Redhat
Monthly
Memory leak in the Linux kernel's device tree unittest module allows local users with standard privileges to cause a denial of service by exhausting system memory when the of_resolve_phandles() function fails during unit test execution. The vulnerability stems from improper resource cleanup in the unittest_data_add() function, where allocated memory is not freed on error paths. A patch is not currently available.
The Linux kernel's libceph library fails to reset sparse-read state machine tracking during OSD connection failures, causing the client to misinterpret new replies as continuations of previous ones. This can lead to the sparse-read machinery entering an unrecoverable failure state, resulting in denial of service through infinite error loops. Local attackers or systems experiencing network faults could exploit this to crash or hang OSD client operations.
The Linux kernel ath12k WiFi driver incorrectly frees DMA memory buffers using aligned addresses instead of the original unaligned pointers returned by dma_alloc_coherent(), potentially causing memory management errors and denial of service on systems using affected WiFi hardware. A local attacker with user privileges can trigger this vulnerability through normal WiFi driver operations, leading to system instability or crashes. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's kmalloc_nolock() function on PREEMPT_RT systems fails to properly validate execution context before acquiring a sleeping lock, causing a kernel panic when BPF programs execute from tracepoints with preemption disabled. A local attacker with ability to run BPF programs can trigger a denial of service by causing the kernel to attempt sleeping operations in invalid contexts. No patch is currently available for this medium-severity vulnerability.
The ath10k WiFi driver in the Linux kernel incorrectly frees DMA-allocated memory by using aligned addresses instead of the original unaligned pointers, potentially causing memory corruption and system denial of service on affected systems. A local attacker with appropriate privileges can trigger this vulnerability to crash the kernel or cause system instability. No patch is currently available for this issue.
The Linux kernel's Synopsys DesignWare DisplayPort bridge driver contains improper error handling in the dw_dp_bind() function that fails to unregister auxiliary devices and return error codes correctly, potentially causing resource leaks or kernel instability for systems using affected display hardware. A local attacker with sufficient privileges could trigger these error paths to cause a denial of service through resource exhaustion or kernel panic.
In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space.
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of page with EOF in middle The read result collection for buffered reads seems to run ahead of the completion of subrequests under some circumstances, as can be seen in the following log snippet: 9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0 ...
The HP BIOS configuration driver in the Linux kernel fails to validate attribute names before kobject registration, causing kernel warnings and potential denial of service when HP BIOS returns empty name strings. A local user with standard privileges can trigger this vulnerability to crash or destabilize the system by supplying malformed BIOS attribute data. No patch is currently available for this medium-severity flaw affecting Linux systems with HP BIOS configuration support.
A deadlock condition in the Linux kernel's ath12k WiFi driver occurs when management frame transmission is blocked by the wiphy lock during flush operations, causing the wireless interface to hang and preventing authentication. Local users with sufficient privileges can trigger this condition by initiating WiFi authentication while pending management frames are being flushed, resulting in a denial of service. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's DPLL subsystem fails to prevent duplicate pin registrations, allowing callers to register the same pin multiple times and causing memory management issues during unregistration. A local attacker with unprivileged access could trigger this condition to cause a denial of service through kernel warnings or crashes. No patch is currently available for this vulnerability.
The Linux kernel's ARM64 hibernation resume function fails to disable Control Flow Integrity (CFI) checking, causing a data abort exception when resuming from hibernation on affected systems. A local attacker with hibernation access could trigger a denial of service by invoking the resume function without proper CFI validation. This affects Linux kernel deployments on ARM64 architecture, though no patch is currently available.
Linux kernel perf subsystem allows local authenticated users to trigger a use-after-free condition via refcount manipulation when creating perf event group members with PERF_FLAG_FD_OUTPUT flag, resulting in denial of service through kernel warnings and potential system instability. This vulnerability requires local access and existing privileges to exploit, with no patch currently available.
The Linux kernel netdevsim driver contains a race condition in the bpf_bound_progs list operations where concurrent calls to nsim_bpf_create_prog() and nsim_bpf_destroy_prog() can corrupt the list and trigger kernel crashes. A local attacker with limited privileges can exploit this vulnerability to cause a denial of service by manipulating eBPF program creation and destruction. No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's SCTP authentication initialization can be triggered by local attackers with user privileges to cause a denial of service through a crash in the packet transmission path. The vulnerability occurs when SCTP-AUTH key setup fails during association peer initialization, leaving a dangling pointer that is subsequently dereferenced. No patch is currently available for this medium-severity issue affecting the Linux kernel.
A data race condition in the Linux kernel's IPv6 NDISC router discovery function allows concurrent unsynchronized read/write access to the ra_mtu field, potentially causing denial of service through system instability or crashes on local systems. The vulnerability affects all Linux systems running vulnerable kernel versions and requires local access to trigger. No patch is currently available, though the race condition is considered low-impact as the affected field represents best-effort MTU configuration.
Uninitialized pointer dereferences in the Linux kernel's interconnect debugfs implementation can cause denial of service when users interact with src_node and dst_node debugfs entries. A local attacker with standard user privileges can trigger memory access violations through reads or writes to these debugfs interfaces, crashing the system or causing kernel instability. No patch is currently available for this medium-severity vulnerability.
The Intel i225/i226 Ethernet controller driver in the Linux kernel is susceptible to TX unit hangs during heavy timestamping operations due to insufficient packet buffer allocation. A local user with low privileges can trigger denial of service by generating sustained timestamped network traffic that exhausts the 7KB per-queue TX buffer, requiring a kernel patch that reduces the buffer to 5KB per hardware specification to mitigate the hang condition.
A data-race condition in the Linux kernel's mISDN subsystem allows local attackers with unprivileged access to cause a denial of service by triggering concurrent access to the dev->work field through ioctl and read operations without proper synchronization. The vulnerability affects the mISDN timer device driver where unsynchronized reads and writes to shared data can result in system availability issues. No patch is currently available for this medium-severity vulnerability.
A data-race condition in the Linux kernel's L2TP tunnel deletion function can cause a denial of service on systems using L2TP networking. Local attackers with unprivileged access can trigger concurrent socket operations to crash the kernel or cause system instability. No patch is currently available for this vulnerability.
The Linux kernel bonding driver fails to properly provide a network namespace pointer to the flow dissector function, allowing a local attacker with unprivileged access to trigger a kernel warning and cause a denial of service. The vulnerability exists in the bond_flow_dissect() code path used for XDP packet transmission, where crafted network packets lacking proper device or socket context can be processed unsafely.
A race condition in the Linux kernel's rxrpc subsystem allows local attackers with limited privileges to cause a denial of service by exploiting unsynchronized access to the last_tx_at timestamp variable, potentially triggering load/store tearing on 32-bit architectures. The vulnerability requires local access and specific timing conditions to trigger, but can result in system instability or crash when successfully exploited. No patch is currently available.
A NULL pointer dereference in the Linux kernel's ice driver occurs when devlink reload fails and the driver is subsequently removed, affecting systems using Intel ice network adapters. A local privileged user can trigger this denial of service condition by initiating a devlink reinit operation that fails, leaving the hardware in an uninitialized state. The vulnerability stems from a missing ice_deinit_hw() call in the devlink reinit path that leaves control queues uninitialized.
Improper handling of reset and clock masking in the Linux kernel's i.MX8MQ VPU power domain controller can cause system hangs when attempting to independently reset GPU cores. Local attackers with sufficient privileges can trigger this vulnerability by manipulating VPU reset operations, leading to denial of service. A patch is not currently available.
A race condition in the Linux kernel's serial driver allows local attackers with low privileges to bypass TTY device linkage during console configuration, potentially enabling unauthorized access to serial console interfaces on Qualcomm SoCs and other affected systems. The vulnerability stems from improper initialization ordering that fails to configure tty->port before uart_configure_port() is called, creating a window where user-space applications can open the console without proper driver linkage. No patch is currently available.
Linux kernel ptrace operations on ARM64 systems without SME support can corrupt SVE register state, causing the kernel to enter an invalid FPSIMD configuration that triggers warnings and potential instability. A local attacker with ptrace privileges can exploit this to cause a denial of service by manipulating SVE register writes on affected systems. The vulnerability requires local access and is present on Linux systems running vulnerable kernel versions without an available patch.
The Linux kernel io_uring/io-wq subsystem fails to properly monitor exit signals during work execution loops, allowing a local attacker with user privileges to cause the work queue to hang indefinitely by queuing operations that take excessive time to complete. This denial of service condition prevents the io-wq worker threads from shutting down gracefully, potentially blocking system operations that depend on io_uring. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes.
Stack buffer overflow in Vim's NetBeans integration allows a malicious NetBeans server to corrupt memory and potentially crash the editor or execute arbitrary code through a specially crafted specialKeys command. The vulnerability affects Vim builds with NetBeans support enabled and requires user interaction to connect to a compromised server. A patch is available in Vim version 9.1.2148 and later.
Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites.
Linux kernel NVMe-oF TCP transport lacks proper bounds checking in PDU processing, allowing a local attacker with low privileges to trigger a kernel panic by crafting malicious PDU parameters that exceed scatter-gather list boundaries. The vulnerability enables denial of service through GPF/KASAN errors when invalid memory offsets are dereferenced during data copy operations. No patch is currently available for affected systems.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables module allows local attackers with unprivileged access to cause memory corruption and denial of service through an inverted logic check in catchall map element activation during failed transactions. The flaw occurs in nft_map_catchall_activate() which incorrectly processes already-active elements instead of inactive ones, potentially leading to privilege escalation or system crash. No patch is currently available.
libsoup's improper validation of HTTP Range headers enables remote attackers to read sensitive server memory when processing specially crafted requests against vulnerable SoupServer instances. The flaw affects GNOME-based systems using certain build configurations and requires no authentication or user interaction. No patch is currently available, and exploitation likelihood remains low at 0.1% EPSS.
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]
Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.
Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.
Arbitrary code execution in PostgreSQL results from insufficient validation of multibyte character lengths in text manipulation functions, allowing authenticated database users to trigger buffer overflows and execute commands with database process privileges. Affected versions include PostgreSQL 14.x before 14.21, 15.x before 15.16, 16.x before 16.12, 17.x before 17.8, and all versions before 18.2. No patch is currently available, leaving databases vulnerable to privilege escalation attacks from database-level users.
Arbitrary code execution in PostgreSQL pgcrypto module (versions before 14.21, 15.16, 16.12, 17.8, and 18.2) stems from a heap buffer overflow that allows attackers with database access to execute commands with the privileges of the PostgreSQL system user. An authenticated attacker can exploit this vulnerability by providing specially crafted ciphertext to trigger the overflow condition. No patch is currently available, leaving affected PostgreSQL installations vulnerable to privilege escalation and full system compromise.
PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 contain insufficient input validation in the intarray extension's selectivity estimator function, enabling authenticated users with object creation privileges to execute arbitrary code with database server privileges. The vulnerability requires valid database credentials but allows complete system compromise through code execution at the OS level. No patch is currently available for affected deployments.
Improper validation of the "oidvector" type in PostgreSQL allows authenticated database users to read small amounts of server memory, potentially exposing sensitive data. This vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21, with no patch currently available for impacted systems.
Grafana public dashboards with annotations enabled fail to enforce the dashboard's locked timerange restriction on annotation queries, allowing unauthenticated attackers to retrieve the complete annotation history beyond the intended viewing window. This information disclosure affects any organization exposing public dashboards with annotations, though only annotations already visible on the dashboard are accessible. No patch is currently available for this vulnerability.
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. [CVSS 6.8 MEDIUM]
Markdown-It versions up to 14.1.1 is affected by inefficient regular expression complexity (redos) (CVSS 5.3).
Safari web extensions on Apple platforms can leak user tracking information due to inadequate state management controls, allowing websites to identify and monitor individual users across browsing sessions. This vulnerability affects iOS, iPadOS, macOS, and visionOS, and is resolved in version 26.3 of each platform. The low CVSS score reflects limited direct user impact, though it represents a privacy concern for Safari users.
Remote denial-of-service attacks against Apple's macOS, iOS, iPadOS, Safari, and visionOS result from improper memory handling that allows unauthenticated attackers to crash affected systems over the network. The vulnerability affects multiple Apple platforms and requires no user interaction or elevated privileges to exploit. Patches are available for macOS Tahoe 26.3, iOS/iPadOS 18.7.5, visionOS 26.3, and Safari 26.3.
Memory handling flaws in Apple's macOS, iOS, iPadOS, and Safari allow remote attackers to crash affected processes by serving specially crafted web content, requiring only user interaction to trigger the denial of service. The vulnerability affects multiple Apple platforms and products across recent versions, with fixes available in macOS Tahoe 26.3, iOS 18.7.5, iPadOS 18.7.5, and Safari 26.3. No patches are currently available for all affected versions.
Denial of service in Apple Safari, iOS, iPadOS, and macOS results from improper memory handling when processing maliciously crafted web content, causing unexpected process crashes. An unauthenticated remote attacker can trigger this vulnerability through a specially crafted webpage, affecting users who view the malicious content. No patch is currently available for this vulnerability.
Denial of service affecting Apple's macOS, iOS, iPadOS, watchOS, tvOS, and visionOS results from a memory handling flaw that crashes processes when parsing malicious web content. An unauthenticated remote attacker can trigger unexpected application termination through crafted web pages, requiring only user interaction to visit a malicious site. A patch is not currently available for this medium-severity vulnerability.
Denial of service in Apple macOS, iOS, and iPadOS results from improper state management when processing malicious web content, causing unexpected process crashes. Local attackers with user interaction can trigger this vulnerability to disrupt system availability. No patch is currently available.
Keras versions 3.0.0 through 3.13.1 are vulnerable to arbitrary file read through malicious .keras model files that abuse HDF5 external dataset references, enabling unauthenticated remote attackers to disclose sensitive local files. This high-severity vulnerability affects all supported platforms and currently has no available patch. An attacker can exploit this by crafting a specially formatted model file that, when loaded by a Keras application, reads arbitrary files from the system.
RecursiveUrlLoader in LangChain Community prior to 1.1.14 uses weak string-based URL validation that allows attackers to bypass the preventOutside crawling restriction by crafting domains with matching prefixes, potentially exposing the crawler to malicious or internal infrastructure endpoints. An attacker controlling a crawled webpage could inject links to cloud metadata services or private IP ranges, which the crawler would follow without validation, leading to information disclosure.
Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls and retrieve all ciphers within their organization through the /ciphers/organization-details endpoint. An attacker with regular member privileges can access sensitive credentials and encrypted data they should not have permission to view. No patch is currently available for affected deployments.
D-Link products using BusyBox are vulnerable to privilege escalation through malicious tar archives containing unvalidated symlink or hardlink entries that extract files outside the intended directory. An attacker with local access can craft a specially crafted archive to modify critical system files when extraction occurs with elevated privileges, potentially gaining unauthorized system access. No patch is currently available for this vulnerability.
BusyBox archive extraction utilities contain insufficient path validation that enables attackers to write files outside intended directories through specially crafted archives, potentially leading to arbitrary file overwrite and code execution on affected systems. Local attackers with user interaction can exploit this vulnerability to modify sensitive system files and gain elevated privileges. No patch is currently available for this vulnerability.
Pion DTLS is a Go implementation of Datagram Transport Layer Security. [CVSS 5.9 MEDIUM]
Out-of-bounds write in Pillow versions 10.3.0 through 12.1.0 allows remote denial of service when processing maliciously crafted PSD image files. An attacker can trigger a crash by supplying a specially crafted image without authentication or user interaction. A patch is available in version 12.1.1.
KeePass Password Safe versions before 2.44 contain a denial of service vulnerability in the help system's HTML handling. Attackers can trigger the vulnerability by dragging and dropping malicious HTML files into the help area, potentially causing application instability or crash. [CVSS 7.5 HIGH]
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).
Heap corruption in Google Chrome's Ozone component (versions prior to 145.0.7632.45) stems from a use-after-free vulnerability that can be triggered when users interact with malicious HTML pages through specific UI gestures. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. No patch is currently available, leaving affected Chrome users vulnerable to exploitation.
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).
Google Chrome versions prior to 145.0.7632.45 contain a race condition in DevTools that allows remote attackers to corrupt objects by convincing users to perform specific UI interactions and install a malicious extension. An attacker exploiting this vulnerability could achieve high-impact outcomes including information disclosure, data modification, or denial of service. The vulnerability currently has no available patch.
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).
Google Chrome versions before 145.0.7632.45 contain an animation implementation flaw that allows remote attackers to exfiltrate cross-origin data through specially crafted HTML pages. The vulnerability requires user interaction to trigger and affects all Chrome users, potentially exposing sensitive information from other websites. No patch is currently available.
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).
Out of bounds memory access in Google Chrome's WebGPU implementation prior to version 145.0.7632.45 allows unauthenticated attackers to trigger memory corruption through a malicious HTML page. This vulnerability requires user interaction but carries high risk due to potential for arbitrary code execution or information disclosure. No patch is currently available.
Heap buffer overflow in Google Chrome's codec implementation prior to version 145.0.7632.45 enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through a malicious HTML page. The vulnerability requires user interaction to visit a crafted webpage but does not require special privileges, affecting all Chrome users. No patch is currently available.
Heap corruption in Google Chrome's CSS engine prior to version 145.0.7632.45 can be triggered through crafted HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing a malicious webpage. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, and currently no patch is available. With a CVSS score of 8.8 and low exploit difficulty, this represents a critical risk to active Chrome installations.
Unsafe deserialization in DiskCache Python library through 5.6.3. Uses pickle by default, allowing attackers with cache directory write access to execute arbitrary code.
Roundcube Webmail versions up to 1.5.13 is affected by inclusion of functionality from untrusted control sphere (CVSS 4.7).
Python's cryptography library prior to version 46.0.5 fails to validate that elliptic curve public key points belong to the expected prime-order subgroup, allowing attackers to supply crafted keys from small-order subgroups. This validation gap enables attackers to extract sensitive information about a victim's private key during ECDH key exchange or compromise ECDSA signature verification. Developers using affected key loading or generation functions should update to the patched version immediately.
Buffer overflow in MUNGE authentication daemon (versions 0.5 to 0.5.17) allows local attackers to extract cryptographic key material from memory, enabling forgery of credentials to impersonate any user on systems relying on MUNGE for authentication. By sending a crafted message with an oversized address length field, an attacker can corrupt the daemon's internal state and retrieve the MAC subkey used for credential verification. The vulnerability affects Debian Linux and other distributions packaging affected MUNGE versions; patching to 0.5.18 or later is available.
Out-of-bounds heap buffer reads in libpng versions prior to 1.6.55 can be triggered through the png_set_quantize() function when processing specially crafted PNG images with specific palette configurations, potentially causing denial of service or information disclosure. Public exploit code exists for this vulnerability, affecting applications that use libpng to process untrusted PNG files. A patch is available in version 1.6.55 and later.
Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. [CVSS 7.9 HIGH]
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. [CVSS 5.0 MEDIUM]
Corrupted Git pack and index files are not properly validated in go-git versions before 5.16.5, allowing an attacker to supply malicious packfiles that bypass integrity checks and cause go-git to consume corrupted data. This can result in unexpected application errors and denial of service conditions for any system using the vulnerable go-git library to fetch or process Git repositories. The vulnerability requires user interaction to fetch from a malicious or compromised Git source.
Faraday HTTP client library versions before 2.14.1 fail to properly validate protocol-relative URLs when merging user-supplied paths with base URLs, allowing attackers to redirect requests to arbitrary hosts via SSRF attacks. Applications that pass untrusted input to Faraday request methods like get() or post() are vulnerable to request hijacking. A patch is available in version 2.14.1 and later.
Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).
Harden-Runner versions prior to 2.14.2 fail to log outbound network connections made through sendto, sendmsg, and sendmmsg socket calls when audit mode is enabled, allowing attackers to exfiltrate data from GitHub Actions runners without detection. This integrity bypass affects users relying on Harden-Runner's egress policy auditing for security monitoring. A patch is available in version 2.14.2 and later.
Keycloak's invitation token validation fails to cryptographically verify JWT payload modifications, allowing authenticated attackers to alter organization IDs and email addresses to register into unauthorized organizations. This enables unauthorized access to organizations without proper authentication, affecting any Keycloak deployment using the invitation feature. No patch is currently available.
Keycloak's JWT authorization grant flow fails to verify that an Identity Provider is enabled before accepting tokens signed by its key, allowing attackers with a disabled IdP's signing credentials to obtain valid access tokens. This authentication bypass affects organizations that have disabled IdPs due to compromise or offboarding but retain the associated signing keys. An attacker can exploit this to gain unauthorized access to systems relying on Keycloak for authentication.
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). [CVSS 5.4 MEDIUM]
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the audio playback subsystem where the RDPSND async thread processes queued audio packets after the channel has been closed and its internal state freed, causing a denial of service. The vulnerability affects systems running vulnerable FreeRDP versions and can be exploited remotely without authentication or user interaction. A patch is available in FreeRDP 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the input event handling mechanism where unsynchronized access to cached channel callbacks can be freed or reinitialized by concurrent channel closure operations. An attacker with network access can trigger a denial of service condition by exploiting this race condition. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a buffer management error in audio format parsing that causes out-of-bounds memory access when processing malformed audio data. An attacker can exploit this vulnerability over the network without authentication to trigger a denial of service condition. A patch is available in FreeRDP 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the URBDRC channel handler where asynchronous bulk transfer completions reference freed memory after channel closure, enabling denial of service attacks. An unauthenticated remote attacker can trigger this condition through malformed RDP protocol messages to crash the FreeRDP service. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in pointer handling where sdl_Pointer_New and sdl_Pointer_Free both attempt to free the same memory, causing a denial of service condition. An attacker with network access can trigger this memory corruption to crash RDP client instances without authentication. The vulnerability affects all users of vulnerable FreeRDP versions and is resolved in version 3.22.0 and later.
FreeRDP prior to 3.22.0 has a heap buffer overflow in the URBDRC USB redirection client enabling RCE through malicious RDP servers.
FreeRDP versions prior to 3.22.0 are vulnerable to a use-after-free condition in the ecam_channel_write function when a capture thread attempts to write samples through a freed device channel callback. An unauthenticated remote attacker can exploit this vulnerability to cause a denial of service by crashing the affected system. A patch is available in version 3.22.0 and later.
FreeRDP prior to 3.22.0 has a use-after-free in ecam_encoder_compress allowing malicious RDP servers to crash or execute code on clients.
Memory leak in the Linux kernel's device tree unittest module allows local users with standard privileges to cause a denial of service by exhausting system memory when the of_resolve_phandles() function fails during unit test execution. The vulnerability stems from improper resource cleanup in the unittest_data_add() function, where allocated memory is not freed on error paths. A patch is not currently available.
The Linux kernel's libceph library fails to reset sparse-read state machine tracking during OSD connection failures, causing the client to misinterpret new replies as continuations of previous ones. This can lead to the sparse-read machinery entering an unrecoverable failure state, resulting in denial of service through infinite error loops. Local attackers or systems experiencing network faults could exploit this to crash or hang OSD client operations.
The Linux kernel ath12k WiFi driver incorrectly frees DMA memory buffers using aligned addresses instead of the original unaligned pointers returned by dma_alloc_coherent(), potentially causing memory management errors and denial of service on systems using affected WiFi hardware. A local attacker with user privileges can trigger this vulnerability through normal WiFi driver operations, leading to system instability or crashes. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's kmalloc_nolock() function on PREEMPT_RT systems fails to properly validate execution context before acquiring a sleeping lock, causing a kernel panic when BPF programs execute from tracepoints with preemption disabled. A local attacker with ability to run BPF programs can trigger a denial of service by causing the kernel to attempt sleeping operations in invalid contexts. No patch is currently available for this medium-severity vulnerability.
The ath10k WiFi driver in the Linux kernel incorrectly frees DMA-allocated memory by using aligned addresses instead of the original unaligned pointers, potentially causing memory corruption and system denial of service on affected systems. A local attacker with appropriate privileges can trigger this vulnerability to crash the kernel or cause system instability. No patch is currently available for this issue.
The Linux kernel's Synopsys DesignWare DisplayPort bridge driver contains improper error handling in the dw_dp_bind() function that fails to unregister auxiliary devices and return error codes correctly, potentially causing resource leaks or kernel instability for systems using affected display hardware. A local attacker with sufficient privileges could trigger these error paths to cause a denial of service through resource exhaustion or kernel panic.
In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space.
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of page with EOF in middle The read result collection for buffered reads seems to run ahead of the completion of subrequests under some circumstances, as can be seen in the following log snippet: 9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0 ...
The HP BIOS configuration driver in the Linux kernel fails to validate attribute names before kobject registration, causing kernel warnings and potential denial of service when HP BIOS returns empty name strings. A local user with standard privileges can trigger this vulnerability to crash or destabilize the system by supplying malformed BIOS attribute data. No patch is currently available for this medium-severity flaw affecting Linux systems with HP BIOS configuration support.
A deadlock condition in the Linux kernel's ath12k WiFi driver occurs when management frame transmission is blocked by the wiphy lock during flush operations, causing the wireless interface to hang and preventing authentication. Local users with sufficient privileges can trigger this condition by initiating WiFi authentication while pending management frames are being flushed, resulting in a denial of service. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's DPLL subsystem fails to prevent duplicate pin registrations, allowing callers to register the same pin multiple times and causing memory management issues during unregistration. A local attacker with unprivileged access could trigger this condition to cause a denial of service through kernel warnings or crashes. No patch is currently available for this vulnerability.
The Linux kernel's ARM64 hibernation resume function fails to disable Control Flow Integrity (CFI) checking, causing a data abort exception when resuming from hibernation on affected systems. A local attacker with hibernation access could trigger a denial of service by invoking the resume function without proper CFI validation. This affects Linux kernel deployments on ARM64 architecture, though no patch is currently available.
Linux kernel perf subsystem allows local authenticated users to trigger a use-after-free condition via refcount manipulation when creating perf event group members with PERF_FLAG_FD_OUTPUT flag, resulting in denial of service through kernel warnings and potential system instability. This vulnerability requires local access and existing privileges to exploit, with no patch currently available.
The Linux kernel netdevsim driver contains a race condition in the bpf_bound_progs list operations where concurrent calls to nsim_bpf_create_prog() and nsim_bpf_destroy_prog() can corrupt the list and trigger kernel crashes. A local attacker with limited privileges can exploit this vulnerability to cause a denial of service by manipulating eBPF program creation and destruction. No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's SCTP authentication initialization can be triggered by local attackers with user privileges to cause a denial of service through a crash in the packet transmission path. The vulnerability occurs when SCTP-AUTH key setup fails during association peer initialization, leaving a dangling pointer that is subsequently dereferenced. No patch is currently available for this medium-severity issue affecting the Linux kernel.
A data race condition in the Linux kernel's IPv6 NDISC router discovery function allows concurrent unsynchronized read/write access to the ra_mtu field, potentially causing denial of service through system instability or crashes on local systems. The vulnerability affects all Linux systems running vulnerable kernel versions and requires local access to trigger. No patch is currently available, though the race condition is considered low-impact as the affected field represents best-effort MTU configuration.
Uninitialized pointer dereferences in the Linux kernel's interconnect debugfs implementation can cause denial of service when users interact with src_node and dst_node debugfs entries. A local attacker with standard user privileges can trigger memory access violations through reads or writes to these debugfs interfaces, crashing the system or causing kernel instability. No patch is currently available for this medium-severity vulnerability.
The Intel i225/i226 Ethernet controller driver in the Linux kernel is susceptible to TX unit hangs during heavy timestamping operations due to insufficient packet buffer allocation. A local user with low privileges can trigger denial of service by generating sustained timestamped network traffic that exhausts the 7KB per-queue TX buffer, requiring a kernel patch that reduces the buffer to 5KB per hardware specification to mitigate the hang condition.
A data-race condition in the Linux kernel's mISDN subsystem allows local attackers with unprivileged access to cause a denial of service by triggering concurrent access to the dev->work field through ioctl and read operations without proper synchronization. The vulnerability affects the mISDN timer device driver where unsynchronized reads and writes to shared data can result in system availability issues. No patch is currently available for this medium-severity vulnerability.
A data-race condition in the Linux kernel's L2TP tunnel deletion function can cause a denial of service on systems using L2TP networking. Local attackers with unprivileged access can trigger concurrent socket operations to crash the kernel or cause system instability. No patch is currently available for this vulnerability.
The Linux kernel bonding driver fails to properly provide a network namespace pointer to the flow dissector function, allowing a local attacker with unprivileged access to trigger a kernel warning and cause a denial of service. The vulnerability exists in the bond_flow_dissect() code path used for XDP packet transmission, where crafted network packets lacking proper device or socket context can be processed unsafely.
A race condition in the Linux kernel's rxrpc subsystem allows local attackers with limited privileges to cause a denial of service by exploiting unsynchronized access to the last_tx_at timestamp variable, potentially triggering load/store tearing on 32-bit architectures. The vulnerability requires local access and specific timing conditions to trigger, but can result in system instability or crash when successfully exploited. No patch is currently available.
A NULL pointer dereference in the Linux kernel's ice driver occurs when devlink reload fails and the driver is subsequently removed, affecting systems using Intel ice network adapters. A local privileged user can trigger this denial of service condition by initiating a devlink reinit operation that fails, leaving the hardware in an uninitialized state. The vulnerability stems from a missing ice_deinit_hw() call in the devlink reinit path that leaves control queues uninitialized.
Improper handling of reset and clock masking in the Linux kernel's i.MX8MQ VPU power domain controller can cause system hangs when attempting to independently reset GPU cores. Local attackers with sufficient privileges can trigger this vulnerability by manipulating VPU reset operations, leading to denial of service. A patch is not currently available.
A race condition in the Linux kernel's serial driver allows local attackers with low privileges to bypass TTY device linkage during console configuration, potentially enabling unauthorized access to serial console interfaces on Qualcomm SoCs and other affected systems. The vulnerability stems from improper initialization ordering that fails to configure tty->port before uart_configure_port() is called, creating a window where user-space applications can open the console without proper driver linkage. No patch is currently available.
Linux kernel ptrace operations on ARM64 systems without SME support can corrupt SVE register state, causing the kernel to enter an invalid FPSIMD configuration that triggers warnings and potential instability. A local attacker with ptrace privileges can exploit this to cause a denial of service by manipulating SVE register writes on affected systems. The vulnerability requires local access and is present on Linux systems running vulnerable kernel versions without an available patch.
The Linux kernel io_uring/io-wq subsystem fails to properly monitor exit signals during work execution loops, allowing a local attacker with user privileges to cause the work queue to hang indefinitely by queuing operations that take excessive time to complete. This denial of service condition prevents the io-wq worker threads from shutting down gracefully, potentially blocking system operations that depend on io_uring. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes.
Stack buffer overflow in Vim's NetBeans integration allows a malicious NetBeans server to corrupt memory and potentially crash the editor or execute arbitrary code through a specially crafted specialKeys command. The vulnerability affects Vim builds with NetBeans support enabled and requires user interaction to connect to a compromised server. A patch is available in Vim version 9.1.2148 and later.
Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites.
Linux kernel NVMe-oF TCP transport lacks proper bounds checking in PDU processing, allowing a local attacker with low privileges to trigger a kernel panic by crafting malicious PDU parameters that exceed scatter-gather list boundaries. The vulnerability enables denial of service through GPF/KASAN errors when invalid memory offsets are dereferenced during data copy operations. No patch is currently available for affected systems.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables module allows local attackers with unprivileged access to cause memory corruption and denial of service through an inverted logic check in catchall map element activation during failed transactions. The flaw occurs in nft_map_catchall_activate() which incorrectly processes already-active elements instead of inactive ones, potentially leading to privilege escalation or system crash. No patch is currently available.
libsoup's improper validation of HTTP Range headers enables remote attackers to read sensitive server memory when processing specially crafted requests against vulnerable SoupServer instances. The flaw affects GNOME-based systems using certain build configurations and requires no authentication or user interaction. No patch is currently available, and exploitation likelihood remains low at 0.1% EPSS.
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]
Denial of service in Traefik versions prior to 3.6.8 allows unauthenticated remote attackers to exhaust connection resources by exploiting improper timeout handling in STARTTLS request processing. An attacker can send a PostgreSQL SSLRequest prelude and then stall the connection indefinitely, bypassing the readTimeout protection and accumulating open connections until service availability is degraded. A patch is available in version 3.6.8.
Heap buffer overflow in the pg_trgm extension of PostgreSQL 18.0 and 18.1 allows authenticated database users to trigger memory corruption through specially crafted input strings. An attacker with database access could potentially achieve privilege escalation or cause service disruption, though exploit complexity is currently limited by restricted control over written data. No patch is currently available.
Arbitrary code execution in PostgreSQL results from insufficient validation of multibyte character lengths in text manipulation functions, allowing authenticated database users to trigger buffer overflows and execute commands with database process privileges. Affected versions include PostgreSQL 14.x before 14.21, 15.x before 15.16, 16.x before 16.12, 17.x before 17.8, and all versions before 18.2. No patch is currently available, leaving databases vulnerable to privilege escalation attacks from database-level users.
Arbitrary code execution in PostgreSQL pgcrypto module (versions before 14.21, 15.16, 16.12, 17.8, and 18.2) stems from a heap buffer overflow that allows attackers with database access to execute commands with the privileges of the PostgreSQL system user. An authenticated attacker can exploit this vulnerability by providing specially crafted ciphertext to trigger the overflow condition. No patch is currently available, leaving affected PostgreSQL installations vulnerable to privilege escalation and full system compromise.
PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 contain insufficient input validation in the intarray extension's selectivity estimator function, enabling authenticated users with object creation privileges to execute arbitrary code with database server privileges. The vulnerability requires valid database credentials but allows complete system compromise through code execution at the OS level. No patch is currently available for affected deployments.
Improper validation of the "oidvector" type in PostgreSQL allows authenticated database users to read small amounts of server memory, potentially exposing sensitive data. This vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21, with no patch currently available for impacted systems.
Grafana public dashboards with annotations enabled fail to enforce the dashboard's locked timerange restriction on annotation queries, allowing unauthenticated attackers to retrieve the complete annotation history beyond the intended viewing window. This information disclosure affects any organization exposing public dashboards with annotations, though only annotations already visible on the dashboard are accessible. No patch is currently available for this vulnerability.
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. [CVSS 6.8 MEDIUM]
Markdown-It versions up to 14.1.1 is affected by inefficient regular expression complexity (redos) (CVSS 5.3).
Safari web extensions on Apple platforms can leak user tracking information due to inadequate state management controls, allowing websites to identify and monitor individual users across browsing sessions. This vulnerability affects iOS, iPadOS, macOS, and visionOS, and is resolved in version 26.3 of each platform. The low CVSS score reflects limited direct user impact, though it represents a privacy concern for Safari users.
Remote denial-of-service attacks against Apple's macOS, iOS, iPadOS, Safari, and visionOS result from improper memory handling that allows unauthenticated attackers to crash affected systems over the network. The vulnerability affects multiple Apple platforms and requires no user interaction or elevated privileges to exploit. Patches are available for macOS Tahoe 26.3, iOS/iPadOS 18.7.5, visionOS 26.3, and Safari 26.3.
Memory handling flaws in Apple's macOS, iOS, iPadOS, and Safari allow remote attackers to crash affected processes by serving specially crafted web content, requiring only user interaction to trigger the denial of service. The vulnerability affects multiple Apple platforms and products across recent versions, with fixes available in macOS Tahoe 26.3, iOS 18.7.5, iPadOS 18.7.5, and Safari 26.3. No patches are currently available for all affected versions.
Denial of service in Apple Safari, iOS, iPadOS, and macOS results from improper memory handling when processing maliciously crafted web content, causing unexpected process crashes. An unauthenticated remote attacker can trigger this vulnerability through a specially crafted webpage, affecting users who view the malicious content. No patch is currently available for this vulnerability.
Denial of service affecting Apple's macOS, iOS, iPadOS, watchOS, tvOS, and visionOS results from a memory handling flaw that crashes processes when parsing malicious web content. An unauthenticated remote attacker can trigger unexpected application termination through crafted web pages, requiring only user interaction to visit a malicious site. A patch is not currently available for this medium-severity vulnerability.
Denial of service in Apple macOS, iOS, and iPadOS results from improper state management when processing malicious web content, causing unexpected process crashes. Local attackers with user interaction can trigger this vulnerability to disrupt system availability. No patch is currently available.
Keras versions 3.0.0 through 3.13.1 are vulnerable to arbitrary file read through malicious .keras model files that abuse HDF5 external dataset references, enabling unauthenticated remote attackers to disclose sensitive local files. This high-severity vulnerability affects all supported platforms and currently has no available patch. An attacker can exploit this by crafting a specially formatted model file that, when loaded by a Keras application, reads arbitrary files from the system.
RecursiveUrlLoader in LangChain Community prior to 1.1.14 uses weak string-based URL validation that allows attackers to bypass the preventOutside crawling restriction by crafting domains with matching prefixes, potentially exposing the crawler to malicious or internal infrastructure endpoints. An attacker controlling a crawled webpage could inject links to cloud metadata services or private IP ranges, which the crawler would follow without validation, leading to information disclosure.
Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls and retrieve all ciphers within their organization through the /ciphers/organization-details endpoint. An attacker with regular member privileges can access sensitive credentials and encrypted data they should not have permission to view. No patch is currently available for affected deployments.
D-Link products using BusyBox are vulnerable to privilege escalation through malicious tar archives containing unvalidated symlink or hardlink entries that extract files outside the intended directory. An attacker with local access can craft a specially crafted archive to modify critical system files when extraction occurs with elevated privileges, potentially gaining unauthorized system access. No patch is currently available for this vulnerability.
BusyBox archive extraction utilities contain insufficient path validation that enables attackers to write files outside intended directories through specially crafted archives, potentially leading to arbitrary file overwrite and code execution on affected systems. Local attackers with user interaction can exploit this vulnerability to modify sensitive system files and gain elevated privileges. No patch is currently available for this vulnerability.
Pion DTLS is a Go implementation of Datagram Transport Layer Security. [CVSS 5.9 MEDIUM]
Out-of-bounds write in Pillow versions 10.3.0 through 12.1.0 allows remote denial of service when processing maliciously crafted PSD image files. An attacker can trigger a crash by supplying a specially crafted image without authentication or user interaction. A patch is available in version 12.1.1.
KeePass Password Safe versions before 2.44 contain a denial of service vulnerability in the help system's HTML handling. Attackers can trigger the vulnerability by dragging and dropping malicious HTML files into the help area, potentially causing application instability or crash. [CVSS 7.5 HIGH]
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).
Heap corruption in Google Chrome's Ozone component (versions prior to 145.0.7632.45) stems from a use-after-free vulnerability that can be triggered when users interact with malicious HTML pages through specific UI gestures. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. No patch is currently available, leaving affected Chrome users vulnerable to exploitation.
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).
Google Chrome versions prior to 145.0.7632.45 contain a race condition in DevTools that allows remote attackers to corrupt objects by convincing users to perform specific UI interactions and install a malicious extension. An attacker exploiting this vulnerability could achieve high-impact outcomes including information disclosure, data modification, or denial of service. The vulnerability currently has no available patch.
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).
Google Chrome versions before 145.0.7632.45 contain an animation implementation flaw that allows remote attackers to exfiltrate cross-origin data through specially crafted HTML pages. The vulnerability requires user interaction to trigger and affects all Chrome users, potentially exposing sensitive information from other websites. No patch is currently available.
Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).
Out of bounds memory access in Google Chrome's WebGPU implementation prior to version 145.0.7632.45 allows unauthenticated attackers to trigger memory corruption through a malicious HTML page. This vulnerability requires user interaction but carries high risk due to potential for arbitrary code execution or information disclosure. No patch is currently available.
Heap buffer overflow in Google Chrome's codec implementation prior to version 145.0.7632.45 enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through a malicious HTML page. The vulnerability requires user interaction to visit a crafted webpage but does not require special privileges, affecting all Chrome users. No patch is currently available.
Heap corruption in Google Chrome's CSS engine prior to version 145.0.7632.45 can be triggered through crafted HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing a malicious webpage. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, and currently no patch is available. With a CVSS score of 8.8 and low exploit difficulty, this represents a critical risk to active Chrome installations.
Unsafe deserialization in DiskCache Python library through 5.6.3. Uses pickle by default, allowing attackers with cache directory write access to execute arbitrary code.
Roundcube Webmail versions up to 1.5.13 is affected by inclusion of functionality from untrusted control sphere (CVSS 4.7).
Python's cryptography library prior to version 46.0.5 fails to validate that elliptic curve public key points belong to the expected prime-order subgroup, allowing attackers to supply crafted keys from small-order subgroups. This validation gap enables attackers to extract sensitive information about a victim's private key during ECDH key exchange or compromise ECDSA signature verification. Developers using affected key loading or generation functions should update to the patched version immediately.
Buffer overflow in MUNGE authentication daemon (versions 0.5 to 0.5.17) allows local attackers to extract cryptographic key material from memory, enabling forgery of credentials to impersonate any user on systems relying on MUNGE for authentication. By sending a crafted message with an oversized address length field, an attacker can corrupt the daemon's internal state and retrieve the MAC subkey used for credential verification. The vulnerability affects Debian Linux and other distributions packaging affected MUNGE versions; patching to 0.5.18 or later is available.
Out-of-bounds heap buffer reads in libpng versions prior to 1.6.55 can be triggered through the png_set_quantize() function when processing specially crafted PNG images with specific palette configurations, potentially causing denial of service or information disclosure. Public exploit code exists for this vulnerability, affecting applications that use libpng to process untrusted PNG files. A patch is available in version 1.6.55 and later.
Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. [CVSS 7.9 HIGH]
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. [CVSS 5.0 MEDIUM]
Corrupted Git pack and index files are not properly validated in go-git versions before 5.16.5, allowing an attacker to supply malicious packfiles that bypass integrity checks and cause go-git to consume corrupted data. This can result in unexpected application errors and denial of service conditions for any system using the vulnerable go-git library to fetch or process Git repositories. The vulnerability requires user interaction to fetch from a malicious or compromised Git source.
Faraday HTTP client library versions before 2.14.1 fail to properly validate protocol-relative URLs when merging user-supplied paths with base URLs, allowing attackers to redirect requests to arbitrary hosts via SSRF attacks. Applications that pass untrusted input to Faraday request methods like get() or post() are vulnerable to request hijacking. A patch is available in version 2.14.1 and later.
Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).
Harden-Runner versions prior to 2.14.2 fail to log outbound network connections made through sendto, sendmsg, and sendmmsg socket calls when audit mode is enabled, allowing attackers to exfiltrate data from GitHub Actions runners without detection. This integrity bypass affects users relying on Harden-Runner's egress policy auditing for security monitoring. A patch is available in version 2.14.2 and later.
Keycloak's invitation token validation fails to cryptographically verify JWT payload modifications, allowing authenticated attackers to alter organization IDs and email addresses to register into unauthorized organizations. This enables unauthorized access to organizations without proper authentication, affecting any Keycloak deployment using the invitation feature. No patch is currently available.
Keycloak's JWT authorization grant flow fails to verify that an Identity Provider is enabled before accepting tokens signed by its key, allowing attackers with a disabled IdP's signing credentials to obtain valid access tokens. This authentication bypass affects organizations that have disabled IdPs due to compromise or offboarding but retain the associated signing keys. An attacker can exploit this to gain unauthorized access to systems relying on Keycloak for authentication.
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). [CVSS 5.4 MEDIUM]
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the audio playback subsystem where the RDPSND async thread processes queued audio packets after the channel has been closed and its internal state freed, causing a denial of service. The vulnerability affects systems running vulnerable FreeRDP versions and can be exploited remotely without authentication or user interaction. A patch is available in FreeRDP 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the input event handling mechanism where unsynchronized access to cached channel callbacks can be freed or reinitialized by concurrent channel closure operations. An attacker with network access can trigger a denial of service condition by exploiting this race condition. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a buffer management error in audio format parsing that causes out-of-bounds memory access when processing malformed audio data. An attacker can exploit this vulnerability over the network without authentication to trigger a denial of service condition. A patch is available in FreeRDP 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the URBDRC channel handler where asynchronous bulk transfer completions reference freed memory after channel closure, enabling denial of service attacks. An unauthenticated remote attacker can trigger this condition through malformed RDP protocol messages to crash the FreeRDP service. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in pointer handling where sdl_Pointer_New and sdl_Pointer_Free both attempt to free the same memory, causing a denial of service condition. An attacker with network access can trigger this memory corruption to crash RDP client instances without authentication. The vulnerability affects all users of vulnerable FreeRDP versions and is resolved in version 3.22.0 and later.
FreeRDP prior to 3.22.0 has a heap buffer overflow in the URBDRC USB redirection client enabling RCE through malicious RDP servers.
FreeRDP versions prior to 3.22.0 are vulnerable to a use-after-free condition in the ecam_channel_write function when a capture thread attempts to write samples through a freed device channel callback. An unauthenticated remote attacker can exploit this vulnerability to cause a denial of service by crashing the affected system. A patch is available in version 3.22.0 and later.
FreeRDP prior to 3.22.0 has a use-after-free in ecam_encoder_compress allowing malicious RDP servers to crash or execute code on clients.