Monthly
Local integrity modification in iccDEV prior to version 2.3.1.6 affects the CIccCLUT::Iterate() function and CLUT dumping output in CIccMBB::Describe(), allowing local attackers without privileges to alter ICC color profile data integrity. The vulnerability requires local access and produces incorrect LUT (Look-Up Table) dump output that could compromise color management workflows relying on accurate profile representation.
A use-after-return vulnerability in ISC BIND 9's SIG(0) DNS query handler allows an attacker with low-level authentication privileges to manipulate ACL matching logic, potentially bypassing default-allow access controls and gaining unauthorized access to DNS services. The vulnerability affects BIND 9 versions 9.20.0-9.20.20, 9.21.0-9.21.19, and their security branches (9.20.9-S1-9.20.20-S1), while older stable releases (9.18.x) are unaffected. Vendor patches are available, and the moderate CVSS 5.4 score reflects limited technical impact when ACLs are properly configured with fail-secure defaults.
Memory corruption when BTFM client sends new messages over Slimbus to ADSP. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
A race condition leading to a stack use-after-free flaw was found in libvirt. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
An out-of-bounds write vulnerability exists in the OpenImageIO::add_exif_item_to_spec functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Local integrity modification in iccDEV prior to version 2.3.1.6 affects the CIccCLUT::Iterate() function and CLUT dumping output in CIccMBB::Describe(), allowing local attackers without privileges to alter ICC color profile data integrity. The vulnerability requires local access and produces incorrect LUT (Look-Up Table) dump output that could compromise color management workflows relying on accurate profile representation.
A use-after-return vulnerability in ISC BIND 9's SIG(0) DNS query handler allows an attacker with low-level authentication privileges to manipulate ACL matching logic, potentially bypassing default-allow access controls and gaining unauthorized access to DNS services. The vulnerability affects BIND 9 versions 9.20.0-9.20.20, 9.21.0-9.21.19, and their security branches (9.20.9-S1-9.20.20-S1), while older stable releases (9.18.x) are unaffected. Vendor patches are available, and the moderate CVSS 5.4 score reflects limited technical impact when ACLs are properly configured with fail-secure defaults.
Memory corruption when BTFM client sends new messages over Slimbus to ADSP. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
A race condition leading to a stack use-after-free flaw was found in libvirt. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
An out-of-bounds write vulnerability exists in the OpenImageIO::add_exif_item_to_spec functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.