Monthly
Write lock exclusivity is silently violated in concurrent-ruby's `ReentrantReadWriteLock`, confirmed on version 1.3.6 and fixed in 1.3.7. After a single thread acquires the read lock exactly 32,768 times reentrantl, its per-thread `@HeldCount` counter overflows into bit 15, which the implementation also uses as the `WRITE_LOCK_HELD` flag - causing `try_write_lock` to return `true` via the fast-path 'already hold write lock' branch without ever setting the global `RUNNING_WRITER` bit. Other threads receive no signal of an active writer and continue acquiring read locks concurrently, breaking mutual exclusion with no exception raised. A publicly available proof-of-concept reproduces the condition; no public exploit identified as actively exploited (not in CISA KEV).
Wrap-around error in Linux kernel mode driver for some Intel(R) Ethernet Network Controllers and Adapters before version 28.3 may allow an authenticated user to potentially enable escalation of. Rated critical severity (CVSS 9.3), this vulnerability is low attack complexity. No vendor patch available.
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Write lock exclusivity is silently violated in concurrent-ruby's `ReentrantReadWriteLock`, confirmed on version 1.3.6 and fixed in 1.3.7. After a single thread acquires the read lock exactly 32,768 times reentrantl, its per-thread `@HeldCount` counter overflows into bit 15, which the implementation also uses as the `WRITE_LOCK_HELD` flag - causing `try_write_lock` to return `true` via the fast-path 'already hold write lock' branch without ever setting the global `RUNNING_WRITER` bit. Other threads receive no signal of an active writer and continue acquiring read locks concurrently, breaking mutual exclusion with no exception raised. A publicly available proof-of-concept reproduces the condition; no public exploit identified as actively exploited (not in CISA KEV).
Wrap-around error in Linux kernel mode driver for some Intel(R) Ethernet Network Controllers and Adapters before version 28.3 may allow an authenticated user to potentially enable escalation of. Rated critical severity (CVSS 9.3), this vulnerability is low attack complexity. No vendor patch available.
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.