Monthly
Local privilege escalation or denial-of-service in the Linux kernel's RDMA/mlx4 InfiniBand driver stems from improper RCU synchronization in mlx4_srq_event(), where the mlx4_srq structure is never freed via RCU and can be accessed before initialization completes. Local low-privileged users on systems using Mellanox ConnectX (mlx4) RDMA hardware can trigger a race condition leading to memory corruption or kernel crash, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS scores this at just 0.02%, indicating minimal real-world exploitation likelihood.
Denial of service in GNU C Library 2.36 on x86_64 systems occurs when nscd-backed functions trigger a race condition in the optimized memcmp implementation, allowing concurrent thread modification of input data to cause application crashes. This affects any application using NSS caching functionality under high load conditions. No patch is currently available.
Commerce Cloud versions up to 2205 contains a vulnerability that allows attackers to a cart entry being created with erroneous product value which could be checked o (CVSS 5.9).
Outray versions prior to 0.1.5 lack database transaction locking in the subdomain creation API endpoint, allowing authenticated users to bypass rate limits and provision more subdomains than permitted by their service tier. Public exploit code exists for this vulnerability, which affects the quota enforcement mechanism for free plan users. Upgrade to version 0.1.5 or later to remediate.
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XZ Utils provide a general-purpose data-compression library plus command-line tools. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A race condition in Ivanti Application Control Engine before version 10.14.4.0 allows a local authenticated attacker to bypass the application blocking functionality. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. Rated high severity (CVSS 7.0).
A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. Rated medium severity (CVSS 4.7). No vendor patch available.
Local privilege escalation or denial-of-service in the Linux kernel's RDMA/mlx4 InfiniBand driver stems from improper RCU synchronization in mlx4_srq_event(), where the mlx4_srq structure is never freed via RCU and can be accessed before initialization completes. Local low-privileged users on systems using Mellanox ConnectX (mlx4) RDMA hardware can trigger a race condition leading to memory corruption or kernel crash, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS scores this at just 0.02%, indicating minimal real-world exploitation likelihood.
Denial of service in GNU C Library 2.36 on x86_64 systems occurs when nscd-backed functions trigger a race condition in the optimized memcmp implementation, allowing concurrent thread modification of input data to cause application crashes. This affects any application using NSS caching functionality under high load conditions. No patch is currently available.
Commerce Cloud versions up to 2205 contains a vulnerability that allows attackers to a cart entry being created with erroneous product value which could be checked o (CVSS 5.9).
Outray versions prior to 0.1.5 lack database transaction locking in the subdomain creation API endpoint, allowing authenticated users to bypass rate limits and provision more subdomains than permitted by their service tier. Public exploit code exists for this vulnerability, which affects the quota enforcement mechanism for free plan users. Upgrade to version 0.1.5 or later to remediate.
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XZ Utils provide a general-purpose data-compression library plus command-line tools. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A race condition in Ivanti Application Control Engine before version 10.14.4.0 allows a local authenticated attacker to bypass the application blocking functionality. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. Rated high severity (CVSS 7.0).
A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. Rated medium severity (CVSS 4.7). No vendor patch available.