Common Weakness Enumeration

CWE-459

Allowed

Incomplete Cleanup

Abstraction: Base · Status: Draft

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

223 vulnerabilities reference this CWE, most recent first.

CVE-2021-4032 (GCVE-0-2021-4032)

Vulnerability from cvelistv5 – Published: 2022-01-21 18:17 – Updated: 2024-08-03 17:16
VLAI
Summary
A vulnerability was found in the Linux kernel's KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when a failure allocation was detected. In this flaw the KVM subsystem may crash the kernel due to mishandling of memory errors that happens during VCPU construction, which allows an attacker with special user privilege to cause a denial of service. This flaw affects kernel versions prior to 5.15 rc7.
Severity
No CVSS data available.
CWE
Assigner
Impacted products
Vendor Product Version
n/a kernel Affected: kernel 5.15 rc7
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:16:03.043Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2027403"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7d8a19f9a056a05c5c509fa65af472a322abfee"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lkml.org/lkml/2021/9/8/587"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "kernel 5.15 rc7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in the Linux kernel\u0027s KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when a failure allocation was detected. In this flaw the KVM subsystem may crash the kernel due to mishandling of memory errors that happens during VCPU construction, which allows an attacker with special user privilege to cause a denial of service. This flaw affects kernel versions prior to 5.15 rc7."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-21T18:17:29.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2027403"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7d8a19f9a056a05c5c509fa65af472a322abfee"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lkml.org/lkml/2021/9/8/587"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-4032",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "kernel 5.15 rc7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability was found in the Linux kernel\u0027s KVM subsystem in arch/x86/kvm/lapic.c kvm_free_lapic when a failure allocation was detected. In this flaw the KVM subsystem may crash the kernel due to mishandling of memory errors that happens during VCPU construction, which allows an attacker with special user privilege to cause a denial of service. This flaw affects kernel versions prior to 5.15 rc7."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-459"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2027403",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2027403"
            },
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7d8a19f9a056a05c5c509fa65af472a322abfee",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f7d8a19f9a056a05c5c509fa65af472a322abfee"
            },
            {
              "name": "https://lkml.org/lkml/2021/9/8/587",
              "refsource": "MISC",
              "url": "https://lkml.org/lkml/2021/9/8/587"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-4032",
    "datePublished": "2022-01-21T18:17:29.000Z",
    "dateReserved": "2021-11-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T17:16:03.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-4002 (GCVE-0-2021-4002)

Vulnerability from cvelistv5 – Published: 2022-03-03 21:42 – Updated: 2024-08-03 17:16
VLAI
Summary
A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.
Severity
No CVSS data available.
CWE
Assigner
Impacted products
Vendor Product Version
n/a kernel Affected: affects kernel v3.6 and later through v5.15.5.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:16:03.279Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025726"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2021/11/25/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=13e4ad2ce8df6e058ef482a31fdd81c725b0f7ea"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4a118f2eead1d6c49e00765de89878288d4b890"
          },
          {
            "name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2940-1] linux security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html"
          },
          {
            "name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2941-1] linux-4.19 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"
          },
          {
            "name": "DSA-5096",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5096"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "affects kernel v3.6 and later through v5.15.5."
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A memory leak flaw in the Linux kernel\u0027s hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:42:37.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025726"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2021/11/25/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=13e4ad2ce8df6e058ef482a31fdd81c725b0f7ea"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4a118f2eead1d6c49e00765de89878288d4b890"
        },
        {
          "name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2940-1] linux security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html"
        },
        {
          "name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2941-1] linux-4.19 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"
        },
        {
          "name": "DSA-5096",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5096"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-4002",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "affects kernel v3.6 and later through v5.15.5."
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A memory leak flaw in the Linux kernel\u0027s hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-459"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2025726",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025726"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2021/11/25/1",
              "refsource": "MISC",
              "url": "https://www.openwall.com/lists/oss-security/2021/11/25/1"
            },
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=13e4ad2ce8df6e058ef482a31fdd81c725b0f7ea",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=13e4ad2ce8df6e058ef482a31fdd81c725b0f7ea"
            },
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4a118f2eead1d6c49e00765de89878288d4b890",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4a118f2eead1d6c49e00765de89878288d4b890"
            },
            {
              "name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2940-1] linux security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html"
            },
            {
              "name": "[debian-lts-announce] 20220309 [SECURITY] [DLA 2941-1] linux-4.19 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"
            },
            {
              "name": "DSA-5096",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5096"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-4002",
    "datePublished": "2022-03-03T21:42:47.000Z",
    "dateReserved": "2021-11-22T00:00:00.000Z",
    "dateUpdated": "2024-08-03T17:16:03.279Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-12494 (GCVE-0-2020-12494)

Vulnerability from cvelistv5 – Published: 2020-06-16 13:28 – Updated: 2024-08-04 11:56
VLAI
Title
Beckhoff: Etherleak in TwinCAT RT network driver
Summary
Beckhoff's TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames. By this method, memory content is disclosed, however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small sized ICMP echo requests sent to the device.
CWE
Assigner
References
Impacted products
Vendor Product Version
Beckhoff TwinCat Driver for Intel 8254x (Tcl8254x.sys) Affected: unspecified , ≤ 3.1.0.3603 for TwinCAT 3.1 4024 (custom)
Affected: unspecified , ≤ 3.1.0.3512 for TwinCAT 3.1 4022 (custom)
Affected: unspecified , ≤ 2.11.0.2120 for TwinCAT 2.11 2350 (custom)
Create a notification for this product.
Beckhoff TwinCat Driver for Intel 8255x (Tcl8255x.sys) Affected: unspecified , ≤ 3.1.0.3600 for TwinCAT 3.1 4024 (custom)
Affected: unspecified , ≤ 3.1.0.3500 for TwinCAT 3.1 4024 (custom)
Affected: unspecified , ≤ 2.11.0.2117 for TwinCAT 2.11 2350 (custom)
Create a notification for this product.
Credits
Beckhoff reported this vulnerability to CERT@VDE
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:56:52.090Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert.vde.com/en-us/advisories/vde-2020-019"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TwinCat Driver for Intel 8254x (Tcl8254x.sys)",
          "vendor": "Beckhoff",
          "versions": [
            {
              "lessThanOrEqual": "3.1.0.3603 for TwinCAT 3.1 4024",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "3.1.0.3512 for TwinCAT 3.1 4022",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.11.0.2120 for TwinCAT 2.11 2350",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "TwinCat Driver for Intel 8255x (Tcl8255x.sys)",
          "vendor": "Beckhoff",
          "versions": [
            {
              "lessThanOrEqual": "3.1.0.3600 for TwinCAT 3.1 4024",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "3.1.0.3500 for TwinCAT 3.1 4024",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.11.0.2117 for TwinCAT 2.11 2350",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Beckhoff reported this vulnerability to CERT@VDE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Beckhoff\u0027s TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames. By this method, memory content is disclosed, however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small sized ICMP echo requests sent to the device."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459 Incomplete Cleanup",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-19T12:29:17.000Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert.vde.com/en-us/advisories/vde-2020-019"
        }
      ],
      "source": {
        "advisory": "VDE-2020-019",
        "discovery": "UNKNOWN"
      },
      "title": "Beckhoff: Etherleak in TwinCAT RT network driver",
      "workarounds": [
        {
          "lang": "en",
          "value": "If no real-time communication from TwinCAT is required on the Ethernet interface, then users can alternatively re-configure them to use the Intel \u00ae driver, which is shipped with Beckhoff images.\nCustomers should configure a perimeter firewall to block traffic from untrusted networks to the device, especially regarding ICMP and other small ethernet frames.\nBeckhoff offers software patches for TwinCAT 3.1 and TwinCAT 2.11 on request. These patches will be included in the the next regular releases to the affected software versions. The advisory will be updated upon availability."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "CERT@VDE",
          "ASSIGNER": "info@cert.vde.com",
          "ID": "CVE-2020-12494",
          "STATE": "PUBLIC",
          "TITLE": "Beckhoff: Etherleak in TwinCAT RT network driver"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TwinCat Driver for Intel 8254x (Tcl8254x.sys)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.1.0.3603 for TwinCAT 3.1 4024"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.1.0.3512 for TwinCAT 3.1 4022"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.11.0.2120 for TwinCAT 2.11 2350"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "TwinCat Driver for Intel 8255x (Tcl8255x.sys)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.1.0.3600 for TwinCAT 3.1 4024"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.1.0.3500 for TwinCAT 3.1 4024"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.11.0.2117 for TwinCAT 2.11 2350"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Beckhoff"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Beckhoff reported this vulnerability to CERT@VDE"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Beckhoff\u0027s TwinCAT RT network driver for Intel 8254x and 8255x is providing EtherCAT functionality. The driver implements real-time features. Except for Ethernet frames sent from real-time functionality, all other Ethernet frames sent through the driver are not padded if their payload is less than the minimum Ethernet frame size. Instead, arbitrary memory content is transmitted within in the padding bytes of the frame. Most likely this memory contains slices from previously transmitted or received frames. By this method, memory content is disclosed, however, an attacker can hardly control which memory content is affected. For example, the disclosure can be provoked with small sized ICMP echo requests sent to the device."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-459 Incomplete Cleanup"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert.vde.com/en-us/advisories/vde-2020-019",
              "refsource": "CONFIRM",
              "url": "https://cert.vde.com/en-us/advisories/vde-2020-019"
            }
          ]
        },
        "source": {
          "advisory": "VDE-2020-019",
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "If no real-time communication from TwinCAT is required on the Ethernet interface, then users can alternatively re-configure them to use the Intel \u00ae driver, which is shipped with Beckhoff images.\nCustomers should configure a perimeter firewall to block traffic from untrusted networks to the device, especially regarding ICMP and other small ethernet frames.\nBeckhoff offers software patches for TwinCAT 3.1 and TwinCAT 2.11 on request. These patches will be included in the the next regular releases to the affected software versions. The advisory will be updated upon availability."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2020-12494",
    "datePublished": "2020-06-16T13:28:38.000Z",
    "dateReserved": "2020-04-30T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:56:52.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10685 (GCVE-0-2020-10685)

Vulnerability from cvelistv5 – Published: 2020-05-11 00:00 – Updated: 2024-08-04 11:06
VLAI
Summary
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.
CWE
Assigner
Impacted products
Vendor Product Version
Red Hat Ansible Affected: ansible-engine versions 2.7.x before 2.7.17
Affected: ansible-engine 2.8.x before 2.8.11
Affected: ansible-engine 2.9.x before 2.9.7
Affected: Ansible Tower <= 3.4.5
Affected: Ansible Tower <= 3.5.5
Affected: Ansible Tower <= 3.6.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:06:10.628Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GLSA-202006-11",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202006-11"
          },
          {
            "name": "DSA-4950",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4950"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10685"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ansible/ansible/pull/68433"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ansible",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "ansible-engine versions 2.7.x before 2.7.17"
            },
            {
              "status": "affected",
              "version": "ansible-engine 2.8.x before 2.8.11"
            },
            {
              "status": "affected",
              "version": "ansible-engine 2.9.x before 2.9.7"
            },
            {
              "status": "affected",
              "version": "Ansible Tower \u003c= 3.4.5"
            },
            {
              "status": "affected",
              "version": "Ansible Tower \u003c= 3.5.5"
            },
            {
              "status": "affected",
              "version": "Ansible Tower \u003c= 3.6.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-07T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "GLSA-202006-11",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202006-11"
        },
        {
          "name": "DSA-4950",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4950"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10685"
        },
        {
          "url": "https://github.com/ansible/ansible/pull/68433"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-10685",
    "datePublished": "2020-05-11T00:00:00.000Z",
    "dateReserved": "2020-03-20T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:06:10.628Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-5011 (GCVE-0-2019-5011)

Vulnerability from cvelistv5 – Published: 2019-03-21 14:50 – Updated: 2024-08-04 19:40
VLAI
Summary
An exploitable privilege escalation vulnerability exists in the helper service CleanMyMac X, version 4.20, due to improper updating. The application failed to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a CleanMyMac X Affected: Clean My Mac X 4.20
Date Public
2019-03-11 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:40:49.194Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0759"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CleanMyMac X",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Clean My Mac X 4.20"
            }
          ]
        }
      ],
      "datePublic": "2019-03-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An exploitable privilege escalation vulnerability exists in the helper service CleanMyMac X, version 4.20, due to improper updating. The application failed to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459: Incomplete Cleanup",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T17:32:42.000Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0759"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "talos-cna@cisco.com",
          "ID": "CVE-2019-5011",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CleanMyMac X",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Clean My Mac X 4.20"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An exploitable privilege escalation vulnerability exists in the helper service CleanMyMac X, version 4.20, due to improper updating. The application failed to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 7.1,
            "baseSeverity": "High",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-459: Incomplete Cleanup"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0759",
              "refsource": "MISC",
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0759"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2019-5011",
    "datePublished": "2019-03-21T14:50:38.000Z",
    "dateReserved": "2019-01-04T00:00:00.000Z",
    "dateUpdated": "2024-08-04T19:40:49.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-22XM-P789-9HFC

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ixgbevf: Fix resource leak in ixgbevf_init_module()

ixgbevf_init_module() won't destroy the workqueue created by create_singlethread_workqueue() when pci_register_driver() failed. Add destroy_workqueue() in fail path to prevent the resource leak.

Similar to the handling of u132_hcd_init in commit f276e002793c ("usb: u132-hcd: fix resource leak")

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49028"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: Fix resource leak in ixgbevf_init_module()\n\nixgbevf_init_module() won\u0027t destroy the workqueue created by\ncreate_singlethread_workqueue() when pci_register_driver() failed. Add\ndestroy_workqueue() in fail path to prevent the resource leak.\n\nSimilar to the handling of u132_hcd_init in commit f276e002793c\n(\"usb: u132-hcd: fix resource leak\")",
  "id": "GHSA-22xm-p789-9hfc",
  "modified": "2024-10-24T18:30:42Z",
  "published": "2024-10-21T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49028"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7109e941099244cc876a4b3cb7a3ec79f104374a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8cfa238a48f34038464b99d0b4825238c2687181"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c99671d4699dcf90d6939923c8fe8a8918e140b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f166c62cad798c53300b4b327e44300c73ec492d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2F2X-8MWP-P2GC

Vulnerability from github – Published: 2026-02-12 15:29 – Updated: 2026-02-12 22:07
VLAI
Summary
webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map
Details

Summary

An attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources.

Details

webtransport-go maintains an internal map tracking WebTransport streams (both unidirectional and bidirectional) belonging to a session. In affected versions, entries for closed streams were not removed from this map, causing the map to grow indefinitely as streams were created and closed.

A malicious peer can exploit this by opening large numbers of streams and closing them, leading to steady memory growth proportional to the number of closed streams.

The Fix

webtransport-go now removes closed streams from the internal map upon closure. This allows the associated resources to be garbage collected, bounding memory usage to active streams only.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/webtransport-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-459"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-12T15:29:11Z",
    "nvd_published_at": "2026-02-12T19:15:51Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nAn attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources.\n\n## Details\nwebtransport-go maintains an internal map tracking WebTransport streams (both unidirectional and bidirectional) belonging to a session. In affected versions, entries for closed streams were not removed from this map, causing the map to grow indefinitely as streams were created and closed.\n\nA malicious peer can exploit this by opening large numbers of streams and closing them, leading to steady memory growth proportional to the number of closed streams.\n\n## The Fix\nwebtransport-go now removes closed streams from the internal map upon closure. This allows the associated resources to be garbage collected, bounding memory usage to active streams only.",
  "id": "GHSA-2f2x-8mwp-p2gc",
  "modified": "2026-02-12T22:07:42Z",
  "published": "2026-02-12T15:29:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21438"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quic-go/webtransport-go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map"
}

GHSA-2G5F-4P47-MX3M

Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-10-28 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nvmem: core: fix cleanup after dev_set_name()

If dev_set_name() fails, we leak nvmem->wp_gpio as the cleanup does not put this. While a minimal fix for this would be to add the gpiod_put() call, we can do better if we split device_register(), and use the tested nvmem_release() cleanup code by initialising the device early, and putting the device.

This results in a slightly larger fix, but results in clear code.

Note: this patch depends on "nvmem: core: initialise nvmem->id early" and "nvmem: core: remove nvmem_config wp_gpio".

[Srini: Fixed subject line and error code handing with wp_gpio while applying.]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T17:15:42Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: core: fix cleanup after dev_set_name()\n\nIf dev_set_name() fails, we leak nvmem-\u003ewp_gpio as the cleanup does not\nput this. While a minimal fix for this would be to add the gpiod_put()\ncall, we can do better if we split device_register(), and use the\ntested nvmem_release() cleanup code by initialising the device early,\nand putting the device.\n\nThis results in a slightly larger fix, but results in clear code.\n\nNote: this patch depends on \"nvmem: core: initialise nvmem-\u003eid early\"\nand \"nvmem: core: remove nvmem_config wp_gpio\".\n\n[Srini: Fixed subject line and error code handing with wp_gpio while applying.]",
  "id": "GHSA-2g5f-4p47-mx3m",
  "modified": "2025-10-28T21:30:28Z",
  "published": "2025-03-27T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52929"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23676ecd2eb377f7c24a6ff578b0f4c7135658b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/39708bc8da7858de0bed9b3a88b3beb1d1e0b443"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/560181d3ace61825f4ca9dd3481d6c0ee6709fa8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f9c4b2a3b132bf6698e477aba6ee194b40c75f4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GF8-Q9RR-JQ3H

Vulnerability from github – Published: 2026-07-02 20:11 – Updated: 2026-07-02 20:11
VLAI
Summary
zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip
Details

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your node participates in a network where chain forks occur (mainnet, testnet, or any network with multiple miners).

All default configurations are affected. The corruption persists across restarts because it is written to RocksDB.

Summary

When pop_tip removes the tip block during a chain fork, stale Sapling and Orchard note commitment subtree root data is retained in the in-memory non-finalized state. When the chain subsequently finalizes, this stale data is written to the persistent RocksDB state. The corrupted subtree root history affects z_getsubtreesbyindex (used by lightwalletd for wallet synchronization) and could affect future chain verification that depends on correct subtree roots.

Details

The non-finalized state provides two methods for removing blocks: pop_root (removes the oldest block during finalization) and pop_tip (removes the newest block during a fork revert). pop_root correctly cleans up note commitment subtree contributions. pop_tip does not: it removes the block but retains the block's subtree root contributions in the in-memory state.

When a chain fork occurs and pop_tip reverts the old tip, the winning fork's chain is extended. When that chain is later finalized, the stale subtree data from the reverted blocks is included in the RocksDB write batch and persisted to disk.

The pop_root/pop_tip asymmetry is specific to subtree root handling. Other state managed by pop_tip (nullifiers, UTXOs, anchors, block hashes) uses different cleanup patterns that are not affected.

Patches

zebra-state 7.0.0 and zebrad 4.5.0.

The fix adds subtree root cleanup to pop_tip matching the pattern already used by pop_root.

Workarounds

There is no configuration-level workaround. Chain forks are natural events on any Proof-of-Work network. Operators can mitigate the downstream impact by periodically verifying subtree root consistency using z_getsubtreesbyindex against a known-good reference.

Impact

Persistent corruption of Sapling and Orchard subtree root history in the RocksDB state database. The corruption survives node restarts. Downstream consumers that rely on z_getsubtreesbyindex for wallet synchronization (primarily lightwalletd and light wallets) receive incorrect subtree roots. This does not directly affect consensus validation of new blocks but can cause wallet synchronization failures or incorrect wallet state. Recovery requires rebuilding the state database from scratch.

Credit

Reported by @dingledropper via a private GitHub Security Advisory submission.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-state"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459",
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:11:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Am I affected\n\nYou are affected if:\n\n1. You run `zebrad` up to and including `v4.4.1`.\n2. Your node participates in a network where chain forks occur (mainnet, testnet, or any network with multiple miners).\n\nAll default configurations are affected. The corruption persists across restarts because it is written to RocksDB.\n\n### Summary\n\nWhen `pop_tip` removes the tip block during a chain fork, stale Sapling and Orchard note commitment subtree root data is retained in the in-memory non-finalized state. When the chain subsequently finalizes, this stale data is written to the persistent RocksDB state. The corrupted subtree root history affects `z_getsubtreesbyindex` (used by lightwalletd for wallet synchronization) and could affect future chain verification that depends on correct subtree roots.\n\n### Details\n\nThe non-finalized state provides two methods for removing blocks: `pop_root` (removes the oldest block during finalization) and `pop_tip` (removes the newest block during a fork revert). `pop_root` correctly cleans up note commitment subtree contributions. `pop_tip` does not: it removes the block but retains the block\u0027s subtree root contributions in the in-memory state.\n\nWhen a chain fork occurs and `pop_tip` reverts the old tip, the winning fork\u0027s chain is extended. When that chain is later finalized, the stale subtree data from the reverted blocks is included in the RocksDB write batch and persisted to disk.\n\nThe `pop_root`/`pop_tip` asymmetry is specific to subtree root handling. Other state managed by `pop_tip` (nullifiers, UTXOs, anchors, block hashes) uses different cleanup patterns that are not affected.\n\n### Patches\n\nzebra-state 7.0.0 and zebrad 4.5.0.\n\nThe fix adds subtree root cleanup to `pop_tip` matching the pattern already used by `pop_root`.\n\n### Workarounds\n\nThere is no configuration-level workaround. Chain forks are natural events on any Proof-of-Work network. Operators can mitigate the downstream impact by periodically verifying subtree root consistency using `z_getsubtreesbyindex` against a known-good reference.\n\n### Impact\n\nPersistent corruption of Sapling and Orchard subtree root history in the RocksDB state database. The corruption survives node restarts. Downstream consumers that rely on `z_getsubtreesbyindex` for wallet synchronization (primarily `lightwalletd` and light wallets) receive incorrect subtree roots. This does not directly affect consensus validation of new blocks but can cause wallet synchronization failures or incorrect wallet state. Recovery requires rebuilding the state database from scratch.\n\n### Credit\n\nReported by `@dingledropper` via a private GitHub Security Advisory submission.",
  "id": "GHSA-2gf8-q9rr-jq3h",
  "modified": "2026-07-02T20:11:36Z",
  "published": "2026-07-02T20:11:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-2gf8-q9rr-jq3h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip"
}

GHSA-2V48-6XMQ-VXHP

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/sync: Cleanup partially initialized sync on parse failure

xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence, or user fence) before hitting a later failure path. Several of those paths returned directly, leaving partially initialized state and leaking refs.

Route these error paths through a common free_sync label and call xe_sync_entry_cleanup(sync) before returning the error.

(cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:50Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/sync: Cleanup partially initialized sync on parse failure\n\nxe_sync_entry_parse() can allocate references (syncobj, fence, chain fence,\nor user fence) before hitting a later failure path. Several of those paths\nreturned directly, leaving partially initialized state and leaking refs.\n\nRoute these error paths through a common free_sync label and call\nxe_sync_entry_cleanup(sync) before returning the error.\n\n(cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22)",
  "id": "GHSA-2v48-6xmq-vxhp",
  "modified": "2026-05-21T21:30:29Z",
  "published": "2026-05-08T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43395"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1bfd7575092420ba5a0b944953c95b74a5646ff8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91c228f96fcfacc2341a58815b1da8c69da94ebb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af65cd1853599394b94201c08bed7a46717db478"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f0af63ffa06306f12592cd3919fad6957b425e1b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed.

No CAPEC attack patterns related to this CWE.