Redhat

CVE-2025-38017 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2025-38016 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix memory leak in error handling path of idxd_alloc Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error.

CVE-2025-38014 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2025-38013 is an array-index-out-of-bounds vulnerability in the Linux kernel's mac80211 WiFi subsystem where the n_channels field is not properly initialized before use in the cfg80211_scan_request structure, allowing a local unprivileged attacker to trigger memory safety violations. The vulnerability affects Linux kernel versions with the vulnerable code path in net/mac80211/scan.c and can lead to information disclosure, memory corruption, or denial of service. This is not currently listed as actively exploited in public KEV databases, but UBSAN detection indicates the issue is triggerable via syzkaller fuzzing.

In the Linux kernel, the following vulnerability has been resolved: sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator BPF programs may call next() and destroy() on BPF iterators even after new() returns an error value (e.g. bpf_for_each() macro ignores error returns from new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized state after an error return causing bpf_iter_scx_dsq_next() to dereference garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that next() and destroy() become noops.

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: csa unmap use uninterruptible lock After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return,...

In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as: [ 237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763103] Call trace: [ 237.763104] tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763107] tegra186_utmi_phy_power_off+0x10/0x30 [ 237.763110] phy_power_off+0x48/0x100 [ 237.763113] tegra_xusb_enter_elpg+0x204/0x500 [ 237.763119] tegra_xusb_suspend+0x48/0x140 [ 237.763122] platform_pm_suspend+0x2c/0xb0 [ 237.763125] dpm_run_callback.isra.0+0x20/0xa0 [ 237.763127] __device_suspend+0x118/0x330 [ 237.763129] dpm_suspend+0x10c/0x1f0 [ 237.763130] dpm_suspend_start+0x88/0xb0 [ 237.763132] suspend_devices_and_enter+0x120/0x500 [ 237.763135] pm_suspend+0x1ec/0x270 The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count. To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually. With this change: - The bias pad is powered on only when the mask is clear. - Each UTMI pad is powered on or down based on its corresponding bit in the mask, preventing redundant operations. - The overall power state of the shared bias pad is maintained correctly during suspend/resume cycles. The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask.

CVE-2025-38009 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: fix race condition in unaccepted memory handling The page allocator tracks the number of zones that have unaccepted memory using static_branch_enc/dec() and uses that static branch in hot paths to determine if it needs to deal with unaccepted memory. Borislav and Thomas pointed out that the tracking is racy: operations on static_branch are not serialized against adding/removing unaccepted pages to/from the zone. Sanity checks inside static_branch machinery detects it: WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0 The comment around the WARN() explains the problem: /* * Warn about the '-1' case though; since that means a * decrement is concurrent with a first (0->1) increment. IOW * people are trying to disable something that wasn't yet fully * enabled. This suggests an ordering problem on the user side. */ The effect of this static_branch optimization is only visible on microbenchmark. Instead of adding more complexity around it, remove it altogether.

In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Add NULL check in uclogic_input_configured() devm_kasprintf() returns NULL when memory allocation fails.

In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma: Add missing locking Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled: [ 4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [ 4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [ 4.144867] Hardware name: pp-v12 (DT) [ 4.148648] Workqueue: events udma_check_tx_completion [ 4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.160834] pc : udma_start.isra.0+0x34/0x238 [ 4.165227] lr : udma_start.isra.0+0x30/0x238 [ 4.169618] sp : ffffffc083cabcf0 [ 4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [ 4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [ 4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [ 4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [ 4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [ 4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [ 4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [ 4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [ 4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [ 4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [ 4.244986] Call trace: [ 4.247463] udma_start.isra.0+0x34/0x238 [ 4.251509] udma_check_tx_completion+0xd0/0xdc [ 4.256076] process_one_work+0x244/0x3fc [ 4.260129] process_scheduled_works+0x6c/0x74 [ 4.264610] worker_thread+0x150/0x1dc [ 4.268398] kthread+0xd8/0xe8 [ 4.271492] ret_from_fork+0x10/0x20 [ 4.275107] irq event stamp: 220 [ 4.278363] hardirqs last enabled at (219): [<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50 [ 4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50 [ 4.294879] softirqs last enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc [ 4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28 [ 4.311559] ---[ end trace 0000000000000000 ]--- This commit adds the missing locking.

A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like Tumbler, which may process malicious files automatically when browsing directories. While no direct remote attack vectors are confirmed, any application using libgepub to parse user-supplied EPUB content could be vulnerable to a denial of service.

CVE-2025-49180 is an integer overflow vulnerability in the RandR (Resize and Rotate) X11 extension's RRChangeProviderProperty function that fails to properly validate input parameters. This allows a local, unprivileged attacker to trigger memory allocation failures or heap corruption, potentially leading to privilege escalation or denial of service on X11-based systems. The vulnerability requires local access and low privileges to exploit, making it a significant risk for multi-user systems and shared computing environments.

CVE-2025-49179 is an integer overflow vulnerability in the X Record extension's RecordSanityCheckRegisterClients function that allows authenticated local users to bypass request length validation checks. This flaw enables privilege escalation and potential code execution on affected X11 systems. With a CVSS score of 7.3 and requiring local access with low privileges, this poses a moderate-to-high risk for multi-user systems; exploitation status and POC availability have not been confirmed in public disclosures as of analysis time.

A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.

A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

CVE-2025-49176 is an integer overflow vulnerability in the X11 Big Requests extension that allows local attackers with low privileges to bypass request size validation by triggering a multiplication-based integer wrap-around, enabling denial of service or potential code execution through oversized X protocol requests. The vulnerability affects X11 server implementations that use the Big Requests extension; while not currently listed in CISA KEV catalog, the 7.3 CVSS score and local attack vector indicate moderate-to-high real-world risk for multi-user systems. No public POC or active exploitation has been confirmed at time of analysis.

A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.

CVE-2025-6069 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Critical privilege escalation vulnerability in FreeIPA that allows authenticated users with high privileges to create Kerberos services with the same canonical name (krbCanonicalName) as the realm administrator, enabling them to obtain administrative credentials. The vulnerability affects FreeIPA default configurations where uniqueness validation is not enforced, allowing attackers to retrieve Kerberos tickets with admin@REALM credentials and perform unrestricted administrative operations. With a CVSS 9.1 score and network-accessible attack vector, this represents a severe threat to FreeIPA-based identity infrastructures, particularly in environments where service creation permissions are delegated or insufficiently restricted.

A privilege escalation vulnerability in A flaw (CVSS 7.8). High severity vulnerability requiring prompt remediation.

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat affecting versions 8.5.0-8.5.100, 9.0.0-9.0.105, 10.1.0-10.1.41, and 11.0.0-11.0.7. The vulnerability allows unauthenticated remote attackers to access PreResources or PostResources mounted outside the web application root via alternate path traversal, bypassing security constraints configured for the intended resource path. With a CVSS score of 7.5 and high confidentiality impact, this represents a critical authentication mechanism failure that requires immediate patching.

A remote code execution vulnerability in Apache Tomcat (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Apache Commons FileUpload contains a Denial of Service vulnerability in multipart header processing due to insufficient resource allocation limits (CWE-770). Affected versions are 1.0 through 1.5.x and 2.0.0-M1 through 2.0.0-M3. An unauthenticated remote attacker can exploit this with a network request to cause resource exhaustion and service unavailability without requiring user interaction or elevated privileges. CVSS 7.5 (High) reflects the high availability impact; KEV and EPSS data availability would determine exploitation likelihood in the wild.

A vulnerability classified as critical was found in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function read_meshes in the library assimp/code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.

A vulnerability classified as critical has been found in Open Asset Import Library Assimp up to 5.4.3. Affected is the function Assimp::BVHLoader::ReadNodeChannels in the library assimp/code/AssetLib/BVH/BVHLoader.cpp. The manipulation of the argument pNode leads to use after free. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.

A flaw was found in GIMP. An integer overflow vulnerability exists in the GIMP "Despeckle" plug-in. The issue occurs due to unchecked multiplication of image dimensions, such as width, height, and bytes-per-pixel (img_bpp), which can result in allocating insufficient memory and subsequently performing out-of-bounds writes. This issue could lead to heap corruption, a potential denial of service (DoS), or arbitrary code execution in certain scenarios.

CVE-2025-30399 is an untrusted search path vulnerability in .NET and Visual Studio that allows unauthenticated remote attackers to execute arbitrary code through a network vector, requiring user interaction. The vulnerability affects multiple versions of .NET Framework and Visual Studio across Windows platforms. While the CVSS score is 7.5 (high), the attack complexity is high and requires user interaction, potentially limiting real-world exploitation frequency.

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. Specifically, an application is vulnerable when all the following are true: * The header is prepared with org.springframework.http.ContentDisposition. * The filename is set via ContentDisposition.Builder#filename(String, Charset). * The value for the filename is derived from user-supplied input. * The application does not sanitize the user-supplied input. * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details). An application is not vulnerable if any of the following is true: * The application does not set a “Content-Disposition” response header. * The header is not prepared with org.springframework.http.ContentDisposition. * The filename is set via one of: * ContentDisposition.Builder#filename(String), or * ContentDisposition.Builder#filename(String, ASCII) * The filename is not derived from user-supplied input. * The filename is derived from user-supplied input but sanitized by the application. * The attacker cannot inject malicious content in the downloaded content of the response. Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6.2.7 * 6.1.0 - 6.1.20 * 6.0.5 - 6.0.28 * Older, unsupported versions are not affected MitigationUsers of affected versions should upgrade to the corresponding fixed version. Affected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary. CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

Certificate policy validation bypass in cryptographic verification routines where specifying ExtKeyUsageAny in VerifyOptions.KeyUsages inadvertently disables policy validation checks. This affects applications performing X.509 certificate chain verification, particularly those validating certificates containing policy constraint graphs (an uncommon but security-critical scenario). An attacker can present a malicious certificate chain that would normally be rejected due to policy violations, potentially enabling unauthorized certificate acceptance and compromising trust validation in PKI-dependent systems.

The PostgreSQL JDBC driver (pgjdbc) versions 42.7.4 through 42.7.6 contain an authentication bypass vulnerability where channel binding validation is incorrectly disabled, allowing man-in-the-middle attackers to intercept connections that administrators configured to require channel binding protection. Affected users running pgjdbc with channel binding set to 'required' (a non-default but security-conscious configuration) are vulnerable to credential interception and session hijacking despite believing their connections are protected. The vulnerability is fixed in version 42.7.7.

Remote code execution vulnerability in KDE Konsole before version 25.04.2 that exploits improper fallback behavior in URL scheme handler processing. When a user clicks on ssh://, telnet://, or rlogin:// URLs, Konsole attempts to execute the corresponding binary; if unavailable, it dangerously falls back to /bin/bash with the URL as an argument, allowing arbitrary command execution. The vulnerability requires user interaction (clicking a malicious link) but affects all Konsole users, potentially at scale through phishing or drive-by attacks.

Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the ‘CryptHmacSign’ function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is in the ‘CryptHmacSign’ function, which is defined in the "Part 4: Supporting Routines - Code" document, section "7.151 - /tpm/src/crypt/CryptUtil.c ". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1.

Critical arbitrary write vulnerability in Microsoft-signed UEFI firmware that permits attackers with high privileges to execute untrusted code and modify firmware settings stored in NVRAM, potentially enabling persistence mechanisms and full system compromise. The vulnerability affects UEFI implementations across multiple Microsoft platforms, with a CVSS score of 8.2 reflecting high severity. While specific KEV status and EPSS probability data were not provided in available sources, the local attack vector and high privilege requirement suggest this poses elevated risk primarily to targeted systems rather than widespread exploitation.

A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

A remote code execution vulnerability in A possible security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.

A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk factors: EPSS 17% exploitation probability.

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.

CVE-2025-5914 is an integer overflow vulnerability in libarchive's archive_read_format_rar_seek_data() function that leads to a double-free memory corruption condition. This affects all users of libarchive who process untrusted RAR archive files, potentially allowing arbitrary code execution or denial-of-service with user interaction (opening a malicious RAR file). While no KEV listing or confirmed public exploits are currently documented, the high CVSS score (7.8) and memory safety nature of the vulnerability indicate significant real-world risk if weaponized.

A security vulnerability in Requests (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

A flaw exists in the nbdkit "blocksize" filter that can be triggered by a specific type of client request. When a client requests block status information for a very large data range, exceeding a certain limit, it causes an internal error in the nbdkit, leading to a denial of service.

CVE-2025-47711 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

The AuthPolicy metadata on Red Hat Connectivity Link contains an object which stores secretes, however it assumes those secretes are already in the kuadrant-system instead of copying it to the referred namespace. This creates space for a malicious actor with a developer persona access to leak those secrets over HTTP connection, as long the attacker knows the name of the targeted secrets and those secrets are limited to one line only.

A Developer persona can bring down the Authorino service, preventing the evaluation of all AuthPolicies on the cluster

The Authorino service in the Red Hat Connectivity Link is the authorization service for zero trust API security. Authorino allows the users with developer persona to add callbacks to be executed to HTTP endpoints once the authorization process is completed. It was found that an attacker with developer persona access can add a large number of those callbacks to be executed by Authorino and as the authentication policy is enforced by a single instance of the service, this leada to a Denial of Service in Authorino while processing the post-authorization callbacks.

A race condition vulnerability exists in the Linux kernel's CAN broadcast manager (BCM) module where concurrent updates to the 'currframe' counter from both user space and hrtimer interrupt context can trigger a slab-out-of-bounds read. This affects local authenticated users who can trigger the vulnerability through CAN frame sequence manipulation; a proof-of-concept has been demonstrated by Anderson Nascimento, making this a real and reproducible issue with CVSS 7.1 severity affecting confidentiality and availability.

CVE-2025-38003 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Denial of Service vulnerability in libcurl's WebSocket implementation that allows a malicious server to send a specially crafted packet triggering an endless busy-loop, forcing applications to kill the affected thread or process to recover. This affects all libcurl versions with WebSocket support, with CVSS 7.5 (High) severity due to network-accessible attack vector requiring no authentication. The vulnerability has high real-world impact for any application using libcurl for WebSocket connections, though exploitation requires active malicious server control.

Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.

Critical remote code execution vulnerability in GIMP's ICO file parser caused by an integer overflow (CWE-190) that lacks proper input validation. This vulnerability affects GIMP users who open malicious ICO files or visit attacker-controlled pages serving malicious images, allowing arbitrary code execution with user privileges. The CVSS score of 8.8 reflects high severity with network-accessible attack vector and required user interaction; exploitation status and active weaponization details require cross-reference with KEV/EPSS data.

A denial of service vulnerability in versions (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Privilege escalation vulnerability in the Rust 'users' crate that incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has high impact on confidentiality and integrity.

CVE-2025-38002 is a security vulnerability (CVSS 5.5). Risk factors: public PoC available. Vendor patch is available.

In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again.

Use-after-free vulnerability in the Linux kernel's HFSC (Hierarchical Fair Service Curve) queue discipline scheduler that occurs when enqueuing packets triggers a peek operation on child qdiscs before queue accounting is updated. Local attackers with unprivileged user privileges can exploit this to cause denial of service or potentially execute code with kernel privileges. The vulnerability affects Linux kernel versions with the vulnerable HFSC implementation and has a CVSS score of 7.8 (high severity) with local attack vector requirements.

A security vulnerability in the GNU C Library (CVSS 5.6). Remediation should follow standard vulnerability management procedures.

A security vulnerability in the GNU C Library (CVSS 5.6). Remediation should follow standard vulnerability management procedures.

File::Find::Rule through version 0.34 contains an arbitrary code execution vulnerability in the grep() function where attacker-controlled filenames are passed unsafely to Perl's open() function using the 2-argument form, allowing command injection. This affects any Perl application using File::Find::Rule to search files in directories containing maliciously-named files. A proof-of-concept exists demonstrating command execution via filenames containing pipe characters (|), and the vulnerability requires user interaction (UI:R) to trigger by searching a directory with crafted filenames.

When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1.

Critical SQL injection vulnerability affecting run-llama/llama_index v0.12.21 and potentially other versions, present in multiple vector store integrations. Attackers can execute arbitrary SQL commands without authentication to read and write data, potentially compromising data belonging to other users in web applications leveraging this library. With a CVSS 9.8 severity score, network-accessible attack vector, and no authentication required, this vulnerability poses an immediate and severe risk to production deployments.

A security vulnerability in Django 5.2 (CVSS 4.0) that allows remote attackers. Remediation should follow standard vulnerability management procedures.

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

A denial of service vulnerability in Column handling crashes in Wireshark 4.4.0 to 4.4.6 and 4.2.0 to 4.2.12 (CVSS 7.8) that allows denial of service. Risk factors: public PoC available.

A information disclosure vulnerability (CVSS 7.3) that allows an attacker. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Denial of Service vulnerability in Multer (Node.js multipart form-data middleware) affecting versions 1.4.4-lts.1 through 2.0.0 where an attacker can crash the application process by uploading a file with an empty string field name, triggering an unhandled exception. The vulnerability has a CVSS score of 8.7 indicating high severity, though the impact is limited to availability (DoS) rather than confidentiality or integrity. No active exploitation or public POC has been confirmed at this time, but the low attack complexity and network accessibility make this a practical DoS vector for any exposed Multer instance.

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.

A remote code execution vulnerability in webpack-dev-server (CVSS 5.3) that allows users. Risk factors: public PoC available. Vendor patch is available.

Path traversal in Python tarfile extraction with filter='data'.

Logic flaw in Python's TarFile module where the documented behavior of errorlevel=0 (skip filtered members) contradicts the actual implementation (extract filtered members anyway). This affects any application using Python's tarfile library with extraction filters, allowing attackers to extract files that should be blocked, potentially leading to path traversal or extraction of malicious content. The vulnerability has a high CVSS score (7.5) with network-accessible attack vector and no authentication required, though exploitation requires the application to implement extraction filters expecting them to be respected.

Path traversal vulnerability in Python's tarfile module extraction filters that allows attackers to bypass the 'data' and 'tar' filter protections, enabling symlink targets to point outside the extraction directory and permitting modification of file metadata. This affects any application using TarFile.extractall() or TarFile.extract() with filter='data' or filter='tar' on untrusted tar archives, as well as Python 3.14+ users relying on the new 'data' default filter. The vulnerability has a CVSS score of 7.5 (High) with high integrity impact, though exploitation requires an attacker to control the tar archive contents.

CVE-2025-4138 is a security vulnerability (CVSS 7.5) that allows the extraction filter. High severity vulnerability requiring prompt remediation.

Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

tar-fs versions prior to 3.0.9, 2.1.3, and 1.16.5 contain a path traversal vulnerability (CWE-22) that allows attackers to extract tar archives outside the intended directory using specially crafted tarballs. This affects all users of vulnerable tar-fs versions with network-accessible extraction endpoints; the high CVSS 8.7 score reflects the integrity impact and network-accessible attack vector, though no KEV status or widespread public exploits have been confirmed at this time.

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` actions that allows unauthenticated remote attackers to cause service disruption by submitting requests with an excessive number of arguments. This is a network-accessible DoS vulnerability with high impact on availability that affects widely-deployed WAF deployments across Apache, IIS, and Nginx platforms.

A remote code execution vulnerability in A Allocation of Resources Without Limits or Throttling vulnerability in sslh (CVSS 8.7) that allows attackers. High severity vulnerability requiring prompt remediation.

This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources.

Nil-pointer dereference vulnerability in quic-go's path probe loss recovery logic introduced in v0.50.0 that allows unauthenticated remote attackers to crash QUIC servers. A malicious client can trigger a denial-of-service by sending valid QUIC packets from multiple addresses to initiate path validation, then crafting specific ACKs to dereference a null pointer. The vulnerability affects quic-go versions from v0.50.0 through v0.50.0 (patched in v0.50.1), with a CVSS score of 7.5 and high availability impact but no known active exploitation or public POC at time of disclosure.

CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.

Denial-of-service vulnerability in Qt's private qDecodeDataUrl() function that triggers an assertion failure when processing malformed data URLs with incomplete charset parameters. This affects Qt versions up to 5.15.18, 6.0.0-6.5.8, 6.6.0-6.8.3, and 6.9.0, impacting applications using QTextDocument and QNetworkReply. An attacker can crash Qt-based applications by sending a specially crafted data URL, resulting in service disruption; the vulnerability requires user interaction (UI involvement) but has a high CVSS score of 8.4 due to integrity and availability impact.

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows authenticated users to achieve remote code execution through a crafted upload URL. With EPSS 90.4% and KEV listing, this vulnerability in one of the most widely deployed open-source webmail platforms enables any email user to compromise the mail server, accessing all hosted mailboxes.

File modification via 2-args open in YAML-LibYAML before 0.903.0 for Perl. PoC and patch available.

vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

A vulnerability was found in systemd-coredump. Rated medium severity (CVSS 4.7). Public exploit code available and no vendor patch available.