Linux
Monthly
The Linux kernel's romfs filesystem fails to validate the return value of sb_set_blocksize(), allowing a local attacker with user privileges to trigger a denial of service by mounting a romfs image on a loop device configured with an incompatible block size. Public exploit code exists for this vulnerability. The flaw causes the filesystem to proceed with an invalid superblock configuration, potentially leading to system crashes or filesystem corruption.
The Linux kernel's Classmate laptop driver lacks NULL pointer checks in sysfs attribute handlers, allowing local users to trigger a denial of service by accessing device attributes before driver initialization completes. A premature sysfs access can cause the driver to dereference a NULL pointer when retrieving uninitialized device data, crashing the affected system.
The Linux kernel fbdev smscufx driver fails to properly copy user-supplied data to kernel memory in the UFX_IOCTL_REPORT_DAMAGE ioctl handler, instead directly referencing userspace memory which can be manipulated or invalidated. A local attacker with appropriate privileges can exploit this to cause a denial of service by triggering kernel memory access violations or crashes. No patch is currently available for this medium-severity vulnerability.
Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.
A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.
F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.
A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables chain registration allows local attackers with user privileges to trigger memory corruption and cause a denial of service, potentially leading to privilege escalation. The flaw occurs when hook registration fails during chain addition, allowing concurrent operations to access freed memory without proper RCU synchronization. The vulnerability affects systems running vulnerable Linux kernels with netfilter enabled, and no patch is currently available.
Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authenticated users with restricted privileges to enumerate all certificate fingerprints trusted by the server. Public exploit code exists for this vulnerability. While this enables information disclosure with limited impact, it could facilitate further attacks by revealing trust relationships on the system.
A vulnerability was determined in YosysHQ yosy versions up to 0.62. is affected by buffer overflow (CVSS 3.3).
Blind SQL injection in Centreon Web's Service Dependencies module allows authenticated attackers to extract sensitive database information through unsanitized array keys in deletion requests. This vulnerability affects Centreon Web versions before 25.10.8, 24.10.20, and 24.04.24 on Linux systems, requiring valid credentials but no user interaction to exploit. No patch is currently available, leaving affected deployments vulnerable to database reconnaissance and potential data exfiltration.
Inetutils versions up to 2.7 is affected by inclusion of functionality from untrusted control sphere (CVSS 7.4).
Junrar versions prior to 7.5.8 contain a path traversal vulnerability in LocalFolderExtractor that allows attackers to write arbitrary files to the filesystem when processing malicious RAR archives on Linux/Unix systems. Public exploit code exists for this vulnerability, which can facilitate remote code execution through file overwrite attacks such as modifying shell profiles or cron jobs. Users should upgrade to version 7.5.8 or later to remediate this issue.
Unauthenticated remote code execution in Ajenti server admin panel before 2.2.13. Unauthenticated users can gain full server access. Patch available.
NetExec's spider_plus module prior to version 1.5.1 fails to sanitize path traversal characters in SMB share filenames, allowing remote attackers to write or overwrite arbitrary files on Linux systems when the DOWNLOAD feature is enabled. The vulnerability requires user interaction to trigger the malicious SMB share crawl and currently has no available patch. Organizations using NetExec should disable the DOWNLOAD=true option as a temporary mitigation.
Improper SNMP request parsing in Cisco Nexus 9000 Series switches running ACI mode allows authenticated remote attackers to trigger kernel panics and device reloads by sending specially crafted queries to specific MIBs. An attacker with valid SNMP read-only community credentials can exploit this vulnerability across SNMP versions 1, 2c, and 3 to achieve denial of service. No patch is currently available for this vulnerability.
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 7.3 HIGH]
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 8.0 HIGH]
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could run an unauthorized command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 8.0 HIGH]
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
Local privilege escalation via out-of-bounds memory read in Docker Desktop's grpcfuse kernel module (versions up to 4.61.0) on Linux, Windows, and macOS allows authenticated local attackers to achieve complete system compromise through manipulation of /proc/docker entries. The vulnerability requires local access and valid user credentials but enables reading and modifying arbitrary kernel memory with high impact on confidentiality, integrity, and availability. Docker Desktop 4.62.0 and later resolve this issue.
Prototype pollution in Swiper versions 6.5.1 through 12.1.1 allows local authenticated attackers to manipulate Object.prototype through improperly validated user input, enabling authentication bypass, denial of service, and remote code execution. Public exploit code exists for this vulnerability, which affects applications on Linux and Windows using Node.js or Bun runtimes. A patch is available and should be applied immediately to affected systems processing untrusted input.
Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.
Missing authorization in Acronis Cyber Protect 16 allows sensitive data access. CVSS 10.0.
Second improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
Improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
Missing authentication in Acronis Cyber Protect Cloud Agent (Linux, Windows, macOS).
emp3r0r C2 framework versions prior to 3.21.2 crash due to unsynchronized concurrent map access in Go goroutines, allowing attackers with network access to trigger denial of service against the C2 infrastructure. Public exploit code exists for this vulnerability. The issue is resolved in version 3.21.2 and later.
Remote code execution in Microsoft Semantic Kernel Python SDK before 1.39.4. Code injection in the AI orchestration framework. Patch available.
The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappings, I/O ports, BPF and kprobes. [CVSS 7.7 HIGH]
Linux kernel SMB client denial of service vulnerability caused by concurrent bitfield updates in the cached_fid structure that can corrupt flag states through read-modify-write races. A local attacker with standard privileges can trigger this race condition to cause availability disruptions by forcing inconsistent flag states in cached file handle management. No patch is currently available for this medium-severity issue.
The Linux kernel's virtio-crypto driver lacks proper synchronization when handling virtqueue notifications from multiple processes, causing data corruption and system hangs when processing cryptographic operations concurrently. Local attackers with user privileges can trigger denial of service by running parallel crypto workloads, as demonstrated through multi-process OpenSSL benchmarks that expose race conditions in the virtcrypto_done_task() handler. No patch is currently available for this medium-severity vulnerability affecting systems running virtio-crypto with builtin backends.
The Linux kernel ksmbd server leaks the active_num_conn counter when kthread_run() fails during TCP connection initialization, allowing local authenticated users to exhaust connection tracking resources and cause a denial of service. The vulnerability stems from improper cleanup that fails to decrement the counter when freeing the transport structure. No patch is currently available for this medium-severity issue.
The Exynos Virtual Display driver in the Linux kernel lacks proper synchronization when allocating and freeing memory structures, enabling use-after-free conditions through race conditions between concurrent operations. A local attacker with unprivileged access can exploit this vulnerability to cause memory corruption or achieve information disclosure by manipulating display connector operations. No patch is currently available for this high-severity vulnerability affecting Linux systems with Samsung Exynos graphics hardware.
The Linux kernel ksmbd subsystem contains a use-after-free vulnerability in multi-channel session handling due to missing synchronization on the ksmbd_chann_list xarray, allowing a local attacker with user privileges to cause memory corruption and potentially execute arbitrary code. The vulnerability affects the channel lookup and deletion operations between multiple concurrent sessions. A patch is available to add proper locking mechanisms to protect xarray access.
In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Don't assume CID is CPU owned on mode switch Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code.
The Linux kernel erofs file system contains a use-after-free vulnerability in direct I/O file-backed mount operations that allows local attackers with user privileges to cause memory corruption and potentially achieve code execution or denial of service. The vulnerability occurs when accessing files through the directio option, where freed memory is subsequently accessed during I/O operations. A patch is not currently available, making this a critical concern for systems running affected Linux kernel versions.
Use-after-free vulnerability in Linux kernel XFS subsystem allows local attackers with unprivileged access to cause memory corruption and potential privilege escalation through improper pointer dereferencing in the btree block owner checking function. The flaw stems from attempting to access freed memory due to incorrect temporal ordering of operations when determining cursor aliases. This vulnerability affects all Linux systems using XFS and currently lacks a patch.
Memory allocation errors in the Linux kernel's OMAP crypto driver cause scatterlist objects to be undersized by 4x, enabling local authenticated attackers to trigger denial of service conditions through memory corruption. An attacker with local access and user-level privileges can exploit this miscalculation to crash the system or cause unpredictable kernel behavior. No patch is currently available for this vulnerability.
The Linux kernel's fsl-mc bus driver contains a use-after-free vulnerability in the driver_override_show() function that reads device configuration without proper locking, allowing a local privileged user to trigger memory corruption by concurrently modifying the same data. This vulnerability affects Linux systems running vulnerable kernel versions and could enable local denial of service or potential privilege escalation through heap memory manipulation. No patch is currently available for this issue.
The Linux kernel's ksmbd SMB server implementation contains a denial-of-service vulnerability where failed signature verification on chained SMB2 requests causes an infinite loop due to improper state reset. A local or authenticated attacker can trigger this condition by sending a malformed signed request, causing the ksmbd process to hang and become unresponsive.
In the Linux kernel, the following vulnerability has been resolved: nilfs2: Fix potential block overflow that cause system hang When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Validate sp before freeing associated memory System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc().
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.
In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.
In the Linux kernel, the following vulnerability has been resolved: hfs: ensure sb->s_fs_info is always cleaned up When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.
Memory allocation profiling in the Linux kernel fails to properly clear allocation tags during abort operations when CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, allowing a local privileged user to trigger a denial of service through kernel warnings and potential system instability. The vulnerability affects the slab memory allocator's interaction with memcg abort handling and requires local access with elevated privileges to exploit. No patch is currently available for this medium-severity issue.
A null pointer dereference in the Linux kernel's loongson-64bit GPIO driver allows local attackers with user privileges to cause a denial of service through an incorrect NULL check that fails to validate chip->irq.parents after memory allocation. The vulnerability affects Linux systems with Loongson GPIO hardware and requires no user interaction to trigger. No patch is currently available.
A deadlock vulnerability in the Linux kernel's RISC-V tracing subsystem allows local users with tracing privileges to hang the system by enabling ftrace snapshots on __sbi_ecall functions, causing recursive IPI interrupts that trigger infinite snapshot loops. This issue is particularly easy to exploit on RISC-V systems lacking the SSTC extension, where timer events automatically invoke SBI ecalls. The vulnerability requires local access and is only exploitable if tracing is enabled, making it a denial of service vector for systems with active kernel tracing.
A use-after-free vulnerability in the Linux kernel's iSCSI target implementation allows local attackers with low privileges to cause memory corruption and potential denial of service by exploiting a race condition in the connection usage counting mechanism. The flaw occurs when a spinlock is released after calling complete(), allowing a waiting thread to free the connection structure before the current thread finishes its unlock operation. No patch is currently available for this vulnerability.
The Linux kernel's VMware hypercall implementation improperly handles register state during mouse events, allowing local attackers with user privileges to trigger a denial of service through a kernel panic via crafted input to the vmmouse driver. The vulnerability stems from incomplete register preservation when the QEMU VMware mouse emulation clears the upper 32 bits of CPU registers containing kernel pointers. No patch is currently available for this medium-severity issue affecting Linux systems running on VMware or QEMU with vmmouse support.
A denial of service vulnerability in the Linux kernel's btrfs filesystem allows local users with standard privileges to cause a system crash by triggering transaction aborts on read-only mounted filesystems. An attacker can exploit this by mounting a malformed btrfs filesystem with rescue options, causing the kernel to abort transactions with error handling failures during unmount. No patch is currently available for this medium-severity vulnerability.
AMD GPU drivers on Linux systems fail to prevent MMIO register access during SMU Mode 1 reset, allowing incomplete PCIe transactions that can trigger NMI panics or system hangs. A local attacker with driver interaction capabilities could exploit this to cause a denial of service by accessing registers while the device is offline. The vulnerability affects Linux kernel implementations with AMD PM functionality and currently lacks an available patch.
A data-race condition in the Linux kernel bonding driver's slave->last_rx field can be accessed without proper synchronization, potentially causing a denial of service on systems using bonded network interfaces. Local attackers with limited privileges can trigger the race condition to cause system instability or crashes. A patch is not currently available, and exploitation requires specific timing conditions.
Linux kernel swap handling can cause a kernel panic under heavy memory pressure when arch_prepare_to_swap fails due to read-only swap address space restrictions introduced in a prior commit. A local attacker with user privileges can trigger this denial of service condition during memory reclamation operations. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g.
In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed.
HPE Aruba Networking ClearPass OnGuard Software for Linux contains a local privilege escalation vulnerability that allows authenticated users to execute arbitrary code with root privileges. The flaw requires local access and no user interaction, making it exploitable by any local account on an affected system. No patch is currently available to remediate this issue.
IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack. [CVSS 6.5 MEDIUM]
Db2 Merge Backup versions up to 12.1.0.0 is affected by incorrect calculation of buffer size (CVSS 6.5).
Db2 Recovery Expert versions up to 5.5.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).
Db2 Recovery Expert versions up to 5.5.0 is affected by cleartext transmission of sensitive information (CVSS 5.9).
Db2 Recovery Expert versions up to 5.5.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).
Db2 Merge Backup versions up to 12.1.0.0 contains a vulnerability that allows attackers to access sensitive information in memory due to the buffer not properly clearing r (CVSS 5.5).
Db2 versions up to 12.1.3 contains a vulnerability that allows attackers to an authenticated user to obtain sensitive information under specific HADR config (CVSS 5.3).
Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).
Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to improper neutralizatio (CVSS 6.5).
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic
Hardcoded OS credentials in Glory RBG-100 cash recycler systems using ISPK-08 software component. Physical cash handling equipment ships with known default credentials enabling complete system takeover.
The system suffers from the absence of a kernel module signature verification. If an attacker can execute commands on behalf of root user (due to additional vulnerabilities), then he/she is also able to load custom kernel modules to the kernel space and execute code in the kernel context. [CVSS 6.7 MEDIUM]
The Linux kernel's ice driver contains a race condition in PTP (Precision Time Protocol) handling where periodic work can execute while the Virtual Station Interface (VSI) is being rebuilt, causing a NULL pointer dereference when accessing rx_rings. A local attacker with low privileges can trigger this vulnerability to cause a denial of service by crashing the kernel. No patch is currently available for this medium-severity vulnerability.
Local privilege escalation in the Linux kernel macvlan driver allows a local attacker with user privileges to cause memory corruption and kernel crashes through improper error handling in macvlan_common_newlink(). The vulnerability stems from a use-after-free condition when macvlan link creation fails during device registration, enabling denial of service and potential privilege escalation on affected systems.
A buffer overflow in the Linux kernel's ALSA USB audio driver allows local attackers with user privileges to write beyond allocated URB buffers by crafting malicious audio parameters with mismatched packet sizes and frame counts. An attacker can trigger out-of-bounds memory corruption, potentially achieving privilege escalation or denial of service. No patch is currently available for this vulnerability.
The Tegra210-QSPI driver in the Linux kernel is vulnerable to a race condition where an unprotected NULL pointer check in the interrupt handler can be exploited by a local attacker with low privileges to cause a denial of service through kernel panic. The vulnerability occurs when the timeout path clears the curr_xfer pointer while the ISR thread is simultaneously accessing it, resulting in a NULL dereference. A patch is available to resolve this issue by properly synchronizing access with spinlock protection.
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count.
A memory leak in the Linux kernel's SMB/CIFS client implementation allows local attackers with unprivileged access to exhaust kernel memory and cause a denial of service by triggering failed file operations on read-only mounted shares. An attacker can exploit this by repeatedly attempting to write files to a read-only CIFS mount, causing memory allocated for SMB requests to not be properly freed. The vulnerability persists until the cifs kernel module is unloaded, and currently lacks a public patch.
The Linux kernel's u32 traffic classifier fails to properly validate negative offset values in skb_header_pointer(), allowing local attackers with low privileges to trigger out-of-bounds memory reads and cause denial of service. This vulnerability affects the network scheduling subsystem and requires local access to exploit, with no currently available patch.
In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations.
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress.
In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`.
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route.
In the Linux kernel, the following vulnerability has been resolved: procfs: avoid fetching build ID while holding VMA lock Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock or per-VMA lock, whichever was used to lock VMA under question, to avoid deadlock reported by syzbot: -> #1 (&mm->mmap_lock){++++}-{4:4}: __might_fault+0xed/0x170 _copy_to_iter+0x118/0x1720 copy_page_to_iter+0x12d/0x1e0 filemap_read+0x720/0x10a0 blkdev_read_iter+0x2b5/0x4e0 vfs_read+0x7f4/0xae0 ksys_read+0x12a/0x250 do_syscall_64+0xcb/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&sb->s_type->i_mutex_key#8){++++}-{4:4}: __lock_acquire+0x1509/0x26d0 lock_acquire+0x185/0x340 down_read+0x98/0x490 blkdev_read_iter+0x2a7/0x4e0 __kernel_read+0x39a/0xa90 freader_fetch+0x1d5/0xa80 __build_id_parse.isra.0+0xea/0x6a0 do_procmap_query+0xd75/0x1050 procfs_procmap_ioctl+0x7a/0xb0 __x64_sys_ioctl+0x18e/0x210 do_syscall_64+0xcb/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(&mm->mmap_lock); lock(&sb->s_type->i_mutex_key#8); lock(&mm->mmap_lock); rlock(&sb->s_type->i_mutex_key#8); *** DEADLOCK *** This seems to be exacerbated (as we haven't seen these syzbot reports before that) by the recent: 777a8560fd29 ("lib/buildid: use __kernel_read() for sleepable context") To make this safe, we need to grab file refcount while VMA is still locked, but other than that everything is pretty straightforward.
In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.
In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED.
In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.
The Linux kernel's romfs filesystem fails to validate the return value of sb_set_blocksize(), allowing a local attacker with user privileges to trigger a denial of service by mounting a romfs image on a loop device configured with an incompatible block size. Public exploit code exists for this vulnerability. The flaw causes the filesystem to proceed with an invalid superblock configuration, potentially leading to system crashes or filesystem corruption.
The Linux kernel's Classmate laptop driver lacks NULL pointer checks in sysfs attribute handlers, allowing local users to trigger a denial of service by accessing device attributes before driver initialization completes. A premature sysfs access can cause the driver to dereference a NULL pointer when retrieving uninitialized device data, crashing the affected system.
The Linux kernel fbdev smscufx driver fails to properly copy user-supplied data to kernel memory in the UFX_IOCTL_REPORT_DAMAGE ioctl handler, instead directly referencing userspace memory which can be manipulated or invalidated. A local attacker with appropriate privileges can exploit this to cause a denial of service by triggering kernel memory access violations or crashes. No patch is currently available for this medium-severity vulnerability.
Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.
A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.
F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.
A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables chain registration allows local attackers with user privileges to trigger memory corruption and cause a denial of service, potentially leading to privilege escalation. The flaw occurs when hook registration fails during chain addition, allowing concurrent operations to access freed memory without proper RCU synchronization. The vulnerability affects systems running vulnerable Linux kernels with netfilter enabled, and no patch is currently available.
Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authenticated users with restricted privileges to enumerate all certificate fingerprints trusted by the server. Public exploit code exists for this vulnerability. While this enables information disclosure with limited impact, it could facilitate further attacks by revealing trust relationships on the system.
A vulnerability was determined in YosysHQ yosy versions up to 0.62. is affected by buffer overflow (CVSS 3.3).
Blind SQL injection in Centreon Web's Service Dependencies module allows authenticated attackers to extract sensitive database information through unsanitized array keys in deletion requests. This vulnerability affects Centreon Web versions before 25.10.8, 24.10.20, and 24.04.24 on Linux systems, requiring valid credentials but no user interaction to exploit. No patch is currently available, leaving affected deployments vulnerable to database reconnaissance and potential data exfiltration.
Inetutils versions up to 2.7 is affected by inclusion of functionality from untrusted control sphere (CVSS 7.4).
Junrar versions prior to 7.5.8 contain a path traversal vulnerability in LocalFolderExtractor that allows attackers to write arbitrary files to the filesystem when processing malicious RAR archives on Linux/Unix systems. Public exploit code exists for this vulnerability, which can facilitate remote code execution through file overwrite attacks such as modifying shell profiles or cron jobs. Users should upgrade to version 7.5.8 or later to remediate this issue.
Unauthenticated remote code execution in Ajenti server admin panel before 2.2.13. Unauthenticated users can gain full server access. Patch available.
NetExec's spider_plus module prior to version 1.5.1 fails to sanitize path traversal characters in SMB share filenames, allowing remote attackers to write or overwrite arbitrary files on Linux systems when the DOWNLOAD feature is enabled. The vulnerability requires user interaction to trigger the malicious SMB share crawl and currently has no available patch. Organizations using NetExec should disable the DOWNLOAD=true option as a temporary mitigation.
Improper SNMP request parsing in Cisco Nexus 9000 Series switches running ACI mode allows authenticated remote attackers to trigger kernel panics and device reloads by sending specially crafted queries to specific MIBs. An attacker with valid SNMP read-only community credentials can exploit this vulnerability across SNMP versions 1, 2c, and 3 to achieve denial of service. No patch is currently available for this vulnerability.
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 7.3 HIGH]
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 8.0 HIGH]
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could run an unauthorized command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 8.0 HIGH]
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
Local privilege escalation via out-of-bounds memory read in Docker Desktop's grpcfuse kernel module (versions up to 4.61.0) on Linux, Windows, and macOS allows authenticated local attackers to achieve complete system compromise through manipulation of /proc/docker entries. The vulnerability requires local access and valid user credentials but enables reading and modifying arbitrary kernel memory with high impact on confidentiality, integrity, and availability. Docker Desktop 4.62.0 and later resolve this issue.
Prototype pollution in Swiper versions 6.5.1 through 12.1.1 allows local authenticated attackers to manipulate Object.prototype through improperly validated user input, enabling authentication bypass, denial of service, and remote code execution. Public exploit code exists for this vulnerability, which affects applications on Linux and Windows using Node.js or Bun runtimes. A patch is available and should be applied immediately to affected systems processing untrusted input.
Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.
Missing authorization in Acronis Cyber Protect 16 allows sensitive data access. CVSS 10.0.
Second improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
Improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
Missing authentication in Acronis Cyber Protect Cloud Agent (Linux, Windows, macOS).
emp3r0r C2 framework versions prior to 3.21.2 crash due to unsynchronized concurrent map access in Go goroutines, allowing attackers with network access to trigger denial of service against the C2 infrastructure. Public exploit code exists for this vulnerability. The issue is resolved in version 3.21.2 and later.
Remote code execution in Microsoft Semantic Kernel Python SDK before 1.39.4. Code injection in the AI orchestration framework. Patch available.
The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such kernel memory mappings, I/O ports, BPF and kprobes. [CVSS 7.7 HIGH]
Linux kernel SMB client denial of service vulnerability caused by concurrent bitfield updates in the cached_fid structure that can corrupt flag states through read-modify-write races. A local attacker with standard privileges can trigger this race condition to cause availability disruptions by forcing inconsistent flag states in cached file handle management. No patch is currently available for this medium-severity issue.
The Linux kernel's virtio-crypto driver lacks proper synchronization when handling virtqueue notifications from multiple processes, causing data corruption and system hangs when processing cryptographic operations concurrently. Local attackers with user privileges can trigger denial of service by running parallel crypto workloads, as demonstrated through multi-process OpenSSL benchmarks that expose race conditions in the virtcrypto_done_task() handler. No patch is currently available for this medium-severity vulnerability affecting systems running virtio-crypto with builtin backends.
The Linux kernel ksmbd server leaks the active_num_conn counter when kthread_run() fails during TCP connection initialization, allowing local authenticated users to exhaust connection tracking resources and cause a denial of service. The vulnerability stems from improper cleanup that fails to decrement the counter when freeing the transport structure. No patch is currently available for this medium-severity issue.
The Exynos Virtual Display driver in the Linux kernel lacks proper synchronization when allocating and freeing memory structures, enabling use-after-free conditions through race conditions between concurrent operations. A local attacker with unprivileged access can exploit this vulnerability to cause memory corruption or achieve information disclosure by manipulating display connector operations. No patch is currently available for this high-severity vulnerability affecting Linux systems with Samsung Exynos graphics hardware.
The Linux kernel ksmbd subsystem contains a use-after-free vulnerability in multi-channel session handling due to missing synchronization on the ksmbd_chann_list xarray, allowing a local attacker with user privileges to cause memory corruption and potentially execute arbitrary code. The vulnerability affects the channel lookup and deletion operations between multiple concurrent sessions. A patch is available to add proper locking mechanisms to protect xarray access.
In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Don't assume CID is CPU owned on mode switch Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code.
The Linux kernel erofs file system contains a use-after-free vulnerability in direct I/O file-backed mount operations that allows local attackers with user privileges to cause memory corruption and potentially achieve code execution or denial of service. The vulnerability occurs when accessing files through the directio option, where freed memory is subsequently accessed during I/O operations. A patch is not currently available, making this a critical concern for systems running affected Linux kernel versions.
Use-after-free vulnerability in Linux kernel XFS subsystem allows local attackers with unprivileged access to cause memory corruption and potential privilege escalation through improper pointer dereferencing in the btree block owner checking function. The flaw stems from attempting to access freed memory due to incorrect temporal ordering of operations when determining cursor aliases. This vulnerability affects all Linux systems using XFS and currently lacks a patch.
Memory allocation errors in the Linux kernel's OMAP crypto driver cause scatterlist objects to be undersized by 4x, enabling local authenticated attackers to trigger denial of service conditions through memory corruption. An attacker with local access and user-level privileges can exploit this miscalculation to crash the system or cause unpredictable kernel behavior. No patch is currently available for this vulnerability.
The Linux kernel's fsl-mc bus driver contains a use-after-free vulnerability in the driver_override_show() function that reads device configuration without proper locking, allowing a local privileged user to trigger memory corruption by concurrently modifying the same data. This vulnerability affects Linux systems running vulnerable kernel versions and could enable local denial of service or potential privilege escalation through heap memory manipulation. No patch is currently available for this issue.
The Linux kernel's ksmbd SMB server implementation contains a denial-of-service vulnerability where failed signature verification on chained SMB2 requests causes an infinite loop due to improper state reset. A local or authenticated attacker can trigger this condition by sending a malformed signed request, causing the ksmbd process to hang and become unresponsive.
In the Linux kernel, the following vulnerability has been resolved: nilfs2: Fix potential block overflow that cause system hang When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Validate sp before freeing associated memory System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc().
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.
In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned.
In the Linux kernel, the following vulnerability has been resolved: hfs: ensure sb->s_fs_info is always cleaned up When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.
Memory allocation profiling in the Linux kernel fails to properly clear allocation tags during abort operations when CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, allowing a local privileged user to trigger a denial of service through kernel warnings and potential system instability. The vulnerability affects the slab memory allocator's interaction with memcg abort handling and requires local access with elevated privileges to exploit. No patch is currently available for this medium-severity issue.
A null pointer dereference in the Linux kernel's loongson-64bit GPIO driver allows local attackers with user privileges to cause a denial of service through an incorrect NULL check that fails to validate chip->irq.parents after memory allocation. The vulnerability affects Linux systems with Loongson GPIO hardware and requires no user interaction to trigger. No patch is currently available.
A deadlock vulnerability in the Linux kernel's RISC-V tracing subsystem allows local users with tracing privileges to hang the system by enabling ftrace snapshots on __sbi_ecall functions, causing recursive IPI interrupts that trigger infinite snapshot loops. This issue is particularly easy to exploit on RISC-V systems lacking the SSTC extension, where timer events automatically invoke SBI ecalls. The vulnerability requires local access and is only exploitable if tracing is enabled, making it a denial of service vector for systems with active kernel tracing.
A use-after-free vulnerability in the Linux kernel's iSCSI target implementation allows local attackers with low privileges to cause memory corruption and potential denial of service by exploiting a race condition in the connection usage counting mechanism. The flaw occurs when a spinlock is released after calling complete(), allowing a waiting thread to free the connection structure before the current thread finishes its unlock operation. No patch is currently available for this vulnerability.
The Linux kernel's VMware hypercall implementation improperly handles register state during mouse events, allowing local attackers with user privileges to trigger a denial of service through a kernel panic via crafted input to the vmmouse driver. The vulnerability stems from incomplete register preservation when the QEMU VMware mouse emulation clears the upper 32 bits of CPU registers containing kernel pointers. No patch is currently available for this medium-severity issue affecting Linux systems running on VMware or QEMU with vmmouse support.
A denial of service vulnerability in the Linux kernel's btrfs filesystem allows local users with standard privileges to cause a system crash by triggering transaction aborts on read-only mounted filesystems. An attacker can exploit this by mounting a malformed btrfs filesystem with rescue options, causing the kernel to abort transactions with error handling failures during unmount. No patch is currently available for this medium-severity vulnerability.
AMD GPU drivers on Linux systems fail to prevent MMIO register access during SMU Mode 1 reset, allowing incomplete PCIe transactions that can trigger NMI panics or system hangs. A local attacker with driver interaction capabilities could exploit this to cause a denial of service by accessing registers while the device is offline. The vulnerability affects Linux kernel implementations with AMD PM functionality and currently lacks an available patch.
A data-race condition in the Linux kernel bonding driver's slave->last_rx field can be accessed without proper synchronization, potentially causing a denial of service on systems using bonded network interfaces. Local attackers with limited privileges can trigger the race condition to cause system instability or crashes. A patch is not currently available, and exploitation requires specific timing conditions.
Linux kernel swap handling can cause a kernel panic under heavy memory pressure when arch_prepare_to_swap fails due to read-only swap address space restrictions introduced in a prior commit. A local attacker with user privileges can trigger this denial of service condition during memory reclamation operations. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g.
In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed.
HPE Aruba Networking ClearPass OnGuard Software for Linux contains a local privilege escalation vulnerability that allows authenticated users to execute arbitrary code with root privileges. The flaw requires local access and no user interaction, making it exploitable by any local account on an affected system. No patch is currently available to remediate this issue.
IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack. [CVSS 6.5 MEDIUM]
Db2 Merge Backup versions up to 12.1.0.0 is affected by incorrect calculation of buffer size (CVSS 6.5).
Db2 Recovery Expert versions up to 5.5.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).
Db2 Recovery Expert versions up to 5.5.0 is affected by cleartext transmission of sensitive information (CVSS 5.9).
Db2 Recovery Expert versions up to 5.5.0 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).
Db2 Merge Backup versions up to 12.1.0.0 contains a vulnerability that allows attackers to access sensitive information in memory due to the buffer not properly clearing r (CVSS 5.5).
Db2 versions up to 12.1.3 contains a vulnerability that allows attackers to an authenticated user to obtain sensitive information under specific HADR config (CVSS 5.3).
Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).
Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to improper neutralizatio (CVSS 6.5).
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic
Hardcoded OS credentials in Glory RBG-100 cash recycler systems using ISPK-08 software component. Physical cash handling equipment ships with known default credentials enabling complete system takeover.
The system suffers from the absence of a kernel module signature verification. If an attacker can execute commands on behalf of root user (due to additional vulnerabilities), then he/she is also able to load custom kernel modules to the kernel space and execute code in the kernel context. [CVSS 6.7 MEDIUM]
The Linux kernel's ice driver contains a race condition in PTP (Precision Time Protocol) handling where periodic work can execute while the Virtual Station Interface (VSI) is being rebuilt, causing a NULL pointer dereference when accessing rx_rings. A local attacker with low privileges can trigger this vulnerability to cause a denial of service by crashing the kernel. No patch is currently available for this medium-severity vulnerability.
Local privilege escalation in the Linux kernel macvlan driver allows a local attacker with user privileges to cause memory corruption and kernel crashes through improper error handling in macvlan_common_newlink(). The vulnerability stems from a use-after-free condition when macvlan link creation fails during device registration, enabling denial of service and potential privilege escalation on affected systems.
A buffer overflow in the Linux kernel's ALSA USB audio driver allows local attackers with user privileges to write beyond allocated URB buffers by crafting malicious audio parameters with mismatched packet sizes and frame counts. An attacker can trigger out-of-bounds memory corruption, potentially achieving privilege escalation or denial of service. No patch is currently available for this vulnerability.
The Tegra210-QSPI driver in the Linux kernel is vulnerable to a race condition where an unprotected NULL pointer check in the interrupt handler can be exploited by a local attacker with low privileges to cause a denial of service through kernel panic. The vulnerability occurs when the timeout path clears the curr_xfer pointer while the ISR thread is simultaneously accessing it, resulting in a NULL dereference. A patch is available to resolve this issue by properly synchronizing access with spinlock protection.
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count.
A memory leak in the Linux kernel's SMB/CIFS client implementation allows local attackers with unprivileged access to exhaust kernel memory and cause a denial of service by triggering failed file operations on read-only mounted shares. An attacker can exploit this by repeatedly attempting to write files to a read-only CIFS mount, causing memory allocated for SMB requests to not be properly freed. The vulnerability persists until the cifs kernel module is unloaded, and currently lacks a public patch.
The Linux kernel's u32 traffic classifier fails to properly validate negative offset values in skb_header_pointer(), allowing local attackers with low privileges to trigger out-of-bounds memory reads and cause denial of service. This vulnerability affects the network scheduling subsystem and requires local access to exploit, with no currently available patch.
In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations.
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress.
In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`.
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route.
In the Linux kernel, the following vulnerability has been resolved: procfs: avoid fetching build ID while holding VMA lock Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock or per-VMA lock, whichever was used to lock VMA under question, to avoid deadlock reported by syzbot: -> #1 (&mm->mmap_lock){++++}-{4:4}: __might_fault+0xed/0x170 _copy_to_iter+0x118/0x1720 copy_page_to_iter+0x12d/0x1e0 filemap_read+0x720/0x10a0 blkdev_read_iter+0x2b5/0x4e0 vfs_read+0x7f4/0xae0 ksys_read+0x12a/0x250 do_syscall_64+0xcb/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&sb->s_type->i_mutex_key#8){++++}-{4:4}: __lock_acquire+0x1509/0x26d0 lock_acquire+0x185/0x340 down_read+0x98/0x490 blkdev_read_iter+0x2a7/0x4e0 __kernel_read+0x39a/0xa90 freader_fetch+0x1d5/0xa80 __build_id_parse.isra.0+0xea/0x6a0 do_procmap_query+0xd75/0x1050 procfs_procmap_ioctl+0x7a/0xb0 __x64_sys_ioctl+0x18e/0x210 do_syscall_64+0xcb/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(&mm->mmap_lock); lock(&sb->s_type->i_mutex_key#8); lock(&mm->mmap_lock); rlock(&sb->s_type->i_mutex_key#8); *** DEADLOCK *** This seems to be exacerbated (as we haven't seen these syzbot reports before that) by the recent: 777a8560fd29 ("lib/buildid: use __kernel_read() for sleepable context") To make this safe, we need to grab file refcount while VMA is still locked, but other than that everything is pretty straightforward.
In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.
In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED.
In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.