is zeroed and it uses it for calloc implementation; if the newly mapped memory is not zeroed, calloc will return non-zeroed memory. Fix this bug by testing if the page is equal to ZERO_PAGE(0) and avoiding the corruption in this case. | 2025-12-30 | not yet calculated | CVE-2023-54317 | https://git.kernel.org/stable/c/b7f8892f672222dbfcc721f51edc03963212b249 https://git.kernel.org/stable/c/98e311be44dbe31ad9c42aa067b2359bac451fda https://git.kernel.org/stable/c/3c4a56ef7c538d16c1738ba0ccea9e7146105b5a https://git.kernel.org/stable/c/f2b478228bfdd11e358c5bc197561331f5d5c394 https://git.kernel.org/stable/c/ff60b2bb680ebcaf8890814dd51084a022891469 https://git.kernel.org/stable/c/be360c83f2d810493c04f999d69ec9152981e0c0 https://git.kernel.org/stable/c/63d31617883d64b43b0e2d529f0751f40713ecae https://git.kernel.org/stable/c/f50714b57aecb6b3dc81d578e295f86d9c73f078 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add While doing smcr_port_add, there maybe linkgroup add into or delete from smc_lgr_list.list at the same time, which may result kernel crash. So, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add. The crash calltrace show below: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014 Workqueue: events smc_ib_port_event_work [smc] RIP: 0010:smcr_port_add+0xa6/0xf0 [smc] RSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297 RAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918 R10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4 R13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08 FS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0 PKRU: 55555554 Call Trace: smc_ib_port_event_work+0x18f/0x380 [smc] process_one_work+0x19b/0x340 worker_thread+0x30/0x370 ? process_one_work+0x340/0x340 kthread+0x114/0x130 ? __kthread_cancel_work+0x50/0x50 ret_from_fork+0x1f/0x30 | 2025-12-30 | not yet calculated | CVE-2023-54318 | https://git.kernel.org/stable/c/d1c6c93c27a4bf48006ab16cd9b38d85559d7645 https://git.kernel.org/stable/c/06b4934ab2b534bb92935c7601852066ebb9eab8 https://git.kernel.org/stable/c/70c8d17007dc4a07156b7da44509527990e569b3 https://git.kernel.org/stable/c/b717463610a27fc0b58484cfead7a623d5913e61 https://git.kernel.org/stable/c/f5146e3ef0a9eea405874b36178c19a4863b8989 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91-pio4: check return value of devm_kasprintf() devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Depends-on: 1c4e5c470a56 (“pinctrl: at91: use devm_kasprintf() to avoid potential leaks”) Depends-on: 5a8f9cf269e8 (“pinctrl: at91-pio4: use proper format specifier for unsigned int”) | 2025-12-30 | not yet calculated | CVE-2023-54319 | https://git.kernel.org/stable/c/8d788f2ba830d6d32499b198c526d577c590eedf https://git.kernel.org/stable/c/3e8ce1d5a1a9d758b359e5c426543957f35991f8 https://git.kernel.org/stable/c/aa3932eb07392d626486428e2ffddc660658e22a https://git.kernel.org/stable/c/f3c7b95c9991dab02e616fc251b6c3516e0bd0ac https://git.kernel.org/stable/c/0a95dd17a73b7603818ad7c46c99d757232be331 https://git.kernel.org/stable/c/0af388fce352ed2ab383fd5d1a08db551ca15c38 https://git.kernel.org/stable/c/5bfd577cc728270d6cd7af6c652a1e7661f25487 https://git.kernel.org/stable/c/8a1fa202f47f39680a4305af744f499a324f8a03 https://git.kernel.org/stable/c/f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2() Function amd_pmc_stb_debugfs_open_v2() may be called when the STB debug mechanism enabled. When amd_pmc_send_cmd() fails, the ‘buf’ needs to be released. | 2025-12-30 | not yet calculated | CVE-2023-54320 | https://git.kernel.org/stable/c/d804adef7b23b22bb82e1b3dd113e9073cea9bc1 https://git.kernel.org/stable/c/f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential null-ptr-deref in device_add() I got the following null-ptr-deref report while doing fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+ RIP: 0010:klist_put+0x2d/0xd0 Call Trace: <TASK> klist_remove+0xf1/0x1c0 device_release_driver_internal+0x196/0x210 bus_remove_device+0x1bd/0x240 device_add+0xd3d/0x1100 w1_add_master_device+0x476/0x490 [wire] ds2482_probe+0x303/0x3e0 [ds2482] This is how it happened: w1_alloc_dev() // The dev->driver is set to w1_master_driver. memcpy(&dev->dev, device, sizeof(struct device)); device_add() bus_add_device() dpm_sysfs_add() // It fails, calls bus_remove_device. // error path bus_remove_device() // The dev->driver is not null, but driver is not bound. __device_release_driver() klist_remove(&dev->p->knode_driver) <– It causes null-ptr-deref. // normal path bus_probe_device() // It’s not called yet. device_bind_driver() If dev->driver is set, in the error path after calling bus_add_device() in device_add(), bus_remove_device() is called, then the device will be detached from driver. But device_bind_driver() is not called yet, so it causes null-ptr-deref while access the ‘knode_driver’. To fix this, set dev->driver to null in the error path before calling bus_remove_device(). | 2025-12-30 | not yet calculated | CVE-2023-54321 | https://git.kernel.org/stable/c/2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3 https://git.kernel.org/stable/c/7cf515bf9e8c2908dc170ecf2df117162a16c9c5 https://git.kernel.org/stable/c/17982304806c5c10924e73f7ca5556e0d7378452 https://git.kernel.org/stable/c/f6837f34a34973ef6600c08195ed300e24e97317 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: set __exception_irq_entry with __irq_entry as a default filter_irq_stacks() is supposed to cut entries which are related to irq entries from its call stack. And in_irqentry_text(), which is called by filter_irq_stacks(), uses the __irqentry_text_start/end symbols to find irq entries in the callstack. But it doesn’t work correctly because, without “CONFIG_FUNCTION_GRAPH_TRACER”, the arm64 kernel doesn’t include gic_handle_irq, which is the entry point of arm64 irq handling, between __irqentry_text_start and __irqentry_text_end, as discussed in the link below. https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t This problem can make unintentionally deep call stack entries, especially in KASAN-enabled situations, as below. [ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity [ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c [ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=–) [ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c [ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c [ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 [ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 [ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd [ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 [ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 [ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 [ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 [ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 [ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 [ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c [ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 [ 2479.386231]I[0:launcher-loader: 1719] Call trace: [ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c [ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 [ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 [ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 [ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 [ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 [ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c [ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 [ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 [ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 [ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 [ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c [ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 [ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 [ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c [ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 [ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 [ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 [ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c [ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304 [ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 [ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 [ 2479.386833]I —truncated— | 2025-12-30 | not yet calculated | CVE-2023-54322 | https://git.kernel.org/stable/c/c71d6934c6ac40a97146a410e0320768c7b1bb3c https://git.kernel.org/stable/c/0bd309f22663f3ee749bea0b6d70642c31a1c0a5 https://git.kernel.org/stable/c/d3b219e504fc5c5a25fa7c04c8589ff34baef9a8 https://git.kernel.org/stable/c/f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cxl/pmem: Fix nvdimm registration races A loop of the form: while true; do modprobe cxl_pci; modprobe -r cxl_pci; done …fails with the following crash signature: BUG: kernel NULL pointer dereference, address: 0000000000000040 [..] RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core] [..] Call Trace: <TASK> cxl_pmem_ctl+0x121/0x240 [cxl_pmem] nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm] nd_label_data_init+0x135/0x7e0 [libnvdimm] nvdimm_probe+0xd6/0x1c0 [libnvdimm] nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm] really_probe+0xde/0x380 __driver_probe_device+0x78/0x170 driver_probe_device+0x1f/0x90 __device_attach_driver+0x85/0x110 bus_for_each_drv+0x7d/0xc0 __device_attach+0xb4/0x1e0 bus_probe_device+0x9f/0xc0 device_add+0x445/0x9c0 nd_async_device_register+0xe/0x40 [libnvdimm] async_run_entry_fn+0x30/0x130 …namely that the bottom half of async nvdimm device registration runs after the CXL has already torn down the context that cxl_pmem_ctl() needs. Unlike the ACPI NFIT case that benefits from launching multiple nvdimm device registrations in parallel from those listed in the table, CXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a synchronous registration path to preclude this scenario. | 2025-12-30 | not yet calculated | CVE-2023-54323 | https://git.kernel.org/stable/c/a371788d4f4a7f59eecd22644331d599979fd283 https://git.kernel.org/stable/c/18c65667fa9104780eeaa0dc1bc240f0c2094772 https://git.kernel.org/stable/c/f57aec443c24d2e8e1f3b5b4856aea12ddda4254 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dm: fix a race condition in retrieve_deps There’s a race condition in the multipath target when retrieve_deps races with multipath_message calling dm_get_device and dm_put_device. retrieve_deps walks the list of open devices without holding any lock but multipath may add or remove devices to the list while it is running. The end result may be memory corruption or use-after-free memory access. See this description of a UAF with multipath_message(): https://listman.redhat.com/archives/dm-devel/2022-October/052373.html Fix this bug by introducing a new rw semaphore “devices_lock”. We grab devices_lock for read in retrieve_deps and we grab it for write in dm_get_device and dm_put_device. | 2025-12-30 | not yet calculated | CVE-2023-54324 | https://git.kernel.org/stable/c/dbf1a719850577bb51fc7512a3972994b797a17b https://git.kernel.org/stable/c/38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf https://git.kernel.org/stable/c/f6007dce0cd35d634d9be91ef3515a6385dcee16 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: qat – fix out-of-bounds read When preparing an AES-CTR request, the driver copies the key provided by the user into a data structure that is accessible by the firmware. If the target device is QAT GEN4, the key size is rounded up by 16 since a rounded up size is expected by the device. If the key size is rounded up before the copy, the size used for copying the key might be bigger than the size of the region containing the key, causing an out-of-bounds read. Fix by doing the copy first and then updating the keylen. This is to fix the following warning reported by KASAN: [ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340 [ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45 [ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022 [ 138.150663] Call Trace: [ 138.150668] <TASK> [ 138.150922] kasan_check_range+0x13a/0x1c0 [ 138.150931] memcpy+0x1f/0x60 [ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat] [ 138.151073] crypto_skcipher_setkey+0x82/0x160 [ 138.151085] ? prepare_keybuf+0xa2/0xd0 [ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800 | 2025-12-30 | not yet calculated | CVE-2023-54325 | https://git.kernel.org/stable/c/7697139d5dfd491f4c495a914a1dd68f6e827a0f https://git.kernel.org/stable/c/dc3809f390357c8992f0a23083da934a20fef9af https://git.kernel.org/stable/c/2b1501f058245573a3aa6bf234d205dde1196184 https://git.kernel.org/stable/c/f6044cc3030e139f60c281386f28bda6e3049d66 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Free IRQs before removing the device In pci_endpoint_test_remove(), freeing the IRQs after removing the device creates a small race window for IRQs to be received with the test device memory already released, causing the IRQ handler to access invalid memory, resulting in an oops. Free the device IRQs before removing the device to avoid this issue. | 2025-12-30 | not yet calculated | CVE-2023-54326 | https://git.kernel.org/stable/c/fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7 https://git.kernel.org/stable/c/dd2210379205fcd23a9d8869b0cef90e3770577c https://git.kernel.org/stable/c/cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521 https://git.kernel.org/stable/c/14bdee38e96c7d37ca15e7bea50411eee25fe315 https://git.kernel.org/stable/c/c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55 https://git.kernel.org/stable/c/38d12bcf4e2ce3d285eb29644a79a54f42040fab https://git.kernel.org/stable/c/f61b7634a3249d12b9daa36ffbdb9965b6f24c6c |
| pmmp–PocketMine-MP | PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player’s hotbar, triggering a server crash and resulting in denial of service. | 2025-12-31 | not yet calculated | CVE-2023-7332 | https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv https://github.com/pmmp/PocketMine-MP/commit/5897476 https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash |
| Vvvebjs–givanz | A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from improper handling of user-supplied URLs in the “file_get_contents” function within the “save.php” file. | 2025-12-29 | not yet calculated | CVE-2024-25181 | https://gist.github.com/joaoviictorti/69cbae23d98fb9a1a4b3eee0c305c7de |
| Vvvebjs–givanz | givanz VvvebJs 1.7.2 suffers from a File Upload vulnerability via save.php. | 2025-12-29 | not yet calculated | CVE-2024-25182 | https://gist.github.com/joaoviictorti/ff6220d8ed6df77a0420f4413a1d9b8d |
| Vvvebjs–givanz | givanz VvvebJs 1.7.2 is vulnerable to Directory Traversal via scan.php. | 2025-12-29 | not yet calculated | CVE-2024-25183 | https://gist.github.com/joaoviictorti/db387ef5ea3d35482c5ad4598d945b2f |
| Vvvebjs–givanz | givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload. | 2025-12-29 | not yet calculated | CVE-2024-27480 | https://gist.github.com/joaoviictorti/abb2d1929c29d09c13c60bb45f28a8ff |
| DedeCMS–Dede | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php. | 2025-12-29 | not yet calculated | CVE-2024-30855 | https://github.com/Limingqian123/cms/blob/main/1.md https://gist.github.com/Limingqian123/e90a1b86c02bd83d4ab07c08cad9a629 |
| REDCap–REDCap | REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts. | 2026-01-02 | not yet calculated | CVE-2024-55374 | http://redcap.com https://github.com/T3slaa/CVE-2024-55374 |
| feast-dev–feast-dev/feast | A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(…, Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage. | 2026-01-01 | not yet calculated | CVE-2025-11157 | https://huntr.com/bounties/46d4d585-b968-4a76-80ce-872bc5525564 https://github.com/feast-dev/feast/commit/b2e37ff37953b68ae833f6874ab5bc510a4ca5fb |
| QNAP Systems Inc.–Malware Remover | An improper control of generation of code vulnerability has been reported to affect Malware Remover. Remote attackers can exploit the vulnerability to bypass a protection mechanism. We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023 and later | 2026-01-02 | not yet calculated | CVE-2025-11837 | https://www.qnap.com/en/security-advisory/qsa-25-47 |
| Unknown–WPBookit | The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack. | 2026-01-02 | not yet calculated | CVE-2025-12685 | https://wpscan.com/vulnerability/e5ba488a-b43d-4c5f-9716-4b24701999f3/ |
| Unknown–Knowband Mobile App Builder | The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not perform an authorisation check when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users. | 2025-12-31 | not yet calculated | CVE-2025-13029 | https://wpscan.com/vulnerability/22344534-cd36-4817-b683-c0af55759e01/ |
| Unknown–Logo Slider | The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2026-01-02 | not yet calculated | CVE-2025-13153 | https://wpscan.com/vulnerability/0ed67947-228d-420c-8d28-e0d7326eb101/ |
| Unknown–Plugin Organizer | The Plugin Organizer WordPress plugin before 10.2.4 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers to perform SQL injection attacks. | 2025-12-29 | not yet calculated | CVE-2025-13417 | https://wpscan.com/vulnerability/862fdf28-5195-443d-8ef2-e4043d0fdc92/ |
| Unknown–ShopBuilder | The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2026-01-02 | not yet calculated | CVE-2025-13456 | https://wpscan.com/vulnerability/5872ece6-52cb-4306-b7ee-41282815a243/ |
| Unknown–Comments | The Comments WordPress plugin before 7.6.40 does not properly validate the user’s identity when using the disqus.com provider, allowing an attacker who knows a user’s email address to log in as that user, provided the user does not yet have an account on disqus.com. | 2026-01-01 | not yet calculated | CVE-2025-13820 | https://wpscan.com/vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/ |
| Unknown–YaMaps for WordPress Plugin | The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-12-29 | not yet calculated | CVE-2025-13958 | https://wpscan.com/vulnerability/0d4bb338-f0d0-4b57-8664-1b8cba7cbe52/ |
| Unknown–Ninja Forms | The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions. | 2026-01-02 | not yet calculated | CVE-2025-14072 | https://wpscan.com/vulnerability/4b19a333-eb19-4903-aa96-1fe871dd0f9f/ |
| TP-Link Systems Inc.–TL-WR820N v2.8 | A vulnerability in the SSH server of TP-Link TL-WR820N v2.80 allows the use of a weak cryptographic algorithm, enabling an adjacent attacker to intercept and decrypt SSH traffic. Exploitation may expose sensitive information and compromise confidentiality. | 2025-12-29 | not yet calculated | CVE-2025-14175 | https://www.tp-link.com/en/support/download/tl-wr820n/#Firmware https://www.tp-link.com/in/support/download/tl-wr820n/#Firmware https://www.tp-link.com/us/support/faq/4861/ |
| Unknown–Advance WP Query Search Filter | The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-12-30 | not yet calculated | CVE-2025-14312 | https://wpscan.com/vulnerability/f06f982b-108b-4fc1-ad48-2f890a06ecf0/ |
| Unknown–Advance WP Query Search Filter | The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-12-30 | not yet calculated | CVE-2025-14313 | https://wpscan.com/vulnerability/5ebcdb32-da82-4129-8538-40d1b03a1108/ |
| Unknown–Ultimate Post Kit Addons for Elementor | The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without verifying that the posts to be displayed are published and without requiring authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve the rendered HTML content of private and unpublished ones. | 2025-12-31 | not yet calculated | CVE-2025-14434 | https://wpscan.com/vulnerability/bf3c3193-fc9c-454b-ad4f-94ba1669a312/ |
| Temporal–Temporal | When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace’s limits/policies by setting the embedded start request’s namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. | 2025-12-30 | not yet calculated | CVE-2025-14986 | https://github.com/temporalio/temporal/releases/tag/v1.27.4 https://github.com/temporalio/temporal/releases/tag/v1.28.2 https://github.com/temporalio/temporal/releases/tag/v1.29.2 |
| Temporal–Temporal | When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace. This issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. | 2025-12-30 | not yet calculated | CVE-2025-14987 | https://github.com/temporalio/temporal/releases/tag/v1.27.4 https://github.com/temporalio/temporal/releases/tag/v1.28.2 https://github.com/temporalio/temporal/releases/tag/v1.29.2 |
| Moxa–NPort 5000AI-M12 Series | A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with physical access to the device can directly connect to the UART interface and, without authentication, user interaction, or execution conditions, gain unauthorized access to internal debug functionality. Exploitation is low complexity and allows an attacker to execute privileged operations and access sensitive system resources, resulting in a high impact to the confidentiality, integrity, and availability of the affected device. No security impact to external or dependent systems has been identified. | 2025-12-31 | not yet calculated | CVE-2025-15017 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-257331-cve-2025-15017-active-debug-code-vulnerability-in-serial-device-servers |
| FontForge–FontForge | FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28564. | 2025-12-31 | not yet calculated | CVE-2025-15269 | ZDI-25-1195 |
| FontForge–FontForge | FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563. | 2025-12-31 | not yet calculated | CVE-2025-15270 | ZDI-25-1194 |
| FontForge–FontForge | FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28562. | 2025-12-31 | not yet calculated | CVE-2025-15271 | ZDI-25-1193 |
| FontForge–FontForge | FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28547. | 2025-12-31 | not yet calculated | CVE-2025-15272 | ZDI-25-1192 |
| FontForge–FontForge | FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PFB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28546. | 2025-12-31 | not yet calculated | CVE-2025-15273 | ZDI-25-1191 |
| FontForge–FontForge | FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28544. | 2025-12-31 | not yet calculated | CVE-2025-15274 | ZDI-25-1190 |
| FontForge–FontForge | FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28543. | 2025-12-31 | not yet calculated | CVE-2025-15275 | ZDI-25-1189 |
| FontForge–FontForge | FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28198. | 2025-12-31 | not yet calculated | CVE-2025-15276 | ZDI-25-1187 |
| FontForge–FontForge | FontForge GUtils SGI File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of scanlines within SGI files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27920. | 2025-12-31 | not yet calculated | CVE-2025-15277 | ZDI-25-1186 |
| FontForge–FontForge | FontForge GUtils XBM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within XBM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27865. | 2025-12-31 | not yet calculated | CVE-2025-15278 | ZDI-25-1185 |
| FontForge–FontForge | FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within BMP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27517. | 2025-12-31 | not yet calculated | CVE-2025-15279 | ZDI-25-1184 |
| FontForge–FontForge | FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28525. | 2025-12-31 | not yet calculated | CVE-2025-15280 | ZDI-25-1188 |
| Moxa–NPort 6100-G2/6200-G2 Series | The NPort 6100-G2/6200-G2 Series is affected by an execution with unnecessary privileges vulnerability (CVE-2025-1977) that allows an authenticated user with read-only access to perform unauthorized configuration changes through the MCC (Moxa CLI Configuration) tool. The issue can be exploited remotely over the network with low attack complexity and no user interaction but requires specific system conditions or configurations to be present. Successful exploitation may result in changes to device settings that were not intended to be permitted for the affected user role, potentially leading to a high impact on the confidentiality, integrity, and availability of the device. No impact on other systems has been identified. | 2025-12-31 | not yet calculated | CVE-2025-1977 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-251731-cve-2025-1977-cve-2025-2026-multiple-vulnerabilities-in-nport-6100-g2-6200-g2-series |
| Moxa–NPort 6100-G2/6200-G2 Series | The NPort 6100-G2/6200-G2 Series is affected by a high-severity vulnerability (CVE-2025-2026) that allows remote attackers to execute a null byte injection through the device’s web API. This may lead to an unexpected device reboot and result in a denial-of-service (DoS) condition. An authenticated remote attacker with web read-only privileges can exploit the vulnerable API to inject malicious input. Successful exploitation may cause the device to reboot, disrupting normal operations and causing a temporary denial of service. | 2025-12-31 | not yet calculated | CVE-2025-2026 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-251731-cve-2025-1977-cve-2025-2026-multiple-vulnerabilities-in-nport-6100-g2-6200-g2-series |
| IceWhale Tech–CasaOS | CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host. | 2026-01-03 | not yet calculated | CVE-2025-34171 | https://casaos.zimaspace.com/ https://github.com/IceWhaleTech/CasaOS https://www.vulncheck.com/advisories/casaos-unauthenticated-file-and-debug-data-exposure |
| fredtempez–ZwiiCMS | ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns “404 Not Found” as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated. | 2025-12-31 | not yet calculated | CVE-2025-34467 | https://github.com/fredtempez/ZwiiCMS https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00 https://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages |
| libcoap–libcoap | libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap). | 2025-12-31 | not yet calculated | CVE-2025-34468 | https://github.com/obgm/libcoap/pull/1737 https://github.com/obgm/libcoap/commit/30db3ea https://libcoap.net/ https://www.vulncheck.com/advisories/libcoap-stack-based-buffer-overflow-in-address-resolution-dos-or-potential-rce |
| Cowrie–Cowrie | Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP. | 2025-12-31 | not yet calculated | CVE-2025-34469 | https://github.com/advisories/GHSA-83jg-m2pm-4jxj https://github.com/cowrie/cowrie/releases/tag/v2.9.0 https://github.com/cowrie/cowrie/pull/2800 https://github.com/cowrie/cowrie/issues/2622 https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later; QuTS hero h5.2.6.3195 build 20250715 and later | 2026-01-02 | not yet calculated | CVE-2025-44013 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| httpbin–mccutchen | A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2026-01-02 | not yet calculated | CVE-2025-45286 | https://github.com/mccutchen/go-httpbin/security/advisories/GHSA-528q-4pgm-wvg2 https://github.com/advisories/GHSA-528q-4pgm-wvg2 |
| QNAP Systems Inc.–QTS | An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later; QuTS hero h5.2.6.3195 build 20250715 and later | 2026-01-02 | not yet calculated | CVE-2025-47208 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| Apache Software Foundation–Apache StreamPipes | A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over the application by manipulating JWT tokens, which can lead to data tampering, unauthorized access and other security issues. This issue affects Apache StreamPipes: through 0.97.0. Users are recommended to upgrade to version 0.98.0, which fixes the issue. | 2026-01-01 | not yet calculated | CVE-2025-47411 | https://lists.apache.org/thread/lngko4ht2ok3o0rk9h0clgm4kb0lmt36 |
| QNAP Systems Inc.–QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QTS 5.2.8.3332 build 20251128 and later | 2026-01-02 | not yet calculated | CVE-2025-48721 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| Apache Software Foundation–Apache NuttX RTOS | A Release of Invalid Pointer or Reference vulnerability was discovered in the fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal, leading to a debug assert trigger (disabled by default), a NULL pointer dereference (handled differently depending on the target architecture), or in general a Denial of Service. This issue affects Apache NuttX RTOS: from 10.0.0 before 12.10.0. Users of filesystem-based services with write access that are exposed over the network (e.g. FTP) are affected and are recommended to upgrade to version 12.10.0, which fixes the issue. | 2026-01-01 | not yet calculated | CVE-2025-48768 | https://github.com/apache/nuttx/pull/16437 https://lists.apache.org/thread/nwo1kd08b7t3dyz082q2pghdxwvxwyvo |
| Apache Software Foundation–Apache NuttX RTOS | A Use After Free vulnerability was discovered in the fs/vfs/fs_rename code of the Apache NuttX RTOS: due to a recursive implementation and the use of a single buffer through two different pointer variables, a buffer of arbitrary user-provided size could be reallocated and written to the previously freed heap chunk, which in specific cases could cause unintended virtual filesystem rename/move results. This issue affects Apache NuttX RTOS: from 7.20 before 12.11.0. Users of virtual-filesystem-based services with write access, especially when exposed over the network (e.g. FTP), are affected and are recommended to upgrade to version 12.11.0, which fixes the issue. | 2026-01-01 | not yet calculated | CVE-2025-48769 | https://github.com/apache/nuttx/pull/16455 https://lists.apache.org/thread/7m83v11ldfq7bvw72n9t5sccocczocjn |
| nfields–VarCreateStruct | An issue was discovered in matio 1.5.28. A heap-based memory corruption can occur in Mat_VarCreateStruct() when the nfields value does not match the actual number of strings in the fields array. This leads to out-of-bounds reads and invalid memory frees during cleanup, potentially causing a segmentation fault or heap corruption. | 2025-12-30 | not yet calculated | CVE-2025-50343 | https://github.com/tbeu/matio/issues/275 https://github.com/zakkanijia/POC/blob/main/matio/CVE-2025-50343/matio.md |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-52426 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-52430 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-52431 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.0.3192 build 20250716 and later | 2026-01-02 | not yet calculated | CVE-2025-52863 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.0.3192 build 20250716 and later | 2026-01-02 | not yet calculated | CVE-2025-52864 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–License Center | An out-of-bounds read vulnerability has been reported to affect License Center. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: License Center 2.0.36 and later | 2026-01-02 | not yet calculated | CVE-2025-52871 | https://www.qnap.com/en/security-advisory/qsa-25-52 |
| QNAP Systems Inc.–QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.0.3192 build 20250716 and later | 2026-01-02 | not yet calculated | CVE-2025-52872 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53405 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53414 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53589 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later | 2026-01-02 | not yet calculated | CVE-2025-53590 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53591 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53592 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53593 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–Qfinder Pro Mac | A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: Qfinder Pro Mac 7.13.0 and later; Qsync for Mac 5.1.5 and later; QVPN Device Client for Mac 2.2.8 and later | 2026-01-02 | not yet calculated | CVE-2025-53594 | https://www.qnap.com/en/security-advisory/qsa-25-55 |
| QNAP Systems Inc.–QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53596 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–License Center | A buffer overflow vulnerability has been reported to affect License Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: License Center 2.0.36 and later | 2026-01-02 | not yet calculated | CVE-2025-53597 | https://www.qnap.com/en/security-advisory/qsa-25-52 |
| QNAP Systems Inc.–QTS | An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-54164 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-54165 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-54166 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| pangolin–fosrl | An authentication bypass in fosrl/pangolin v1.6.2 and before allows attackers to access Pangolin resources via an insecure default configuration. | 2025-12-30 | not yet calculated | CVE-2025-56332 | https://github.com/fosrl/pangolin https://gist.github.com/mrdgef/ef6fa41d69c0457874414c163d7d7d75 |
| pangolin–fosrl | An issue in Fossorial fosrl/pangolin v1.6.2 and before allows a remote attacker to escalate privileges via the 2FA component. | 2025-12-29 | not yet calculated | CVE-2025-56333 | https://github.com/fosrl/pangolin https://gist.github.com/mrdgef/ef6fa41d69c0457874414c163d7d7d75 |
| machsol–machpanel | File upload vulnerability in machsol machpanel 8.0.32 allows attacker to gain a webshell. | 2025-12-29 | not yet calculated | CVE-2025-57460 | https://www.machsol.com/ https://github.com/aljoharasubaie/CVE-2025-57460/blob/main/README.md |
| machsol–machpanel | Stored cross-site scripting (XSS) in machsol machpanel 8.0.32 allows attackers to execute arbitrary web scripts or HTML via a crafted PDF file. | 2025-12-29 | not yet calculated | CVE-2025-57462 | https://www.machsol.com/ https://github.com/aljoharasubaie/CVE-2025-57462/blob/main/README.md |
| QNAP Systems Inc.–QTS | An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-57705 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.–QTS | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later | 2026-01-02 | not yet calculated | CVE-2025-59380 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| QNAP Systems Inc.–QTS | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later | 2026-01-02 | not yet calculated | CVE-2025-59381 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| QNAP Systems Inc.–Qfiling | A path traversal vulnerability has been reported to affect Qfiling. Remote attackers can exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qfiling 3.13.1 and later | 2026-01-02 | not yet calculated | CVE-2025-59384 | https://www.qnap.com/en/security-advisory/qsa-25-54 |
| QNAP Systems Inc.–MARS (Multi-Application Recovery Service) | An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). Remote attackers can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: MARS (Multi-Application Recovery Service) 1.2.1.1686 and later | 2026-01-02 | not yet calculated | CVE-2025-59387 | https://www.qnap.com/en/security-advisory/qsa-25-53 |
| QNAP Systems Inc.–Hyper Data Protector | An SQL injection vulnerability has been reported to affect Hyper Data Protector. Remote attackers can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Hyper Data Protector 2.2.4.1 and later | 2026-01-02 | not yet calculated | CVE-2025-59389 | https://www.qnap.com/en/security-advisory/qsa-25-48 |
| UxPlay–UxPlay | UxPlay 1.72 contains a double free vulnerability in its RTSP request handling. A specially crafted RTSP TEARDOWN request can trigger multiple calls to free() on the same memory address, potentially causing a Denial of Service. | 2025-12-29 | not yet calculated | CVE-2025-60458 | https://github.com/0pepsi/CVE-2025-60458 |
| SevenCs–ORCA | A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments. | 2025-12-31 | not yet calculated | CVE-2025-61037 | https://gist.github.com/jc0818/233462416579661e4e2795f96457a6bf |
| nixseparatedebuginfod–nixseparatedebuginfod | nixseparatedebuginfod before v0.4.1 is vulnerable to Directory Traversal. | 2025-12-30 | not yet calculated | CVE-2025-61557 | https://github.com/symphorien/nixseparatedebuginfod https://github.com/symphorien/nixseparatedebuginfod/commit/57ac448324bfa11a8d8e8f9bea04ae9205ad18b2 https://github.com/symphorien/nixseparatedebuginfod/blob/05ff4edf6953d0bcfedc3f448ed0ad9c4f279ee9/advisories/CVE-2025-61557.md |
| ruby–uri | URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue. | 2025-12-30 | not yet calculated | CVE-2025-61594 | https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/ https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902 https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a |
| QNAP Systems Inc.–HBS 3 Hybrid Backup Sync | A generation of error message containing sensitive information vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later | 2026-01-02 | not yet calculated | CVE-2025-62840 | https://www.qnap.com/en/security-advisory/qsa-25-46 |
| QNAP Systems Inc.–HBS 3 Hybrid Backup Sync | An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later | 2026-01-02 | not yet calculated | CVE-2025-62842 | https://www.qnap.com/en/security-advisory/qsa-25-46 |
| QNAP Systems Inc.–QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QTS 5.2.8.3332 build 20251128 and later | 2026-01-02 | not yet calculated | CVE-2025-62852 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| QNAP Systems Inc.–QuMagie | A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. Remote attackers can exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuMagie 2.8.1 and later | 2026-01-02 | not yet calculated | CVE-2025-62857 | https://www.qnap.com/en/security-advisory/qsa-25-49 |
| Nuvation Energy–Battery Management System | A vulnerability in Nuvation Battery Management System allows Authentication Bypass. This issue affects Battery Management System: through 2.3.9. | 2026-01-02 | not yet calculated | CVE-2025-64119 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy–Multi-Stack Controller (MSC) | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection. This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1. | 2026-01-02 | not yet calculated | CVE-2025-64120 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy–Multi-Stack Controller (MSC) | Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass. This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1. | 2026-01-02 | not yet calculated | CVE-2025-64121 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy–Multi-Stack Controller (MSC) | Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft. This issue affects Multi-Stack Controller (MSC): through 2.5.1. | 2026-01-02 | not yet calculated | CVE-2025-64122 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy–Multi-Stack Controller (MSC) | Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging. This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1. | 2026-01-02 | not yet calculated | CVE-2025-64123 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy–Multi-Stack Controller (MSC) | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection. This issue affects Multi-Stack Controller (MSC): before 2.5.1. | 2026-01-03 | not yet calculated | CVE-2025-64124 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy–nCloud VPN Service | A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging. This issue affected the nCloud VPN Service and was fixed on 2025-12-1 (December, 2025). End users do not have to take any action to mitigate the issue. | 2026-01-03 | not yet calculated | CVE-2025-64125 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| discourse–discourse | Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix. | 2025-12-30 | not yet calculated | CVE-2025-64528 | https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4 https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81 https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2 |
| SevenCs–ORCA | An incorrect NULL DACL issue exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The regService process, which runs with SYSTEM privileges, applies a Security Descriptor to a device object with no explicitly configured DACL. This condition could allow an attacker to perform unauthorized raw disk operations, which could lead to system disruption (DoS) and exposure of sensitive data, and may facilitate local privilege escalation. | 2025-12-31 | not yet calculated | CVE-2025-64699 | https://gist.github.com/GunP4ng/42b19ee99e94c315173b74a9fb26c2b9 |
| gosaliajainam–online-movie-booking | SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information. | 2026-01-02 | not yet calculated | CVE-2025-65125 | https://github.com/TheAnhaj/CVE-Researches |
| GNU–Recutils | A divide-by-zero in the encryption/decryption routines of GNU Recutils v1.9 allows attackers to cause a Denial of Service (DoS) by supplying an empty password. | 2025-12-30 | not yet calculated | CVE-2025-65409 | https://www.gnu.org/software/recutils/ http://ftp.gnu.org/gnu/recutils/ https://lists.gnu.org/archive/html/bug-recutils/2025-10/msg00004.html https://github.com/MAXEUR5/Vulnerability_Disclosures/blob/main/2025/CVE-2025-65409.md |
| GNU–Unrtf | A NULL pointer dereference in the src/path.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via a crafted value in the search_path parameter. | 2025-12-30 | not yet calculated | CVE-2025-65411 | https://www.gnu.org/software/unrtf/ https://savannah.gnu.org/projects/unrtf/ https://lists.gnu.org/archive/html/bug-unrtf/2025-11/msg00000.html https://sources.debian.org/src/unrtf/0.21.10-clean-1/src/main.c/#L661 https://github.com/MAXEUR5/Vulnerability_Disclosures/blob/main/2025/CVE-2025-65411.md |
| 201206030–novel | DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript or disclose sensitive information (e.g., user session cookies) via a crafted “wvstest” URL parameter or a malicious script injected into window.localStorage. The vulnerability arises from insufficient validation and encoding of user-controllable data in the book comment module: unfiltered user input is stored in the backend database (book_comment table, commentContent field), returned via the API, and rendered directly into the page DOM through Vue 3’s v-html directive without sanitization. Concealed payloads that do not produce a visible alert() still execute, so the absence of a pop-up is not evidence that the injection failed. | 2025-12-29 | not yet calculated | CVE-2025-65442 | https://github.com/201206030/novel https://github.com/201206030/novel-front-web https://github.com/zero-day348/DOM-based-Cross-Site-Scripting-XSS-Vulnerability-in-novel-V3.5.0-CWE-79- |
| jsish–jsish | A type confusion in jsish 2.0 allows incorrect control flow during execution of the OP_NEXT opcode. When an “instanceof” expression uses an array element access as the left-hand operand inside a for-in loop, the instruction’s implementation leaves an additional array reference on the stack rather than consuming it during OP_INSTANCEOF. As a result, OP_NEXT interprets the array as an iterator object and reads the iterCmd function pointer from an invalid structure, potentially causing a crash or enabling code execution depending on heap layout. | 2025-12-29 | not yet calculated | CVE-2025-65570 | https://blog.mcsky.ro/writeups/2025/11/15/inline8-writeup.html |
| Zeroheight–Zeroheight | An issue was discovered in Zeroheight (SaaS) prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification controls and allowed unintended account creation. This could have enabled spam/fake account creation or resource usage impact. No data exposure or unauthorized access to existing accounts was reported. | 2025-12-30 | not yet calculated | CVE-2025-65925 | https://github.com/Sneden/zeroheight-account-verification-bypass-CVE-2025-65925 |
| nanomq–nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a heap use-after-free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is triggered when NanoMQ acts as a bridge connecting to a remote MQTT broker. A malicious remote broker can trigger a crash (Denial of Service) or potential memory corruption by accepting the connection and immediately sending a malformed packet sequence. Version 0.24.5 contains a patch. The patch enforces stricter protocol adherence in the MQTT client SDK embedded in NanoMQ: it ensures that CONNACK is always the first packet processed. This prevents the state confusion that led to the UAF when a malicious server sent a malformed packet sequence immediately after connection establishment. As a workaround, validate the remote broker before bridging. | 2026-01-01 | not yet calculated | CVE-2025-66023 | https://github.com/nanomq/nanomq/security/advisories/GHSA-24f7-q5hh-27hf https://github.com/nanomq/nanomq/issues/2145 https://github.com/nanomq/NanoNNG/pull/1365 |
| inMusic–Engine DJ | inMusic Brands Engine DJ 4.3.0 suffers from insecure permissions: the Remote Library feature exposes an HTTP service that allows attackers to access all files and network paths. | 2025-12-30 | not yet calculated | CVE-2025-66723 | http://inmusic.com https://github.com/audiopump/cve-2025-66723 |
| TrueConf–TrueConf | An HTML Injection vulnerability in TrueConf server 5.5.2.10813 in the conference description field allows an attacker to inject arbitrary HTML in the Create/Edit conference functionality. The payload will be triggered when the victim opens the Conference Info page ([conference url]/info). | 2025-12-30 | not yet calculated | CVE-2025-66823 | https://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66823/README.md |
| TrueConf–TrueConf | A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field. | 2025-12-30 | not yet calculated | CVE-2025-66824 | https://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md |
| TrueConf–TrueConf | A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name. | 2025-12-30 | not yet calculated | CVE-2025-66834 | https://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66834/README.md |
| TrueConf–TrueConf | TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary code within the user’s context. | 2025-12-30 | not yet calculated | CVE-2025-66835 | http://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66835/README.md |
| JD Cloud–JD Cloud | JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability. | 2025-12-30 | not yet calculated | CVE-2025-66848 | http://jd.com https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2 |
| GNU–Binutils | An issue in function d_unqualified_name in file cp-demangle.c in Binutils 2.26 allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66861 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md |
| GNU–Binutils | A buffer overflow in function gnu_special in file cplus-dem.c in Binutils 2.26 allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66862 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md |
| GNU–Binutils | An issue in function d_discriminator in file cp-demangle.c in Binutils 2.26 allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66863 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md |
| GNU–Binutils | An issue in function d_print_comp_inner in file cp-demangle.c in Binutils 2.26 allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66864 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md |
| GNU–Binutils | A second issue in function d_print_comp_inner in file cp-demangle.c in Binutils 2.26 (distinct from CVE-2025-66864) allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66865 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md |
| GNU–Binutils | An issue in function d_abi_tags in file cp-demangle.c in Binutils 2.26 allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66866 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md |
| libming–libming | Buffer overflow in libming 0.4.8 in a call to strcat(). The report attributes the fault to the strcat interceptor in asan_interceptors.cpp, which is AddressSanitizer’s own code, so the overflowing call site is in libming rather than in that file. | 2025-12-29 | not yet calculated | CVE-2025-66869 | https://github.com/libming/libming/issues/366 |
| libming–libming | Buffer overflow in function dcputchar in decompile.c in libming 0.4.8. | 2025-12-29 | not yet calculated | CVE-2025-66877 | https://github.com/libming/libming/issues/367 |
| Revotech–Revotech | An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 – 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request. | 2026-01-02 | not yet calculated | CVE-2025-67158 | http://i6032w-fhw.com http://revotech.com https://github.com/Remenis/CVE-2025-67158 |
| Vatilon–Vatilon | Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext. | 2026-01-02 | not yet calculated | CVE-2025-67159 | http://vatilon.com https://github.com/Remenis/CVE-2025-67159 |
| Vatilon–Vatilon | An issue in Vatilon v1.12.37-20240124 allows attackers to access sensitive directories and files via a directory traversal. | 2026-01-02 | not yet calculated | CVE-2025-67160 | http://vatilon.com https://github.com/Remenis/CVE-2025-67160 |
| NagiosXI–NagiosXI | NagiosXI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php. | 2025-12-29 | not yet calculated | CVE-2025-67254 | https://www.nagios.org/ https://github.com/YongYe-Security/NagiosXI/tree/main |
| NagiosXI–NagiosXI | In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability. | 2025-12-29 | not yet calculated | CVE-2025-67255 | https://www.nagios.org/ https://github.com/YongYe-Security/NagiosXI/tree/main |
| gpsd–gpsd | gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution. | 2026-01-02 | not yet calculated | CVE-2025-67268 | https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4 https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md |
| gpsd–gpsd | An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking whether the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition. | 2026-01-02 | not yet calculated | CVE-2025-67269 | https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7 https://gitlab.com/gpsd/gpsd https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md |
| composer–composer | Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from could inject ANSI control characters into the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or denial of service of the terminal application. There is no proven exploit, so the severity is low, but a CVE was published because the behavior has potential for abuse and users should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue. | 2025-12-30 | not yet calculated | CVE-2025-67746 | https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917 https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71 https://github.com/composer/composer/releases/tag/2.2.26 https://github.com/composer/composer/releases/tag/2.9.3 |
| github.com/golang/vscode-go–github.com/golang/vscode-go | To prevent unexpected untrusted code execution, the Visual Studio Code Go extension is now disabled in Restricted Mode. | 2025-12-29 | not yet calculated | CVE-2025-68120 | https://nvd.nist.gov/vuln/detail/CVE-2025-68120 https://groups.google.com/g/golang-dev/c/CHG4qfcicBU/m/4tanFUymDQAJ https://pkg.go.dev/vuln/GO-2025-4249 |
| agronholm–cbor2 | cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue. | 2025-12-31 | not yet calculated | CVE-2025-68131 | https://github.com/agronholm/cbor2/security/advisories/GHSA-wcj4-jw5j-44wh https://github.com/agronholm/cbor2/pull/268 |
| SignalK–signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm’s version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue. | 2026-01-01 | not yet calculated | CVE-2025-68619 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| infiniflow–ragflow | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely bypassing sandbox isolation. This occurs because untrusted data (stdout) is parsed using eval() with no filtering or sandboxing. The intended design was to “automatically convert string results into Python objects,” but this effectively executes attacker-controlled code. Additional endpoints lack access control or contain inverted permission logic, significantly expanding the attack surface and enabling chained exploitation. Version 0.23.0 contains a patch for the issue. | 2025-12-31 | not yet calculated | CVE-2025-68700 | https://github.com/infiniflow/ragflow/security/advisories/GHSA-8xw3-v6c2-j84j https://github.com/infiniflow/ragflow/commit/7a344a32f9f83529e12ca12f40f2657eb79fe811 |
| KuWFi–4G LTE AC900 (GoAhead-Webs) | A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds check. This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution. | 2025-12-29 | not yet calculated | CVE-2025-68706 | https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port https://github.com/actuator/cve/tree/main/Kuwfi https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt |
| miniOrange–WordPress Social Login and Register | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0. | 2025-12-30 | not yet calculated | CVE-2025-68974 | https://vdp.patchstack.com/database/Wordpress/Plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-plugin-7-7-0-local-file-inclusion-vulnerability?_s_id=cve |
| Eagle-Themes–Eagle Booking | Authorization Bypass Through User-Controlled Key vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eagle Booking: from n/a through <= 1.3.4.3. | 2025-12-30 | not yet calculated | CVE-2025-68975 | https://vdp.patchstack.com/database/Wordpress/Plugin/eagle-booking/vulnerability/wordpress-eagle-booking-plugin-1-3-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Eagle-Themes–Eagle Booking | Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eagle Booking: from n/a through <= 1.3.4.3. | 2025-12-30 | not yet calculated | CVE-2025-68976 | https://vdp.patchstack.com/database/Wordpress/Plugin/eagle-booking/vulnerability/wordpress-eagle-booking-plugin-1-3-4-3-settings-change-vulnerability?_s_id=cve |
| designthemes–DesignThemes Portfolio Addon | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in designthemes DesignThemes Portfolio Addon designthemes-portfolio-addon allows DOM-Based XSS. This issue affects DesignThemes Portfolio Addon: from n/a through <= 1.5. | 2025-12-30 | not yet calculated | CVE-2025-68977 | https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-portfolio-addon/vulnerability/wordpress-designthemes-portfolio-addon-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designthemes–DesignThemes Core | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in designthemes DesignThemes Core designthemes-core allows DOM-Based XSS. This issue affects DesignThemes Core: from n/a through <= 1.6. | 2025-12-30 | not yet calculated | CVE-2025-68978 | https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-core/vulnerability/wordpress-designthemes-core-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SimpleCalendar–Google Calendar Events | Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: from n/a through <= 3.5.9. | 2025-12-30 | not yet calculated | CVE-2025-68979 | https://vdp.patchstack.com/database/Wordpress/Plugin/google-calendar-events/vulnerability/wordpress-google-calendar-events-plugin-3-5-9-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| designthemes–WeDesignTech Portfolio | Missing Authorization vulnerability in designthemes WeDesignTech Portfolio wedesigntech-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WeDesignTech Portfolio: from n/a through <= 1.0.2. | 2025-12-30 | not yet calculated | CVE-2025-68980 | https://vdp.patchstack.com/database/Wordpress/Plugin/wedesigntech-portfolio/vulnerability/wordpress-wedesigntech-portfolio-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| designthemes–HomeFix Elementor Portfolio | Missing Authorization vulnerability in designthemes HomeFix Elementor Portfolio homefix-ele-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeFix Elementor Portfolio: from n/a through <= 1.0.1. | 2025-12-30 | not yet calculated | CVE-2025-68981 | https://vdp.patchstack.com/database/Wordpress/Plugin/homefix-ele-portfolio/vulnerability/wordpress-homefix-elementor-portfolio-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| designthemes–DesignThemes LMS Addon | Missing Authorization vulnerability in designthemes DesignThemes LMS Addon designthemes-lms-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DesignThemes LMS Addon: from n/a through <= 2.6. | 2025-12-30 | not yet calculated | CVE-2025-68982 | https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-lms-addon/vulnerability/wordpress-designthemes-lms-addon-plugin-2-6-broken-access-control-vulnerability?_s_id=cve |
| thembay–Greenmart | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion. This issue affects Greenmart: from n/a through <= 4.2.11. | 2025-12-30 | not yet calculated | CVE-2025-68983 | https://vdp.patchstack.com/database/Wordpress/Theme/greenmart/vulnerability/wordpress-greenmart-theme-4-2-11-local-file-inclusion-vulnerability?_s_id=cve |
| thembay–Puca | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in thembay Puca puca allows PHP Local File Inclusion. This issue affects Puca: from n/a through <= 2.6.39. | 2025-12-30 | not yet calculated | CVE-2025-68984 | https://vdp.patchstack.com/database/Wordpress/Theme/puca/vulnerability/wordpress-puca-theme-2-6-39-local-file-inclusion-vulnerability?_s_id=cve |
| thembay–Aora | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15. | 2025-12-30 | not yet calculated | CVE-2025-68985 | https://vdp.patchstack.com/database/Wordpress/Theme/aora/vulnerability/wordpress-aora-theme-1-3-15-local-file-inclusion-vulnerability?_s_id=cve |
| Edge-Themes–Cinerama – A WordPress Theme for Movie Studios and Filmmakers | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Edge-Themes Cinerama – A WordPress Theme for Movie Studios and Filmmakers cinerama allows PHP Local File Inclusion. This issue affects Cinerama – A WordPress Theme for Movie Studios and Filmmakers: from n/a through <= 2.4. | 2025-12-30 | not yet calculated | CVE-2025-68987 | https://vdp.patchstack.com/database/Wordpress/Theme/cinerama/vulnerability/wordpress-cinerama-a-wordpress-theme-for-movie-studios-and-filmmakers-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve |
| o2oe–E-Invoice App Malaysia | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in o2oe E-Invoice App Malaysia einvoiceapp-malaysia allows Retrieve Embedded Sensitive Data. This issue affects E-Invoice App Malaysia: from n/a through <= 1.1.0. | 2025-12-30 | not yet calculated | CVE-2025-68988 | https://vdp.patchstack.com/database/Wordpress/Plugin/einvoiceapp-malaysia/vulnerability/wordpress-e-invoice-app-malaysia-plugin-1-1-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| Renzo Johnson–Contact Form 7 Extension For Mailchimp | Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 Extension For Mailchimp: from n/a through <= 0.9.49. | 2025-12-30 | not yet calculated | CVE-2025-68989 | https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-7-mailchimp-extension/vulnerability/wordpress-contact-form-7-extension-for-mailchimp-plugin-0-9-49-sensitive-data-exposure-vulnerability?_s_id=cve |
| xenioushk–BWL Pro Voting Manager | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9. | 2025-12-30 | not yet calculated | CVE-2025-68990 | https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-pro-voting-manager/vulnerability/wordpress-bwl-pro-voting-manager-plugin-1-4-9-sql-injection-vulnerability?_s_id=cve |
| xenioushk–BWL Pro Voting Manager | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows DOM-Based XSS. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9. | 2025-12-30 | not yet calculated | CVE-2025-68991 | https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-pro-voting-manager/vulnerability/wordpress-bwl-pro-voting-manager-plugin-1-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| xenioushk–BWL Knowledge Base Manager | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in xenioushk BWL Knowledge Base Manager bwl-kb-manager allows Stored XSS. This issue affects BWL Knowledge Base Manager: from n/a through <= 1.6.3. | 2025-12-30 | not yet calculated | CVE-2025-68992 | https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-kb-manager/vulnerability/wordpress-bwl-knowledge-base-manager-plugin-1-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| XforWooCommerce–Share, Print and PDF Products for WooCommerce | Missing Authorization vulnerability in XforWooCommerce Share, Print and PDF Products for WooCommerce share-print-pdf-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Share, Print and PDF Products for WooCommerce: from n/a through <= 3.1.2. | 2025-12-30 | not yet calculated | CVE-2025-68993 | https://vdp.patchstack.com/database/Wordpress/Plugin/share-print-pdf-woocommerce/vulnerability/wordpress-share-print-and-pdf-products-for-woocommerce-plugin-3-1-2-broken-access-control-vulnerability?_s_id=cve |
| XforWooCommerce–Product Loops for WooCommerce | Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCommerce product-loops allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Loops for WooCommerce: from n/a through <= 2.1.2. | 2025-12-30 | not yet calculated | CVE-2025-68994 | https://vdp.patchstack.com/database/Wordpress/Plugin/product-loops/vulnerability/wordpress-product-loops-for-woocommerce-plugin-2-1-2-broken-access-control-vulnerability?_s_id=cve |
| Gal Dubinski–My Sticky Elements | Missing Authorization vulnerability in Gal Dubinski My Sticky Elements mystickyelements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Sticky Elements: from n/a through <= 2.3.3. | 2025-12-30 | not yet calculated | CVE-2025-68995 | https://vdp.patchstack.com/database/Wordpress/Plugin/mystickyelements/vulnerability/wordpress-my-sticky-elements-plugin-2-3-3-broken-access-control-vulnerability?_s_id=cve |
| WebCodingPlace–Responsive Posts Carousel Pro | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows PHP Local File Inclusion. This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1. | 2025-12-30 | not yet calculated | CVE-2025-68996 | https://vdp.patchstack.com/database/Wordpress/Plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-1-local-file-inclusion-vulnerability?_s_id=cve |
| AdvancedCoding–wpDiscuz | Authorization Bypass Through User-Controlled Key vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through <= 7.6.40. | 2025-12-30 | not yet calculated | CVE-2025-68997 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpdiscuz/vulnerability/wordpress-wpdiscuz-plugin-7-6-40-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Heateor Support–Heateor Social Login | Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery. This issue affects Heateor Social Login: from n/a through <= 1.1.39. | 2025-12-30 | not yet calculated | CVE-2025-68998 | https://vdp.patchstack.com/database/Wordpress/Plugin/heateor-social-login/vulnerability/wordpress-heateor-social-login-plugin-1-1-39-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Atte Moisio–AM Events | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Atte Moisio AM Events am-events allows Stored XSS. This issue affects AM Events: from n/a through <= 1.13.1. | 2025-12-30 | not yet calculated | CVE-2025-69006 | https://vdp.patchstack.com/database/Wordpress/Plugin/am-events/vulnerability/wordpress-am-events-plugin-1-13-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| OTWthemes–Popping Sidebars and Widgets Light | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in OTWthemes Popping Sidebars and Widgets Light popping-sidebars-and-widgets-light allows Stored XSS. This issue affects Popping Sidebars and Widgets Light: from n/a through <= 1.27. | 2025-12-30 | not yet calculated | CVE-2025-69007 | https://vdp.patchstack.com/database/Wordpress/Plugin/popping-sidebars-and-widgets-light/vulnerability/wordpress-popping-sidebars-and-widgets-light-plugin-1-27-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Inboxify–Inboxify Sign Up Form | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Inboxify Inboxify Sign Up Form inboxify-sign-up-form allows Stored XSS. This issue affects Inboxify Sign Up Form: from n/a through <= 1.0.4. | 2025-12-30 | not yet calculated | CVE-2025-69008 | https://vdp.patchstack.com/database/Wordpress/Plugin/inboxify-sign-up-form/vulnerability/wordpress-inboxify-sign-up-form-plugin-1-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kamleshyadav–Medicalequipment | Missing Authorization vulnerability in kamleshyadav Medicalequipment medicalequipment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Medicalequipment: from n/a through <= 1.0.9. | 2025-12-30 | not yet calculated | CVE-2025-69009 | https://vdp.patchstack.com/database/Wordpress/Theme/medicalequipment/vulnerability/wordpress-medicalequipment-theme-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| themebeez–Themebeez Toolkit | Missing Authorization vulnerability in themebeez Themebeez Toolkit themebeez-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Themebeez Toolkit: from n/a through <= 1.3.5. | 2025-12-30 | not yet calculated | CVE-2025-69010 | https://vdp.patchstack.com/database/Wordpress/Plugin/themebeez-toolkit/vulnerability/wordpress-themebeez-toolkit-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve |
| Stephen Harris–Event Organiser | Missing Authorization vulnerability in Stephen Harris Event Organiser event-organiser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Organiser: from n/a through <= 3.12.8. | 2025-12-30 | not yet calculated | CVE-2025-69012 | https://vdp.patchstack.com/database/Wordpress/Plugin/event-organiser/vulnerability/wordpress-event-organiser-plugin-3-12-8-broken-access-control-vulnerability?_s_id=cve |
| jetmonsters–Stratum | Missing Authorization vulnerability in jetmonsters Stratum stratum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stratum: from n/a through <= 1.6.1. | 2025-12-30 | not yet calculated | CVE-2025-69013 | https://vdp.patchstack.com/database/Wordpress/Plugin/stratum/vulnerability/wordpress-stratum-plugin-1-6-1-broken-access-control-vulnerability?_s_id=cve |
| Youzify–Youzify | Server-Side Request Forgery (SSRF) vulnerability in Youzify Youzify youzify allows Server Side Request Forgery. This issue affects Youzify: from n/a through <= 1.3.5. | 2025-12-30 | not yet calculated | CVE-2025-69014 | https://vdp.patchstack.com/database/Wordpress/Plugin/youzify/vulnerability/wordpress-youzify-plugin-1-3-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Automattic–Crowdsignal Forms | Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crowdsignal Forms: from n/a through <= 1.7.2. | 2025-12-30 | not yet calculated | CVE-2025-69015 | https://vdp.patchstack.com/database/Wordpress/Plugin/crowdsignal-forms/vulnerability/wordpress-crowdsignal-forms-plugin-1-7-2-broken-access-control-vulnerability?_s_id=cve |
| averta–Shortcodes and extra features for Phlox theme | Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.12. | 2025-12-30 | not yet calculated | CVE-2025-69016 | https://vdp.patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-shortcodes-and-extra-features-for-phlox-theme-plugin-2-17-12-broken-access-control-vulnerability?_s_id=cve |
| Magnigenie–RestroPress | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Magnigenie RestroPress restropress allows Stored XSS.This issue affects RestroPress: from n/a through <= 3.2.4.2. | 2025-12-30 | not yet calculated | CVE-2025-69017 | https://vdp.patchstack.com/database/Wordpress/Plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shamalli–Web Directory Free | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Shamalli Web Directory Free web-directory-free allows DOM-Based XSS.This issue affects Web Directory Free: from n/a through <= 1.7.12. | 2025-12-30 | not yet calculated | CVE-2025-69018 | https://vdp.patchstack.com/database/Wordpress/Plugin/web-directory-free/vulnerability/wordpress-web-directory-free-plugin-1-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FlippingBook–FlippingBook | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in FlippingBook FlippingBook flippingbook allows DOM-Based XSS.This issue affects FlippingBook: from n/a through <= 2.0.1. | 2025-12-30 | not yet calculated | CVE-2025-69019 | https://vdp.patchstack.com/database/Wordpress/Plugin/flippingbook/vulnerability/wordpress-flippingbook-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tribulant Software–Newsletters | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Tribulant Software Newsletters newsletters-lite allows Stored XSS.This issue affects Newsletters: from n/a through <= 4.12. | 2025-12-30 | not yet calculated | CVE-2025-69020 | https://vdp.patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ays Pro–Popup box | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7. | 2025-12-30 | not yet calculated | CVE-2025-69021 | https://vdp.patchstack.com/database/Wordpress/Plugin/ays-popup-box/vulnerability/wordpress-popup-box-plugin-6-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Weblizar – WordPress Themes & Plugin–HR Management Lite | Missing Authorization vulnerability in Weblizar – WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HR Management Lite: from n/a through <= 3.5. | 2025-12-30 | not yet calculated | CVE-2025-69022 | https://vdp.patchstack.com/database/Wordpress/Plugin/hr-management-lite/vulnerability/wordpress-hr-management-lite-plugin-3-5-broken-access-control-vulnerability?_s_id=cve |
| Marketing Fire–Discussion Board | Missing Authorization vulnerability in Marketing Fire Discussion Board wp-discussion-board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Discussion Board: from n/a through <= 2.5.7. | 2025-12-30 | not yet calculated | CVE-2025-69023 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-discussion-board/vulnerability/wordpress-discussion-board-plugin-2-5-7-broken-access-control-vulnerability?_s_id=cve |
| bizswoop–BizPrint | Missing Authorization vulnerability in bizswoop BizPrint print-google-cloud-print-gcp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizPrint: from n/a through <= 4.6.7. | 2025-12-30 | not yet calculated | CVE-2025-69024 | https://vdp.patchstack.com/database/Wordpress/Plugin/print-google-cloud-print-gcp-woocommerce/vulnerability/wordpress-bizprint-plugin-4-6-7-broken-access-control-vulnerability?_s_id=cve |
| Aethonic–Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins & WooCommerce Sales | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Aethonic Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins & WooCommerce Sales poptics allows Retrieve Embedded Sensitive Data.This issue affects Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins & WooCommerce Sales: from n/a through <= 1.0.20. | 2025-12-30 | not yet calculated | CVE-2025-69025 | https://vdp.patchstack.com/database/Wordpress/Plugin/poptics/vulnerability/wordpress-poptics-ai-powered-popup-builder-for-lead-generation-conversions-exit-intent-email-opt-ins-woocommerce-sales-plugin-1-0-20-sensitive-data-exposure-vulnerability?_s_id=cve |
| Roxnor–PopupKit | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roxnor PopupKit popup-builder-block allows Retrieve Embedded Sensitive Data.This issue affects PopupKit: from n/a through <= 2.1.5. | 2025-12-30 | not yet calculated | CVE-2025-69026 | https://vdp.patchstack.com/database/Wordpress/Plugin/popup-builder-block/vulnerability/wordpress-popupkit-plugin-2-1-5-sensitive-data-exposure-vulnerability?_s_id=cve |
| tychesoftwares–Product Delivery Date for WooCommerce Lite | Missing Authorization vulnerability in tychesoftwares Product Delivery Date for WooCommerce – Lite product-delivery-date-for-woocommerce-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Delivery Date for WooCommerce – Lite: from n/a through <= 3.2.0. | 2025-12-30 | not yet calculated | CVE-2025-69027 | https://vdp.patchstack.com/database/Wordpress/Plugin/product-delivery-date-for-woocommerce-lite/vulnerability/wordpress-product-delivery-date-for-woocommerce-lite-plugin-3-2-0-broken-access-control-vulnerability?_s_id=cve |
| BoldGrid–weForms | Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25. | 2025-12-30 | not yet calculated | CVE-2025-69028 | https://vdp.patchstack.com/database/Wordpress/Plugin/weforms/vulnerability/wordpress-weforms-plugin-1-6-25-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes–Struktur | Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Struktur: from n/a through <= 2.5.1. | 2025-12-30 | not yet calculated | CVE-2025-69029 | https://vdp.patchstack.com/database/Wordpress/Theme/struktur/vulnerability/wordpress-struktur-theme-2-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Backpack Traveler | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through <= 2.10.3. | 2025-12-30 | not yet calculated | CVE-2025-69030 | https://vdp.patchstack.com/database/Wordpress/Theme/backpacktraveler/vulnerability/wordpress-backpack-traveler-theme-2-10-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Skywarrior–Arcane | Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arcane: from n/a through <= 3.6.6. | 2025-12-30 | not yet calculated | CVE-2025-69031 | https://vdp.patchstack.com/database/Wordpress/Theme/arcane/vulnerability/wordpress-arcane-theme-3-6-6-broken-access-control-vulnerability?_s_id=cve |
| Mikado-Themes–FiveStar | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7. | 2025-12-30 | not yet calculated | CVE-2025-69032 | https://vdp.patchstack.com/database/Wordpress/Theme/fivestar/vulnerability/wordpress-fivestar-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| A WP Life–Blog Filter | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.3. | 2025-12-30 | not yet calculated | CVE-2025-69033 | https://vdp.patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mikado-Themes–Lekker | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8. | 2025-12-30 | not yet calculated | CVE-2025-69034 | https://vdp.patchstack.com/database/Wordpress/Theme/lekker/vulnerability/wordpress-lekker-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| Vidish–Combo Offers WooCommerce | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Vidish Combo Offers WooCommerce woo-combo-offers allows DOM-Based XSS.This issue affects Combo Offers WooCommerce: from n/a through <= 4.2. | 2025-12-30 | not yet calculated | CVE-2025-69088 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-combo-offers/vulnerability/wordpress-combo-offers-woocommerce-plugin-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| autolistings–Auto Listings | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in autolistings Auto Listings auto-listings allows Stored XSS.This issue affects Auto Listings: from n/a through <= 2.7.1. | 2025-12-30 | not yet calculated | CVE-2025-69089 | https://vdp.patchstack.com/database/Wordpress/Plugin/auto-listings/vulnerability/wordpress-auto-listings-plugin-2-7-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kraft Plugins–Demo Importer Plus | Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Importer Plus: from n/a through <= 2.0.8. | 2025-12-30 | not yet calculated | CVE-2025-69091 | https://vdp.patchstack.com/database/Wordpress/Plugin/demo-importer-plus/vulnerability/wordpress-demo-importer-plus-plugin-2-0-8-broken-access-control-vulnerability?_s_id=cve |
| WPDeveloper–Essential Addons for Elementor | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3. | 2025-12-30 | not yet calculated | CVE-2025-69092 | https://vdp.patchstack.com/database/Wordpress/Plugin/essential-addons-for-elementor-lite/vulnerability/wordpress-essential-addons-for-elementor-plugin-6-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpdesk–ShopMagic | Missing Authorization vulnerability in wpdesk ShopMagic shopmagic-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopMagic: from n/a through <= 4.7.2. | 2025-12-30 | not yet calculated | CVE-2025-69093 | https://vdp.patchstack.com/database/Wordpress/Plugin/shopmagic-for-woocommerce/vulnerability/wordpress-shopmagic-plugin-4-7-2-broken-access-control-vulnerability?_s_id=cve |
| Quenary–tugtainer | Tugtainer is a self-hosted app for automating updates of docker containers. In versions prior to 1.15.1, arbitrary arguments can be injected in tugtainer-agent `POST api/command/run`. Version 1.15.1 fixes the issue. | 2025-12-29 | not yet calculated | CVE-2025-69201 | https://github.com/Quenary/tugtainer/security/advisories/GHSA-grc3-8w5x-g54q https://github.com/Quenary/tugtainer/pull/88 https://github.com/Quenary/tugtainer/commit/dbb17d843e30fd7509acf0328c913dcb42f40831 https://github.com/Quenary/tugtainer/releases/tag/v1.15.1 |
| arthurfiorette–axios-cache-interceptor | Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the server responds with `Vary: Authorization` (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. Server-side applications (APIs, proxies, backend services) are affected if they use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and the upstream services rely on `Vary` to differentiate caches. Browser/client-side applications (single user per browser session) are not affected. Services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking user data across different authenticated sessions. After `v1.11.1`, automatic `Vary` header support is enabled by default. When the server responds with `Vary: Authorization`, cache keys now include the authorization header value, so each user gets their own cache. | 2025-12-29 | not yet calculated | CVE-2025-69202 | https://github.com/arthurfiorette/axios-cache-interceptor/security/advisories/GHSA-x4m5-4cw8-vc44 https://github.com/arthurfiorette/axios-cache-interceptor/commit/49a808059dfc081b9cc23d48f243d55dfce15f01 |
| NeoRazorX–facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue. | 2025-12-30 | not yet calculated | CVE-2025-69210 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-2267-xqcf-gw2m https://facturascripts.com/publicaciones/ya-disponible-facturascripts-2025-7 https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.7 |
| nestjs–nest | Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses `@nestjs/platform-fastify`; relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`; and applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`). Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped. This issue is patched in `@nestjs/platform-fastify@11.1.11`. | 2025-12-29 | not yet calculated | CVE-2025-69211 | https://github.com/nestjs/nest/security/advisories/GHSA-8wpr-639p-ccrj https://github.com/nestjs/nest/commit/c4cedda15a05aafec1e6045b36b0335ab850e771 |
| NAVER–NAVER Whale browser | Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment. | 2025-12-30 | not yet calculated | CVE-2025-69234 | https://cve.naver.com/detail/cve-2025-69234.html |
| NAVER–NAVER Whale browser | Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment. | 2025-12-30 | not yet calculated | CVE-2025-69235 | https://cve.naver.com/detail/cve-2025-69235.html |
| WasmEdge–WasmEdge | WasmEdge is a WebAssembly runtime. Prior to version 0.16.0-alpha.3, a multiplication in `WasmEdge/include/runtime/instance/memory.h` can wrap, causing `checkAccessBound()` to incorrectly allow the access. This leads to a segmentation fault. Version 0.16.0-alpha.3 contains a patch for the issue. | 2025-12-30 | not yet calculated | CVE-2025-69261 | https://github.com/WasmEdge/WasmEdge/security/advisories/GHSA-89fm-8mr7-gg4m https://github.com/WasmEdge/WasmEdge/commit/37cc9fa19bd23edbbdaa9252059b17f191fa4d17 |
| infiniflow–ragflow | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mutually derivable. Specifically, both tokens are generated using the same `URLSafeTimedSerializer` with predictable inputs, enabling an unauthorized user who obtains the shared assistant/agent URL to derive the personal API key. This grants them full control over the assistant/agent owner’s account. Version 0.22.0 fixes the issue. | 2025-12-31 | not yet calculated | CVE-2025-69286 | https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7 https://github.com/infiniflow/ragflow/commit/a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6 https://github.com/infiniflow/ragflow/blob/v0.20.5/api/apps/system_app.py#L214-L215 https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/__init__.py#L343 https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/api_utils.py#L378 |
| QNAP Systems Inc.–QTS | An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later; QuTS hero h5.3.1.3250 build 20250912 and later. | 2026-01-02 | not yet calculated | CVE-2025-9110 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| yhirose–cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the `write_headers` function does not check for CR & LF characters in user supplied headers, allowing an untrusted header value to escape its header line. This vulnerability allows attackers to add extra headers, modify the request body unexpectedly & trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue. | 2026-01-01 | not yet calculated | CVE-2026-21428 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7 https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0 |
| emlog–emlog | Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available. | 2026-01-02 | not yet calculated | CVE-2026-21429 | https://github.com/emlog/emlog/security/advisories/GHSA-jw5v-2g53-rx8w |
| emlog–emlog | Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available. | 2026-01-02 | not yet calculated | CVE-2026-21430 | https://github.com/emlog/emlog/security/advisories/GHSA-2g2w-vmg7-pq4q |
| emlog–emlog | Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library` function while publishing an article. As of time of publication, no known patched versions are available. | 2026-01-02 | not yet calculated | CVE-2026-21431 | https://github.com/emlog/emlog/security/advisories/GHSA-9vc2-crhr-248x |
| emlog–emlog | Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available. | 2026-01-02 | not yet calculated | CVE-2026-21432 | https://github.com/emlog/emlog/security/advisories/GHSA-4rxf-mjqx-c464 |
| getsolus–eopkg | eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but in a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected. | 2026-01-01 | not yet calculated | CVE-2026-21436 | https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m https://github.com/getsolus/eopkg/pull/201 https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d https://github.com/getsolus/eopkg/releases/tag/v4.4.0 |
| getsolus–eopkg | eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected. | 2026-01-01 | not yet calculated | CVE-2026-21437 | https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6 https://github.com/getsolus/eopkg/pull/201 https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d https://github.com/getsolus/eopkg/releases/tag/v4.4.0 |
| adonisjs–core | AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6. | 2026-01-02 | not yet calculated | CVE-2026-21440 | https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6 https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03 https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2 https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6 |
| langflow-ai–langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch. | 2026-01-02 | not yet calculated | CVE-2026-21445 | https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a |
| bagisto–bagisto | Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21446 | https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed |
| bagisto–bagisto | Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch. | 2026-01-02 | not yet calculated | CVE-2026-21448 | https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6 |
| bagisto–bagisto | Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21449 | https://github.com/bagisto/bagisto/security/advisories/GHSA-mqhg-v22x-pqj8 |
| bagisto–bagisto | Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21450 | https://github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp |
| bagisto–bagisto | Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21451 | https://github.com/bagisto/bagisto/security/advisories/GHSA-2mwc-h2mg-v6p8 |
| knadh–listmonk | listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, a lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link – no preview click required. Version 6.0.0 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21483 | https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565 |
