Monthly
Local privilege escalation in the Windows Notification component lets an already-authenticated low-privileged user elevate to higher privileges (SYSTEM) across a broad range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from an incorrect type conversion/cast (CWE-704) and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) with high confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in node-tar prior to 7.5.18 allows unauthenticated network-reachable attackers to crash Node.js processes by submitting crafted tar archives containing all-digit PAX header path or linkpath values. The library incorrectly coerces these string values to JavaScript numbers in src/pax.ts, causing downstream path handling (normalizeWindowsPath(entry.path).split('/')) to throw an uncaught TypeError when it attempts to call a string method on a numeric value. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Denial of service in NI grpc-device 2.17.0 and earlier allows an authenticated remote attacker to crash or destabilize the gRPC server by sending a crafted BeginSidebandStream message containing an out-of-range enum value. The unchecked cast triggers undefined behavior in the server process, with no public exploit identified at time of analysis. The flaw is reported by the vendor and tracked under GHSA-prfr-q8h3-mqxv.
Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) allows remote unauthenticated attackers to crash SSH server processes by sending crafted AES-GCM encrypted packets. An incorrectly placed bytes-to-int cast in the AES-GCM packet decoder triggers a server-side panic when processing well-crafted inputs. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
### Summary free5GC's UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler panics on a single authenticated request against a fresh UDR instance when the supplied `ueId` does not exist in `UESubsCollection`. The processor checks `value, ok := udrSelf.UESubsCollection.Load(ueId)` and sets a `404 USER_NOT_FOUND` problem-details on the miss path, but execution continues and immediately runs `value.(*udr_context.UESubsData)` -- a Go type assertion on a nil interface, which panics with `interface conversion: interface {} is nil, not *context.UESubsData`. Gin recovery converts the panic into `HTTP 500`, but the endpoint remains repeatedly panicable. This is the no-precondition sibling of free5gc/free5gc#919: same handler, same bug pattern (set `pd`, do not return, then dereference), but the panic site is the nil-interface type assertion at line 61 instead of the nil-pointer deref at line 69. No earlier EE-subscription create is required. This endpoint requires a valid `nudr-dr` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding. ### Details Validated against the UDR container in the official Docker compose lab. - Source repo tag: `v4.2.1` - Running Docker image: `free5gc/udr:v4.2.1` - Runtime UDR commit: `754d23b0` - Docker validation date: 2026-03-22 - UDR endpoint: `http://10.100.200.11:8000` Vulnerable handler (the `ok` miss path sets `pd` but does not return; the next line type-asserts the nil interface): ```go subsId := c.Params.ByName("subsId") s.Processor().RemoveAmfSubscriptionsInfoProcedure(c, subsId, ueId) ``` In the processor: ```go value, ok := udrSelf.UESubsCollection.Load(ueId) if !ok { pd = util.ProblemDetailsNotFound("USER_NOT_FOUND") } UESubsData := value.(*udr_context.UESubsData) // panics: nil interface ``` When `ueId` is absent from `UESubsCollection`, `value` is the nil `interface{}` returned by `sync.Map.Load`, and `value.(*udr_context.UESubsData)` panics with: ``` panic: interface conversion: interface {} is nil, not *context.UESubsData ``` Code evidence (paths in `free5gc/udr`): - Route exposure + handler dispatch: - `NFs/udr/internal/sbi/api_datarepository.go:2161` - `NFs/udr/internal/sbi/api_datarepository.go:2170` - `NFs/udr/internal/sbi/api_datarepository.go:2172` - Panic root cause (nil interface type assertion): - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:53` - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:56` - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:61` ### PoC Reproduced end-to-end against the running UDR at `http://10.100.200.11:8000` -- single authenticated request, no preconditions. 1. Restart UDR (clean state -- proves no precondition is needed): ``` docker restart udr ``` 2. Obtain a valid `nudr-dr` token from NRF: ``` curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \ -H 'Content-Type: application/x-www-form-urlencoded' \ --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr' ``` 3. Trigger the panic with one DELETE for a nonexistent `ueId=x`: ``` curl -i -sS -X DELETE \ 'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \ -H 'Authorization: Bearer <valid_nudr_dr_jwt>' ``` ``` HTTP/1.1 500 Internal Server Error Content-Length: 0 ``` 4. UDR container logs (`docker logs udr`) confirm the nil-interface conversion panic at `event_amf_subscription_info_document.go:61` inside `RemoveAmfSubscriptionsInfoProcedure`: ``` [ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure .../event_amf_subscription_info_document.go:61 github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo .../api_datarepository.go:2172 [INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions | ``` ### Impact Incorrect type conversion on a nil interface (CWE-704) inside an authenticated UDR data-repository handler, caused by improper handling of the missing-ueId branch (CWE-754): the handler sets a `404` problem-details value but does not return, then runs a Go type assertion on the nil interface returned by `sync.Map.Load`. This is NOT framed as an auth-bypass finding: the endpoint requires a valid `nudr-dr` OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can: - Trigger a reliable, single-request panic on the `amf-subscriptions` delete route against a fresh UDR (no preparatory state needed -- this is strictly easier than free5gc/free5gc#919). - Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended `404 USER_NOT_FOUND` response would have. No Confidentiality impact (the response is `500` with empty body). No Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running). Affected: free5gc v4.2.1. Upstream issue: https://github.com/free5gc/free5gc/issues/920 Upstream fix: https://github.com/free5gc/udr/pull/60
Apko crashes via denial-of-service when a repository JWKS endpoint returns a non-RSA key due to an unchecked type assertion in the DiscoverKeys function. The vulnerability affects any workflow initializing the APK database and requires user interaction to trigger (e.g., running apko with a malicious repository), with CVSS 6.5 reflecting the availability impact. No patch is currently available, though the issue is confirmed and acknowledged by the apko maintainers.
Remote denial of service in Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a single malformed UDP packet. The vulnerability triggers a fatal SIGBUS signal via misaligned memory access during STUN attribute parsing, requiring no authentication or special configuration. All ARM64 installations of Coturn prior to 4.10.0 are vulnerable to instant process termination. EPSS exploitation probability is not yet available as this is a newly disclosed CVE, but the attack complexity is low (AC:L) and requires no privileges (PR:N), making exploitation trivial once awareness spreads in attacker communities.
Unaligned memory write in OpenEXR DWA decoder causes immediate crashes on ARM/RISC-V architectures and enables potential exploitation on x86 systems via compiler optimization abuse. Affects OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8 when processing DWA/DWAB-compressed EXR files with FLOAT-type channels. Remote attackers can trigger this by convincing users to open malicious EXR files (CVSS 7.1, AV:N/PR:N/UI:R). No public exploit identified at time of analysis, though the technical details are fully disclosed in the GitHub security advisory.
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. [CVSS 6.5 MEDIUM]
Local privilege escalation in the Windows Notification component lets an already-authenticated low-privileged user elevate to higher privileges (SYSTEM) across a broad range of Windows 10, Windows 11, and Windows Server releases. The flaw stems from an incorrect type conversion/cast (CWE-704) and carries a CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) with high confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in node-tar prior to 7.5.18 allows unauthenticated network-reachable attackers to crash Node.js processes by submitting crafted tar archives containing all-digit PAX header path or linkpath values. The library incorrectly coerces these string values to JavaScript numbers in src/pax.ts, causing downstream path handling (normalizeWindowsPath(entry.path).split('/')) to throw an uncaught TypeError when it attempts to call a string method on a numeric value. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Denial of service in NI grpc-device 2.17.0 and earlier allows an authenticated remote attacker to crash or destabilize the gRPC server by sending a crafted BeginSidebandStream message containing an out-of-range enum value. The unchecked cast triggers undefined behavior in the server process, with no public exploit identified at time of analysis. The flaw is reported by the vendor and tracked under GHSA-prfr-q8h3-mqxv.
Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) allows remote unauthenticated attackers to crash SSH server processes by sending crafted AES-GCM encrypted packets. An incorrectly placed bytes-to-int cast in the AES-GCM packet decoder triggers a server-side panic when processing well-crafted inputs. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
### Summary free5GC's UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler panics on a single authenticated request against a fresh UDR instance when the supplied `ueId` does not exist in `UESubsCollection`. The processor checks `value, ok := udrSelf.UESubsCollection.Load(ueId)` and sets a `404 USER_NOT_FOUND` problem-details on the miss path, but execution continues and immediately runs `value.(*udr_context.UESubsData)` -- a Go type assertion on a nil interface, which panics with `interface conversion: interface {} is nil, not *context.UESubsData`. Gin recovery converts the panic into `HTTP 500`, but the endpoint remains repeatedly panicable. This is the no-precondition sibling of free5gc/free5gc#919: same handler, same bug pattern (set `pd`, do not return, then dereference), but the panic site is the nil-interface type assertion at line 61 instead of the nil-pointer deref at line 69. No earlier EE-subscription create is required. This endpoint requires a valid `nudr-dr` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding. ### Details Validated against the UDR container in the official Docker compose lab. - Source repo tag: `v4.2.1` - Running Docker image: `free5gc/udr:v4.2.1` - Runtime UDR commit: `754d23b0` - Docker validation date: 2026-03-22 - UDR endpoint: `http://10.100.200.11:8000` Vulnerable handler (the `ok` miss path sets `pd` but does not return; the next line type-asserts the nil interface): ```go subsId := c.Params.ByName("subsId") s.Processor().RemoveAmfSubscriptionsInfoProcedure(c, subsId, ueId) ``` In the processor: ```go value, ok := udrSelf.UESubsCollection.Load(ueId) if !ok { pd = util.ProblemDetailsNotFound("USER_NOT_FOUND") } UESubsData := value.(*udr_context.UESubsData) // panics: nil interface ``` When `ueId` is absent from `UESubsCollection`, `value` is the nil `interface{}` returned by `sync.Map.Load`, and `value.(*udr_context.UESubsData)` panics with: ``` panic: interface conversion: interface {} is nil, not *context.UESubsData ``` Code evidence (paths in `free5gc/udr`): - Route exposure + handler dispatch: - `NFs/udr/internal/sbi/api_datarepository.go:2161` - `NFs/udr/internal/sbi/api_datarepository.go:2170` - `NFs/udr/internal/sbi/api_datarepository.go:2172` - Panic root cause (nil interface type assertion): - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:53` - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:56` - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:61` ### PoC Reproduced end-to-end against the running UDR at `http://10.100.200.11:8000` -- single authenticated request, no preconditions. 1. Restart UDR (clean state -- proves no precondition is needed): ``` docker restart udr ``` 2. Obtain a valid `nudr-dr` token from NRF: ``` curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \ -H 'Content-Type: application/x-www-form-urlencoded' \ --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr' ``` 3. Trigger the panic with one DELETE for a nonexistent `ueId=x`: ``` curl -i -sS -X DELETE \ 'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \ -H 'Authorization: Bearer <valid_nudr_dr_jwt>' ``` ``` HTTP/1.1 500 Internal Server Error Content-Length: 0 ``` 4. UDR container logs (`docker logs udr`) confirm the nil-interface conversion panic at `event_amf_subscription_info_document.go:61` inside `RemoveAmfSubscriptionsInfoProcedure`: ``` [ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure .../event_amf_subscription_info_document.go:61 github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo .../api_datarepository.go:2172 [INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions | ``` ### Impact Incorrect type conversion on a nil interface (CWE-704) inside an authenticated UDR data-repository handler, caused by improper handling of the missing-ueId branch (CWE-754): the handler sets a `404` problem-details value but does not return, then runs a Go type assertion on the nil interface returned by `sync.Map.Load`. This is NOT framed as an auth-bypass finding: the endpoint requires a valid `nudr-dr` OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can: - Trigger a reliable, single-request panic on the `amf-subscriptions` delete route against a fresh UDR (no preparatory state needed -- this is strictly easier than free5gc/free5gc#919). - Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended `404 USER_NOT_FOUND` response would have. No Confidentiality impact (the response is `500` with empty body). No Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running). Affected: free5gc v4.2.1. Upstream issue: https://github.com/free5gc/free5gc/issues/920 Upstream fix: https://github.com/free5gc/udr/pull/60
Apko crashes via denial-of-service when a repository JWKS endpoint returns a non-RSA key due to an unchecked type assertion in the DiscoverKeys function. The vulnerability affects any workflow initializing the APK database and requires user interaction to trigger (e.g., running apko with a malicious repository), with CVSS 6.5 reflecting the availability impact. No patch is currently available, though the issue is confirmed and acknowledged by the apko maintainers.
Remote denial of service in Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a single malformed UDP packet. The vulnerability triggers a fatal SIGBUS signal via misaligned memory access during STUN attribute parsing, requiring no authentication or special configuration. All ARM64 installations of Coturn prior to 4.10.0 are vulnerable to instant process termination. EPSS exploitation probability is not yet available as this is a newly disclosed CVE, but the attack complexity is low (AC:L) and requires no privileges (PR:N), making exploitation trivial once awareness spreads in attacker communities.
Unaligned memory write in OpenEXR DWA decoder causes immediate crashes on ARM/RISC-V architectures and enables potential exploitation on x86 systems via compiler optimization abuse. Affects OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8 when processing DWA/DWAB-compressed EXR files with FLOAT-type channels. Remote attackers can trigger this by convincing users to open malicious EXR files (CVSS 7.1, AV:N/PR:N/UI:R). No public exploit identified at time of analysis, though the technical details are fully disclosed in the GitHub security advisory.
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. [CVSS 6.5 MEDIUM]