Suse
Monthly
In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head().
In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr.
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data.
In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe.
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted.
In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex.
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer.
CVE-2025-71077 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations.
In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability.
In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object.
In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields.
In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange().
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors.
In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array.
In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process(such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. [CVSS 5.5 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. [CVSS 7.8 HIGH]
Firefox 146 and Thunderbird 146 contain memory safety bugs with evidence of memory corruption that could potentially be exploited for code execution.
Arbitrary code execution in Firefox and Thunderbird versions prior to 147/140.7 results from memory corruption vulnerabilities that could allow remote attackers to execute malicious code with no user interaction required. Multiple memory safety flaws across Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146, and Thunderbird 146 create conditions for potential exploitation despite no patch currently being available. The high CVSS score of 8.1 reflects the critical nature of achieving full system compromise through network-based attack vectors.
DOM spoofing in Mozilla Firefox and Thunderbird's copy, paste, and drag-and-drop functionality allows unauthenticated attackers to deceive users into performing unintended actions through crafted content. The vulnerability affects Firefox versions below 147 and ESR versions below 140.7, as well as Thunderbird versions below 147 and 140.7, requiring user interaction to exploit. No patch is currently available.
Service Workers in Mozilla Firefox and Thunderbird versions below 147 are vulnerable to remote denial-of-service attacks that require no user interaction or authentication. An unauthenticated attacker can crash affected applications over the network, and public exploit code exists for this vulnerability. Currently no patch is available for remediation.
Firefox and Thunderbird versions before 147 contain an information disclosure vulnerability in their XML processing component that allows unauthenticated attackers to access sensitive data over the network with minimal attack complexity. The vulnerability requires no user interaction and affects the confidentiality of information without impacting system integrity or availability. No security patch is currently available.
The PDF Viewer component in Firefox and Thunderbird is vulnerable to clickjacking attacks that enable information disclosure through UI redressing techniques. Attackers can manipulate user interactions to trick victims into unintentionally revealing sensitive information, affecting Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7. No patch is currently available for this vulnerability.
Improper boundary validation in the Graphics component of Firefox, Firefox ESR, and Thunderbird allows unauthenticated remote attackers to cause limited information disclosure over the network without user interaction. Affected versions include Firefox before 147, Firefox ESR before 115.32 and 140.7, and Thunderbird before 147 and 140.7. No patch is currently available for this medium-severity vulnerability.
Memory corruption in Firefox and Thunderbird's JavaScript garbage collection engine allows remote attackers to crash the application or potentially leak sensitive information without user interaction. The vulnerability affects Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7, with no patch currently available.
Firefox JavaScript engine has a use-after-free vulnerability. Affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 and < 140.7.
The Networking component in Firefox and Thunderbird discloses sensitive information to unauthenticated remote attackers over the network. Affected versions include Firefox below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7. No patch is currently available to remediate this vulnerability.
A use-after-free vulnerability in the IPC component of Firefox (versions below 147 and ESR versions below 115.32/140.7) and Thunderbird (versions below 147 and 140.7) enables remote code execution when users interact with malicious content. The flaw requires user interaction and network access, allowing attackers to achieve full system compromise with high integrity and confidentiality impact. No patch is currently available for this vulnerability.
Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Firefox < 147 and Thunderbird < 147.
Integer overflow in Firefox and Thunderbird's Graphics component enables sandbox escape, allowing remote attackers to execute arbitrary code with high privileges through a malicious webpage or content requiring user interaction. Affected versions include Firefox below 147, Firefox ESR below 115.32 and 140.7, and Thunderbird below 147 and 140.7. No patch is currently available.
Firefox sandbox escape via incorrect boundary conditions in the Graphics component. Affects Firefox < 147, Firefox ESR < 115.32 and < 140.7, Thunderbird < 147 and < 140.7.
Incorrect boundary condition validation in Firefox and Thunderbird's WebGL graphics component allows attackers to escape the sandbox and potentially execute arbitrary code through a crafted web page or malicious content. The vulnerability affects Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7, and requires user interaction to exploit. No patch is currently available.
DOM security bypass in Firefox and Thunderbird allows remote attackers to circumvent protective mitigations through user interaction, affecting multiple versions across both products. An attacker can exploit this to achieve high-impact compromise of confidentiality and integrity without requiring authentication. Currently no patch is available for affected users.
Libpng versions 1.6.26 through 1.6.53 contain an integer truncation flaw in the simplified write API functions that triggers a heap buffer over-read when processing images with negative row strides or strides exceeding 65535 bytes. Local attackers can exploit this to read sensitive heap memory, potentially disclosing application data. No patch is currently available; users should avoid processing untrusted PNG images with these vulnerable libpng versions.
Libpng versions 1.6.51-1.6.53 contain a heap buffer over-read in the simplified API function png_image_finish_read when processing interlaced 16-bit PNG images with 8-bit output and non-minimal row stride, allowing local attackers to read out-of-bounds memory through a malicious image file. Public exploit code exists for this regression, which was introduced by a previous security fix. Upgrade to version 1.6.54 to remediate.
Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. [CVSS 7.5 HIGH]
Gin-vue-admin versions 2.8.7 and earlier contain a path traversal vulnerability in the breakpoint resume upload API that allows authenticated attackers to write arbitrary files to any directory on the system. Public exploit code exists for this vulnerability, which affects administrators and users with file upload privileges. An attacker can bypass directory restrictions by injecting traversal sequences (../) into the fileName parameter to escape the intended fileDir location.
Fulcio versions prior to 1.8.5 allow unauthenticated attackers to bypass MetaIssuer URL validation through unanchored regex patterns, enabling blind SSRF attacks against internal services. Although the vulnerability is limited to read-only GET requests with no response exfiltration, attackers can probe internal networks to discover active services and infrastructure. Public exploit code exists for this medium-severity issue, and a patch is available in version 1.8.5.
cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decompressed HTTP request body sizes. An unauthenticated remote attacker can send a malicious gzip or brotli-compressed request that decompresses to an arbitrarily large payload in memory, exhausting server resources. Public exploit code exists for this vulnerability, and a patch is available in version 0.30.1 and later.
Credential theft via Lua script execution in Envoy Gateway versions before 1.5.7 and 1.6.2 allows authenticated attackers to extract proxy credentials and subsequently access the control plane and all associated secrets including TLS private keys. Public exploit code exists for this vulnerability. Affected organizations running vulnerable Envoy Gateway instances should immediately upgrade as no patch is currently available for intermediate versions.
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. [CVSS 6.5 MEDIUM]
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. [CVSS 6.5 MEDIUM]
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. [CVSS 5.5 MEDIUM]
Cosign's bundle verification mechanism fails to properly validate that embedded Rekor entries reference the correct artifact digest, signature, and public key, allowing an attacker with a compromised signing identity to forge valid bundles and bypass transparency log verification. A malicious actor could exploit this to create counterfeit signatures that pass validation checks, affecting users relying on Cosign for container and binary code signing verification. Public exploit code exists for this vulnerability; patches are available in versions 2.6.2 and 3.0.4.
Virtualenv versions up to 20.36.1 is affected by improper link resolution before file access (CVSS 4.5).
Python's filelock SoftFileLock implementation prior to version 3.20.3 contains a TOCTOU race condition that allows local attackers with symlink creation privileges to interfere with lock file operations between permission validation and file creation. An attacker can exploit this window to create a symlink at the target lock path, causing lock operations to fail or redirect to unintended files, resulting in denial of service or unexpected behavior. Upgrade to filelock version 3.20.3 or later to remediate this vulnerability.
HarfBuzz text shaping engine versions prior to 12.3.0 crash when the SubtableUnicodesCache::create function attempts to dereference a null pointer returned by failed memory allocation, enabling denial of service in applications processing untrusted font data. Public exploit code exists for this vulnerability. A patch is available in version 12.3.0 and later.
Mailpit versions up to 1.28.2 contains a vulnerability that allows attackers to intercept sensitive data such as email contents, headers, and server statistics (CVSS 6.5).
pypdf versions prior to 6.6.0 are vulnerable to denial of service through CPU exhaustion when processing malformed PDF files with crafted startxref entries in non-strict reading mode. An attacker can create a specially crafted PDF containing excessive whitespace that causes the library to consume significant processing resources during cross-reference table reconstruction. A patch is available in version 6.6.0 and later.
Denial of service via resource exhaustion in pypdf prior to version 6.6.0 allows remote attackers to trigger excessive processing times by submitting specially crafted PDF files with missing /Root objects and inflated /Size values. The vulnerability only affects non-strict parsing mode and causes the library to consume significant CPU resources when processing otherwise invalid documents. A patch is available in version 6.6.0 and later.
WeKnora LLM framework (before 0.2.5) allows authenticated users to inject MCP stdio commands that the server executes as subprocesses. PoC available, patch available.
WeKnora versions before 0.2.5 allow unauthenticated attackers to bypass database query restrictions through prompt injection techniques when the Agent service is enabled, enabling unauthorized access to sensitive data. Public exploit code exists for this vulnerability, which affects the framework's document understanding and semantic retrieval capabilities. A patch is available in version 0.2.5 and later.
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]
React Router is a router for React. In @remix-run/router version prior to 1.23.2. [CVSS 8.0 HIGH]
React Router is a router for React. In @remix-run/react version prior to 2.17.3. [CVSS 8.2 HIGH]
A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 4.3 MEDIUM]
A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. [CVSS 6.5 MEDIUM]
fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file. [CVSS 7.5 HIGH]
A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. [CVSS 7.6 HIGH]
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. [CVSS 8.8 HIGH]
Soft Serve versions prior to 0.11.2 contain an authorization bypass in the LFS lock deletion endpoint that allows authenticated users to forcibly delete locks owned by other users by exploiting improper validation order. Any user with repository write access can leverage this vulnerability to disrupt collaborative workflows by removing locks created by teammates. A public exploit exists and patches are available.
Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allowing attackers to bypass path restrictions by using device names with file extensions or trailing spaces (e.g., CON.txt, AUX ). This denial of service vulnerability affects Windows systems running vulnerable Werkzeug versions and could allow an unauthenticated remote attacker to access restricted files or cause application crashes. A patch is available in version 3.1.5 and later.
Authlib is a Python library which builds OAuth and OpenID Connect servers. [CVSS 5.7 MEDIUM]
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limit...
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scripts when applications pass unsanitized user-controlled data as component children, with public exploit code already available. The vulnerability stems from a regression in Preact 10.26.5 that weakened protections against constructing Virtual DOM elements from malicious JSON payloads. Affected applications are vulnerable if they consume unvalidated external data without sanitization and lack additional mitigations like Content Security Policy.
The RSA crate versions prior to 0.9.10 crash when constructing private keys with invalid prime components (such as 1), allowing an attacker to trigger a denial of service by providing malformed key material. This affects applications using the vulnerable RSA library for cryptographic operations. A patch is available in version 0.9.10 and later.
Miniflux's media proxy endpoint is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 2.2.16, allowing authenticated users to craft malicious proxy URLs that force the application to fetch and expose responses from internal network resources including localhost and private IP ranges. An attacker with valid credentials can abuse this to access sensitive internal services and metadata endpoints by embedding specially crafted URLs in feed content. Public exploit code exists for this vulnerability, and no patch is currently available for affected installations.
Libsoup's NTLM authentication handler crashes when processing exceptionally long passwords due to a signed integer overflow in memory allocation calculations, affecting GNOME and applications relying on this library for network operations. An unauthenticated remote attacker can trigger a denial-of-service condition by sending specially crafted authentication requests. No patch is currently available.
SUSE Harvester virtualization environment (1.5.x, 1.6.x) exposes the OS default SSH login password when using the interactive installer. This affects all hosts provisioned through the interactive method, potentially compromising entire virtualization clusters.
NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. [CVSS 8.8 HIGH]
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. [CVSS 5.3 MEDIUM]
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. [CVSS 5.3 MEDIUM]
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. [CVSS 5.3 MEDIUM]
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. [CVSS 6.3 MEDIUM]
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. [CVSS 5.9 MEDIUM]
Bokeh versions 3.8.1 and below allow attackers to bypass Origin validation in WebSocket connections by registering domains that suffix-match allowlisted domains (e.g., dashboard.corp.attacker.com for allowlist entry dashboard.corp), enabling unauthorized server interaction. Public exploit code exists for this vulnerability, which could allow attackers to access sensitive data or modify visualizations on behalf of victims. The issue is resolved in Bokeh 3.8.2.
Llama.cpp server endpoints fail to validate the n_discard parameter from JSON input, allowing negative values that trigger out-of-bounds memory writes when the context buffer fills. This memory corruption vulnerability affects LLM inference operations and can be exploited remotely without authentication to crash the service or achieve code execution; public exploit code exists and no patch is currently available.
Mailpit versions 1.28.0 and earlier contain a server-side request forgery vulnerability in the /proxy endpoint that permits unauthenticated attackers to probe and access internal network resources and services. The endpoint insufficiently validates destination addresses, allowing requests to internal IP ranges despite scheme validation. Public exploit code exists for this vulnerability, which is resolved in version 1.28.1.
urllib3 versions 1.22 through 2.6.2 perform unnecessary decompression of redirect response bodies in the streaming API, consuming memory and processing resources before any read methods are invoked. An unauthenticated remote attacker can trigger excessive decompression of large redirect responses to cause denial of service through memory exhaustion or high CPU consumption. This vulnerability affects all Python applications using urllib3's streaming functionality with compressed HTTP redirects.
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". [CVSS 8.8 HIGH]
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. [CVSS 7.5 HIGH]
Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. [CVSS 7.5 HIGH]
Local privilege escalation in zlib 1.3.1.2 and earlier allows authenticated users to achieve arbitrary code execution through a buffer overflow in the contrib/untgz utility when processing command-line arguments with excessively long archive names. The vulnerability affects only the standalone untgz demonstration tool and does not impact the core zlib library. No patch is currently available.
Google Chrome versions prior to 143.0.7499.192 fail to properly enforce policies on WebView tags, allowing attackers who trick users into installing malicious extensions to inject arbitrary scripts and HTML into privileged pages. This vulnerability affects all Chrome users and requires user interaction to exploit, resulting in potential code execution with high impact to confidentiality, integrity, and availability. No patch is currently available.
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. [CVSS 5.4 MEDIUM]
Crypt::Sodium::XS for Perl bundles a vulnerable version of libsodium (<= 1.0.20) that has a signature verification flaw. In atypical use cases with custom cryptography, this can compromise data authenticity guarantees. Patch available.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]
In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head().
In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr.
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data.
In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe.
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted.
In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex.
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer.
CVE-2025-71077 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations.
In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability.
In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object.
In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields.
In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange().
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors.
In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array.
In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process(such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. [CVSS 5.5 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. [CVSS 7.8 HIGH]
Firefox 146 and Thunderbird 146 contain memory safety bugs with evidence of memory corruption that could potentially be exploited for code execution.
Arbitrary code execution in Firefox and Thunderbird versions prior to 147/140.7 results from memory corruption vulnerabilities that could allow remote attackers to execute malicious code with no user interaction required. Multiple memory safety flaws across Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146, and Thunderbird 146 create conditions for potential exploitation despite no patch currently being available. The high CVSS score of 8.1 reflects the critical nature of achieving full system compromise through network-based attack vectors.
DOM spoofing in Mozilla Firefox and Thunderbird's copy, paste, and drag-and-drop functionality allows unauthenticated attackers to deceive users into performing unintended actions through crafted content. The vulnerability affects Firefox versions below 147 and ESR versions below 140.7, as well as Thunderbird versions below 147 and 140.7, requiring user interaction to exploit. No patch is currently available.
Service Workers in Mozilla Firefox and Thunderbird versions below 147 are vulnerable to remote denial-of-service attacks that require no user interaction or authentication. An unauthenticated attacker can crash affected applications over the network, and public exploit code exists for this vulnerability. Currently no patch is available for remediation.
Firefox and Thunderbird versions before 147 contain an information disclosure vulnerability in their XML processing component that allows unauthenticated attackers to access sensitive data over the network with minimal attack complexity. The vulnerability requires no user interaction and affects the confidentiality of information without impacting system integrity or availability. No security patch is currently available.
The PDF Viewer component in Firefox and Thunderbird is vulnerable to clickjacking attacks that enable information disclosure through UI redressing techniques. Attackers can manipulate user interactions to trick victims into unintentionally revealing sensitive information, affecting Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7. No patch is currently available for this vulnerability.
Improper boundary validation in the Graphics component of Firefox, Firefox ESR, and Thunderbird allows unauthenticated remote attackers to cause limited information disclosure over the network without user interaction. Affected versions include Firefox before 147, Firefox ESR before 115.32 and 140.7, and Thunderbird before 147 and 140.7. No patch is currently available for this medium-severity vulnerability.
Memory corruption in Firefox and Thunderbird's JavaScript garbage collection engine allows remote attackers to crash the application or potentially leak sensitive information without user interaction. The vulnerability affects Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7, with no patch currently available.
Firefox JavaScript engine has a use-after-free vulnerability. Affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 and < 140.7.
The Networking component in Firefox and Thunderbird discloses sensitive information to unauthenticated remote attackers over the network. Affected versions include Firefox below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7. No patch is currently available to remediate this vulnerability.
A use-after-free vulnerability in the IPC component of Firefox (versions below 147 and ESR versions below 115.32/140.7) and Thunderbird (versions below 147 and 140.7) enables remote code execution when users interact with malicious content. The flaw requires user interaction and network access, allowing attackers to achieve full system compromise with high integrity and confidentiality impact. No patch is currently available for this vulnerability.
Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Firefox < 147 and Thunderbird < 147.
Integer overflow in Firefox and Thunderbird's Graphics component enables sandbox escape, allowing remote attackers to execute arbitrary code with high privileges through a malicious webpage or content requiring user interaction. Affected versions include Firefox below 147, Firefox ESR below 115.32 and 140.7, and Thunderbird below 147 and 140.7. No patch is currently available.
Firefox sandbox escape via incorrect boundary conditions in the Graphics component. Affects Firefox < 147, Firefox ESR < 115.32 and < 140.7, Thunderbird < 147 and < 140.7.
Incorrect boundary condition validation in Firefox and Thunderbird's WebGL graphics component allows attackers to escape the sandbox and potentially execute arbitrary code through a crafted web page or malicious content. The vulnerability affects Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7, and requires user interaction to exploit. No patch is currently available.
DOM security bypass in Firefox and Thunderbird allows remote attackers to circumvent protective mitigations through user interaction, affecting multiple versions across both products. An attacker can exploit this to achieve high-impact compromise of confidentiality and integrity without requiring authentication. Currently no patch is available for affected users.
Libpng versions 1.6.26 through 1.6.53 contain an integer truncation flaw in the simplified write API functions that triggers a heap buffer over-read when processing images with negative row strides or strides exceeding 65535 bytes. Local attackers can exploit this to read sensitive heap memory, potentially disclosing application data. No patch is currently available; users should avoid processing untrusted PNG images with these vulnerable libpng versions.
Libpng versions 1.6.51-1.6.53 contain a heap buffer over-read in the simplified API function png_image_finish_read when processing interlaced 16-bit PNG images with 8-bit output and non-minimal row stride, allowing local attackers to read out-of-bounds memory through a malicious image file. Public exploit code exists for this regression, which was introduced by a previous security fix. Upgrade to version 1.6.54 to remediate.
Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. [CVSS 7.5 HIGH]
Gin-vue-admin versions 2.8.7 and earlier contain a path traversal vulnerability in the breakpoint resume upload API that allows authenticated attackers to write arbitrary files to any directory on the system. Public exploit code exists for this vulnerability, which affects administrators and users with file upload privileges. An attacker can bypass directory restrictions by injecting traversal sequences (../) into the fileName parameter to escape the intended fileDir location.
Fulcio versions prior to 1.8.5 allow unauthenticated attackers to bypass MetaIssuer URL validation through unanchored regex patterns, enabling blind SSRF attacks against internal services. Although the vulnerability is limited to read-only GET requests with no response exfiltration, attackers can probe internal networks to discover active services and infrastructure. Public exploit code exists for this medium-severity issue, and a patch is available in version 1.8.5.
cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decompressed HTTP request body sizes. An unauthenticated remote attacker can send a malicious gzip or brotli-compressed request that decompresses to an arbitrarily large payload in memory, exhausting server resources. Public exploit code exists for this vulnerability, and a patch is available in version 0.30.1 and later.
Credential theft via Lua script execution in Envoy Gateway versions before 1.5.7 and 1.6.2 allows authenticated attackers to extract proxy credentials and subsequently access the control plane and all associated secrets including TLS private keys. Public exploit code exists for this vulnerability. Affected organizations running vulnerable Envoy Gateway instances should immediately upgrade as no patch is currently available for intermediate versions.
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. [CVSS 6.5 MEDIUM]
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. [CVSS 6.5 MEDIUM]
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. [CVSS 5.5 MEDIUM]
Cosign's bundle verification mechanism fails to properly validate that embedded Rekor entries reference the correct artifact digest, signature, and public key, allowing an attacker with a compromised signing identity to forge valid bundles and bypass transparency log verification. A malicious actor could exploit this to create counterfeit signatures that pass validation checks, affecting users relying on Cosign for container and binary code signing verification. Public exploit code exists for this vulnerability; patches are available in versions 2.6.2 and 3.0.4.
Virtualenv versions up to 20.36.1 is affected by improper link resolution before file access (CVSS 4.5).
Python's filelock SoftFileLock implementation prior to version 3.20.3 contains a TOCTOU race condition that allows local attackers with symlink creation privileges to interfere with lock file operations between permission validation and file creation. An attacker can exploit this window to create a symlink at the target lock path, causing lock operations to fail or redirect to unintended files, resulting in denial of service or unexpected behavior. Upgrade to filelock version 3.20.3 or later to remediate this vulnerability.
HarfBuzz text shaping engine versions prior to 12.3.0 crash when the SubtableUnicodesCache::create function attempts to dereference a null pointer returned by failed memory allocation, enabling denial of service in applications processing untrusted font data. Public exploit code exists for this vulnerability. A patch is available in version 12.3.0 and later.
Mailpit versions up to 1.28.2 contains a vulnerability that allows attackers to intercept sensitive data such as email contents, headers, and server statistics (CVSS 6.5).
pypdf versions prior to 6.6.0 are vulnerable to denial of service through CPU exhaustion when processing malformed PDF files with crafted startxref entries in non-strict reading mode. An attacker can create a specially crafted PDF containing excessive whitespace that causes the library to consume significant processing resources during cross-reference table reconstruction. A patch is available in version 6.6.0 and later.
Denial of service via resource exhaustion in pypdf prior to version 6.6.0 allows remote attackers to trigger excessive processing times by submitting specially crafted PDF files with missing /Root objects and inflated /Size values. The vulnerability only affects non-strict parsing mode and causes the library to consume significant CPU resources when processing otherwise invalid documents. A patch is available in version 6.6.0 and later.
WeKnora LLM framework (before 0.2.5) allows authenticated users to inject MCP stdio commands that the server executes as subprocesses. PoC available, patch available.
WeKnora versions before 0.2.5 allow unauthenticated attackers to bypass database query restrictions through prompt injection techniques when the Agent service is enabled, enabling unauthorized access to sensitive data. Public exploit code exists for this vulnerability, which affects the framework's document understanding and semantic retrieval capabilities. A patch is available in version 0.2.5 and later.
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]
React Router is a router for React. In @remix-run/router version prior to 1.23.2. [CVSS 8.0 HIGH]
React Router is a router for React. In @remix-run/react version prior to 2.17.3. [CVSS 8.2 HIGH]
A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. [CVSS 4.3 MEDIUM]
A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. [CVSS 6.5 MEDIUM]
fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer dereference in fluid_synth_monopoly.c, that can be triggered when loading an invalid midi file. [CVSS 7.5 HIGH]
A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. [CVSS 7.6 HIGH]
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. [CVSS 8.8 HIGH]
Soft Serve versions prior to 0.11.2 contain an authorization bypass in the LFS lock deletion endpoint that allows authenticated users to forcibly delete locks owned by other users by exploiting improper validation order. Any user with repository write access can leverage this vulnerability to disrupt collaborative workflows by removing locks created by teammates. A public exploit exists and patches are available.
Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allowing attackers to bypass path restrictions by using device names with file extensions or trailing spaces (e.g., CON.txt, AUX ). This denial of service vulnerability affects Windows systems running vulnerable Werkzeug versions and could allow an unauthenticated remote attacker to access restricted files or cause application crashes. A patch is available in version 3.1.5 and later.
Authlib is a Python library which builds OAuth and OpenID Connect servers. [CVSS 5.7 MEDIUM]
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limit...
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scripts when applications pass unsanitized user-controlled data as component children, with public exploit code already available. The vulnerability stems from a regression in Preact 10.26.5 that weakened protections against constructing Virtual DOM elements from malicious JSON payloads. Affected applications are vulnerable if they consume unvalidated external data without sanitization and lack additional mitigations like Content Security Policy.
The RSA crate versions prior to 0.9.10 crash when constructing private keys with invalid prime components (such as 1), allowing an attacker to trigger a denial of service by providing malformed key material. This affects applications using the vulnerable RSA library for cryptographic operations. A patch is available in version 0.9.10 and later.
Miniflux's media proxy endpoint is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 2.2.16, allowing authenticated users to craft malicious proxy URLs that force the application to fetch and expose responses from internal network resources including localhost and private IP ranges. An attacker with valid credentials can abuse this to access sensitive internal services and metadata endpoints by embedding specially crafted URLs in feed content. Public exploit code exists for this vulnerability, and no patch is currently available for affected installations.
Libsoup's NTLM authentication handler crashes when processing exceptionally long passwords due to a signed integer overflow in memory allocation calculations, affecting GNOME and applications relying on this library for network operations. An unauthenticated remote attacker can trigger a denial-of-service condition by sending specially crafted authentication requests. No patch is currently available.
SUSE Harvester virtualization environment (1.5.x, 1.6.x) exposes the OS default SSH login password when using the interactive installer. This affects all hosts provisioned through the interactive method, potentially compromising entire virtualization clusters.
NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. [CVSS 8.8 HIGH]
When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. [CVSS 5.3 MEDIUM]
When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. [CVSS 5.3 MEDIUM]
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. [CVSS 5.3 MEDIUM]
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. [CVSS 6.3 MEDIUM]
When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. [CVSS 5.9 MEDIUM]
Bokeh versions 3.8.1 and below allow attackers to bypass Origin validation in WebSocket connections by registering domains that suffix-match allowlisted domains (e.g., dashboard.corp.attacker.com for allowlist entry dashboard.corp), enabling unauthorized server interaction. Public exploit code exists for this vulnerability, which could allow attackers to access sensitive data or modify visualizations on behalf of victims. The issue is resolved in Bokeh 3.8.2.
Llama.cpp server endpoints fail to validate the n_discard parameter from JSON input, allowing negative values that trigger out-of-bounds memory writes when the context buffer fills. This memory corruption vulnerability affects LLM inference operations and can be exploited remotely without authentication to crash the service or achieve code execution; public exploit code exists and no patch is currently available.
Mailpit versions 1.28.0 and earlier contain a server-side request forgery vulnerability in the /proxy endpoint that permits unauthenticated attackers to probe and access internal network resources and services. The endpoint insufficiently validates destination addresses, allowing requests to internal IP ranges despite scheme validation. Public exploit code exists for this vulnerability, which is resolved in version 1.28.1.
urllib3 versions 1.22 through 2.6.2 perform unnecessary decompression of redirect response bodies in the streaming API, consuming memory and processing resources before any read methods are invoked. An unauthenticated remote attacker can trigger excessive decompression of large redirect responses to cause denial of service through memory exhaustion or high CPU consumption. This vulnerability affects all Python applications using urllib3's streaming functionality with compressed HTTP redirects.
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". [CVSS 8.8 HIGH]
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. [CVSS 7.5 HIGH]
Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. [CVSS 7.5 HIGH]
Local privilege escalation in zlib 1.3.1.2 and earlier allows authenticated users to achieve arbitrary code execution through a buffer overflow in the contrib/untgz utility when processing command-line arguments with excessively long archive names. The vulnerability affects only the standalone untgz demonstration tool and does not impact the core zlib library. No patch is currently available.
Google Chrome versions prior to 143.0.7499.192 fail to properly enforce policies on WebView tags, allowing attackers who trick users into installing malicious extensions to inject arbitrary scripts and HTML into privileged pages. This vulnerability affects all Chrome users and requires user interaction to exploit, resulting in potential code execution with high impact to confidentiality, integrity, and availability. No patch is currently available.
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. [CVSS 5.4 MEDIUM]
Crypt::Sodium::XS for Perl bundles a vulnerable version of libsodium (<= 1.0.20) that has a signature verification flaw. In atypical use cases with custom cryptography, this can compromise data authenticity guarantees. Patch available.
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]