CWE-226

Sensitive Information in Resource Not Removed Before Reuse

10 CVEs, average CVSS 5.0 (source: MITRE). Severity: 0 Critical, 2 High, 5 Medium, 3 Low. Public PoC: 0. In CISA KEV: 0.

CVE-2026-5795 HIGH PATCH GHSA This Week

Privilege escalation in Eclipse Jetty 9.4.0-12.1.7 allows unauthenticated remote attackers to bypass authentication via ThreadLocal variable pollution in JASPIAuthenticator. Early returns from authentication checks fail to clear ThreadLocal values, causing subsequent requests on the same thread to inherit elevated privileges. CVSS 7.4 with high complexity but no authentication required. EPSS and KEV status not provided; no public exploit identified at time of analysis. Affects all major Jetty versions from 9.x through 12.x.

Privilege Escalation | Sources: NVD, GitHub, HeroDevs, VulDB | CVSS 3.1: 7.4 | EPSS: 0.0%
CVE-2025-14858 MEDIUM This Month

Information disclosure vulnerability in Semtech LR11xx LoRa transceivers (LR1110, LR1120, LR1121) allows attackers with physical SPI interface access to retrieve decrypted firmware contents by exploiting improper memory cleanup after firmware validation. The device fails to clear the last decrypted firmware block from memory after integrity checks complete, enabling an attacker to bypass firmware encryption protection via subsequent SPI memory read commands. This affects early firmware versions and requires direct physical access to the SPI interface.

Information Disclosure | Source: NVD | CVSS 4.0: 5.1 | EPSS: 0.0%
CVE-2025-13108 MEDIUM This Month

Db2 Merge Backup versions up to 12.1.0.0 contain a vulnerability that allows attackers to access sensitive information in memory due to the buffer not properly clearing r (CVSS 5.5).

IBM, Linux, Windows, Db2 Merge Backup | Source: NVD | CVSS 3.1: 5.5 | EPSS: 0.0%
CVE-2025-0647 HIGH This Week

In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. [CVSS 7.9 HIGH]

Information Disclosure, Neoverse V3ae Firmware, C1 Ultra Firmware, Neoverse N2 Firmware, Cortex X925 Firmware (+7 more) | Source: NVD | CVSS 3.1: 7.9 | EPSS: 0.0%
CVE-2025-33200 LOW Monitor

NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure, Nvidia Dgx Os | Source: NVD | CVSS 3.1: 2.3 | EPSS: 0.0%
CVE-2025-33198 LOW Monitor

NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure, Nvidia Dgx Os | Source: NVD | CVSS 3.1: 3.3 | EPSS: 0.0%
CVE-2025-33196 MEDIUM This Month

NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure, Nvidia Dgx Os | Source: NVD | CVSS 3.1: 4.4 | EPSS: 0.0%
CVE-2025-20622 LOW Monitor

Sensitive information uncleared in resource before release for reuse for some Intel(R) NPU Drivers for Windows before version 32.0.100.4023 within Ring 3: User Applications may allow an information. Rated low severity (CVSS 2.0), this vulnerability is low attack complexity. No vendor patch available.

Intel, Information Disclosure, Microsoft Windows | Source: NVD | CVSS 4.0: 2.0 | EPSS: 0.0%
CVE-2025-2522 MEDIUM This Month

The Honeywell Experion PKS and OneWireless WDM contain a Sensitive Information in Resource vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in buffer reuse which may cause incorrect system behavior. Honeywell also recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1 and 530.1 TCU3 HF1, and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are 520.1 before 520.2 TCU9 HF1 and 530 before 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.

Information Disclosure | Source: NVD | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2025-48066 MEDIUM PATCH This Month

wire-webapp is the web application for the open-source messaging service Wire. Rated medium severity (CVSS 6.0).

Information Disclosure, Wire Webapp | Sources: NVD, GitHub | CVSS 3.1: 6.0 | EPSS: 0.0%