Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-1905
Vulnerability from csaf_certbund
Published
2025-08-25 22:00
Modified
2025-08-27 22:00
Summary
IBM QRadar SIEM Komponente: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.
Angriff
Ein Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM Komponenten ausnutzen, um Daten zu manipulieren, um einen Denial of Service Angriff durchzuführen, um beliebigen Programmcode auszuführen, um Sicherheitsvorkehrungen zu umgehen, und um Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
- UNIX
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM QRadar Security Information and Event Management (SIEM) bietet Unterst\u00fctzung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM Komponenten ausnutzen, um Daten zu manipulieren, um einen Denial of Service Angriff durchzuf\u00fchren, um beliebigen Programmcode auszuf\u00fchren, um Sicherheitsvorkehrungen zu umgehen, und um Informationen offenzulegen.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- UNIX", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2025-1905 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1905.json" }, { "category": "self", "summary": "WID-SEC-2025-1905 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1905" }, { "category": "external", "summary": "IBM Security Bulletin 7243011 vom 2025-08-25", "url": "https://www.ibm.com/support/pages/node/7243011" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14746 vom 2025-08-27", "url": "https://access.redhat.com/errata/RHSA-2025:14746" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14748 vom 2025-08-27", "url": "https://access.redhat.com/errata/RHSA-2025:14748" } ], "source_lang": "en-US", "title": "IBM QRadar SIEM Komponente: Mehrere Schwachstellen", "tracking": { "current_release_date": "2025-08-27T22:00:00.000+00:00", "generator": { "date": "2025-08-28T05:52:03.530+00:00", "engine": { "name": "BSI-WID", "version": "1.4.0" } }, "id": "WID-SEC-W-2025-1905", "initial_release_date": "2025-08-25T22:00:00.000+00:00", "revision_history": [ { "date": "2025-08-25T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2025-08-27T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c7.5.0 UP13 IF01", "product": { "name": "IBM QRadar SIEM \u003c7.5.0 UP13 IF01", "product_id": "T046492" } }, { "category": "product_version", "name": "7.5.0 UP13 IF01", "product": { "name": "IBM QRadar SIEM 7.5.0 UP13 IF01", "product_id": "T046492-fixed", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5.0_up13_if01" } } } ], "category": "product_name", "name": "QRadar SIEM" } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17543", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2019-17543" }, { "cve": "CVE-2019-5427", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2019-5427" }, { "cve": "CVE-2020-5260", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2020-5260" }, { "cve": "CVE-2022-49058", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2022-49058" }, { "cve": "CVE-2022-49111", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2022-49111" }, { "cve": "CVE-2022-49136", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2022-49136" }, { "cve": "CVE-2022-49788", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2022-49788" }, { "cve": "CVE-2022-49846", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2022-49846" }, { "cve": "CVE-2022-49977", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2022-49977" }, { "cve": "CVE-2022-50020", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2022-50020" }, { "cve": "CVE-2024-23337", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-23337" }, { "cve": "CVE-2024-28956", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-28956" }, { "cve": "CVE-2024-34397", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-34397" }, { "cve": "CVE-2024-43420", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-43420" }, { "cve": "CVE-2024-45332", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-45332" }, { "cve": "CVE-2024-50154", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-50154" }, { "cve": "CVE-2024-50349", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-50349" }, { "cve": "CVE-2024-52006", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-52006" }, { "cve": "CVE-2024-52533", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-52533" }, { "cve": "CVE-2024-53920", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-53920" }, { "cve": "CVE-2024-54661", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-54661" }, { "cve": "CVE-2024-57980", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-57980" }, { "cve": "CVE-2024-58002", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-58002" }, { "cve": "CVE-2024-6531", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2024-6531" }, { "cve": "CVE-2025-20012", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-20012" }, { "cve": "CVE-2025-20623", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-20623" }, { "cve": "CVE-2025-21905", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-21905" }, { "cve": "CVE-2025-21919", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-21919" }, { "cve": "CVE-2025-21928", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-21928" }, { "cve": "CVE-2025-21991", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-21991" }, { "cve": "CVE-2025-22004", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-22004" }, { "cve": "CVE-2025-22020", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-22020" }, { "cve": "CVE-2025-23150", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-23150" }, { "cve": "CVE-2025-24495", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-24495" }, { "cve": "CVE-2025-27613", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-27613" }, { "cve": "CVE-2025-27614", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-27614" }, { "cve": "CVE-2025-32415", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-32415" }, { "cve": "CVE-2025-37738", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-37738" }, { "cve": "CVE-2025-37890", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-37890" }, { "cve": "CVE-2025-38052", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-38052" }, { "cve": "CVE-2025-38079", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-38079" }, { "cve": "CVE-2025-38086", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-38086" }, { "cve": "CVE-2025-4373", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-4373" }, { "cve": "CVE-2025-46835", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-46835" }, { "cve": "CVE-2025-47273", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-47273" }, { "cve": "CVE-2025-48060", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-48060" }, { "cve": "CVE-2025-48384", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-48384" }, { "cve": "CVE-2025-48385", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-48385" }, { "cve": "CVE-2025-49794", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-49794" }, { "cve": "CVE-2025-49796", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-49796" }, { "cve": "CVE-2025-52434", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-52434" }, { "cve": "CVE-2025-52520", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-52520" }, { "cve": "CVE-2025-53506", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-53506" }, { "cve": "CVE-2025-55668", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-55668" }, { "cve": "CVE-2025-6021", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-6021" }, { "cve": "CVE-2025-6965", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-6965" }, { "cve": "CVE-2025-7425", "product_status": { "known_affected": [ "67646", "T046492" ] }, "release_date": "2025-08-25T22:00:00.000+00:00", "title": "CVE-2025-7425" } ] }
CVE-2025-21991 (GCVE-0-2025-21991)
Vulnerability from cvelistv5
Published
2025-04-02 12:53
Modified
2025-05-04 13:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their
CPU masks and unconditionally accesses per-CPU data for the first CPU of each
mask.
According to Documentation/admin-guide/mm/numaperf.rst:
"Some memory may share the same node as a CPU, and others are provided as
memory only nodes."
Therefore, some node CPU masks may be empty and wouldn't have a "first CPU".
On a machine with far memory (and therefore CPU-less NUMA nodes):
- cpumask_of_node(nid) is 0
- cpumask_first(0) is CONFIG_NR_CPUS
- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an
index that is 1 out of bounds
This does not have any security implications since flashing microcode is
a privileged operation but I believe this has reliability implications by
potentially corrupting memory while flashing a microcode update.
When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes
a microcode update. I get the following splat:
UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y
index 512 is out of range for type 'unsigned long[512]'
[...]
Call Trace:
dump_stack
__ubsan_handle_out_of_bounds
load_microcode_amd
request_microcode_amd
reload_store
kernfs_fop_write_iter
vfs_write
ksys_write
do_syscall_64
entry_SYSCALL_64_after_hwframe
Change the loop to go over only NUMA nodes which have CPUs before determining
whether the first CPU on the respective node needs microcode update.
[ bp: Massage commit message, fix typo. ]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 979e197968a1e8f09bf0d706801dba4432f85ab3 Version: 44a44b57e88f311c1415be1f567c50050913c149 Version: be2710deaed3ab1402379a2ede30a3754fe6767a Version: d576547f489c935b9897d4acf8beee3325dea8a5 Version: 7ff6edf4fef38ab404ee7861f257e28eaaeed35f Version: 7ff6edf4fef38ab404ee7861f257e28eaaeed35f Version: 7ff6edf4fef38ab404ee7861f257e28eaaeed35f Version: 7ff6edf4fef38ab404ee7861f257e28eaaeed35f Version: d6353e2fc12c5b8f00f86efa30ed73d2da2f77be Version: 1b1e0eb1d2971a686b9f7bdc146115bcefcbb960 Version: eaf5dea1eb8c2928554b3ca717575cbe232b843c |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kernel/cpu/microcode/amd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d509c4731090ebd9bbdb72c70a2d70003ae81f4f", "status": "affected", "version": "979e197968a1e8f09bf0d706801dba4432f85ab3", "versionType": "git" }, { "lessThan": "985a536e04bbfffb1770df43c6470f635a6b1073", "status": "affected", "version": "44a44b57e88f311c1415be1f567c50050913c149", "versionType": "git" }, { "lessThan": "18b5d857c6496b78ead2fd10001b81ae32d30cac", "status": "affected", "version": "be2710deaed3ab1402379a2ede30a3754fe6767a", "versionType": "git" }, { "lessThan": "ec52240622c4d218d0240079b7c1d3ec2328a9f4", "status": "affected", "version": "d576547f489c935b9897d4acf8beee3325dea8a5", "versionType": "git" }, { "lessThan": "e686349cc19e800dac8971929089ba5ff59abfb0", "status": "affected", "version": "7ff6edf4fef38ab404ee7861f257e28eaaeed35f", "versionType": "git" }, { "lessThan": "488ffc0cac38f203979f83634236ee53251ce593", "status": "affected", "version": "7ff6edf4fef38ab404ee7861f257e28eaaeed35f", "versionType": "git" }, { "lessThan": "5ac295dfccb5b015493f86694fa13a0dde4d3665", "status": "affected", "version": "7ff6edf4fef38ab404ee7861f257e28eaaeed35f", "versionType": "git" }, { "lessThan": "e3e89178a9f4a80092578af3ff3c8478f9187d59", "status": "affected", "version": "7ff6edf4fef38ab404ee7861f257e28eaaeed35f", "versionType": "git" }, { "status": "affected", "version": "d6353e2fc12c5b8f00f86efa30ed73d2da2f77be", "versionType": "git" }, { "status": "affected", "version": "1b1e0eb1d2971a686b9f7bdc146115bcefcbb960", "versionType": "git" }, { "status": "affected", "version": "eaf5dea1eb8c2928554b3ca717575cbe232b843c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kernel/cpu/microcode/amd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.292", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.236", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.180", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.132", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.84", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.20", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.292", "versionStartIncluding": "5.4.235", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.236", "versionStartIncluding": "5.10.173", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.180", "versionStartIncluding": "5.15.99", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.132", "versionStartIncluding": "6.1.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.84", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.20", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.8", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.308", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.276", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes\n\nCurrently, load_microcode_amd() iterates over all NUMA nodes, retrieves their\nCPU masks and unconditionally accesses per-CPU data for the first CPU of each\nmask.\n\nAccording to Documentation/admin-guide/mm/numaperf.rst:\n\n \"Some memory may share the same node as a CPU, and others are provided as\n memory only nodes.\"\n\nTherefore, some node CPU masks may be empty and wouldn\u0027t have a \"first CPU\".\n\nOn a machine with far memory (and therefore CPU-less NUMA nodes):\n- cpumask_of_node(nid) is 0\n- cpumask_first(0) is CONFIG_NR_CPUS\n- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an\n index that is 1 out of bounds\n\nThis does not have any security implications since flashing microcode is\na privileged operation but I believe this has reliability implications by\npotentially corrupting memory while flashing a microcode update.\n\nWhen booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes\na microcode update. I get the following splat:\n\n UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y\n index 512 is out of range for type \u0027unsigned long[512]\u0027\n [...]\n Call Trace:\n dump_stack\n __ubsan_handle_out_of_bounds\n load_microcode_amd\n request_microcode_amd\n reload_store\n kernfs_fop_write_iter\n vfs_write\n ksys_write\n do_syscall_64\n entry_SYSCALL_64_after_hwframe\n\nChange the loop to go over only NUMA nodes which have CPUs before determining\nwhether the first CPU on the respective node needs microcode update.\n\n [ bp: Massage commit message, fix typo. ]" } ], "providerMetadata": { "dateUpdated": "2025-05-04T13:06:52.038Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d509c4731090ebd9bbdb72c70a2d70003ae81f4f" }, { "url": "https://git.kernel.org/stable/c/985a536e04bbfffb1770df43c6470f635a6b1073" }, { "url": "https://git.kernel.org/stable/c/18b5d857c6496b78ead2fd10001b81ae32d30cac" }, { "url": "https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4" }, { "url": "https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0" }, { "url": "https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593" }, { "url": "https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665" }, { "url": "https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59" } ], "title": "x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-21991", "datePublished": "2025-04-02T12:53:14.230Z", "dateReserved": "2024-12-29T08:45:45.800Z", "dateUpdated": "2025-05-04T13:06:52.038Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-34397 (GCVE-0-2024-34397)
Vulnerability from cvelistv5
Published
2024-05-07 00:00
Modified
2024-11-15 17:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.
References
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-34397", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-09T19:45:07.808061Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-15T17:14:35.675Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:51:11.424Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3268" }, { "tags": [ "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2024/05/07/5" }, { "name": "FEDORA-2024-be032e564d", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS/" }, { "name": "FEDORA-2024-2ce1c754f7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A/" }, { "name": "[debian-lts-announce] 20240513 [SECURITY] [DLA 3814-1] glib2.0 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00008.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240531-0008/" }, { "name": "FEDORA-2024-fd2569c4e9", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW/" }, { "name": "FEDORA-2024-635a54eb7e", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-10T18:08:40.913255", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3268" }, { "url": "https://www.openwall.com/lists/oss-security/2024/05/07/5" }, { "name": "FEDORA-2024-be032e564d", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS/" }, { "name": "FEDORA-2024-2ce1c754f7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A/" }, { "name": "[debian-lts-announce] 20240513 [SECURITY] [DLA 3814-1] glib2.0 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00008.html" }, { "url": "https://security.netapp.com/advisory/ntap-20240531-0008/" }, { "name": "FEDORA-2024-fd2569c4e9", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW/" }, { "name": "FEDORA-2024-635a54eb7e", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-34397", "datePublished": "2024-05-07T00:00:00", "dateReserved": "2024-05-02T00:00:00", "dateUpdated": "2024-11-15T17:14:35.675Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32415 (GCVE-0-2025-32415)
Vulnerability from cvelistv5
Published
2025-04-17 00:00
Modified
2025-04-17 18:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1284 - Improper Validation of Specified Quantity in Input
Summary
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32415", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-17T18:38:26.252207Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-17T18:38:30.600Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/890" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "libxml2", "vendor": "xmlsoft", "versions": [ { "lessThan": "2.13.8", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "2.14.2", "status": "affected", "version": "2.14.0", "versionType": "semver" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.13.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.14.2", "versionStartIncluding": "2.14.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used." } ], "metrics": [ { "cvssV3_1": { "baseScore": 2.9, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-17T17:21:08.467Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/890" } ], "x_generator": { "engine": "enrichogram 0.0.1" } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2025-32415", "datePublished": "2025-04-17T00:00:00.000Z", "dateReserved": "2025-04-08T00:00:00.000Z", "dateUpdated": "2025-04-17T18:38:30.600Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-5427 (GCVE-0-2019-5427)
Vulnerability from cvelistv5
Published
2019-04-22 20:52
Modified
2024-08-04 19:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-776 - XML Entity Expansion ()
Summary
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
References
▼ | URL | Tags |
---|---|---|
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/ | vendor-advisory, x_refsource_FEDORA | |
https://www.oracle.com/security-alerts/cpuapr2020.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujul2020.html | x_refsource_MISC | |
https://hackerone.com/reports/509315 | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuoct2020.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:54:53.546Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2019-cb14e234fc", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/" }, { "name": "FEDORA-2019-063672154a", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/509315" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "c3p0", "vendor": "n/a", "versions": [ { "status": "affected", "version": "before 0.9.5.4" } ] } ], "datePublic": "2019-04-16T00:00:00", "descriptions": [ { "lang": "en", "value": "c3p0 version \u003c 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-776", "description": "XML Entity Expansion (CWE-776)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-20T10:38:35", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "name": "FEDORA-2019-cb14e234fc", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/" }, { "name": "FEDORA-2019-063672154a", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/509315" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-5427", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "c3p0", "version": { "version_data": [ { "version_value": "before 0.9.5.4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "c3p0 version \u003c 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XML Entity Expansion (CWE-776)" } ] } ] }, "references": { "reference_data": [ { "name": "FEDORA-2019-cb14e234fc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/" }, { "name": "FEDORA-2019-063672154a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "name": "https://hackerone.com/reports/509315", "refsource": "MISC", "url": "https://hackerone.com/reports/509315" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-5427", "datePublished": "2019-04-22T20:52:56", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:53.546Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38052 (GCVE-0-2025-38052)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2025-06-18 09:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
Syzbot reported a slab-use-after-free with the following call trace:
==================================================================
BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25
Call Trace:
kasan_report+0xd9/0x110 mm/kasan/report.c:601
tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
crypto_request_complete include/crypto/algapi.h:266
aead_request_complete include/crypto/internal/aead.h:85
cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772
crypto_request_complete include/crypto/algapi.h:266
cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
Allocated by task 8355:
kzalloc_noprof include/linux/slab.h:778
tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466
tipc_init_net+0x2dd/0x430 net/tipc/core.c:72
ops_init+0xb9/0x650 net/core/net_namespace.c:139
setup_net+0x435/0xb40 net/core/net_namespace.c:343
copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508
create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x419/0x970 kernel/fork.c:3323
__do_sys_unshare kernel/fork.c:3394
Freed by task 63:
kfree+0x12a/0x3b0 mm/slub.c:4557
tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539
tipc_exit_net+0x8c/0x110 net/tipc/core.c:119
ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done
may still visit it in cryptd_queue_worker workqueue.
I reproduce this issue by:
ip netns add ns1
ip link add veth1 type veth peer name veth2
ip link set veth1 netns ns1
ip netns exec ns1 tipc bearer enable media eth dev veth1
ip netns exec ns1 tipc node set key this_is_a_master_key master
ip netns exec ns1 tipc bearer disable media eth dev veth1
ip netns del ns1
The key of reproduction is that, simd_aead_encrypt is interrupted, leading
to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is
triggered, and the tipc_crypto tx will be visited.
tipc_disc_timeout
tipc_bearer_xmit_skb
tipc_crypto_xmit
tipc_aead_encrypt
crypto_aead_encrypt
// encrypt()
simd_aead_encrypt
// crypto_simd_usable() is false
child = &ctx->cryptd_tfm->base;
simd_aead_encrypt
crypto_aead_encrypt
// encrypt()
cryptd_aead_encrypt_enqueue
cryptd_aead_enqueue
cryptd_enqueue_request
// trigger cryptd_queue_worker
queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)
Fix this by holding net reference count before encrypt.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 Version: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 Version: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 Version: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 Version: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 Version: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 Version: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/tipc/crypto.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d42ed4de6aba232d946d20653a70f79158a6535b", "status": "affected", "version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", "versionType": "git" }, { "lessThan": "f5c2c4eaaa5a8e7e0685ec031d480e588e263e59", "status": "affected", "version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", "versionType": "git" }, { "lessThan": "b8fcae6d2e93c54cacb8f579a77d827c1c643eb5", "status": "affected", "version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", "versionType": "git" }, { "lessThan": "b19fc1d0be3c3397e5968fe2627f22e7f84673b1", "status": "affected", "version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", "versionType": "git" }, { "lessThan": "689a205cd968a1572ab561b0c4c2d50a10e9d3b0", "status": "affected", "version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", "versionType": "git" }, { "lessThan": "4a0fddc2c0d5c28aec8c262ad4603be0bef1938c", "status": "affected", "version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", "versionType": "git" }, { "lessThan": "e279024617134c94fd3e37470156534d5f2b3472", "status": "affected", "version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/tipc/crypto.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.5" }, { "lessThan": "5.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.238", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.185", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.141", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.93", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.31", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.238", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.185", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.141", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.93", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.31", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.9", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done\n\nSyzbot reported a slab-use-after-free with the following call trace:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\n Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25\n\n Call Trace:\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\n crypto_request_complete include/crypto/algapi.h:266\n aead_request_complete include/crypto/internal/aead.h:85\n cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772\n crypto_request_complete include/crypto/algapi.h:266\n cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n\n Allocated by task 8355:\n kzalloc_noprof include/linux/slab.h:778\n tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466\n tipc_init_net+0x2dd/0x430 net/tipc/core.c:72\n ops_init+0xb9/0x650 net/core/net_namespace.c:139\n setup_net+0x435/0xb40 net/core/net_namespace.c:343\n copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508\n create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228\n ksys_unshare+0x419/0x970 kernel/fork.c:3323\n __do_sys_unshare kernel/fork.c:3394\n\n Freed by task 63:\n kfree+0x12a/0x3b0 mm/slub.c:4557\n tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539\n tipc_exit_net+0x8c/0x110 net/tipc/core.c:119\n ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n\nAfter freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done\nmay still visit it in cryptd_queue_worker workqueue.\n\nI reproduce this issue by:\n ip netns add ns1\n ip link add veth1 type veth peer name veth2\n ip link set veth1 netns ns1\n ip netns exec ns1 tipc bearer enable media eth dev veth1\n ip netns exec ns1 tipc node set key this_is_a_master_key master\n ip netns exec ns1 tipc bearer disable media eth dev veth1\n ip netns del ns1\n\nThe key of reproduction is that, simd_aead_encrypt is interrupted, leading\nto crypto_simd_usable() return false. Thus, the cryptd_queue_worker is\ntriggered, and the tipc_crypto tx will be visited.\n\n tipc_disc_timeout\n tipc_bearer_xmit_skb\n tipc_crypto_xmit\n tipc_aead_encrypt\n crypto_aead_encrypt\n // encrypt()\n simd_aead_encrypt\n // crypto_simd_usable() is false\n child = \u0026ctx-\u003ecryptd_tfm-\u003ebase;\n\n simd_aead_encrypt\n crypto_aead_encrypt\n // encrypt()\n cryptd_aead_encrypt_enqueue\n cryptd_aead_enqueue\n cryptd_enqueue_request\n // trigger cryptd_queue_worker\n queue_work_on(smp_processor_id(), cryptd_wq, \u0026cpu_queue-\u003ework)\n\nFix this by holding net reference count before encrypt." } ], "providerMetadata": { "dateUpdated": "2025-06-18T09:33:33.427Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d42ed4de6aba232d946d20653a70f79158a6535b" }, { "url": "https://git.kernel.org/stable/c/f5c2c4eaaa5a8e7e0685ec031d480e588e263e59" }, { "url": "https://git.kernel.org/stable/c/b8fcae6d2e93c54cacb8f579a77d827c1c643eb5" }, { "url": "https://git.kernel.org/stable/c/b19fc1d0be3c3397e5968fe2627f22e7f84673b1" }, { "url": "https://git.kernel.org/stable/c/689a205cd968a1572ab561b0c4c2d50a10e9d3b0" }, { "url": "https://git.kernel.org/stable/c/4a0fddc2c0d5c28aec8c262ad4603be0bef1938c" }, { "url": "https://git.kernel.org/stable/c/e279024617134c94fd3e37470156534d5f2b3472" } ], "title": "net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38052", "datePublished": "2025-06-18T09:33:33.427Z", "dateReserved": "2025-04-16T04:51:23.979Z", "dateUpdated": "2025-06-18T09:33:33.427Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38086 (GCVE-0-2025-38086)
Vulnerability from cvelistv5
Published
2025-06-28 07:52
Modified
2025-07-28 04:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ch9200: fix uninitialised access during mii_nway_restart
In mii_nway_restart() the code attempts to call
mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()
utilises a local buffer called "buff", which is initialised
with control_read(). However "buff" is conditionally
initialised inside control_read():
if (err == size) {
memcpy(data, buf, size);
}
If the condition of "err == size" is not met, then
"buff" remains uninitialised. Once this happens the
uninitialised "buff" is accessed and returned during
ch9200_mdio_read():
return (buff[0] | buff[1] << 8);
The problem stems from the fact that ch9200_mdio_read()
ignores the return value of control_read(), leading to
uinit-access of "buff".
To fix this we should check the return value of
control_read() and return early on error.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4a476bd6d1d923922ec950ddc4c27b279f6901eb Version: 4a476bd6d1d923922ec950ddc4c27b279f6901eb Version: 4a476bd6d1d923922ec950ddc4c27b279f6901eb Version: 4a476bd6d1d923922ec950ddc4c27b279f6901eb Version: 4a476bd6d1d923922ec950ddc4c27b279f6901eb Version: 4a476bd6d1d923922ec950ddc4c27b279f6901eb Version: 4a476bd6d1d923922ec950ddc4c27b279f6901eb Version: 4a476bd6d1d923922ec950ddc4c27b279f6901eb |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/usb/ch9200.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "119766de4930ff40db9f36b960cb53b0c400e81b", "status": "affected", "version": "4a476bd6d1d923922ec950ddc4c27b279f6901eb", "versionType": "git" }, { "lessThan": "33163c68d2e3061fa3935b5f0a1867958b1cdbd2", "status": "affected", "version": "4a476bd6d1d923922ec950ddc4c27b279f6901eb", "versionType": "git" }, { "lessThan": "9da3e442714f7f4393ff01c265c4959c03e88c2f", "status": "affected", "version": "4a476bd6d1d923922ec950ddc4c27b279f6901eb", "versionType": "git" }, { "lessThan": "9a350f30d65197354706b7759b5c89d6c267b1a9", "status": "affected", "version": "4a476bd6d1d923922ec950ddc4c27b279f6901eb", "versionType": "git" }, { "lessThan": "6bd2569d0b2f918e9581f744df0263caf73ee76c", "status": "affected", "version": "4a476bd6d1d923922ec950ddc4c27b279f6901eb", "versionType": "git" }, { "lessThan": "4da7fcc098218ff92b2e83a43f545c02f714cedd", "status": "affected", "version": "4a476bd6d1d923922ec950ddc4c27b279f6901eb", "versionType": "git" }, { "lessThan": "cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72", "status": "affected", "version": "4a476bd6d1d923922ec950ddc4c27b279f6901eb", "versionType": "git" }, { "lessThan": "9ad0452c0277b816a435433cca601304cfac7c21", "status": "affected", "version": "4a476bd6d1d923922ec950ddc4c27b279f6901eb", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/usb/ch9200.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.3" }, { "lessThan": "4.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.95", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.35", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "4.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.95", "versionStartIncluding": "4.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.35", "versionStartIncluding": "4.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.4", "versionStartIncluding": "4.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ch9200: fix uninitialised access during mii_nway_restart\n\nIn mii_nway_restart() the code attempts to call\nmii-\u003emdio_read which is ch9200_mdio_read(). ch9200_mdio_read()\nutilises a local buffer called \"buff\", which is initialised\nwith control_read(). However \"buff\" is conditionally\ninitialised inside control_read():\n\n if (err == size) {\n memcpy(data, buf, size);\n }\n\nIf the condition of \"err == size\" is not met, then\n\"buff\" remains uninitialised. Once this happens the\nuninitialised \"buff\" is accessed and returned during\nch9200_mdio_read():\n\n return (buff[0] | buff[1] \u003c\u003c 8);\n\nThe problem stems from the fact that ch9200_mdio_read()\nignores the return value of control_read(), leading to\nuinit-access of \"buff\".\n\nTo fix this we should check the return value of\ncontrol_read() and return early on error." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:11:59.998Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/119766de4930ff40db9f36b960cb53b0c400e81b" }, { "url": "https://git.kernel.org/stable/c/33163c68d2e3061fa3935b5f0a1867958b1cdbd2" }, { "url": "https://git.kernel.org/stable/c/9da3e442714f7f4393ff01c265c4959c03e88c2f" }, { "url": "https://git.kernel.org/stable/c/9a350f30d65197354706b7759b5c89d6c267b1a9" }, { "url": "https://git.kernel.org/stable/c/6bd2569d0b2f918e9581f744df0263caf73ee76c" }, { "url": "https://git.kernel.org/stable/c/4da7fcc098218ff92b2e83a43f545c02f714cedd" }, { "url": "https://git.kernel.org/stable/c/cdaa6d1cb2ff1219c6c822b27655dd170ffb0f72" }, { "url": "https://git.kernel.org/stable/c/9ad0452c0277b816a435433cca601304cfac7c21" } ], "title": "net: ch9200: fix uninitialised access during mii_nway_restart", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38086", "datePublished": "2025-06-28T07:52:58.293Z", "dateReserved": "2025-04-16T04:51:23.981Z", "dateUpdated": "2025-07-28T04:11:59.998Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-24495 (GCVE-0-2025-24495)
Vulnerability from cvelistv5
Published
2025-05-13 21:02
Modified
2025-05-14 17:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
- CWE-1419 - Incorrect Initialization of Resource
Summary
Incorrect initialization of resource in the branch prediction unit for some Intel(R) Core™ Ultra Processors may allow an authenticated user to potentially enable information disclosure via local access.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Intel(R) Core™ Ultra Processors |
Version: See references |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-24495", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-14T17:16:37.903788Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-14T17:18:39.190Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Intel(R) Core\u2122 Ultra Processors", "vendor": "n/a", "versions": [ { "status": "affected", "version": "See references" } ] } ], "descriptions": [ { "lang": "en", "value": "Incorrect initialization of resource in the branch prediction unit for some Intel(R) Core\u2122 Ultra Processors may allow an authenticated user to potentially enable information disclosure via local access." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 6.8, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" }, { "cweId": "CWE-1419", "description": "Incorrect Initialization of Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T21:02:51.390Z", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel" }, "references": [ { "name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01322.html", "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01322.html" } ] } }, "cveMetadata": { "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2025-24495", "datePublished": "2025-05-13T21:02:51.390Z", "dateReserved": "2025-02-04T04:00:22.133Z", "dateUpdated": "2025-05-14T17:18:39.190Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-54661 (GCVE-0-2024-54661)
Vulnerability from cvelistv5
Published
2024-12-04 00:00
Modified
2025-01-09 16:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Summary
readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
dest-unreach | socat |
Version: 1.6.0.0 < 1.8.0.2 Version: 2.0.0-b1 < |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:dest-unreach:socat:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "socat", "vendor": "dest-unreach", "versions": [ { "lessThanOrEqual": "1.8.0.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-54661", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-04T14:54:07.899241Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-09T16:30:38.380Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "socat", "vendor": "dest-unreach", "versions": [ { "lessThan": "1.8.0.2", "status": "affected", "version": "1.6.0.0", "versionType": "custom" }, { "lessThanOrEqual": "2.0.0-b9", "status": "affected", "version": "2.0.0-b1", "versionType": "custom" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dest-unreach:socat:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.8.0.2", "versionStartIncluding": "1.6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dest-unreach:socat:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.0.0-b9", "versionStartIncluding": "2.0.0-b1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-61", "description": "CWE-61 UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-07T01:00:11.506Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://repo.or.cz/socat.git/blob/6ff391324d2d3b9f6bfb58e7d16a20be43b47af7:/readline.sh#l29" }, { "url": "http://www.dest-unreach.org/socat/contrib/socat-secadv9.html" } ], "x_generator": { "engine": "enrichogram 0.0.1" } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-54661", "datePublished": "2024-12-04T00:00:00", "dateReserved": "2024-12-04T00:00:00", "dateUpdated": "2025-01-09T16:30:38.380Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-55668 (GCVE-0-2025-55668)
Vulnerability from cvelistv5
Published
2025-08-13 13:21
Modified
2025-08-13 13:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-384 - Session Fixation
Summary
Session Fixation vulnerability in Apache Tomcat via rewrite valve.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Tomcat |
Version: 11.0.0-M1 ≤ 11.0.7 Version: 10.1.0-M1 ≤ 10.1.41 Version: 9.0.0.M1 ≤ 9.0.105 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-55668", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-08-13T13:38:12.498649Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-13T13:39:26.761Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "11.0.7", "status": "affected", "version": "11.0.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "10.1.41", "status": "affected", "version": "10.1.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "9.0.105", "status": "affected", "version": "9.0.0.M1", "versionType": "semver" }, { "lessThan": "9.0.0.M1", "status": "unknown", "version": "8", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Greg K (https://github.com/gregk4sec)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eSession Fixation vulnerability in Apache Tomcat via rewrite valve.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.\u003cbr\u003eOlder, EOL versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.\u003c/p\u003e" } ], "value": "Session Fixation vulnerability in Apache Tomcat via rewrite valve.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.\nOlder, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue." } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-13T13:21:35.743Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Tomcat: session fixation via rewrite valve", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-55668", "datePublished": "2025-08-13T13:21:35.743Z", "dateReserved": "2025-08-13T12:16:36.881Z", "dateUpdated": "2025-08-13T13:39:26.761Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-58002 (GCVE-0-2024-58002)
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-05-04 10:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Remove dangling pointers
When an async control is written, we copy a pointer to the file handle
that started the operation. That pointer will be used when the device is
done. Which could be anytime in the future.
If the user closes that file descriptor, its structure will be freed,
and there will be one dangling pointer per pending async control, that
the driver will try to use.
Clean all the dangling pointers during release().
To avoid adding a performance penalty in the most common case (no async
operation), a counter has been introduced with some logic to make sure
that it is properly handled.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 Version: e5225c820c057537dc780244760e2e24c7d27366 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/usb/uvc/uvc_ctrl.c", "drivers/media/usb/uvc/uvc_v4l2.c", "drivers/media/usb/uvc/uvcvideo.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2a29413ace64627e178fd422dd8a5d95219a2c0b", "status": "affected", "version": "e5225c820c057537dc780244760e2e24c7d27366", "versionType": "git" }, { "lessThan": "653993f46861f2971e95e9a0e36a34b49dec542c", "status": "affected", "version": "e5225c820c057537dc780244760e2e24c7d27366", "versionType": "git" }, { "lessThan": "117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50", "status": "affected", "version": "e5225c820c057537dc780244760e2e24c7d27366", "versionType": "git" }, { "lessThan": "ac18d781466252cd35a3e311e0a4b264260fd927", "status": "affected", "version": "e5225c820c057537dc780244760e2e24c7d27366", "versionType": "git" }, { "lessThan": "4dbaa738c583a0e947803c69e8996e88cf98d971", "status": "affected", "version": "e5225c820c057537dc780244760e2e24c7d27366", "versionType": "git" }, { "lessThan": "438bda062b2c40ddd7df23b932e29ffe0a448cac", "status": "affected", "version": "e5225c820c057537dc780244760e2e24c7d27366", "versionType": "git" }, { "lessThan": "9edc7d25f7e49c33a1ce7a5ffadea2222065516c", "status": "affected", "version": "e5225c820c057537dc780244760e2e24c7d27366", "versionType": "git" }, { "lessThan": "221cd51efe4565501a3dbf04cc011b537dcce7fb", "status": "affected", "version": "e5225c820c057537dc780244760e2e24c7d27366", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/usb/uvc/uvc_ctrl.c", "drivers/media/usb/uvc/uvc_v4l2.c", "drivers/media/usb/uvc/uvcvideo.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.19" }, { "lessThan": "4.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.291", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.235", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.179", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.130", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.80", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.14", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.291", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.235", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.179", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.130", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.80", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.14", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.3", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14", "versionStartIncluding": "4.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Remove dangling pointers\n\nWhen an async control is written, we copy a pointer to the file handle\nthat started the operation. That pointer will be used when the device is\ndone. Which could be anytime in the future.\n\nIf the user closes that file descriptor, its structure will be freed,\nand there will be one dangling pointer per pending async control, that\nthe driver will try to use.\n\nClean all the dangling pointers during release().\n\nTo avoid adding a performance penalty in the most common case (no async\noperation), a counter has been introduced with some logic to make sure\nthat it is properly handled." } ], "providerMetadata": { "dateUpdated": "2025-05-04T10:08:09.163Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2a29413ace64627e178fd422dd8a5d95219a2c0b" }, { "url": "https://git.kernel.org/stable/c/653993f46861f2971e95e9a0e36a34b49dec542c" }, { "url": "https://git.kernel.org/stable/c/117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50" }, { "url": "https://git.kernel.org/stable/c/ac18d781466252cd35a3e311e0a4b264260fd927" }, { "url": "https://git.kernel.org/stable/c/4dbaa738c583a0e947803c69e8996e88cf98d971" }, { "url": "https://git.kernel.org/stable/c/438bda062b2c40ddd7df23b932e29ffe0a448cac" }, { "url": "https://git.kernel.org/stable/c/9edc7d25f7e49c33a1ce7a5ffadea2222065516c" }, { "url": "https://git.kernel.org/stable/c/221cd51efe4565501a3dbf04cc011b537dcce7fb" } ], "title": "media: uvcvideo: Remove dangling pointers", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-58002", "datePublished": "2025-02-27T02:12:00.223Z", "dateReserved": "2025-02-27T02:04:28.915Z", "dateUpdated": "2025-05-04T10:08:09.163Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-5260 (GCVE-0-2020-5260)
Vulnerability from cvelistv5
Published
2020-04-14 22:50
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
git | git |
Version: < 2.17.4 Version: >= 2.18.0, < 2.18.3 Version: >= 2.19.0, 2.19.4 Version: >= 2.20.0, < 2.20.3 Version: >= 2.21.0, < 2.21.2 Version: >= 2.22.0, < 2.22.3 Version: >= 2.23.0, < 2.23.2 Version: >= 2.24.0, < 2.24.2 Version: >= 2.25.0, < 2.25.3 Version: >= 2.26.0, < 2.26.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:22:09.095Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/" }, { "name": "DSA-4657", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4657" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2177-1] git security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html" }, { "name": "[oss-security] 20200415 CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/15/5" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html" }, { "name": "[oss-security] 20200415 Re: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/15/6" }, { "name": "openSUSE-SU-2020:0524", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.apple.com/kb/HT211141" }, { "name": "FEDORA-2020-cdef88bb89", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/" }, { "name": "[oss-security] 20200420 CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/20/1" }, { "name": "GLSA-202004-13", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202004-13" }, { "name": "FEDORA-2020-c6548b488f", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/" }, { "name": "FEDORA-2020-f6b3b6fb18", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/" }, { "name": "FEDORA-2020-b2a2c830cf", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/" }, { "name": "USN-4329-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4329-1/" }, { "name": "FEDORA-2020-4e093619bb", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/" }, { "name": "openSUSE-SU-2020:0598", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "git", "vendor": "git", "versions": [ { "status": "affected", "version": "\u003c 2.17.4" }, { "status": "affected", "version": "\u003e= 2.18.0, \u003c 2.18.3" }, { "status": "affected", "version": "\u003e= 2.19.0, 2.19.4" }, { "status": "affected", "version": "\u003e= 2.20.0, \u003c 2.20.3" }, { "status": "affected", "version": "\u003e= 2.21.0, \u003c 2.21.2" }, { "status": "affected", "version": "\u003e= 2.22.0, \u003c 2.22.3" }, { "status": "affected", "version": "\u003e= 2.23.0, \u003c 2.23.2" }, { "status": "affected", "version": "\u003e= 2.24.0, \u003c 2.24.2" }, { "status": "affected", "version": "\u003e= 2.25.0, \u003c 2.25.3" }, { "status": "affected", "version": "\u003e= 2.26.0, \u003c 2.26.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-06T18:06:08", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/" }, { "name": "DSA-4657", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4657" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2177-1] git security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html" }, { "name": "[oss-security] 20200415 CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/15/5" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html" }, { "name": "[oss-security] 20200415 Re: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/15/6" }, { "name": "openSUSE-SU-2020:0524", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.apple.com/kb/HT211141" }, { "name": "FEDORA-2020-cdef88bb89", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/" }, { "name": "[oss-security] 20200420 CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/20/1" }, { "name": "GLSA-202004-13", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202004-13" }, { "name": "FEDORA-2020-c6548b488f", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/" }, { "name": "FEDORA-2020-f6b3b6fb18", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/" }, { "name": "FEDORA-2020-b2a2c830cf", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/" }, { "name": "USN-4329-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4329-1/" }, { "name": "FEDORA-2020-4e093619bb", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/" }, { "name": "openSUSE-SU-2020:0598", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html" } ], "source": { "advisory": "GHSA-qm7j-c969-7j4q", "discovery": "UNKNOWN" }, "title": "malicious URLs may cause Git to present stored credentials to the wrong server", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5260", "STATE": "PUBLIC", "TITLE": "malicious URLs may cause Git to present stored credentials to the wrong server" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "git", "version": { "version_data": [ { "version_value": "\u003c 2.17.4" }, { "version_value": "\u003e= 2.18.0, \u003c 2.18.3" }, { "version_value": "\u003e= 2.19.0, 2.19.4" }, { "version_value": "\u003e= 2.20.0, \u003c 2.20.3" }, { "version_value": "\u003e= 2.21.0, \u003c 2.21.2" }, { "version_value": "\u003e= 2.22.0, \u003c 2.22.3" }, { "version_value": "\u003e= 2.23.0, \u003c 2.23.2" }, { "version_value": "\u003e= 2.24.0, \u003c 2.24.2" }, { "version_value": "\u003e= 2.25.0, \u003c 2.25.3" }, { "version_value": "\u003e= 2.26.0, \u003c 2.26.1" } ] } } ] }, "vendor_name": "git" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-20: Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q", "refsource": "CONFIRM", "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q" }, { "name": "https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b", "refsource": "MISC", "url": "https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b" }, { "name": "https://lore.kernel.org/git/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/", "refsource": "MISC", "url": "https://lore.kernel.org/git/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/" }, { "name": "DSA-4657", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4657" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2177-1] git security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html" }, { "name": "[oss-security] 20200415 CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/04/15/5" }, { "name": "http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html" }, { "name": "[oss-security] 20200415 Re: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/04/15/6" }, { "name": "openSUSE-SU-2020:0524", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html" }, { "name": "https://support.apple.com/kb/HT211141", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT211141" }, { "name": "FEDORA-2020-cdef88bb89", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/" }, { "name": "[oss-security] 20200420 CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/04/20/1" }, { "name": "GLSA-202004-13", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202004-13" }, { "name": "FEDORA-2020-c6548b488f", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/" }, { "name": "FEDORA-2020-f6b3b6fb18", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/" }, { "name": "FEDORA-2020-b2a2c830cf", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/" }, { "name": "USN-4329-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4329-1/" }, { "name": "FEDORA-2020-4e093619bb", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/" }, { "name": "openSUSE-SU-2020:0598", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html" } ] }, "source": { "advisory": "GHSA-qm7j-c969-7j4q", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5260", "datePublished": "2020-04-14T22:50:12", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.095Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-20012 (GCVE-0-2025-20012)
Vulnerability from cvelistv5
Published
2025-05-13 21:01
Modified
2025-05-15 19:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
- CWE-696 - Incorrect Behavior Order
Summary
Incorrect behavior order for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Intel(R) Core™ Ultra Processors |
Version: See references |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-20012", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-14T20:19:54.668389Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-15T19:36:01.074Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Intel(R) Core\u2122 Ultra Processors", "vendor": "n/a", "versions": [ { "status": "affected", "version": "See references" } ] } ], "descriptions": [ { "lang": "en", "value": "Incorrect behavior order for some Intel(R) Core\u2122 Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "PHYSICAL", "baseScore": 4.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" }, { "cweId": "CWE-696", "description": "Incorrect Behavior Order", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T21:01:33.504Z", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel" }, "references": [ { "name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01322.html", "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01322.html" } ] } }, "cveMetadata": { "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2025-20012", "datePublished": "2025-05-13T21:01:33.504Z", "dateReserved": "2025-01-24T04:00:26.691Z", "dateUpdated": "2025-05-15T19:36:01.074Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-37890 (GCVE-0-2025-37890)
Vulnerability from cvelistv5
Published
2025-05-16 13:01
Modified
2025-06-04 12:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case).
This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea Version: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/sch_hfsc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "273bbcfa53541cde38b2003ad88a59b770306421", "status": "affected", "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea", "versionType": "git" }, { "lessThan": "e0cf8ee23e1915431f262a7b2dee0c7a7d699af0", "status": "affected", "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea", "versionType": "git" }, { "lessThan": "e3e949a39a91d1f829a4890e7dfe9417ac72e4d0", "status": "affected", "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea", "versionType": "git" }, { "lessThan": "8df7d37d626430035b413b97cee18396b3450bef", "status": "affected", "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea", "versionType": "git" }, { "lessThan": "6082a87af4c52f58150d40dec1716011d871ac21", "status": "affected", "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea", "versionType": "git" }, { "lessThan": "2e7093c7a8aba5d4f8809f271488e5babe75e202", "status": "affected", "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea", "versionType": "git" }, { "lessThan": "ac39fd4a757584d78ed062d4f6fd913f83bd98b5", "status": "affected", "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea", "versionType": "git" }, { "lessThan": "141d34391abbb315d68556b7c67ad97885407547", "status": "affected", "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/sch_hfsc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.294", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.238", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.182", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.138", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.90", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.28", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.294", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.238", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.182", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.138", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.90", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.28", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.6", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc\n\nAs described in Gerrard\u0027s report [1], we have a UAF case when an hfsc class\nhas a netem child qdisc. The crux of the issue is that hfsc is assuming\nthat checking for cl-\u003eqdisc-\u003eq.qlen == 0 guarantees that it hasn\u0027t inserted\nthe class in the vttree or eltree (which is not true for the netem\nduplicate case).\n\nThis patch checks the n_active class variable to make sure that the code\nwon\u0027t insert the class in the vttree or eltree twice, catering for the\nreentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/" } ], "providerMetadata": { "dateUpdated": "2025-06-04T12:57:24.484Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421" }, { "url": "https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0" }, { "url": "https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0" }, { "url": "https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef" }, { "url": "https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21" }, { "url": "https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202" }, { "url": "https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5" }, { "url": "https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547" } ], "title": "net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-37890", "datePublished": "2025-05-16T13:01:12.798Z", "dateReserved": "2025-04-16T04:51:23.963Z", "dateUpdated": "2025-06-04T12:57:24.484Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-52520 (GCVE-0-2025-52520)
Vulnerability from cvelistv5
Published
2025-07-10 19:05
Modified
2025-08-08 12:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-190 - Integer Overflow or Wraparound
Summary
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions
may also be affected.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Tomcat |
Version: 11.0.0-M1 ≤ 11.0.8 Version: 10.1.0-M1 ≤ 10.1.42 Version: 9.0.0.M1 ≤ 9.0.106 Version: 8.5.0 ≤ 8.5.100 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-52520", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-11T14:08:03.553602Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-11T14:10:55.719Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "11.0.8", "status": "affected", "version": "11.0.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "10.1.42", "status": "affected", "version": "10.1.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "9.0.106", "status": "affected", "version": "9.0.0.M1", "versionType": "semver" }, { "lessThanOrEqual": "8.5.100", "status": "affected", "version": "8.5.0", "versionType": "semver" }, { "lessThan": "8.5.0", "status": "unknown", "version": "6", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Saravana Kumar" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eFor some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions \nmay also be affected.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.\u003c/p\u003e" } ], "value": "For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions \nmay also be affected.\n\n\nUsers are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue." } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-08T12:13:57.665Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Tomcat: DoS via integer overflow in multipart file upload", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-52520", "datePublished": "2025-07-10T19:05:41.637Z", "dateReserved": "2025-06-17T07:31:32.117Z", "dateUpdated": "2025-08-08T12:13:57.665Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-27613 (GCVE-0-2025-27613)
Vulnerability from cvelistv5
Published
2025-07-10 14:58
Modified
2025-07-10 15:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-27613", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-10T15:55:29.551008Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-10T15:55:34.975Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "gitk", "vendor": "j6t", "versions": [ { "status": "affected", "version": "\u003e= 1.7.0, \u003c 2.43.7" }, { "status": "affected", "version": "\u003e= 2.44.0, \u003c 2.44.4" }, { "status": "affected", "version": "\u003e= 2.45.0, \u003c 2.45.4" }, { "status": "affected", "version": "\u003e= 2.46.0, \u003c 2.46.4" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.3" }, { "status": "affected", "version": "\u003e= 2.48.0, \u003c 2.48.2" }, { "status": "affected", "version": "\u003e= 2.49.0, \u003c 2.49.1" }, { "status": "affected", "version": "\u003e= 2.50.0, \u003c 2.50.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk\u0027s Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-10T14:58:16.752Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/j6t/gitk/security/advisories/GHSA-f3cw-xrj3-wr2v", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/j6t/gitk/security/advisories/GHSA-f3cw-xrj3-wr2v" }, { "name": "https://github.com/j6t/gitk/compare/465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/j6t/gitk/compare/465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5" }, { "name": "https://github.com/j6t/gitk/compare/7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/j6t/gitk/compare/7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652" } ], "source": { "advisory": "GHSA-f3cw-xrj3-wr2v", "discovery": "UNKNOWN" }, "title": "Gitk can create and truncate files in the user\u0027s home directory" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-27613", "datePublished": "2025-07-10T14:58:16.752Z", "dateReserved": "2025-03-03T15:10:34.079Z", "dateUpdated": "2025-07-10T15:55:34.975Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-6021 (GCVE-0-2025-6021)
Vulnerability from cvelistv5
Published
2025-06-12 12:49
Modified
2025-09-03 14:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
References
Impacted products
Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat Enterprise Linux 10 |
Unaffected: 0:2.12.5-7.el10_0 < * cpe:/o:redhat:enterprise_linux:10.0 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-6021", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-09-03T14:41:19.578427Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-03T14:46:43.637Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit", "issue-tracking" ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/926" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10.0" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.12.5-7.el10_0", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_els:7" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.1-6.el7_9.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-21.el8_10.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-21.el8_10.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:8.2::baseos", "cpe:/a:redhat:rhel_aus:8.2::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_2.3", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_4.6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_4.6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_aus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_aus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_aus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.8::appstream", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-16.el8_8.9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.8::appstream", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-16.el8_8.9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:9.0::appstream", "cpe:/o:redhat:rhel_e4s:9.0::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-1.el9_0.5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_e4s:9.2::baseos", "cpe:/a:redhat:rhel_e4s:9.2::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-3.el9_2.7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus:9.4::baseos", "cpe:/a:redhat:rhel_eus:9.4::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.14::el8", "cpe:/a:redhat:openshift:4.14::el9" ], "defaultStatus": "affected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4.14", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "414.92.202508041909-0", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el9" ], "defaultStatus": "unaffected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.16::el9" ], "defaultStatus": "affected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "416.94.202508050040-0", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "unaffected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift:4.18::el9" ], "defaultStatus": "affected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4.18", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "418.94.202508060022-0", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:discovery:2::el9" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/discovery/discovery-server-rhel9", "product": "Red Hat Discovery 2", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:c517869dacaf4d3650310d4a52e83706e0b311d6ebb4a9b37b1c7acff5c142ec", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:insights_proxy:1.5::el9" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/insights-proxy/insights-proxy-container-rhel9", "product": "Red Hat Insights proxy 1.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:c26d589f12647890b67aaa986f54d3f7c6f7f2563fb5a73f38d559e6138739d7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "unknown", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_core_services:1" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat JBoss Core Services", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "Red Hat would like to thank Ahmed Lekssays for reporting this issue." } ], "datePublic": "2025-06-12T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in libxml2\u0027s xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-31T11:45:20.705Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2025:10630", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10630" }, { "name": "RHSA-2025:10698", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10698" }, { "name": "RHSA-2025:10699", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10699" }, { "name": "RHSA-2025:11580", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:11580" }, { "name": "RHSA-2025:12098", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12098" }, { "name": "RHSA-2025:12099", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12099" }, { "name": "RHSA-2025:12199", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12199" }, { "name": "RHSA-2025:12237", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12237" }, { "name": "RHSA-2025:12239", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12239" }, { "name": "RHSA-2025:12240", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12240" }, { "name": "RHSA-2025:12241", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12241" }, { "name": "RHSA-2025:13267", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13267" }, { "name": "RHSA-2025:13289", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13289" }, { "name": "RHSA-2025:13325", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13325" }, { "name": "RHSA-2025:13335", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13335" }, { "name": "RHSA-2025:13336", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13336" }, { "name": "RHSA-2025:14059", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14059" }, { "name": "RHSA-2025:14396", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14396" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2025-6021" }, { "name": "RHBZ#2372406", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372406" } ], "timeline": [ { "lang": "en", "time": "2025-06-12T07:55:45.428000+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2025-06-12T00:00:00+00:00", "value": "Made public." } ], "title": "Libxml2: integer overflow in xmlbuildqname() leads to stack buffer overflow in libxml2", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Users are strongly advised to apply vendor-supplied patches as soon as they become available to address the underlying integer overflow flaw in the affected code." } ], "x_redhatCweChain": "(CWE-190|CWE-121): Integer Overflow or Wraparound or Stack-based Buffer Overflow" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2025-6021", "datePublished": "2025-06-12T12:49:16.157Z", "dateReserved": "2025-06-12T05:52:54.211Z", "dateUpdated": "2025-09-03T14:46:43.637Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-21919 (GCVE-0-2025-21919)
Vulnerability from cvelistv5
Published
2025-04-01 15:40
Modified
2025-05-04 07:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq.
This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list,
making the conversion invalid and potentially leading to memory
corruption. Depending on the relative positions of leaf_cfs_rq_list and
the task group (tg) pointer within the struct, this can cause a memory
fault or access garbage data.
The issue arises in list_add_leaf_cfs_rq, where both
cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same
leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list.
This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main
conditional in child_cfs_rq_on_list. This ensures that the container_of
operation will convert a correct cfs_rq struct.
This check is sufficient because only cfs_rqs on the same CPU are added
to the list, so verifying the 'prev' pointer against the current rq's list
head is enough.
Fixes a potential memory corruption issue that due to current struct
layout might not be manifesting as a crash but could lead to unpredictable
behavior when the layout changes.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fdaba61ef8a268d4136d0a113d153f7a89eb9984 Version: fdaba61ef8a268d4136d0a113d153f7a89eb9984 Version: fdaba61ef8a268d4136d0a113d153f7a89eb9984 Version: fdaba61ef8a268d4136d0a113d153f7a89eb9984 Version: fdaba61ef8a268d4136d0a113d153f7a89eb9984 Version: fdaba61ef8a268d4136d0a113d153f7a89eb9984 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/sched/fair.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5cb300dcdd27e6a351ac02541e0231261c775852", "status": "affected", "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984", "versionType": "git" }, { "lessThan": "000c9ee43928f2ce68a156dd40bab7616256f4dd", "status": "affected", "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984", "versionType": "git" }, { "lessThan": "9cc7f0018609f75a349e42e3aebc3b0e905ba775", "status": "affected", "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984", "versionType": "git" }, { "lessThan": "b5741e4b9ef3567613b2351384f91d3f16e59986", "status": "affected", "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984", "versionType": "git" }, { "lessThan": "e1dd09df30ba86716cb2ffab97dc35195c01eb8f", "status": "affected", "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984", "versionType": "git" }, { "lessThan": "3b4035ddbfc8e4521f85569998a7569668cccf51", "status": "affected", "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/sched/fair.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.179", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.131", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.83", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.19", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.179", "versionStartIncluding": "5.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.131", "versionStartIncluding": "5.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.83", "versionStartIncluding": "5.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.19", "versionStartIncluding": "5.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.7", "versionStartIncluding": "5.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14", "versionStartIncluding": "5.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\n\nchild_cfs_rq_on_list attempts to convert a \u0027prev\u0027 pointer to a cfs_rq.\nThis \u0027prev\u0027 pointer can originate from struct rq\u0027s leaf_cfs_rq_list,\nmaking the conversion invalid and potentially leading to memory\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\nthe task group (tg) pointer within the struct, this can cause a memory\nfault or access garbage data.\n\nThe issue arises in list_add_leaf_cfs_rq, where both\ncfs_rq-\u003eleaf_cfs_rq_list and rq-\u003eleaf_cfs_rq_list are added to the same\nleaf list. Also, rq-\u003etmp_alone_branch can be set to rq-\u003eleaf_cfs_rq_list.\n\nThis adds a check `if (prev == \u0026rq-\u003eleaf_cfs_rq_list)` after the main\nconditional in child_cfs_rq_on_list. This ensures that the container_of\noperation will convert a correct cfs_rq struct.\n\nThis check is sufficient because only cfs_rqs on the same CPU are added\nto the list, so verifying the \u0027prev\u0027 pointer against the current rq\u0027s list\nhead is enough.\n\nFixes a potential memory corruption issue that due to current struct\nlayout might not be manifesting as a crash but could lead to unpredictable\nbehavior when the layout changes." } ], "providerMetadata": { "dateUpdated": "2025-05-04T07:24:33.615Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852" }, { "url": "https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd" }, { "url": "https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775" }, { "url": "https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986" }, { "url": "https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f" }, { "url": "https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51" } ], "title": "sched/fair: Fix potential memory corruption in child_cfs_rq_on_list", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-21919", "datePublished": "2025-04-01T15:40:54.075Z", "dateReserved": "2024-12-29T08:45:45.787Z", "dateUpdated": "2025-05-04T07:24:33.615Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-52434 (GCVE-0-2025-52434)
Vulnerability from cvelistv5
Published
2025-07-10 19:03
Modified
2025-08-08 12:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Summary
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.
This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions
may also be affected.
Users are recommended to upgrade to version 9.0.107, which fixes the issue.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Tomcat |
Version: 9.0.0.M1 ≤ 9.0.106 Version: 8.5.0 ≤ 8.5.100 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-52434", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-11T14:02:46.073154Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-11T14:04:04.250Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "9.0.106", "status": "affected", "version": "9.0.0.M1", "versionType": "semver" }, { "lessThanOrEqual": "8.5.100", "status": "affected", "version": "8.5.0", "versionType": "semver" }, { "lessThan": "8.5.0", "status": "unknown", "version": "5", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Nacl" }, { "lang": "en", "type": "finder", "value": "12SqweR" }, { "lang": "en", "type": "finder", "value": "WHOAMI" }, { "lang": "en", "type": "finder", "value": "yyzmoon" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eConcurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions \nmay also be affected.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 9.0.107, which fixes the issue.\u003c/p\u003e" } ], "value": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.\n\nThis issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions \nmay also be affected.\n\n\nUsers are recommended to upgrade to version 9.0.107, which fixes the issue." } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-08T12:10:07.868Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Tomcat: APR/Native Connector crash leading to DoS", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-52434", "datePublished": "2025-07-10T19:03:47.225Z", "dateReserved": "2025-06-16T07:00:46.986Z", "dateUpdated": "2025-08-08T12:10:07.868Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-49111 (GCVE-0-2022-49111)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix use after free in hci_send_acl
This fixes the following trace caused by receiving
HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without
first checking if conn->type is in fact AMP_LINK and in case it is
do properly cleanup upper layers with hci_disconn_cfm:
==================================================================
BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50
Read of size 8 at addr ffff88800e404818 by task bluetoothd/142
CPU: 0 PID: 142 Comm: bluetoothd Not tainted
5.17.0-rc5-00006-gda4022eeac1a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x59
print_address_description.constprop.0+0x1f/0x150
kasan_report.cold+0x7f/0x11b
hci_send_acl+0xaba/0xc50
l2cap_do_send+0x23f/0x3d0
l2cap_chan_send+0xc06/0x2cc0
l2cap_sock_sendmsg+0x201/0x2b0
sock_sendmsg+0xdc/0x110
sock_write_iter+0x20f/0x370
do_iter_readv_writev+0x343/0x690
do_iter_write+0x132/0x640
vfs_writev+0x198/0x570
do_writev+0x202/0x280
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3
0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05
<48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015
RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77
R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580
RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001
</TASK>
R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0
Allocated by task 45:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
hci_chan_create+0x9a/0x2f0
l2cap_conn_add.part.0+0x1a/0xdc0
l2cap_connect_cfm+0x236/0x1000
le_conn_complete_evt+0x15a7/0x1db0
hci_le_conn_complete_evt+0x226/0x2c0
hci_le_meta_evt+0x247/0x450
hci_event_packet+0x61b/0xe90
hci_rx_work+0x4d5/0xc50
process_one_work+0x8fb/0x15a0
worker_thread+0x576/0x1240
kthread+0x29d/0x340
ret_from_fork+0x1f/0x30
Freed by task 45:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0xfb/0x130
kfree+0xac/0x350
hci_conn_cleanup+0x101/0x6a0
hci_conn_del+0x27e/0x6c0
hci_disconn_phylink_complete_evt+0xe0/0x120
hci_event_packet+0x812/0xe90
hci_rx_work+0x4d5/0xc50
process_one_work+0x8fb/0x15a0
worker_thread+0x576/0x1240
kthread+0x29d/0x340
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff88800c0f0500
The buggy address is located 24 bytes inside of
which belongs to the cache kmalloc-128 of size 128
The buggy address belongs to the page:
128-byte region [ffff88800c0f0500, ffff88800c0f0580)
flags: 0x100000000000200(slab|node=0|zone=1)
page:00000000fe45cd86 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0xc0f0
raw: 0000000000000000 0000000080100010 00000001ffffffff
0000000000000000
raw: 0100000000000200 ffffea00003a2c80 dead000000000004
ffff8880078418c0
page dumped because: kasan: bad access detected
ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
Memory state around the buggy address:
>ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-49111", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-27T18:17:22.265818Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-27T18:22:35.037Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_event.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c41de54b0a963e59e4dd04c029a4a6d73f45ef9c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "643a6c26bd32e339d00ad97b8822b6db009e803c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "684e505406abaeabe0058e9776f9210bf2747953", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3803d896ddd97c7c16689a5381c0960040727647", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2cc803804ec9a296b3156855d6c8c4ca1c6b84be", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d404765dffdbd8dcd14758695d0c96c52fb2e624", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4da302b90b96c309987eb9b37c8547f939f042d2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f63d24baff787e13b723d86fe036f84bdbc35045", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_event.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.311", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.276", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.238", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.189", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.111", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.34", "versionType": "semver" }, { "lessThanOrEqual": "5.16.*", "status": "unaffected", "version": "5.16.20", "versionType": "semver" }, { "lessThanOrEqual": "5.17.*", "status": "unaffected", "version": "5.17.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.18", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.311", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.276", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.238", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.189", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.111", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.34", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.16.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.17.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use after free in hci_send_acl\n\nThis fixes the following trace caused by receiving\nHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without\nfirst checking if conn-\u003etype is in fact AMP_LINK and in case it is\ndo properly cleanup upper layers with hci_disconn_cfm:\n\n ==================================================================\n BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50\n Read of size 8 at addr ffff88800e404818 by task bluetoothd/142\n\n CPU: 0 PID: 142 Comm: bluetoothd Not tainted\n 5.17.0-rc5-00006-gda4022eeac1a #7\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x45/0x59\n print_address_description.constprop.0+0x1f/0x150\n kasan_report.cold+0x7f/0x11b\n hci_send_acl+0xaba/0xc50\n l2cap_do_send+0x23f/0x3d0\n l2cap_chan_send+0xc06/0x2cc0\n l2cap_sock_sendmsg+0x201/0x2b0\n sock_sendmsg+0xdc/0x110\n sock_write_iter+0x20f/0x370\n do_iter_readv_writev+0x343/0x690\n do_iter_write+0x132/0x640\n vfs_writev+0x198/0x570\n do_writev+0x202/0x280\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\n Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3\n 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05\n \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015\n RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77\n R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580\n RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001\n \u003c/TASK\u003e\n R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0\n\n Allocated by task 45:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n hci_chan_create+0x9a/0x2f0\n l2cap_conn_add.part.0+0x1a/0xdc0\n l2cap_connect_cfm+0x236/0x1000\n le_conn_complete_evt+0x15a7/0x1db0\n hci_le_conn_complete_evt+0x226/0x2c0\n hci_le_meta_evt+0x247/0x450\n hci_event_packet+0x61b/0xe90\n hci_rx_work+0x4d5/0xc50\n process_one_work+0x8fb/0x15a0\n worker_thread+0x576/0x1240\n kthread+0x29d/0x340\n ret_from_fork+0x1f/0x30\n\n Freed by task 45:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0xfb/0x130\n kfree+0xac/0x350\n hci_conn_cleanup+0x101/0x6a0\n hci_conn_del+0x27e/0x6c0\n hci_disconn_phylink_complete_evt+0xe0/0x120\n hci_event_packet+0x812/0xe90\n hci_rx_work+0x4d5/0xc50\n process_one_work+0x8fb/0x15a0\n worker_thread+0x576/0x1240\n kthread+0x29d/0x340\n ret_from_fork+0x1f/0x30\n\n The buggy address belongs to the object at ffff88800c0f0500\n The buggy address is located 24 bytes inside of\n which belongs to the cache kmalloc-128 of size 128\n The buggy address belongs to the page:\n 128-byte region [ffff88800c0f0500, ffff88800c0f0580)\n flags: 0x100000000000200(slab|node=0|zone=1)\n page:00000000fe45cd86 refcount:1 mapcount:0\n mapping:0000000000000000 index:0x0 pfn:0xc0f0\n raw: 0000000000000000 0000000080100010 00000001ffffffff\n 0000000000000000\n raw: 0100000000000200 ffffea00003a2c80 dead000000000004\n ffff8880078418c0\n page dumped because: kasan: bad access detected\n ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc\n Memory state around the buggy address:\n \u003effff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n \n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-05-04T08:30:07.124Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c41de54b0a963e59e4dd04c029a4a6d73f45ef9c" }, { "url": "https://git.kernel.org/stable/c/643a6c26bd32e339d00ad97b8822b6db009e803c" }, { "url": "https://git.kernel.org/stable/c/684e505406abaeabe0058e9776f9210bf2747953" }, { "url": "https://git.kernel.org/stable/c/3803d896ddd97c7c16689a5381c0960040727647" }, { "url": "https://git.kernel.org/stable/c/2cc803804ec9a296b3156855d6c8c4ca1c6b84be" }, { "url": "https://git.kernel.org/stable/c/d404765dffdbd8dcd14758695d0c96c52fb2e624" }, { "url": "https://git.kernel.org/stable/c/4da302b90b96c309987eb9b37c8547f939f042d2" }, { "url": "https://git.kernel.org/stable/c/b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502" }, { "url": "https://git.kernel.org/stable/c/f63d24baff787e13b723d86fe036f84bdbc35045" } ], "title": "Bluetooth: Fix use after free in hci_send_acl", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-49111", "datePublished": "2025-02-26T01:54:56.622Z", "dateReserved": "2025-02-26T01:49:39.261Z", "dateUpdated": "2025-05-04T08:30:07.124Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-28956 (GCVE-0-2024-28956)
Vulnerability from cvelistv5
Published
2025-05-13 21:02
Modified
2025-05-14 14:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
- CWE-1421 - Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
Summary
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Intel(R) Processors |
Version: See references |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2025-05-13T22:03:18.846Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://xenbits.xen.org/xsa/advisory-469.html" }, { "url": "http://www.openwall.com/lists/oss-security/2025/05/12/5" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-28956", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-14T14:42:03.518493Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-14T14:43:48.581Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Intel(R) Processors", "vendor": "n/a", "versions": [ { "status": "affected", "version": "See references" } ] } ], "descriptions": [ { "lang": "en", "value": "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.7, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" }, { "cweId": "CWE-1421", "description": "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T21:02:56.170Z", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel" }, "references": [ { "name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01153.html", "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01153.html" } ] } }, "cveMetadata": { "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2024-28956", "datePublished": "2025-05-13T21:02:56.170Z", "dateReserved": "2024-05-23T17:14:54.799Z", "dateUpdated": "2025-05-14T14:43:48.581Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53506 (GCVE-0-2025-53506)
Vulnerability from cvelistv5
Published
2025-07-10 19:14
Modified
2025-08-08 12:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Tomcat |
Version: 11.0.0-M1 ≤ 11.0.8 Version: 10.1.0-M1 ≤ 10.1.42 Version: 9.0.0.M1 ≤ 9.0.106 Version: 8.5.0 ≤ 8.5.100 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53506", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-11T13:46:01.043076Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-11T13:49:02.483Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "11.0.8", "status": "affected", "version": "11.0.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "10.1.42", "status": "affected", "version": "10.1.0-M1", "versionType": "semver" }, { "lessThanOrEqual": "9.0.106", "status": "affected", "version": "9.0.0.M1", "versionType": "semver" }, { "lessThanOrEqual": "8.5.100", "status": "affected", "version": "8.5.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Kanatoko" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.\u003c/p\u003e" } ], "value": "Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100.\n\n\nUsers are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue." } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-08T12:14:53.022Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Tomcat: DoS via excessive h2 streams at connection start", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-53506", "datePublished": "2025-07-10T19:14:23.249Z", "dateReserved": "2025-07-01T14:22:04.137Z", "dateUpdated": "2025-08-08T12:14:53.022Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-48060 (GCVE-0-2025-48060)
Vulnerability from cvelistv5
Published
2025-05-21 17:32
Modified
2025-05-21 18:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.
References
▼ | URL | Tags |
---|---|---|
https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-48060", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-21T18:39:23.263839Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-21T18:39:28.901Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "jq", "vendor": "jqlang", "versions": [ { "status": "affected", "version": "\u003c= 1.7.1" } ] } ], "descriptions": [ { "lang": "en", "value": "jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-21T17:32:43.602Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w" } ], "source": { "advisory": "GHSA-p7rr-28xf-3m5w", "discovery": "UNKNOWN" }, "title": "AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt)" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-48060", "datePublished": "2025-05-21T17:32:43.602Z", "dateReserved": "2025-05-15T16:06:40.940Z", "dateUpdated": "2025-05-21T18:39:28.901Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-49796 (GCVE-0-2025-49796)
Vulnerability from cvelistv5
Published
2025-06-16 15:14
Modified
2025-09-02 16:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-125 - Out-of-bounds Read
Summary
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
References
Impacted products
Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat Enterprise Linux 10 |
Unaffected: 0:2.12.5-7.el10_0 < * cpe:/o:redhat:enterprise_linux:10.0 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-49796", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-16T15:32:55.790163Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-16T15:33:08.296Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10.0" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.12.5-7.el10_0", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_els:7" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.1-6.el7_9.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-21.el8_10.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-21.el8_10.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/o:redhat:rhel_aus:8.2::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_2.3", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/a:redhat:rhel_aus:8.4::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_4.6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/a:redhat:rhel_aus:8.4::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_4.6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/a:redhat:rhel_aus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/a:redhat:rhel_aus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/a:redhat:rhel_aus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/a:redhat:rhel_e4s:8.8::appstream", "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-16.el8_8.9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/a:redhat:rhel_e4s:8.8::appstream", "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-16.el8_8.9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_e4s:9.0::baseos", "cpe:/a:redhat:rhel_e4s:9.0::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-1.el9_0.5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_e4s:9.2::baseos", "cpe:/a:redhat:rhel_e4s:9.2::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-3.el9_2.7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus:9.4::baseos", "cpe:/a:redhat:rhel_eus:9.4::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:discovery:2::el9" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/discovery/discovery-server-rhel9", "product": "Red Hat Discovery 2", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:c517869dacaf4d3650310d4a52e83706e0b311d6ebb4a9b37b1c7acff5c142ec", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:insights_proxy:1.5::el9" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/insights-proxy/insights-proxy-container-rhel9", "product": "Red Hat Insights proxy 1.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:e54a5a5f9d69dd6a03e2bcd845e2202910a188d266d4a79b12c387ceffc36f2d", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "unknown", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_core_services:1" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat JBoss Core Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" } ], "datePublic": "2025-06-11T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-125", "description": "Out-of-bounds Read", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-02T16:03:18.689Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2025:10630", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10630" }, { "name": "RHSA-2025:10698", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10698" }, { "name": "RHSA-2025:10699", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10699" }, { "name": "RHSA-2025:11580", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:11580" }, { "name": "RHSA-2025:12098", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12098" }, { "name": "RHSA-2025:12099", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12099" }, { "name": "RHSA-2025:12199", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12199" }, { "name": "RHSA-2025:12237", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12237" }, { "name": "RHSA-2025:12239", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12239" }, { "name": "RHSA-2025:12240", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12240" }, { "name": "RHSA-2025:12241", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12241" }, { "name": "RHSA-2025:13267", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13267" }, { "name": "RHSA-2025:13335", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13335" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2025-49796" }, { "name": "RHBZ#2372385", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372385" } ], "timeline": [ { "lang": "en", "time": "2025-06-12T00:35:26.470000+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2025-06-11T00:00:00+00:00", "value": "Made public." } ], "title": "Libxml: type confusion leads to denial of service (dos)", "workarounds": [ { "lang": "en", "value": "There\u0027s no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library." } ], "x_redhatCweChain": "CWE-125: Out-of-bounds Read" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2025-49796", "datePublished": "2025-06-16T15:14:28.251Z", "dateReserved": "2025-06-10T22:17:05.287Z", "dateUpdated": "2025-09-02T16:03:18.689Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-49977 (GCVE-0-2022-49977)
Vulnerability from cvelistv5
Published
2025-06-18 11:00
Modified
2025-06-18 11:00
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead
ftrace_startup does not remove ops from ftrace_ops_list when
ftrace_startup_enable fails:
register_ftrace_function
ftrace_startup
__register_ftrace_function
...
add_ftrace_ops(&ftrace_ops_list, ops)
...
...
ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1
...
return 0 // ops is in the ftrace_ops_list.
When ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything:
unregister_ftrace_function
ftrace_shutdown
if (unlikely(ftrace_disabled))
return -ENODEV; // return here, __unregister_ftrace_function is not executed,
// as a result, ops is still in the ftrace_ops_list
__unregister_ftrace_function
...
If ops is dynamically allocated, it will be free later, in this case,
is_ftrace_trampoline accesses NULL pointer:
is_ftrace_trampoline
ftrace_ops_trampoline
do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL!
Syzkaller reports as follows:
[ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b
[ 1203.508039] #PF: supervisor read access in kernel mode
[ 1203.508798] #PF: error_code(0x0000) - not-present page
[ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0
[ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI
[ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G B W 5.10.0 #8
[ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0
[ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48> 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00
[ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246
[ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866
[ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b
[ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07
[ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399
[ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008
[ 1203.525634] FS: 00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
[ 1203.526801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0
[ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Therefore, when ftrace_startup_enable fails, we need to rollback registration
process and remove ops from ftrace_ops_list.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/trace/ftrace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8569b4ada1e0b9bfaa125bd0c0967918b6560fa2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4c34a2a6c9927c239dd2e295a03d49b37b618d2c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ddffe882d74ef43a3494f0ab0c24baf076c45f96", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "934e49f7d696afdae9f979abe3f308408184e17b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "dbd8c8fc60480e3faa3ae7e27ebe03371ecd1b77", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e4ae97295984ff1b9b340ed18ae1b066f36b7835", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d81bd6671f45fde4c3ac7fd7733c6e3082ae9d8e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c3b0f72e805f0801f05fa2aa52011c4bfc694c44", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/trace/ftrace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.327", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.292", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.257", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.212", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.141", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.65", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.0", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.327", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.292", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.257", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.212", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.141", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.65", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead\n\nftrace_startup does not remove ops from ftrace_ops_list when\nftrace_startup_enable fails:\n\nregister_ftrace_function\n ftrace_startup\n __register_ftrace_function\n ...\n add_ftrace_ops(\u0026ftrace_ops_list, ops)\n ...\n ...\n ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1\n ...\n return 0 // ops is in the ftrace_ops_list.\n\nWhen ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything:\nunregister_ftrace_function\n ftrace_shutdown\n if (unlikely(ftrace_disabled))\n return -ENODEV; // return here, __unregister_ftrace_function is not executed,\n // as a result, ops is still in the ftrace_ops_list\n __unregister_ftrace_function\n ...\n\nIf ops is dynamically allocated, it will be free later, in this case,\nis_ftrace_trampoline accesses NULL pointer:\n\nis_ftrace_trampoline\n ftrace_ops_trampoline\n do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL!\n\nSyzkaller reports as follows:\n[ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b\n[ 1203.508039] #PF: supervisor read access in kernel mode\n[ 1203.508798] #PF: error_code(0x0000) - not-present page\n[ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0\n[ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI\n[ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G B W 5.10.0 #8\n[ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0\n[ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 \u003c48\u003e 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00\n[ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246\n[ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866\n[ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b\n[ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07\n[ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399\n[ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008\n[ 1203.525634] FS: 00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000\n[ 1203.526801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0\n[ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nTherefore, when ftrace_startup_enable fails, we need to rollback registration\nprocess and remove ops from ftrace_ops_list." } ], "providerMetadata": { "dateUpdated": "2025-06-18T11:00:39.871Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8569b4ada1e0b9bfaa125bd0c0967918b6560fa2" }, { "url": "https://git.kernel.org/stable/c/4c34a2a6c9927c239dd2e295a03d49b37b618d2c" }, { "url": "https://git.kernel.org/stable/c/ddffe882d74ef43a3494f0ab0c24baf076c45f96" }, { "url": "https://git.kernel.org/stable/c/934e49f7d696afdae9f979abe3f308408184e17b" }, { "url": "https://git.kernel.org/stable/c/dbd8c8fc60480e3faa3ae7e27ebe03371ecd1b77" }, { "url": "https://git.kernel.org/stable/c/e4ae97295984ff1b9b340ed18ae1b066f36b7835" }, { "url": "https://git.kernel.org/stable/c/d81bd6671f45fde4c3ac7fd7733c6e3082ae9d8e" }, { "url": "https://git.kernel.org/stable/c/c3b0f72e805f0801f05fa2aa52011c4bfc694c44" } ], "title": "ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-49977", "datePublished": "2025-06-18T11:00:39.871Z", "dateReserved": "2025-06-18T10:57:27.385Z", "dateUpdated": "2025-06-18T11:00:39.871Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-6531 (GCVE-0-2024-6531)
Vulnerability from cvelistv5
This was not a security issue in Bootstrap. Bootstrap’s JavaScript is not intended to sanitize unsafe or intentionally dangerous HTML. As such, the reported behavior fell outside the scope of Bootstrap’s security model, and the associated CVE has been rescinded.
Show details on NVD website{ "containers": { "cna": { "providerMetadata": { "dateUpdated": "2025-08-01T17:12:55.431Z", "orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs" }, "rejectedReasons": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "This was not a security issue in Bootstrap. Bootstrap\u2019s JavaScript is not intended to sanitize unsafe or intentionally dangerous HTML. As such, the reported behavior fell outside the scope of Bootstrap\u2019s security model, and the associated CVE has been rescinded." } ], "value": "This was not a security issue in Bootstrap. Bootstrap\u2019s JavaScript is not intended to sanitize unsafe or intentionally dangerous HTML. As such, the reported behavior fell outside the scope of Bootstrap\u2019s security model, and the associated CVE has been rescinded." } ], "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "assignerShortName": "HeroDevs", "cveId": "CVE-2024-6531", "datePublished": "2024-07-11T17:15:57.820Z", "dateRejected": "2025-08-01T17:12:55.431Z", "dateReserved": "2024-07-05T13:56:42.257Z", "dateUpdated": "2025-08-01T17:12:55.431Z", "state": "REJECTED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-7425 (GCVE-0-2025-7425)
Vulnerability from cvelistv5
Published
2025-07-10 13:53
Modified
2025-09-02 19:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-416 - Use After Free
Summary
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
References
Impacted products
Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat Enterprise Linux 7 Extended Lifecycle Support |
Unaffected: 0:2.9.1-6.el7_9.12 < * cpe:/o:redhat:rhel_els:7 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-7425", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-10T15:21:27.766014Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-10T15:21:30.858Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/140" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_els:7" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.1-6.el7_9.12", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-21.el8_10.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-21.el8_10.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/o:redhat:rhel_aus:8.2::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_2.4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_4.7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_4.7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_tus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.11", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_tus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.11", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_tus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.11", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/a:redhat:rhel_e4s:8.8::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-16.el8_8.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/a:redhat:rhel_e4s:8.8::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-16.el8_8.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-11.el9_6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-11.el9_6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:9.0::appstream", "cpe:/o:redhat:rhel_e4s:9.0::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-1.el9_0.6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:9.2::appstream", "cpe:/o:redhat:rhel_e4s:9.2::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-3.el9_2.8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.4::appstream", "cpe:/o:redhat:rhel_eus:9.4::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-11.el9_4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.15::el9" ], "defaultStatus": "unaffected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.17::el9" ], "defaultStatus": "unaffected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4.17", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4.19::el9" ], "defaultStatus": "unaffected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4.19", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:discovery:2::el9" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/discovery/discovery-server-rhel9", "product": "Red Hat Discovery 2", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:ad07f55ee75fb20310c88f154a04665bd8465d138d66c665c300f61447858344", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:insights_proxy:1.5::el9" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/insights-proxy/insights-proxy-container-rhel9", "product": "Red Hat Insights proxy 1.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:e54a5a5f9d69dd6a03e2bcd845e2202910a188d266d4a79b12c387ceffc36f2d", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-agent-rhel8", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:a3e7ac42823a2f58d15b52b5c729ae34f3e119122fb4defae4754e6ab14dabcd", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-all-in-one-rhel8", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:1ed7ca9ba1fe229bb04b4b59b0a7161286786c025d5dbe688d3e68e0af85945b", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-collector-rhel8", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:6f60741c03460bfdc70789640b83b8c2611f62bd3971a7eeb8316c895e4cbf48", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-es-index-cleaner-rhel8", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:9b7a37d182cfba30af3697887ee7c4faa3768f600dd6ec7dc35be26eba9b123d", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-es-rollover-rhel8", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:802a78aa94df0a14b8a0ddd350e128141ebc0b8c18730b7a54947ba7431d6bc2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-ingester-rhel8", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:453d643c17511e3e981706e5ba5b88ee8df3334dc38232ecb2069f67e269cc8b", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-operator-bundle", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:264613b2add0f32e5f537ee7cf9ba8019e5e9a347fdf20bc3de8d1678157ba66", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-query-rhel8", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:43ce372ddc2de4dc633322ec84fca9927d5a6649068f58cfaa238de39d03a0d2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-rhel8-operator", "product": "Red Hat OpenShift distributed tracing 3.5.3", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:c6f9ee5f306766c0502419fe691e9e14aad8b0d1a4ced7ff9b1738c272fba80b", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10" ], "defaultStatus": "affected", "packageName": "libxslt", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "unknown", "packageName": "libxslt", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "Red Hat would like to thank Sergei Glazunov (Google Project Zero) for reporting this issue." } ], "datePublic": "2025-07-10T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-02T19:27:13.161Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2025:12447", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12447" }, { "name": "RHSA-2025:12450", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12450" }, { "name": "RHSA-2025:13267", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13267" }, { "name": "RHSA-2025:13308", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13308" }, { "name": "RHSA-2025:13309", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13309" }, { "name": "RHSA-2025:13310", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13310" }, { "name": "RHSA-2025:13311", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13311" }, { "name": "RHSA-2025:13312", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13312" }, { "name": "RHSA-2025:13313", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13313" }, { "name": "RHSA-2025:13314", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13314" }, { "name": "RHSA-2025:13335", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13335" }, { "name": "RHSA-2025:13464", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13464" }, { "name": "RHSA-2025:13622", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13622" }, { "name": "RHSA-2025:14059", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14059" }, { "name": "RHSA-2025:14396", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14396" }, { "name": "RHSA-2025:14819", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14819" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2025-7425" }, { "name": "RHBZ#2379274", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379274" }, { "url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/140" } ], "timeline": [ { "lang": "en", "time": "2025-07-10T09:37:28.172000+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2025-07-10T00:00:00+00:00", "value": "Made public." } ], "title": "Libxslt: heap use-after-free in libxslt caused by atype corruption in xmlattrptr", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-416: Use After Free" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2025-7425", "datePublished": "2025-07-10T13:53:37.295Z", "dateReserved": "2025-07-10T08:44:06.287Z", "dateUpdated": "2025-09-02T19:27:13.161Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-23337 (GCVE-0-2024-23337)
Vulnerability from cvelistv5
Published
2025-05-21 14:34
Modified
2025-05-21 14:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-190 - Integer Overflow or Wraparound
Summary
jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46 | x_refsource_CONFIRM | |
https://github.com/jqlang/jq/issues/3262 | x_refsource_MISC | |
https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-23337", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-21T14:57:14.962759Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-21T14:57:18.378Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "jq", "vendor": "jqlang", "versions": [ { "status": "affected", "version": "\u003c= 1.7.1" } ] } ], "descriptions": [ { "lang": "en", "value": "jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-21T14:34:51.007Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2q6r-344g-cx46" }, { "name": "https://github.com/jqlang/jq/issues/3262", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/jqlang/jq/issues/3262" }, { "name": "https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e" } ], "source": { "advisory": "GHSA-2q6r-344g-cx46", "discovery": "UNKNOWN" }, "title": "jq has signed integer overflow in jv.c:jvp_array_write" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-23337", "datePublished": "2025-05-21T14:34:51.007Z", "dateReserved": "2024-01-15T15:19:19.443Z", "dateUpdated": "2025-05-21T14:57:18.378Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-47273 (GCVE-0-2025-47273)
Vulnerability from cvelistv5
Published
2025-05-17 15:46
Modified
2025-05-28 15:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
pypa | setuptools |
Version: < 78.1.1 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-47273", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-19T14:45:34.580341Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-19T14:45:39.012Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://github.com/pypa/setuptools/issues/4946" } ], "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2025-05-28T15:03:15.516Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "setuptools", "vendor": "pypa", "versions": [ { "status": "affected", "version": "\u003c 78.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-17T15:46:11.399Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf" }, { "name": "https://github.com/pypa/setuptools/issues/4946", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pypa/setuptools/issues/4946" }, { "name": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b" }, { "name": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88" } ], "source": { "advisory": "GHSA-5rjg-fvgr-3xxf", "discovery": "UNKNOWN" }, "title": "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-47273", "datePublished": "2025-05-17T15:46:11.399Z", "dateReserved": "2025-05-05T16:53:10.372Z", "dateUpdated": "2025-05-28T15:03:15.516Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-17543 (GCVE-0-2019-17543)
Vulnerability from cvelistv5
Published
2019-10-14 01:09
Modified
2024-08-05 01:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:15.850Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[arrow-issues] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3%40%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-dev] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3%40%3Cdev.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191024 [jira] [Updated] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357%40%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191024 [jira] [Assigned] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316%40%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191025 [jira] [Commented] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17%40%3Cissues.arrow.apache.org%3E" }, { "name": "openSUSE-SU-2019:2399", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html" }, { "name": "openSUSE-SU-2019:2398", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html" }, { "name": "[arrow-issues] 20191106 [jira] [Resolved] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6%40%3Cissues.arrow.apache.org%3E" }, { "name": "[kudu-issues] 20200621 [jira] [Updated] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7bc72200f94298bc9a0e35637f388deb53467ca4b2e2ad1ff66d8960%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20200709 [jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4068ba81066792f2b4d208b39c4c4713c5d4c79bd8cb6c1904af5720%40%3Cissues.kudu.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/lz4/lz4/pull/756" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/lz4/lz4/pull/760" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/lz4/lz4/issues/801" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26%40%3Cissues.kudu.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210723-0001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-23T11:06:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[arrow-issues] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3%40%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-dev] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3%40%3Cdev.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191024 [jira] [Updated] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357%40%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191024 [jira] [Assigned] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316%40%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191025 [jira] [Commented] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17%40%3Cissues.arrow.apache.org%3E" }, { "name": "openSUSE-SU-2019:2399", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html" }, { "name": "openSUSE-SU-2019:2398", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html" }, { "name": "[arrow-issues] 20191106 [jira] [Resolved] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6%40%3Cissues.arrow.apache.org%3E" }, { "name": "[kudu-issues] 20200621 [jira] [Updated] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7bc72200f94298bc9a0e35637f388deb53467ca4b2e2ad1ff66d8960%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20200709 [jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4068ba81066792f2b4d208b39c4c4713c5d4c79bd8cb6c1904af5720%40%3Cissues.kudu.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/lz4/lz4/pull/756" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/lz4/lz4/pull/760" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/lz4/lz4/issues/801" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26%40%3Cissues.kudu.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210723-0001/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17543", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[arrow-issues] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-dev] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191024 [jira] [Updated] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191024 [jira] [Assigned] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E" }, { "name": "[arrow-issues] 20191025 [jira] [Commented] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E" }, { "name": "openSUSE-SU-2019:2399", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html" }, { "name": "openSUSE-SU-2019:2398", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html" }, { "name": "[arrow-issues] 20191106 [jira] [Resolved] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E" }, { "name": "[kudu-issues] 20200621 [jira] [Updated] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7bc72200f94298bc9a0e35637f388deb53467ca4b2e2ad1ff66d8960@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20200709 [jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4068ba81066792f2b4d208b39c4c4713c5d4c79bd8cb6c1904af5720@%3Cissues.kudu.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "name": "https://github.com/lz4/lz4/pull/756", "refsource": "MISC", "url": "https://github.com/lz4/lz4/pull/756" }, { "name": "https://github.com/lz4/lz4/pull/760", "refsource": "MISC", "url": "https://github.com/lz4/lz4/pull/760" }, { "name": "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2", "refsource": "MISC", "url": "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2" }, { "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941", "refsource": "MISC", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941" }, { "name": "https://github.com/lz4/lz4/issues/801", "refsource": "MISC", "url": "https://github.com/lz4/lz4/issues/801" }, { "name": "https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26@%3Cissues.kudu.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26@%3Cissues.kudu.apache.org%3E" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210723-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210723-0001/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17543", "datePublished": "2019-10-14T01:09:00", "dateReserved": "2019-10-14T00:00:00", "dateUpdated": "2024-08-05T01:40:15.850Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-49788 (GCVE-0-2022-49788)
Vulnerability from cvelistv5
Published
2025-05-01 14:09
Modified
2025-05-04 08:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()
`struct vmci_event_qp` allocated by qp_notify_peer() contains padding,
which may carry uninitialized data to the userspace, as observed by
KMSAN:
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121
instrument_copy_to_user ./include/linux/instrumented.h:121
_copy_to_user+0x5f/0xb0 lib/usercopy.c:33
copy_to_user ./include/linux/uaccess.h:169
vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431
vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925
vfs_ioctl fs/ioctl.c:51
...
Uninit was stored to memory at:
kmemdup+0x74/0xb0 mm/util.c:131
dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271
vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339
qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479
qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940
vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488
vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927
...
Local variable ev created at:
qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456
qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
Bytes 28-31 of 48 are uninitialized
Memory access of size 48 starts at ffff888035155e00
Data copied to user address 0000000020000100
Use memset() to prevent the infoleaks.
Also speculatively fix qp_notify_peer_local(), which may suffer from the
same problem.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 06164d2b72aa752ce4633184b3e0d97601017135 Version: 06164d2b72aa752ce4633184b3e0d97601017135 Version: 06164d2b72aa752ce4633184b3e0d97601017135 Version: 06164d2b72aa752ce4633184b3e0d97601017135 Version: 06164d2b72aa752ce4633184b3e0d97601017135 Version: 06164d2b72aa752ce4633184b3e0d97601017135 Version: 06164d2b72aa752ce4633184b3e0d97601017135 Version: 06164d2b72aa752ce4633184b3e0d97601017135 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/misc/vmw_vmci/vmci_queue_pair.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7ccf7229b96fadc3a185d1391f814a604c7ef609", "status": "affected", "version": "06164d2b72aa752ce4633184b3e0d97601017135", "versionType": "git" }, { "lessThan": "f04586c2315cfd03d72ad0395705435e7ed07b1a", "status": "affected", "version": "06164d2b72aa752ce4633184b3e0d97601017135", "versionType": "git" }, { "lessThan": "5a275528025ae4bc7e2232866856dfebf84b2fad", "status": "affected", "version": "06164d2b72aa752ce4633184b3e0d97601017135", "versionType": "git" }, { "lessThan": "e7061dd1fef2dfb6458cd521aef27aa66f510d31", "status": "affected", "version": "06164d2b72aa752ce4633184b3e0d97601017135", "versionType": "git" }, { "lessThan": "62634b43d3c4e1bf62fd540196f7081bf0885c0a", "status": "affected", "version": "06164d2b72aa752ce4633184b3e0d97601017135", "versionType": "git" }, { "lessThan": "8e2f33c598370bcf828bab4d667d1d38bcd3c57d", "status": "affected", "version": "06164d2b72aa752ce4633184b3e0d97601017135", "versionType": "git" }, { "lessThan": "76c50d77b928a33e5290aaa9fdc10e88254ff8c7", "status": "affected", "version": "06164d2b72aa752ce4633184b3e0d97601017135", "versionType": "git" }, { "lessThan": "e5b0d06d9b10f5f43101bd6598b076c347f9295f", "status": "affected", "version": "06164d2b72aa752ce4633184b3e0d97601017135", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/misc/vmw_vmci/vmci_queue_pair.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.9" }, { "lessThan": "3.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.334", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.300", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.267", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.225", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.156", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.80", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.334", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.300", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.267", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.225", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.156", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.80", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.10", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "3.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()\n\n`struct vmci_event_qp` allocated by qp_notify_peer() contains padding,\nwhich may carry uninitialized data to the userspace, as observed by\nKMSAN:\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121\n instrument_copy_to_user ./include/linux/instrumented.h:121\n _copy_to_user+0x5f/0xb0 lib/usercopy.c:33\n copy_to_user ./include/linux/uaccess.h:169\n vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431\n vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925\n vfs_ioctl fs/ioctl.c:51\n ...\n\n Uninit was stored to memory at:\n kmemdup+0x74/0xb0 mm/util.c:131\n dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271\n vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339\n qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479\n qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662\n qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750\n vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940\n vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488\n vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927\n ...\n\n Local variable ev created at:\n qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456\n qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662\n qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750\n\n Bytes 28-31 of 48 are uninitialized\n Memory access of size 48 starts at ffff888035155e00\n Data copied to user address 0000000020000100\n\nUse memset() to prevent the infoleaks.\n\nAlso speculatively fix qp_notify_peer_local(), which may suffer from the\nsame problem." } ], "providerMetadata": { "dateUpdated": "2025-05-04T08:45:22.950Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7ccf7229b96fadc3a185d1391f814a604c7ef609" }, { "url": "https://git.kernel.org/stable/c/f04586c2315cfd03d72ad0395705435e7ed07b1a" }, { "url": "https://git.kernel.org/stable/c/5a275528025ae4bc7e2232866856dfebf84b2fad" }, { "url": "https://git.kernel.org/stable/c/e7061dd1fef2dfb6458cd521aef27aa66f510d31" }, { "url": "https://git.kernel.org/stable/c/62634b43d3c4e1bf62fd540196f7081bf0885c0a" }, { "url": "https://git.kernel.org/stable/c/8e2f33c598370bcf828bab4d667d1d38bcd3c57d" }, { "url": "https://git.kernel.org/stable/c/76c50d77b928a33e5290aaa9fdc10e88254ff8c7" }, { "url": "https://git.kernel.org/stable/c/e5b0d06d9b10f5f43101bd6598b076c347f9295f" } ], "title": "misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-49788", "datePublished": "2025-05-01T14:09:20.506Z", "dateReserved": "2025-05-01T14:05:17.223Z", "dateUpdated": "2025-05-04T08:45:22.950Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38079 (GCVE-0-2025-38079)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2025-06-18 09:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_hash - fix double free in hash_accept
If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 Version: fe869cdb89c95d060c77eea20204d6c91f233b53 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "crypto/algif_hash.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5bff312b59b3f2a54ff504e4f4e47272b64f3633", "status": "affected", "version": "fe869cdb89c95d060c77eea20204d6c91f233b53", "versionType": "git" }, { "lessThan": "bf7bba75b91539e93615f560893a599c1e1c98bf", "status": "affected", "version": "fe869cdb89c95d060c77eea20204d6c91f233b53", "versionType": "git" }, { "lessThan": "c3059d58f79fdfb2201249c2741514e34562b547", "status": "affected", "version": "fe869cdb89c95d060c77eea20204d6c91f233b53", "versionType": "git" }, { "lessThan": "f0f3d09f53534ea385d55ced408f2b67059b16e4", "status": "affected", "version": "fe869cdb89c95d060c77eea20204d6c91f233b53", "versionType": "git" }, { "lessThan": "134daaba93193df9e988524b5cd2f52d15eb1993", "status": "affected", "version": "fe869cdb89c95d060c77eea20204d6c91f233b53", "versionType": "git" }, { "lessThan": "2f45a8d64fb4ed4830a4b3273834ecd6ca504896", "status": "affected", "version": "fe869cdb89c95d060c77eea20204d6c91f233b53", "versionType": "git" }, { "lessThan": "0346f4b742345d1c733c977f3a7aef5a6419a967", "status": "affected", "version": "fe869cdb89c95d060c77eea20204d6c91f233b53", "versionType": "git" }, { "lessThan": "b2df03ed4052e97126267e8c13ad4204ea6ba9b6", "status": "affected", "version": "fe869cdb89c95d060c77eea20204d6c91f233b53", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "crypto/algif_hash.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.38" }, { "lessThan": "2.6.38", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.294", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.238", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.185", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.141", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.93", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.31", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.294", "versionStartIncluding": "2.6.38", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.238", "versionStartIncluding": "2.6.38", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.185", "versionStartIncluding": "2.6.38", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.141", "versionStartIncluding": "2.6.38", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.93", "versionStartIncluding": "2.6.38", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.31", "versionStartIncluding": "2.6.38", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.9", "versionStartIncluding": "2.6.38", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "2.6.38", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_hash - fix double free in hash_accept\n\nIf accept(2) is called on socket type algif_hash with\nMSG_MORE flag set and crypto_ahash_import fails,\nsk2 is freed. However, it is also freed in af_alg_release,\nleading to slab-use-after-free error." } ], "providerMetadata": { "dateUpdated": "2025-06-18T09:33:53.251Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5bff312b59b3f2a54ff504e4f4e47272b64f3633" }, { "url": "https://git.kernel.org/stable/c/bf7bba75b91539e93615f560893a599c1e1c98bf" }, { "url": "https://git.kernel.org/stable/c/c3059d58f79fdfb2201249c2741514e34562b547" }, { "url": "https://git.kernel.org/stable/c/f0f3d09f53534ea385d55ced408f2b67059b16e4" }, { "url": "https://git.kernel.org/stable/c/134daaba93193df9e988524b5cd2f52d15eb1993" }, { "url": "https://git.kernel.org/stable/c/2f45a8d64fb4ed4830a4b3273834ecd6ca504896" }, { "url": "https://git.kernel.org/stable/c/0346f4b742345d1c733c977f3a7aef5a6419a967" }, { "url": "https://git.kernel.org/stable/c/b2df03ed4052e97126267e8c13ad4204ea6ba9b6" } ], "title": "crypto: algif_hash - fix double free in hash_accept", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38079", "datePublished": "2025-06-18T09:33:53.251Z", "dateReserved": "2025-04-16T04:51:23.980Z", "dateUpdated": "2025-06-18T09:33:53.251Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-48385 (GCVE-0-2025-48385)
Vulnerability from cvelistv5
Published
2025-07-08 18:23
Modified
2025-07-08 18:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
References
▼ | URL | Tags |
---|---|---|
https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-48385", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-08T18:38:28.946672Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-08T18:38:41.309Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "git", "vendor": "git", "versions": [ { "status": "affected", "version": "\u003c 2.43.7" }, { "status": "affected", "version": "\u003e= 2.44.0-rc0, \u003c 2.44.4" }, { "status": "affected", "version": "\u003e= 2.45.0-rc0, \u003c 2.45.4" }, { "status": "affected", "version": "\u003e= 2.46.0-rc0, \u003c 2.46.4" }, { "status": "affected", "version": "\u003e= 2.47.0-rc0, \u003c 2.47.3" }, { "status": "affected", "version": "\u003e= 2.48.0-rc0, \u003c 2.48.2" }, { "status": "affected", "version": "\u003e= 2.49.0-rc0, \u003c 2.49.1" }, { "status": "affected", "version": "\u003e= 2.50.0-rc0, \u003c 2.50.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-08T18:23:44.405Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655" } ], "source": { "advisory": "GHSA-m98c-vgpc-9655", "discovery": "UNKNOWN" }, "title": "Git alllows arbitrary file writes via bundle-uri parameter injection" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-48385", "datePublished": "2025-07-08T18:23:44.405Z", "dateReserved": "2025-05-19T15:46:00.397Z", "dateUpdated": "2025-07-08T18:38:41.309Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-45332 (GCVE-0-2024-45332)
Vulnerability from cvelistv5
Published
2025-05-13 21:03
Modified
2025-05-14 13:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
- CWE-1423 - Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Summary
Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Intel(R) Processors |
Version: See references |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2025-05-14T13:53:21.208Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://www.openwall.com/lists/oss-security/2025/05/13/7" }, { "url": "https://comsec.ethz.ch/research/microarch/branch-privilege-injection/" } ], "title": "CVE Program Container", "x_generator": { "engine": "ADPogram 0.0.1" } }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-45332", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-14T13:56:46.683867Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-14T13:57:24.912Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Intel(R) Processors", "vendor": "n/a", "versions": [ { "status": "affected", "version": "See references" } ] } ], "descriptions": [ { "lang": "en", "value": "Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.7, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" }, { "cweId": "CWE-1423", "description": "Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T21:03:12.207Z", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel" }, "references": [ { "name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01247.html", "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01247.html" } ] } }, "cveMetadata": { "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2024-45332", "datePublished": "2025-05-13T21:03:12.207Z", "dateReserved": "2024-09-19T03:00:23.104Z", "dateUpdated": "2025-05-14T13:57:24.912Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-43420 (GCVE-0-2024-43420)
Vulnerability from cvelistv5
Published
2025-05-13 21:03
Modified
2025-05-14 14:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
- CWE-1423 - Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Summary
Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel Atom(R) processors may allow an authenticated user to potentially enable information disclosure via local access.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Intel Atom(R) processors |
Version: See references |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-43420", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-14T13:59:10.424631Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-14T14:01:31.886Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Intel Atom(R) processors", "vendor": "n/a", "versions": [ { "status": "affected", "version": "See references" } ] } ], "descriptions": [ { "lang": "en", "value": "Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel Atom(R) processors may allow an authenticated user to potentially enable information disclosure via local access." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.7, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" }, { "cweId": "CWE-1423", "description": "Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T21:03:09.384Z", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel" }, "references": [ { "name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01247.html", "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01247.html" } ] } }, "cveMetadata": { "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2024-43420", "datePublished": "2025-05-13T21:03:09.384Z", "dateReserved": "2024-09-19T03:00:23.071Z", "dateUpdated": "2025-05-14T14:01:31.886Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-50349 (GCVE-0-2024-50349)
Vulnerability from cvelistv5
Published
2025-01-14 18:43
Modified
2025-01-21 17:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
References
▼ | URL | Tags |
---|---|---|
https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr | x_refsource_CONFIRM | |
https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8 | x_refsource_MISC | |
https://github.com/git/git/commit/c903985bf7e772e2d08275c1a95c8a55ab011577 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-50349", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-14T19:22:40.959774Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-14T19:22:53.506Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "git", "vendor": "git", "versions": [ { "status": "affected", "version": "\u003c= 2.40.3" }, { "status": "affected", "version": "\u003e= 2.41.0, \u003c= 2.41.2" }, { "status": "affected", "version": "\u003e= 2.42.0, \u003c= 2.42.3" }, { "status": "affected", "version": "\u003e= 2.43.0, \u003c= 2.43.5" }, { "status": "affected", "version": "\u003e= 2.44.0, \u003c= 2.44.2" }, { "status": "affected", "version": "\u003e= 2.45.0, \u003c= 2.45.2" }, { "status": "affected", "version": "\u003e= 2.46.0, \u003c= 2.46.2" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.2" }, { "status": "affected", "version": "= 2.48.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker\u0027s control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.1, "baseSeverity": "LOW", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-147", "description": "CWE-147: Improper Neutralization of Input Terminators", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-150", "description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-21T17:02:46.639Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr" }, { "name": "https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8" }, { "name": "https://github.com/git/git/commit/c903985bf7e772e2d08275c1a95c8a55ab011577", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/git/git/commit/c903985bf7e772e2d08275c1a95c8a55ab011577" } ], "source": { "advisory": "GHSA-hmg8-h7qf-7cxr", "discovery": "UNKNOWN" }, "title": "Git does not sanitize URLs when asking for credentials interactively" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-50349", "datePublished": "2025-01-14T18:43:42.620Z", "dateReserved": "2024-10-22T17:54:40.957Z", "dateUpdated": "2025-01-21T17:02:46.639Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-49846 (GCVE-0-2022-49846)
Vulnerability from cvelistv5
Published
2025-05-01 14:10
Modified
2025-05-04 08:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
Syzbot reported a slab-out-of-bounds Write bug:
loop0: detected capacity change from 0 to 2048
==================================================================
BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0
fs/udf/namei.c:253
Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610
CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted
6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS
Google 10/11/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report+0xcd/0x100 mm/kasan/report.c:495
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
memcpy+0x3c/0x60 mm/kasan/shadow.c:66
udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253
udf_lookup+0xef/0x340 fs/udf/namei.c:309
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10e6/0x2df0 fs/namei.c:3710
do_filp_open+0x264/0x4f0 fs/namei.c:3740
do_sys_openat2+0x124/0x4e0 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_sys_creat fs/open.c:1402 [inline]
__se_sys_creat fs/open.c:1396 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1396
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ffab0d164d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9
RDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180
RBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000
R10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Allocated by task 3610:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:576 [inline]
udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243
udf_lookup+0xef/0x340 fs/udf/namei.c:309
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10e6/0x2df0 fs/namei.c:3710
do_filp_open+0x264/0x4f0 fs/namei.c:3740
do_sys_openat2+0x124/0x4e0 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_sys_creat fs/open.c:1402 [inline]
__se_sys_creat fs/open.c:1396 [inline]
__x64_sys_creat+0x11f/0x160 fs/open.c:1396
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880123ff800
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 150 bytes inside of
256-byte region [ffff8880123ff800, ffff8880123ff900)
The buggy address belongs to the physical page:
page:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x123fe
head:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(),
pid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0
create_dummy_stack mm/page_owner.c:
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 Version: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 Version: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 Version: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 Version: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 Version: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 Version: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 Version: 066b9cded00b8e3212df74a417bb074f3f3a1fe0 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/udf/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "583fdd98d94acba1e7225e5cc29063aef0741030", "status": "affected", "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0", "versionType": "git" }, { "lessThan": "f1517721c408631f09d54c743aa70cb07fd3eebd", "status": "affected", "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0", "versionType": "git" }, { "lessThan": "7a6051d734f1ed0031e2216f9a538621235c11a4", "status": "affected", "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0", "versionType": "git" }, { "lessThan": "d8971f410739a864c537e0ac29344a7b6c450232", "status": "affected", "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0", "versionType": "git" }, { "lessThan": "03f9582a6a2ebd25a440896475c968428c4b63e7", "status": "affected", "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0", "versionType": "git" }, { "lessThan": "c736ed8541605e3a25075bb1cbf8f38cb3083238", "status": "affected", "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0", "versionType": "git" }, { "lessThan": "ac79001b8e603226fab17240a79cb9ef679d3cd9", "status": "affected", "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0", "versionType": "git" }, { "lessThan": "c8af247de385ce49afabc3bf1cf4fd455c94bfe8", "status": "affected", "version": "066b9cded00b8e3212df74a417bb074f3f3a1fe0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/udf/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.6" }, { "lessThan": "4.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.334", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.300", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.267", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.225", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.155", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.79", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.334", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.300", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.267", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.225", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.155", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.79", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.9", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "4.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix a slab-out-of-bounds write bug in udf_find_entry()\n\nSyzbot reported a slab-out-of-bounds Write bug:\n\nloop0: detected capacity change from 0 to 2048\n==================================================================\nBUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0\nfs/udf/namei.c:253\nWrite of size 105 at addr ffff8880123ff896 by task syz-executor323/3610\n\nCPU: 0 PID: 3610 Comm: syz-executor323 Not tainted\n6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS\nGoogle 10/11/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:284\n print_report+0x107/0x1f0 mm/kasan/report.c:395\n kasan_report+0xcd/0x100 mm/kasan/report.c:495\n kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189\n memcpy+0x3c/0x60 mm/kasan/shadow.c:66\n udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253\n udf_lookup+0xef/0x340 fs/udf/namei.c:309\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_creat fs/open.c:1402 [inline]\n __se_sys_creat fs/open.c:1396 [inline]\n __x64_sys_creat+0x11f/0x160 fs/open.c:1396\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7ffab0d164d9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9\nRDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180\nRBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000\nR10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 3610:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n ____kasan_kmalloc mm/kasan/common.c:371 [inline]\n __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\n kmalloc include/linux/slab.h:576 [inline]\n udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243\n udf_lookup+0xef/0x340 fs/udf/namei.c:309\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_creat fs/open.c:1402 [inline]\n __se_sys_creat fs/open.c:1396 [inline]\n __x64_sys_creat+0x11f/0x160 fs/open.c:1396\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe buggy address belongs to the object at ffff8880123ff800\n which belongs to the cache kmalloc-256 of size 256\nThe buggy address is located 150 bytes inside of\n 256-byte region [ffff8880123ff800, ffff8880123ff900)\n\nThe buggy address belongs to the physical page:\npage:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000\nindex:0x0 pfn:0x123fe\nhead:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0\nflags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40\nraw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(),\npid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0\n create_dummy_stack mm/page_owner.c:\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-05-04T08:46:46.900Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/583fdd98d94acba1e7225e5cc29063aef0741030" }, { "url": "https://git.kernel.org/stable/c/f1517721c408631f09d54c743aa70cb07fd3eebd" }, { "url": "https://git.kernel.org/stable/c/7a6051d734f1ed0031e2216f9a538621235c11a4" }, { "url": "https://git.kernel.org/stable/c/d8971f410739a864c537e0ac29344a7b6c450232" }, { "url": "https://git.kernel.org/stable/c/03f9582a6a2ebd25a440896475c968428c4b63e7" }, { "url": "https://git.kernel.org/stable/c/c736ed8541605e3a25075bb1cbf8f38cb3083238" }, { "url": "https://git.kernel.org/stable/c/ac79001b8e603226fab17240a79cb9ef679d3cd9" }, { "url": "https://git.kernel.org/stable/c/c8af247de385ce49afabc3bf1cf4fd455c94bfe8" } ], "title": "udf: Fix a slab-out-of-bounds write bug in udf_find_entry()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-49846", "datePublished": "2025-05-01T14:10:00.703Z", "dateReserved": "2025-05-01T14:05:17.230Z", "dateUpdated": "2025-05-04T08:46:46.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-53920 (GCVE-0-2024-53920)
Vulnerability from cvelistv5
Published
2024-11-27 00:00
Modified
2025-03-13 19:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:gnu:emacs:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "emacs", "vendor": "gnu", "versions": [ { "status": "affected", "version": "30.0.92" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-53920", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-02T16:55:56.437957Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-13T19:25:55.594Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-01T05:20:27.548Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4" }, { "url": "https://git.savannah.gnu.org/cgit/emacs.git/tag/?h=emacs-30.0.92" }, { "url": "https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html" }, { "url": "https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com/" }, { "url": "https://news.ycombinator.com/item?id=42256409" }, { "url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-53920", "datePublished": "2024-11-27T00:00:00.000Z", "dateReserved": "2024-11-25T00:00:00.000Z", "dateUpdated": "2025-03-13T19:25:55.594Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-52006 (GCVE-0-2024-52006)
Vulnerability from cvelistv5
Published
2025-01-14 18:39
Modified
2025-01-21 17:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
References
▼ | URL | Tags |
---|---|---|
https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp | x_refsource_CONFIRM | |
https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g | x_refsource_MISC | |
https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q | x_refsource_MISC | |
https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-52006", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-14T18:52:03.897787Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-14T18:52:11.014Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "git", "vendor": "git", "versions": [ { "status": "affected", "version": "\u003c= 2.40.3" }, { "status": "affected", "version": "\u003e= 2.41.0, \u003c= 2.41.2" }, { "status": "affected", "version": "\u003e= 2.42.0, \u003c= 2.42.3" }, { "status": "affected", "version": "\u003e= 2.43.0, \u003c= 2.43.5" }, { "status": "affected", "version": "\u003e= 2.44.0, \u003c= 2.44.2" }, { "status": "affected", "version": "\u003e= 2.45.0, \u003c= 2.45.2" }, { "status": "affected", "version": "\u003e= 2.46.0, \u003c= 2.46.2" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.2" }, { "status": "affected", "version": "= 2.48.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.1, "baseSeverity": "LOW", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-147", "description": "CWE-147: Improper Neutralization of Input Terminators", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-150", "description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-21T17:03:14.854Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp" }, { "name": "https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g" }, { "name": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q" }, { "name": "https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060" } ], "source": { "advisory": "GHSA-r5ph-xg7q-xfrp", "discovery": "UNKNOWN" }, "title": "Newline confusion in credential helpers can lead to credential exfiltration in git" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52006", "datePublished": "2025-01-14T18:39:52.748Z", "dateReserved": "2024-11-04T17:46:16.779Z", "dateUpdated": "2025-01-21T17:03:14.854Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-52533 (GCVE-0-2024-52533)
Vulnerability from cvelistv5
Published
2024-11-11 00:00
Modified
2024-12-06 13:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "glib", "vendor": "gnome", "versions": [ { "lessThan": "2.82.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-52533", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T15:46:58.614686Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-12T15:49:33.348Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-12-06T13:09:32.561Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://www.openwall.com/lists/oss-security/2024/11/12/11" }, { "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00020.html" }, { "url": "https://security.netapp.com/advisory/ntap-20241206-0009/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing \u0027\\0\u0027 character." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-11T22:57:28.795674", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home" }, { "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3461" }, { "url": "https://gitlab.gnome.org/GNOME/glib/-/releases/2.82.1" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-52533", "datePublished": "2024-11-11T00:00:00", "dateReserved": "2024-11-11T00:00:00", "dateUpdated": "2024-12-06T13:09:32.561Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-49136 (GCVE-0-2022-49136)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 08:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set
hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has
been set as that means hci_unregister_dev has been called so it will
likely cause a uaf after the timeout as the hdev will be freed.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-49136", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-27T17:59:07.674181Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-27T18:02:29.693Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_sync.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1c69ef84a808676cceb69210addf5df45b741323", "status": "affected", "version": "6a98e3836fa2077b169f10a35c2ca9952d53f987", "versionType": "git" }, { "lessThan": "0b94f2651f56b9e4aa5f012b0d7eb57308c773cf", "status": "affected", "version": "6a98e3836fa2077b169f10a35c2ca9952d53f987", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_sync.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.17" }, { "lessThan": "5.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.17.*", "status": "unaffected", "version": "5.17.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.18", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.17.3", "versionStartIncluding": "5.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.18", "versionStartIncluding": "5.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set\n\nhci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has\nbeen set as that means hci_unregister_dev has been called so it will\nlikely cause a uaf after the timeout as the hdev will be freed." } ], "providerMetadata": { "dateUpdated": "2025-05-04T08:30:46.681Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1c69ef84a808676cceb69210addf5df45b741323" }, { "url": "https://git.kernel.org/stable/c/0b94f2651f56b9e4aa5f012b0d7eb57308c773cf" } ], "title": "Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-49136", "datePublished": "2025-02-26T01:55:09.345Z", "dateReserved": "2025-02-26T01:49:39.268Z", "dateUpdated": "2025-05-04T08:30:46.681Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-21928 (GCVE-0-2025-21928)
Vulnerability from cvelistv5
Published
2025-04-01 15:40
Modified
2025-05-04 07:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
The system can experience a random crash a few minutes after the driver is
removed. This issue occurs due to improper handling of memory freeing in
the ishtp_hid_remove() function.
The function currently frees the `driver_data` directly within the loop
that destroys the HID devices, which can lead to accessing freed memory.
Specifically, `hid_destroy_device()` uses `driver_data` when it calls
`hid_ishtp_set_feature()` to power off the sensor, so freeing
`driver_data` beforehand can result in accessing invalid memory.
This patch resolves the issue by storing the `driver_data` in a temporary
variable before calling `hid_destroy_device()`, and then freeing the
`driver_data` after the device is destroyed.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 Version: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 Version: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 Version: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 Version: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 Version: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 Version: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 Version: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 |
||||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-21928", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T13:15:05.405186Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-16T13:19:52.863Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/intel-ish-hid/ishtp-hid.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d", "status": "affected", "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6", "versionType": "git" }, { "lessThan": "d3faae7f42181865c799d88c5054176f38ae4625", "status": "affected", "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6", "versionType": "git" }, { "lessThan": "01b18a330cda61cc21423a7d1af92cf31ded8f60", "status": "affected", "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6", "versionType": "git" }, { "lessThan": "cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394", "status": "affected", "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6", "versionType": "git" }, { "lessThan": "560f4d1299342504a6ab8a47f575b5e6b8345ada", "status": "affected", "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6", "versionType": "git" }, { "lessThan": "dea6a349bcaf243fff95dfd0428a26be6a0fb44e", "status": "affected", "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6", "versionType": "git" }, { "lessThan": "eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9", "status": "affected", "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6", "versionType": "git" }, { "lessThan": "07583a0010696a17fb0942e0b499a62785c5fc9f", "status": "affected", "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/intel-ish-hid/ishtp-hid.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.9" }, { "lessThan": "4.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.291", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.235", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.179", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.131", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.83", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.19", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.291", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.235", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.179", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.131", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.83", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.19", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.7", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14", "versionStartIncluding": "4.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()\n\nThe system can experience a random crash a few minutes after the driver is\nremoved. This issue occurs due to improper handling of memory freeing in\nthe ishtp_hid_remove() function.\n\nThe function currently frees the `driver_data` directly within the loop\nthat destroys the HID devices, which can lead to accessing freed memory.\nSpecifically, `hid_destroy_device()` uses `driver_data` when it calls\n`hid_ishtp_set_feature()` to power off the sensor, so freeing\n`driver_data` beforehand can result in accessing invalid memory.\n\nThis patch resolves the issue by storing the `driver_data` in a temporary\nvariable before calling `hid_destroy_device()`, and then freeing the\n`driver_data` after the device is destroyed." } ], "providerMetadata": { "dateUpdated": "2025-05-04T07:24:45.899Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d" }, { "url": "https://git.kernel.org/stable/c/d3faae7f42181865c799d88c5054176f38ae4625" }, { "url": "https://git.kernel.org/stable/c/01b18a330cda61cc21423a7d1af92cf31ded8f60" }, { "url": "https://git.kernel.org/stable/c/cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394" }, { "url": "https://git.kernel.org/stable/c/560f4d1299342504a6ab8a47f575b5e6b8345ada" }, { "url": "https://git.kernel.org/stable/c/dea6a349bcaf243fff95dfd0428a26be6a0fb44e" }, { "url": "https://git.kernel.org/stable/c/eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9" }, { "url": "https://git.kernel.org/stable/c/07583a0010696a17fb0942e0b499a62785c5fc9f" } ], "title": "HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-21928", "datePublished": "2025-04-01T15:40:59.033Z", "dateReserved": "2024-12-29T08:45:45.788Z", "dateUpdated": "2025-05-04T07:24:45.899Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-22004 (GCVE-0-2025-22004)
Vulnerability from cvelistv5
Published
2025-04-03 07:19
Modified
2025-05-04 07:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: atm: fix use after free in lec_send()
The ->send() operation frees skb so save the length before calling
->send() to avoid a use after free.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-22004", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-03T15:25:36.800582Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-03T15:27:39.003Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/atm/lec.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "50e288097c2c6e5f374ae079394436fc29d1e88e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8cd90c7db08f32829bfa1b5b2b11fbc542afbab7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "82d9084a97892de1ee4881eb5c17911fcd9be6f6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "51e8be9578a2e74f9983d8fd8de8cafed191f30c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9566f6ee13b17a15d0a47667ad1b1893c539f730", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "326223182e4703cde99fdbd36d07d0b3de9980fb", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f3271f7548385e0096739965961c7cbf7e6b4762", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f3009d0d6ab78053117f8857b921a8237f4d17b3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/atm/lec.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.292", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.236", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.180", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.132", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.85", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.21", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.292", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.236", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.180", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.132", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.85", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.21", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.9", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14", "versionStartIncluding": "2.6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix use after free in lec_send()\n\nThe -\u003esend() operation frees skb so save the length before calling\n-\u003esend() to avoid a use after free." } ], "providerMetadata": { "dateUpdated": "2025-05-04T07:27:15.270Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/50e288097c2c6e5f374ae079394436fc29d1e88e" }, { "url": "https://git.kernel.org/stable/c/8cd90c7db08f32829bfa1b5b2b11fbc542afbab7" }, { "url": "https://git.kernel.org/stable/c/82d9084a97892de1ee4881eb5c17911fcd9be6f6" }, { "url": "https://git.kernel.org/stable/c/51e8be9578a2e74f9983d8fd8de8cafed191f30c" }, { "url": "https://git.kernel.org/stable/c/9566f6ee13b17a15d0a47667ad1b1893c539f730" }, { "url": "https://git.kernel.org/stable/c/326223182e4703cde99fdbd36d07d0b3de9980fb" }, { "url": "https://git.kernel.org/stable/c/f3271f7548385e0096739965961c7cbf7e6b4762" }, { "url": "https://git.kernel.org/stable/c/f3009d0d6ab78053117f8857b921a8237f4d17b3" } ], "title": "net: atm: fix use after free in lec_send()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-22004", "datePublished": "2025-04-03T07:19:06.022Z", "dateReserved": "2024-12-29T08:45:45.802Z", "dateUpdated": "2025-05-04T07:27:15.270Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-23150 (GCVE-0-2025-23150)
Vulnerability from cvelistv5
Published
2025-05-01 12:55
Modified
2025-05-26 05:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix off-by-one error in do_split
Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.
BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
vfs_symlink+0x137/0x2e0 fs/namei.c:4615
do_symlinkat+0x222/0x3a0 fs/namei.c:4641
__do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
The following loop is located right above 'if' statement.
for (i = count-1; i >= 0; i--) {
/* is more than half of this entry in 2nd half of the block? */
if (size + map[i].size/2 > blocksize/2)
break;
size += map[i].size;
move++;
}
'i' in this case could go down to -1, in which case sum of active entries
wouldn't exceed half the block size, but previous behaviour would also do
split in half if sum would exceed at the very last block, which in case of
having too many long name files in a single block could lead to
out-of-bounds access and following use-after-free.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ea54176e5821936d109bb45dc2c19bd53559e735 Version: 5872331b3d91820e14716632ebb56b1399b34fe1 Version: 5872331b3d91820e14716632ebb56b1399b34fe1 Version: 5872331b3d91820e14716632ebb56b1399b34fe1 Version: 5872331b3d91820e14716632ebb56b1399b34fe1 Version: 5872331b3d91820e14716632ebb56b1399b34fe1 Version: 5872331b3d91820e14716632ebb56b1399b34fe1 Version: 5872331b3d91820e14716632ebb56b1399b34fe1 Version: 5872331b3d91820e14716632ebb56b1399b34fe1 Version: 059b1480105478c5f68cf664301545b8cad6a7cf Version: 539ae3e03875dacaa9c388aff141ccbb4ef4ecb5 Version: fbbfd55a40d5d0806b59ee0403c75d5ac517533f Version: b3ddf6ba5e28a57729fff1605ae08e21be5c92e3 Version: e50fe43e3062e18846e99d9646b9c07b097eb1ed Version: 88e79f7a9841278fa8ff7ff6178bad12da002ffc |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b96bd2c3db26ad0daec5b78c85c098b53900e2e1", "status": "affected", "version": "ea54176e5821936d109bb45dc2c19bd53559e735", "versionType": "git" }, { "lessThan": "515c34cff899eb5dae6aa7eee01c1295b07d81af", "status": "affected", "version": "5872331b3d91820e14716632ebb56b1399b34fe1", "versionType": "git" }, { "lessThan": "2883e9e74f73f9265e5f8d1aaaa89034b308e433", "status": "affected", "version": "5872331b3d91820e14716632ebb56b1399b34fe1", "versionType": "git" }, { "lessThan": "35d0aa6db9d93307085871ceab8a729594a98162", "status": "affected", "version": "5872331b3d91820e14716632ebb56b1399b34fe1", "versionType": "git" }, { "lessThan": "2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f", "status": "affected", "version": "5872331b3d91820e14716632ebb56b1399b34fe1", "versionType": "git" }, { "lessThan": "16d9067f00e3a7d1df7c3aa9c20d214923d27e10", "status": "affected", "version": "5872331b3d91820e14716632ebb56b1399b34fe1", "versionType": "git" }, { "lessThan": "17df39f455f1289319d4d09e4826aa46852ffd17", "status": "affected", "version": "5872331b3d91820e14716632ebb56b1399b34fe1", "versionType": "git" }, { "lessThan": "ab0cc5c25552ae0d20eae94b40a93be11b080fc5", "status": "affected", "version": "5872331b3d91820e14716632ebb56b1399b34fe1", "versionType": "git" }, { "lessThan": "94824ac9a8aaf2fb3c54b4bdde842db80ffa555d", "status": "affected", "version": "5872331b3d91820e14716632ebb56b1399b34fe1", "versionType": "git" }, { "status": "affected", "version": "059b1480105478c5f68cf664301545b8cad6a7cf", "versionType": "git" }, { "status": "affected", "version": "539ae3e03875dacaa9c388aff141ccbb4ef4ecb5", "versionType": "git" }, { "status": "affected", "version": "fbbfd55a40d5d0806b59ee0403c75d5ac517533f", "versionType": "git" }, { "status": "affected", "version": "b3ddf6ba5e28a57729fff1605ae08e21be5c92e3", "versionType": "git" }, { "status": "affected", "version": "e50fe43e3062e18846e99d9646b9c07b097eb1ed", "versionType": "git" }, { "status": "affected", "version": "88e79f7a9841278fa8ff7ff6178bad12da002ffc", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.293", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.237", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.181", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.135", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.88", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.24", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.12", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.293", "versionStartIncluding": "5.4.61", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.237", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.181", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.135", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.88", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.24", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.12", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.3", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.234", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.234", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.195", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.142", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one error in do_split\n\nSyzkaller detected a use-after-free issue in ext4_insert_dentry that was\ncaused by out-of-bounds access due to incorrect splitting in do_split.\n\nBUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\nWrite of size 251 at addr ffff888074572f14 by task syz-executor335/5847\n\nCPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109\n add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154\n make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351\n ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455\n ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796\n ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431\n vfs_symlink+0x137/0x2e0 fs/namei.c:4615\n do_symlinkat+0x222/0x3a0 fs/namei.c:4641\n __do_sys_symlink fs/namei.c:4662 [inline]\n __se_sys_symlink fs/namei.c:4660 [inline]\n __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nThe following loop is located right above \u0027if\u0027 statement.\n\nfor (i = count-1; i \u003e= 0; i--) {\n\t/* is more than half of this entry in 2nd half of the block? */\n\tif (size + map[i].size/2 \u003e blocksize/2)\n\t\tbreak;\n\tsize += map[i].size;\n\tmove++;\n}\n\n\u0027i\u0027 in this case could go down to -1, in which case sum of active entries\nwouldn\u0027t exceed half the block size, but previous behaviour would also do\nsplit in half if sum would exceed at the very last block, which in case of\nhaving too many long name files in a single block could lead to\nout-of-bounds access and following use-after-free.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller." } ], "providerMetadata": { "dateUpdated": "2025-05-26T05:19:31.900Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b96bd2c3db26ad0daec5b78c85c098b53900e2e1" }, { "url": "https://git.kernel.org/stable/c/515c34cff899eb5dae6aa7eee01c1295b07d81af" }, { "url": "https://git.kernel.org/stable/c/2883e9e74f73f9265e5f8d1aaaa89034b308e433" }, { "url": "https://git.kernel.org/stable/c/35d0aa6db9d93307085871ceab8a729594a98162" }, { "url": "https://git.kernel.org/stable/c/2eeb1085bf7bd5c7ba796ca4119925fa5d336a3f" }, { "url": "https://git.kernel.org/stable/c/16d9067f00e3a7d1df7c3aa9c20d214923d27e10" }, { "url": "https://git.kernel.org/stable/c/17df39f455f1289319d4d09e4826aa46852ffd17" }, { "url": "https://git.kernel.org/stable/c/ab0cc5c25552ae0d20eae94b40a93be11b080fc5" }, { "url": "https://git.kernel.org/stable/c/94824ac9a8aaf2fb3c54b4bdde842db80ffa555d" } ], "title": "ext4: fix off-by-one error in do_split", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-23150", "datePublished": "2025-05-01T12:55:38.190Z", "dateReserved": "2025-01-11T14:28:41.513Z", "dateUpdated": "2025-05-26T05:19:31.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-37738 (GCVE-0-2025-37738)
Vulnerability from cvelistv5
Published
2025-05-01 12:55
Modified
2025-05-26 05:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: ignore xattrs past end
Once inside 'ext4_xattr_inode_dec_ref_all' we should
ignore xattrs entries past the 'end' entry.
This fixes the following KASAN reported issue:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
Read of size 4 at addr ffff888012c120c4 by task repro/2065
CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x1fd/0x300
? tcp_gro_dev_warn+0x260/0x260
? _printk+0xc0/0x100
? read_lock_is_recursive+0x10/0x10
? irq_work_queue+0x72/0xf0
? __virt_addr_valid+0x17b/0x4b0
print_address_description+0x78/0x390
print_report+0x107/0x1f0
? __virt_addr_valid+0x17b/0x4b0
? __virt_addr_valid+0x3ff/0x4b0
? __phys_addr+0xb5/0x160
? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
kasan_report+0xcc/0x100
? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
? ext4_xattr_delete_inode+0xd30/0xd30
? __ext4_journal_ensure_credits+0x5f0/0x5f0
? __ext4_journal_ensure_credits+0x2b/0x5f0
? inode_update_timestamps+0x410/0x410
ext4_xattr_delete_inode+0xb64/0xd30
? ext4_truncate+0xb70/0xdc0
? ext4_expand_extra_isize_ea+0x1d20/0x1d20
? __ext4_mark_inode_dirty+0x670/0x670
? ext4_journal_check_start+0x16f/0x240
? ext4_inode_is_fast_symlink+0x2f2/0x3a0
ext4_evict_inode+0xc8c/0xff0
? ext4_inode_is_fast_symlink+0x3a0/0x3a0
? do_raw_spin_unlock+0x53/0x8a0
? ext4_inode_is_fast_symlink+0x3a0/0x3a0
evict+0x4ac/0x950
? proc_nr_inodes+0x310/0x310
? trace_ext4_drop_inode+0xa2/0x220
? _raw_spin_unlock+0x1a/0x30
? iput+0x4cb/0x7e0
do_unlinkat+0x495/0x7c0
? try_break_deleg+0x120/0x120
? 0xffffffff81000000
? __check_object_size+0x15a/0x210
? strncpy_from_user+0x13e/0x250
? getname_flags+0x1dc/0x530
__x64_sys_unlinkat+0xc8/0xf0
do_syscall_64+0x65/0x110
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x434ffd
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
</TASK>
The buggy address belongs to the object at ffff888012c12000
which belongs to the cache filp of size 360
The buggy address is located 196 bytes inside of
freed 360-byte region [ffff888012c12000, ffff888012c12168)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x40(head|node=0|zone=0)
page_type: f5(slab)
raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff888012c12180: fc fc fc fc fc fc fc fc fc
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/xattr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6aff941cb0f7d0c897c3698ad2e30672709135e3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f737418b6de31c962c7192777ee4018906975383", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "cf9291a3449b04688b81e32621e88de8f4314b54", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "362a90cecd36e8a5c415966d0b75b04a0270e4dd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "eb59cc31b6ea076021d14b04e7faab1636b87d0e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3bc6317033f365ce578eb6039445fb66162722fd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "836e625b03a666cf93ff5be328c8cb30336db872", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/xattr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.293", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.237", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.181", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.135", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.88", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.24", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.12", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.293", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.237", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.181", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.135", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.88", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.24", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: ignore xattrs past end\n\nOnce inside \u0027ext4_xattr_inode_dec_ref_all\u0027 we should\nignore xattrs entries past the \u0027end\u0027 entry.\n\nThis fixes the following KASAN reported issue:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\nRead of size 4 at addr ffff888012c120c4 by task repro/2065\n\nCPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x1fd/0x300\n ? tcp_gro_dev_warn+0x260/0x260\n ? _printk+0xc0/0x100\n ? read_lock_is_recursive+0x10/0x10\n ? irq_work_queue+0x72/0xf0\n ? __virt_addr_valid+0x17b/0x4b0\n print_address_description+0x78/0x390\n print_report+0x107/0x1f0\n ? __virt_addr_valid+0x17b/0x4b0\n ? __virt_addr_valid+0x3ff/0x4b0\n ? __phys_addr+0xb5/0x160\n ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n kasan_report+0xcc/0x100\n ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n ext4_xattr_inode_dec_ref_all+0xb8c/0xe90\n ? ext4_xattr_delete_inode+0xd30/0xd30\n ? __ext4_journal_ensure_credits+0x5f0/0x5f0\n ? __ext4_journal_ensure_credits+0x2b/0x5f0\n ? inode_update_timestamps+0x410/0x410\n ext4_xattr_delete_inode+0xb64/0xd30\n ? ext4_truncate+0xb70/0xdc0\n ? ext4_expand_extra_isize_ea+0x1d20/0x1d20\n ? __ext4_mark_inode_dirty+0x670/0x670\n ? ext4_journal_check_start+0x16f/0x240\n ? ext4_inode_is_fast_symlink+0x2f2/0x3a0\n ext4_evict_inode+0xc8c/0xff0\n ? ext4_inode_is_fast_symlink+0x3a0/0x3a0\n ? do_raw_spin_unlock+0x53/0x8a0\n ? ext4_inode_is_fast_symlink+0x3a0/0x3a0\n evict+0x4ac/0x950\n ? proc_nr_inodes+0x310/0x310\n ? trace_ext4_drop_inode+0xa2/0x220\n ? _raw_spin_unlock+0x1a/0x30\n ? iput+0x4cb/0x7e0\n do_unlinkat+0x495/0x7c0\n ? try_break_deleg+0x120/0x120\n ? 0xffffffff81000000\n ? __check_object_size+0x15a/0x210\n ? strncpy_from_user+0x13e/0x250\n ? getname_flags+0x1dc/0x530\n __x64_sys_unlinkat+0xc8/0xf0\n do_syscall_64+0x65/0x110\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x434ffd\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8\nRSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107\nRAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd\nRDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005\nRBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001\n \u003c/TASK\u003e\n\nThe buggy address belongs to the object at ffff888012c12000\n which belongs to the cache filp of size 360\nThe buggy address is located 196 bytes inside of\n freed 360-byte region [ffff888012c12000, ffff888012c12168)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12\nhead: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x40(head|node=0|zone=0)\npage_type: f5(slab)\nraw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004\nraw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000\nhead: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004\nhead: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000\nhead: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000\nhead: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003e ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc\n ffff888012c12180: fc fc fc fc fc fc fc fc fc\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-05-26T05:19:49.644Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6aff941cb0f7d0c897c3698ad2e30672709135e3" }, { "url": "https://git.kernel.org/stable/c/76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3" }, { "url": "https://git.kernel.org/stable/c/f737418b6de31c962c7192777ee4018906975383" }, { "url": "https://git.kernel.org/stable/c/cf9291a3449b04688b81e32621e88de8f4314b54" }, { "url": "https://git.kernel.org/stable/c/362a90cecd36e8a5c415966d0b75b04a0270e4dd" }, { "url": "https://git.kernel.org/stable/c/eb59cc31b6ea076021d14b04e7faab1636b87d0e" }, { "url": "https://git.kernel.org/stable/c/3bc6317033f365ce578eb6039445fb66162722fd" }, { "url": "https://git.kernel.org/stable/c/836e625b03a666cf93ff5be328c8cb30336db872" }, { "url": "https://git.kernel.org/stable/c/c8e008b60492cf6fd31ef127aea6d02fd3d314cd" } ], "title": "ext4: ignore xattrs past end", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-37738", "datePublished": "2025-05-01T12:55:47.981Z", "dateReserved": "2025-04-16T04:51:23.935Z", "dateUpdated": "2025-05-26T05:19:49.644Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-4373 (GCVE-0-2025-4373)
Vulnerability from cvelistv5
Published
2025-05-06 14:48
Modified
2025-09-02 03:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-124 - Buffer Underwrite ('Buffer Underflow')
Summary
A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.
References
Impacted products
Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ |
Version: 0 ≤ |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4373", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-06T15:09:21.791020Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-06T15:09:46.724Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://gitlab.gnome.org/GNOME/glib", "defaultStatus": "unaffected", "packageName": "glib", "versions": [ { "lessThan": "2.84.2", "status": "affected", "version": "0", "versionType": "semver" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10.0" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.80.4-4.el10_0.6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/o:redhat:enterprise_linux:8::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-166.el8_10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:8.2::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-8.el8_2.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-10.el8_4.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-10.el8_4.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/o:redhat:rhel_e4s:8.6::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-158.el8_6.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/o:redhat:rhel_e4s:8.6::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-158.el8_6.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.6::baseos", "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/o:redhat:rhel_e4s:8.6::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-158.el8_6.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-162.el8_8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.56.4-162.el8_8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/a:redhat:enterprise_linux:9::crb" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.68.4-16.el9_6.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/a:redhat:enterprise_linux:9::crb" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.68.4-16.el9_6.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:9.0::appstream", "cpe:/o:redhat:rhel_e4s:9.0::baseos" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.68.4-5.el9_0.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_e4s:9.2::baseos", "cpe:/a:redhat:rhel_e4s:9.2::appstream" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.68.4-7.el9_2.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus:9.4::baseos", "cpe:/a:redhat:rhel_eus:9.4::crb", "cpe:/a:redhat:rhel_eus:9.4::appstream" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.68.4-14.el9_4.3", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:insights_proxy:1.5::el9" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/insights-proxy/insights-proxy-container-rhel9", "product": "Red Hat Insights proxy 1.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:e54a5a5f9d69dd6a03e2bcd845e2202910a188d266d4a79b12c387ceffc36f2d", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-agent-rhel8", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:31e117f467424af472a05c52c52397e949cf7838bce643a3d9d24c0f57a06458", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-all-in-one-rhel8", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:3b00e2fec645e140fa304e5823bcb1d0fcd1ddac7f4cbf6e9a9c0fbeaf29682d", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-collector-rhel8", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:a15009fde9c0a63168d82fb07363d2c6ce05f2096dc1a9992a09fe1d76bcf4a7", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-es-index-cleaner-rhel8", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:caadc05a8195f41d48d502458183cef05a1011c6edee343ac212b873ae98c763", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-es-rollover-rhel8", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:b91fe4769ad1e0cf809e3db4d494a5526608b2fa2114fc5e28624372858bb203", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-ingester-rhel8", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:8c5dddd29d08fe8234edbbcda055fe6b0f9a7d7a0edfc3cd130797fdf78cce5c", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-operator-bundle", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:be3feca3b19ac609e5ef829887b6d03ca3c504163ed0f9e10b2410cdfb175b72", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-query-rhel8", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:3d37f30462f237f5087ef8ac90e39f5cd2cbaf5c143f7cae9d6155eb574726f2", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/rhosdt/jaeger-rhel8-operator", "product": "Red Hat OpenShift distributed tracing 3.6.1", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:b29bd499f9889e6de6728e4f8e5d18bf59ed8bd46c6fb598bf6fee150bf49449", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10" ], "defaultStatus": "affected", "packageName": "bootc", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10" ], "defaultStatus": "affected", "packageName": "glycin-loaders", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10" ], "defaultStatus": "affected", "packageName": "loupe", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10" ], "defaultStatus": "affected", "packageName": "mingw-glib2", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "affected", "packageName": "glib2", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "affected", "packageName": "librsvg2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "affected", "packageName": "mingw-glib2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "affected", "packageName": "bootc", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "affected", "packageName": "librsvg2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "affected", "packageName": "mingw-glib2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" } ], "datePublic": "2025-05-06T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-124", "description": "Buffer Underwrite (\u0027Buffer Underflow\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-02T03:01:03.963Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2025:10855", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10855" }, { "name": "RHSA-2025:11140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:11140" }, { "name": "RHSA-2025:11327", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:11327" }, { "name": "RHSA-2025:11373", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:11373" }, { "name": "RHSA-2025:11374", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:11374" }, { "name": "RHSA-2025:11662", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:11662" }, { "name": "RHSA-2025:12275", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12275" }, { "name": "RHSA-2025:13335", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13335" }, { "name": "RHSA-2025:14988", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14988" }, { "name": "RHSA-2025:14989", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14989" }, { "name": "RHSA-2025:14990", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14990" }, { "name": "RHSA-2025:14991", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:14991" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2025-4373" }, { "name": "RHBZ#2364265", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364265" }, { "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3677" } ], "timeline": [ { "lang": "en", "time": "2025-05-06T00:33:30.003000+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2025-05-06T00:00:00+00:00", "value": "Made public." } ], "title": "Glib: buffer underflow on glib through glib/gstring.c via function g_string_insert_unichar", "workarounds": [ { "lang": "en", "value": "Currently, no mitigation is available for this vulnerability." } ], "x_redhatCweChain": "CWE-124: Buffer Underwrite (\u0027Buffer Underflow\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2025-4373", "datePublished": "2025-05-06T14:48:39.264Z", "dateReserved": "2025-05-06T00:35:29.069Z", "dateUpdated": "2025-09-02T03:01:03.963Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50020 (GCVE-0-2022-50020)
Vulnerability from cvelistv5
Published
2025-06-18 11:01
Modified
2025-06-18 11:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid resizing to a partial cluster size
This patch avoids an attempt to resize the filesystem to an
unaligned cluster boundary. An online resize to a size that is not
integral to cluster size results in the last iteration attempting to
grow the fs by a negative amount, which trips a BUG_ON and leaves the fs
with a corrupted in-memory superblock.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/resize.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "53f62a4201be1cfc1e3c971e566888b182c3ffb0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "952b3dc02baaae6a69c71c0aca23e06741182d9a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7bdfb01fc5f6b3696728aeb527c50386e0ee09a1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a6805b3dcf5cd41f2ae3a03dca43411135b99849", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "80288883294c5b4ed18bae0d8bd9c4a12f297074", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "72b850a2a996f72541172e7cf686d54a2b29bcd8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0082e99a9074ff88eff729c70c93454c8588d8e1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/resize.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.326", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.291", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.256", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.211", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.138", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.63", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.0", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.326", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.291", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.256", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.211", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.138", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.63", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid resizing to a partial cluster size\n\nThis patch avoids an attempt to resize the filesystem to an\nunaligned cluster boundary. An online resize to a size that is not\nintegral to cluster size results in the last iteration attempting to\ngrow the fs by a negative amount, which trips a BUG_ON and leaves the fs\nwith a corrupted in-memory superblock." } ], "providerMetadata": { "dateUpdated": "2025-06-18T11:01:24.227Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/53f62a4201be1cfc1e3c971e566888b182c3ffb0" }, { "url": "https://git.kernel.org/stable/c/952b3dc02baaae6a69c71c0aca23e06741182d9a" }, { "url": "https://git.kernel.org/stable/c/7bdfb01fc5f6b3696728aeb527c50386e0ee09a1" }, { "url": "https://git.kernel.org/stable/c/a6805b3dcf5cd41f2ae3a03dca43411135b99849" }, { "url": "https://git.kernel.org/stable/c/80288883294c5b4ed18bae0d8bd9c4a12f297074" }, { "url": "https://git.kernel.org/stable/c/72b850a2a996f72541172e7cf686d54a2b29bcd8" }, { "url": "https://git.kernel.org/stable/c/0082e99a9074ff88eff729c70c93454c8588d8e1" }, { "url": "https://git.kernel.org/stable/c/69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd" } ], "title": "ext4: avoid resizing to a partial cluster size", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50020", "datePublished": "2025-06-18T11:01:24.227Z", "dateReserved": "2025-06-18T10:57:27.393Z", "dateUpdated": "2025-06-18T11:01:24.227Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-46835 (GCVE-0-2025-46835)
Vulnerability from cvelistv5
Published
2025-07-10 15:09
Modified
2025-07-10 15:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Summary
Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-46835", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-10T15:53:11.968495Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-10T15:53:21.530Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "git-gui", "vendor": "j6t", "versions": [ { "status": "affected", "version": "\u003c 2.43.7" }, { "status": "affected", "version": "\u003e= 2.44.0, \u003c 2.44.4" }, { "status": "affected", "version": "\u003e= 2.45.0, \u003c 2.45.4" }, { "status": "affected", "version": "\u003e= 2.46.0, \u003c 2.46.4" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.3" }, { "status": "affected", "version": "\u003e= 2.48.0, \u003c 2.48.2" }, { "status": "affected", "version": "\u003e= 2.49.0, \u003c 2.49.1" }, { "status": "affected", "version": "\u003e= 2.50.0, \u003c 2.50.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-10T15:09:42.735Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg" }, { "name": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da" } ], "source": { "advisory": "GHSA-xfx7-68v4-v8fg", "discovery": "UNKNOWN" }, "title": "Git GUI can create and overwrite files for which the user has write permission" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-46835", "datePublished": "2025-07-10T15:09:42.735Z", "dateReserved": "2025-04-30T19:41:58.135Z", "dateUpdated": "2025-07-10T15:53:21.530Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-21905 (GCVE-0-2025-21905)
Vulnerability from cvelistv5
Published
2025-04-01 15:40
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: limit printed string from FW file
There's no guarantee here that the file is always with a
NUL-termination, so reading the string may read beyond the
end of the TLV. If that's the last TLV in the file, it can
perhaps even read beyond the end of the file buffer.
Fix that by limiting the print format to the size of the
buffer we have.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: aee1b6385e29e472ae5592b9652b750a29bf702e Version: aee1b6385e29e472ae5592b9652b750a29bf702e Version: aee1b6385e29e472ae5592b9652b750a29bf702e Version: aee1b6385e29e472ae5592b9652b750a29bf702e Version: aee1b6385e29e472ae5592b9652b750a29bf702e Version: aee1b6385e29e472ae5592b9652b750a29bf702e Version: aee1b6385e29e472ae5592b9652b750a29bf702e Version: aee1b6385e29e472ae5592b9652b750a29bf702e |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/iwl-drv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "38f0d398b6d7640d223db69df022c4a232f24774", "status": "affected", "version": "aee1b6385e29e472ae5592b9652b750a29bf702e", "versionType": "git" }, { "lessThan": "c0e626f2b2390472afac52dfe72b29daf9ed8e1d", "status": "affected", "version": "aee1b6385e29e472ae5592b9652b750a29bf702e", "versionType": "git" }, { "lessThan": "47616b82f2d42ea2060334746fed9a2988d845c9", "status": "affected", "version": "aee1b6385e29e472ae5592b9652b750a29bf702e", "versionType": "git" }, { "lessThan": "88ed69f924638c7503644e1f8eed1e976f3ffa7a", "status": "affected", "version": "aee1b6385e29e472ae5592b9652b750a29bf702e", "versionType": "git" }, { "lessThan": "b02f8d5a71c8571ccf77f285737c566db73ef5e5", "status": "affected", "version": "aee1b6385e29e472ae5592b9652b750a29bf702e", "versionType": "git" }, { "lessThan": "f265e6031d0bc4fc40c4619cb42466722b46eaa9", "status": "affected", "version": "aee1b6385e29e472ae5592b9652b750a29bf702e", "versionType": "git" }, { "lessThan": "59cdda202829d1d6a095d233386870a59aff986f", "status": "affected", "version": "aee1b6385e29e472ae5592b9652b750a29bf702e", "versionType": "git" }, { "lessThan": "e0dc2c1bef722cbf16ae557690861e5f91208129", "status": "affected", "version": "aee1b6385e29e472ae5592b9652b750a29bf702e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/iwl-drv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.2" }, { "lessThan": "5.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.291", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.235", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.179", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.131", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.83", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.19", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.291", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.235", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.179", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.131", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.83", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.19", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.7", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14", "versionStartIncluding": "5.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: limit printed string from FW file\n\nThere\u0027s no guarantee here that the file is always with a\nNUL-termination, so reading the string may read beyond the\nend of the TLV. If that\u0027s the last TLV in the file, it can\nperhaps even read beyond the end of the file buffer.\n\nFix that by limiting the print format to the size of the\nbuffer we have." } ], "providerMetadata": { "dateUpdated": "2025-05-04T07:23:55.412Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/38f0d398b6d7640d223db69df022c4a232f24774" }, { "url": "https://git.kernel.org/stable/c/c0e626f2b2390472afac52dfe72b29daf9ed8e1d" }, { "url": "https://git.kernel.org/stable/c/47616b82f2d42ea2060334746fed9a2988d845c9" }, { "url": "https://git.kernel.org/stable/c/88ed69f924638c7503644e1f8eed1e976f3ffa7a" }, { "url": "https://git.kernel.org/stable/c/b02f8d5a71c8571ccf77f285737c566db73ef5e5" }, { "url": "https://git.kernel.org/stable/c/f265e6031d0bc4fc40c4619cb42466722b46eaa9" }, { "url": "https://git.kernel.org/stable/c/59cdda202829d1d6a095d233386870a59aff986f" }, { "url": "https://git.kernel.org/stable/c/e0dc2c1bef722cbf16ae557690861e5f91208129" } ], "title": "wifi: iwlwifi: limit printed string from FW file", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-21905", "datePublished": "2025-04-01T15:40:46.465Z", "dateReserved": "2024-12-29T08:45:45.785Z", "dateUpdated": "2025-05-04T07:23:55.412Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-48384 (GCVE-0-2025-48384)
Vulnerability from cvelistv5
Published
2025-07-08 18:23
Modified
2025-08-26 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
References
▼ | URL | Tags |
---|---|---|
https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-48384", "options": [ { "Exploitation": "active" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-22T00:00:00+00:00", "version": "2.0.3" }, "type": "ssvc" } }, { "other": { "content": { "dateAdded": "2025-08-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384" }, "type": "kev" } } ], "providerMetadata": { "dateUpdated": "2025-08-26T03:55:22.708Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "timeline": [ { "lang": "en", "time": "2025-08-25T00:00:00+00:00", "value": "CVE-2025-48384 added to CISA KEV" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "git", "vendor": "git", "versions": [ { "status": "affected", "version": "\u003c 2.43.7" }, { "status": "affected", "version": "\u003e= 2.44.0-rc0, \u003c 2.44.4" }, { "status": "affected", "version": "\u003e= 2.45.0-rc0, \u003c 2.45.4" }, { "status": "affected", "version": "\u003e= 2.46.0-rc0, \u003c 2.46.4" }, { "status": "affected", "version": "\u003e= 2.47.0-rc0, \u003c 2.47.3" }, { "status": "affected", "version": "\u003e= 2.48.0-rc0, \u003c 2.48.2" }, { "status": "affected", "version": "\u003e= 2.49.0-rc0, \u003c 2.49.1" }, { "status": "affected", "version": "\u003e= 2.50.0-rc0, \u003c 2.50.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-08T18:23:48.710Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9" } ], "source": { "advisory": "GHSA-vwqx-4fm8-6qc9", "discovery": "UNKNOWN" }, "title": "Git allows arbitrary code execution through broken config quoting" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-48384", "datePublished": "2025-07-08T18:23:48.710Z", "dateReserved": "2025-05-19T15:46:00.397Z", "dateUpdated": "2025-08-26T03:55:22.708Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-49058 (GCVE-0-2022-49058)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 08:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: potential buffer overflow in handling symlinks
Smatch printed a warning:
arch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error:
__memcpy() 'dctx->buf' too small (16 vs u32max)
It's caused because Smatch marks 'link_len' as untrusted since it comes
from sscanf(). Add a check to ensure that 'link_len' is not larger than
the size of the 'link_str' buffer.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 Version: c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/cifs/link.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3e582749e742e662a8e9bb37cffac62dccaaa1e2", "status": "affected", "version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131", "versionType": "git" }, { "lessThan": "1316c28569a80ab3596eeab05bf5e01991e7e739", "status": "affected", "version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131", "versionType": "git" }, { "lessThan": "eb5f51756944735ac70cd8bb38637cc202e29c91", "status": "affected", "version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131", "versionType": "git" }, { "lessThan": "22d658c6c5affed10c8907e67160cef0b6c92186", "status": "affected", "version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131", "versionType": "git" }, { "lessThan": "4e166a41180be2f1e66bbb6d46448e80a9a5ec05", "status": "affected", "version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131", "versionType": "git" }, { "lessThan": "9901b07ba42b39266b34a888e48d7306fd707bee", "status": "affected", "version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131", "versionType": "git" }, { "lessThan": "515e7ba11ef043d6febe69389949c8ef5f25e9d0", "status": "affected", "version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131", "versionType": "git" }, { "lessThan": "64c4a37ac04eeb43c42d272f6e6c8c12bfcf4304", "status": "affected", "version": "c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/cifs/link.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.37" }, { "lessThan": "2.6.37", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.311", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.276", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.239", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.190", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.112", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.35", "versionType": "semver" }, { "lessThanOrEqual": "5.17.*", "status": "unaffected", "version": "5.17.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.18", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.311", "versionStartIncluding": "2.6.37", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.276", "versionStartIncluding": "2.6.37", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.239", "versionStartIncluding": "2.6.37", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.190", "versionStartIncluding": "2.6.37", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.112", "versionStartIncluding": "2.6.37", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.35", "versionStartIncluding": "2.6.37", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.17.4", "versionStartIncluding": "2.6.37", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.18", "versionStartIncluding": "2.6.37", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: potential buffer overflow in handling symlinks\n\nSmatch printed a warning:\n\tarch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error:\n\t__memcpy() \u0027dctx-\u003ebuf\u0027 too small (16 vs u32max)\n\nIt\u0027s caused because Smatch marks \u0027link_len\u0027 as untrusted since it comes\nfrom sscanf(). Add a check to ensure that \u0027link_len\u0027 is not larger than\nthe size of the \u0027link_str\u0027 buffer." } ], "providerMetadata": { "dateUpdated": "2025-05-04T08:28:50.644Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3e582749e742e662a8e9bb37cffac62dccaaa1e2" }, { "url": "https://git.kernel.org/stable/c/1316c28569a80ab3596eeab05bf5e01991e7e739" }, { "url": "https://git.kernel.org/stable/c/eb5f51756944735ac70cd8bb38637cc202e29c91" }, { "url": "https://git.kernel.org/stable/c/22d658c6c5affed10c8907e67160cef0b6c92186" }, { "url": "https://git.kernel.org/stable/c/4e166a41180be2f1e66bbb6d46448e80a9a5ec05" }, { "url": "https://git.kernel.org/stable/c/9901b07ba42b39266b34a888e48d7306fd707bee" }, { "url": "https://git.kernel.org/stable/c/515e7ba11ef043d6febe69389949c8ef5f25e9d0" }, { "url": "https://git.kernel.org/stable/c/64c4a37ac04eeb43c42d272f6e6c8c12bfcf4304" } ], "title": "cifs: potential buffer overflow in handling symlinks", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-49058", "datePublished": "2025-02-26T01:54:29.195Z", "dateReserved": "2025-02-26T01:49:39.243Z", "dateUpdated": "2025-05-04T08:28:50.644Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-27614 (GCVE-0-2025-27614)
Vulnerability from cvelistv5
Published
2025-07-10 15:02
Modified
2025-07-10 15:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
References
▼ | URL | Tags |
---|---|---|
https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc | x_refsource_CONFIRM | |
https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-27614", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-10T15:54:41.814461Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-10T15:54:47.537Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "gitk", "vendor": "j6t", "versions": [ { "status": "affected", "version": "\u003e= 2.41.0, \u003c 2.43.7" }, { "status": "affected", "version": "\u003e= 2.44.0, \u003c 2.44.4" }, { "status": "affected", "version": "\u003e= 2.45.0, \u003c 2.45.4" }, { "status": "affected", "version": "\u003e= 2.46.0, \u003c 2.46.4" }, { "status": "affected", "version": "\u003e= 2.47.0, \u003c 2.47.3" }, { "status": "affected", "version": "\u003e= 2.48.0, \u003c 2.48.2" }, { "status": "affected", "version": "\u003e= 2.49.0, \u003c 2.49.1" }, { "status": "affected", "version": "\u003e= 2.50.0, \u003c 2.50.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-10T15:02:25.947Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc" }, { "name": "https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129" } ], "source": { "advisory": "GHSA-g4v5-fjv9-mhhc", "discovery": "UNKNOWN" }, "title": "Gitk allows arbitrary command execution" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-27614", "datePublished": "2025-07-10T15:02:25.947Z", "dateReserved": "2025-03-03T15:10:34.080Z", "dateUpdated": "2025-07-10T15:54:47.537Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-49794 (GCVE-0-2025-49794)
Vulnerability from cvelistv5
Published
2025-06-16 15:24
Modified
2025-09-02 15:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-825 - Expired Pointer Dereference
Summary
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
References
Impacted products
Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat Enterprise Linux 10 |
Unaffected: 0:2.12.5-7.el10_0 < * cpe:/o:redhat:enterprise_linux:10.0 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-49794", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-16T15:50:46.041375Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-16T15:51:46.475Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:10.0" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.12.5-7.el10_0", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_els:7" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.1-6.el7_9.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-21.el8_10.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-21.el8_10.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/o:redhat:rhel_aus:8.2::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_2.3", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_4.6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-9.el8_4.6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_tus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_tus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:8.6::baseos", "cpe:/a:redhat:rhel_tus:8.6::appstream", "cpe:/o:redhat:rhel_e4s:8.6::baseos", "cpe:/a:redhat:rhel_e4s:8.6::appstream", "cpe:/a:redhat:rhel_aus:8.6::appstream", "cpe:/o:redhat:rhel_tus:8.6::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-13.el8_6.10", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/a:redhat:rhel_e4s:8.8::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-16.el8_8.9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_tus:8.8::baseos", "cpe:/o:redhat:rhel_e4s:8.8::baseos", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/a:redhat:rhel_e4s:8.8::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.7-16.el8_8.9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_6", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:9.0::appstream", "cpe:/o:redhat:rhel_e4s:9.0::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-1.el9_0.5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:9.2::appstream", "cpe:/o:redhat:rhel_e4s:9.2::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-3.el9_2.7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.4::appstream", "cpe:/o:redhat:rhel_eus:9.4::baseos" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.9.13-10.el9_4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:insights_proxy:1.5::el9" ], "defaultStatus": "affected", "packageName": "registry.redhat.io/insights-proxy/insights-proxy-container-rhel9", "product": "Red Hat Insights proxy 1.5", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "sha256:c26d589f12647890b67aaa986f54d3f7c6f7f2563fb5a73f38d559e6138739d7", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "unknown", "packageName": "libxml2", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_core_services:1" ], "defaultStatus": "affected", "packageName": "libxml2", "product": "Red Hat JBoss Core Services", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "packageName": "rhcos", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" } ], "datePublic": "2025-06-10T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-825", "description": "Expired Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-02T15:53:16.314Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2025:10630", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10630" }, { "name": "RHSA-2025:10698", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10698" }, { "name": "RHSA-2025:10699", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:10699" }, { "name": "RHSA-2025:11580", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:11580" }, { "name": "RHSA-2025:12098", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12098" }, { "name": "RHSA-2025:12099", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12099" }, { "name": "RHSA-2025:12199", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12199" }, { "name": "RHSA-2025:12237", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12237" }, { "name": "RHSA-2025:12239", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12239" }, { "name": "RHSA-2025:12240", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12240" }, { "name": "RHSA-2025:12241", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:12241" }, { "name": "RHSA-2025:13335", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2025:13335" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2025-49794" }, { "name": "RHBZ#2372373", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372373" } ], "timeline": [ { "lang": "en", "time": "2025-06-11T21:33:43.044000+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2025-06-10T00:00:00+00:00", "value": "Made public." } ], "title": "Libxml: heap use after free (uaf) leads to denial of service (dos)", "workarounds": [ { "lang": "en", "value": "There\u0027s no available mitigation other than avoid processing untrusted XML documents before updating to the libxml version containing the fix." } ], "x_redhatCweChain": "CWE-825: Expired Pointer Dereference" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2025-49794", "datePublished": "2025-06-16T15:24:31.020Z", "dateReserved": "2025-06-10T22:17:05.286Z", "dateUpdated": "2025-09-02T15:53:16.314Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-22020 (GCVE-0-2025-22020)
Vulnerability from cvelistv5
Published
2025-04-16 10:20
Modified
2025-05-26 05:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
This fixes the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241
CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1
Tainted: [E]=UNSIGNED_MODULE
Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024
Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x27/0x320
? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
print_report+0x3e/0x70
kasan_report+0xab/0xe0
? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]
? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]
? __pfx___schedule+0x10/0x10
? kick_pool+0x3b/0x270
process_one_work+0x357/0x660
worker_thread+0x390/0x4c0
? __pfx_worker_thread+0x10/0x10
kthread+0x190/0x1d0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 161446:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x1a7/0x470
memstick_alloc_host+0x1f/0xe0 [memstick]
rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]
platform_probe+0x60/0xe0
call_driver_probe+0x35/0x120
really_probe+0x123/0x410
__driver_probe_device+0xc7/0x1e0
driver_probe_device+0x49/0xf0
__device_attach_driver+0xc6/0x160
bus_for_each_drv+0xe4/0x160
__device_attach+0x13a/0x2b0
bus_probe_device+0xbd/0xd0
device_add+0x4a5/0x760
platform_device_add+0x189/0x370
mfd_add_device+0x587/0x5e0
mfd_add_devices+0xb1/0x130
rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]
usb_probe_interface+0x15c/0x460
call_driver_probe+0x35/0x120
really_probe+0x123/0x410
__driver_probe_device+0xc7/0x1e0
driver_probe_device+0x49/0xf0
__device_attach_driver+0xc6/0x160
bus_for_each_drv+0xe4/0x160
__device_attach+0x13a/0x2b0
rebind_marked_interfaces.isra.0+0xcc/0x110
usb_reset_device+0x352/0x410
usbdev_do_ioctl+0xe5c/0x1860
usbdev_ioctl+0xa/0x20
__x64_sys_ioctl+0xc5/0xf0
do_syscall_64+0x59/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 161506:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x36/0x60
__kasan_slab_free+0x34/0x50
kfree+0x1fd/0x3b0
device_release+0x56/0xf0
kobject_cleanup+0x73/0x1c0
rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]
platform_remove+0x2f/0x50
device_release_driver_internal+0x24b/0x2e0
bus_remove_device+0x124/0x1d0
device_del+0x239/0x530
platform_device_del.part.0+0x19/0xe0
platform_device_unregister+0x1c/0x40
mfd_remove_devices_fn+0x167/0x170
device_for_each_child_reverse+0xc9/0x130
mfd_remove_devices+0x6e/0xa0
rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]
usb_unbind_interface+0xf3/0x3f0
device_release_driver_internal+0x24b/0x2e0
proc_disconnect_claim+0x13d/0x220
usbdev_do_ioctl+0xb5e/0x1860
usbdev_ioctl+0xa/0x20
__x64_sys_ioctl+0xc5/0xf0
do_syscall_64+0x59/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Last potentially related work creation:
kasan_save_stack+0x20/0x40
kasan_record_aux_stack+0x85/0x90
insert_work+0x29/0x100
__queue_work+0x34a/0x540
call_timer_fn+0x2a/0x160
expire_timers+0x5f/0x1f0
__run_timer_base.part.0+0x1b6/0x1e0
run_timer_softirq+0x8b/0xe0
handle_softirqs+0xf9/0x360
__irq_exit_rcu+0x114/0x130
sysvec_apic_timer_interrupt+0x72/0x90
asm_sysvec_apic_timer_interrupt+0x16/0x20
Second to last potentially related work creation:
kasan_save_stack+0x20/0x40
kasan_record_aux_stack+0x85/0x90
insert_work+0x29/0x100
__queue_work+0x34a/0x540
call_timer_fn+0x2a/0x160
expire_timers+0x5f/0x1f0
__run_timer_base.part.0+0x1b6/0x1e0
run_timer_softirq+0x8b/0xe0
handle_softirqs+0xf9/0x
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 Version: 6827ca573c03385439fdfc8b512d556dc7c54fc9 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/memstick/host/rtsx_usb_ms.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" }, { "lessThan": "9dfaf4d723c62bda8d9d1340e2e78acf0c190439", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" }, { "lessThan": "31f0eaed6914333f42501fc7e0f6830879f5ef2d", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" }, { "lessThan": "52d942a5302eefb3b7a3bfee310a5a33feeedc21", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" }, { "lessThan": "6186fb2cd36317277a8423687982140a7f3f7841", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" }, { "lessThan": "b094e8e3988e02e8cef7a756c8d2cea9c12509ab", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" }, { "lessThan": "0067cb7d7e7c277e91a0887a3c24e71462379469", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" }, { "lessThan": "75123adf204f997e11bbddee48408c284f51c050", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" }, { "lessThan": "4676741a3464b300b486e70585c3c9b692be1632", "status": "affected", "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/memstick/host/rtsx_usb_ms.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.292", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.236", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.180", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.133", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.86", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.22", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.10", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.1", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.292", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.236", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.180", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.133", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.86", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.22", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.10", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.1", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\nRead of size 8 at addr ffff888136335380 by task kworker/6:0/140241\n\nCPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1\nTainted: [E]=UNSIGNED_MODULE\nHardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024\nWorkqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x70\n print_address_description.constprop.0+0x27/0x320\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n print_report+0x3e/0x70\n kasan_report+0xab/0xe0\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]\n ? __pfx___schedule+0x10/0x10\n ? kick_pool+0x3b/0x270\n process_one_work+0x357/0x660\n worker_thread+0x390/0x4c0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x190/0x1d0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 161446:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x1a7/0x470\n memstick_alloc_host+0x1f/0xe0 [memstick]\n rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]\n platform_probe+0x60/0xe0\n call_driver_probe+0x35/0x120\n really_probe+0x123/0x410\n __driver_probe_device+0xc7/0x1e0\n driver_probe_device+0x49/0xf0\n __device_attach_driver+0xc6/0x160\n bus_for_each_drv+0xe4/0x160\n __device_attach+0x13a/0x2b0\n bus_probe_device+0xbd/0xd0\n device_add+0x4a5/0x760\n platform_device_add+0x189/0x370\n mfd_add_device+0x587/0x5e0\n mfd_add_devices+0xb1/0x130\n rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]\n usb_probe_interface+0x15c/0x460\n call_driver_probe+0x35/0x120\n really_probe+0x123/0x410\n __driver_probe_device+0xc7/0x1e0\n driver_probe_device+0x49/0xf0\n __device_attach_driver+0xc6/0x160\n bus_for_each_drv+0xe4/0x160\n __device_attach+0x13a/0x2b0\n rebind_marked_interfaces.isra.0+0xcc/0x110\n usb_reset_device+0x352/0x410\n usbdev_do_ioctl+0xe5c/0x1860\n usbdev_ioctl+0xa/0x20\n __x64_sys_ioctl+0xc5/0xf0\n do_syscall_64+0x59/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 161506:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x36/0x60\n __kasan_slab_free+0x34/0x50\n kfree+0x1fd/0x3b0\n device_release+0x56/0xf0\n kobject_cleanup+0x73/0x1c0\n rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]\n platform_remove+0x2f/0x50\n device_release_driver_internal+0x24b/0x2e0\n bus_remove_device+0x124/0x1d0\n device_del+0x239/0x530\n platform_device_del.part.0+0x19/0xe0\n platform_device_unregister+0x1c/0x40\n mfd_remove_devices_fn+0x167/0x170\n device_for_each_child_reverse+0xc9/0x130\n mfd_remove_devices+0x6e/0xa0\n rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]\n usb_unbind_interface+0xf3/0x3f0\n device_release_driver_internal+0x24b/0x2e0\n proc_disconnect_claim+0x13d/0x220\n usbdev_do_ioctl+0xb5e/0x1860\n usbdev_ioctl+0xa/0x20\n __x64_sys_ioctl+0xc5/0xf0\n do_syscall_64+0x59/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nLast potentially related work creation:\n kasan_save_stack+0x20/0x40\n kasan_record_aux_stack+0x85/0x90\n insert_work+0x29/0x100\n __queue_work+0x34a/0x540\n call_timer_fn+0x2a/0x160\n expire_timers+0x5f/0x1f0\n __run_timer_base.part.0+0x1b6/0x1e0\n run_timer_softirq+0x8b/0xe0\n handle_softirqs+0xf9/0x360\n __irq_exit_rcu+0x114/0x130\n sysvec_apic_timer_interrupt+0x72/0x90\n asm_sysvec_apic_timer_interrupt+0x16/0x20\n\nSecond to last potentially related work creation:\n kasan_save_stack+0x20/0x40\n kasan_record_aux_stack+0x85/0x90\n insert_work+0x29/0x100\n __queue_work+0x34a/0x540\n call_timer_fn+0x2a/0x160\n expire_timers+0x5f/0x1f0\n __run_timer_base.part.0+0x1b6/0x1e0\n run_timer_softirq+0x8b/0xe0\n handle_softirqs+0xf9/0x\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-05-26T05:16:43.813Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185" }, { "url": "https://git.kernel.org/stable/c/9dfaf4d723c62bda8d9d1340e2e78acf0c190439" }, { "url": "https://git.kernel.org/stable/c/31f0eaed6914333f42501fc7e0f6830879f5ef2d" }, { "url": "https://git.kernel.org/stable/c/52d942a5302eefb3b7a3bfee310a5a33feeedc21" }, { "url": "https://git.kernel.org/stable/c/6186fb2cd36317277a8423687982140a7f3f7841" }, { "url": "https://git.kernel.org/stable/c/b094e8e3988e02e8cef7a756c8d2cea9c12509ab" }, { "url": "https://git.kernel.org/stable/c/0067cb7d7e7c277e91a0887a3c24e71462379469" }, { "url": "https://git.kernel.org/stable/c/75123adf204f997e11bbddee48408c284f51c050" }, { "url": "https://git.kernel.org/stable/c/4676741a3464b300b486e70585c3c9b692be1632" } ], "title": "memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-22020", "datePublished": "2025-04-16T10:20:37.045Z", "dateReserved": "2024-12-29T08:45:45.807Z", "dateUpdated": "2025-05-26T05:16:43.813Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-6965 (GCVE-0-2025-6965)
Vulnerability from cvelistv5
Published
2025-07-15 13:44
Modified
2025-07-15 13:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-197 - Numeric Truncation Error
Summary
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-6965", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-15T13:55:28.325825Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-15T13:55:46.280Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://www.sqlite.org/src", "defaultStatus": "unaffected", "packageName": "expr.c", "product": "SQLite", "programFiles": [ "expr.c" ], "vendor": "SQLite", "versions": [ { "lessThan": "3.50.2", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Vlad Stolyarov of Google\u0027s Threat Analysis Group, with assistance from Google Big Sleep" } ], "datePublic": "2025-06-27T22:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above." } ], "value": "There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above." } ], "impacts": [ { "capecId": "CAPEC-679", "descriptions": [ { "lang": "en", "value": "CAPEC-679 Exploitation of Improperly Configured or Implemented Memory Protections" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NO", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.2, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/S:N/AU:N/R:U/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-197", "description": "CWE-197: Numeric Truncation Error", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-15T13:44:00.784Z", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google" }, "references": [ { "url": "https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8" } ], "source": { "discovery": "UNKNOWN" }, "title": "Integer Truncation on SQLite", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2025-6965", "datePublished": "2025-07-15T13:44:00.784Z", "dateReserved": "2025-07-01T09:19:04.750Z", "dateUpdated": "2025-07-15T13:55:46.280Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-57980 (GCVE-0-2024-57980)
Vulnerability from cvelistv5
Published
2025-02-27 02:07
Modified
2025-05-04 10:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix double free in error path
If the uvc_status_init() function fails to allocate the int_urb, it will
free the dev->status pointer but doesn't reset the pointer to NULL. This
results in the kfree() call in uvc_status_cleanup() trying to
double-free the memory. Fix it by resetting the dev->status pointer to
NULL after freeing it.
Reviewed by: Ricardo Ribalda <ribalda@chromium.org>
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 Version: a31a4055473bf0a7b2b06cb2262347200d0711e1 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/usb/uvc/uvc_status.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d", "status": "affected", "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1", "versionType": "git" }, { "lessThan": "87522ef165e5b6de8ef98cc318f3335166a1512c", "status": "affected", "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1", "versionType": "git" }, { "lessThan": "3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277", "status": "affected", "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1", "versionType": "git" }, { "lessThan": "9232719ac9ce4d5c213cebda23d72aec3e1c4c0d", "status": "affected", "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1", "versionType": "git" }, { "lessThan": "6c36dcd662ec5276782838660f8533a7cb26be49", "status": "affected", "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1", "versionType": "git" }, { "lessThan": "d1f8e69eec91d5a75ef079778a5d0151db2a7f22", "status": "affected", "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1", "versionType": "git" }, { "lessThan": "d8e63dd7b6683969d3d47c7b8e9635f96d554ad4", "status": "affected", "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1", "versionType": "git" }, { "lessThan": "c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac", "status": "affected", "version": "a31a4055473bf0a7b2b06cb2262347200d0711e1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/usb/uvc/uvc_status.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.28" }, { "lessThan": "2.6.28", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.291", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.235", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.179", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.129", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.76", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.13", "versionType": "semver" }, { "lessThanOrEqual": "6.13.*", "status": "unaffected", "version": "6.13.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.291", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.235", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.179", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.129", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.76", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.13", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.13.2", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14", "versionStartIncluding": "2.6.28", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix double free in error path\n\nIf the uvc_status_init() function fails to allocate the int_urb, it will\nfree the dev-\u003estatus pointer but doesn\u0027t reset the pointer to NULL. This\nresults in the kfree() call in uvc_status_cleanup() trying to\ndouble-free the memory. Fix it by resetting the dev-\u003estatus pointer to\nNULL after freeing it.\n\nReviewed by: Ricardo Ribalda \u003cribalda@chromium.org\u003e" } ], "providerMetadata": { "dateUpdated": "2025-05-04T10:07:38.248Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d" }, { "url": "https://git.kernel.org/stable/c/87522ef165e5b6de8ef98cc318f3335166a1512c" }, { "url": "https://git.kernel.org/stable/c/3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277" }, { "url": "https://git.kernel.org/stable/c/9232719ac9ce4d5c213cebda23d72aec3e1c4c0d" }, { "url": "https://git.kernel.org/stable/c/6c36dcd662ec5276782838660f8533a7cb26be49" }, { "url": "https://git.kernel.org/stable/c/d1f8e69eec91d5a75ef079778a5d0151db2a7f22" }, { "url": "https://git.kernel.org/stable/c/d8e63dd7b6683969d3d47c7b8e9635f96d554ad4" }, { "url": "https://git.kernel.org/stable/c/c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac" } ], "title": "media: uvcvideo: Fix double free in error path", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-57980", "datePublished": "2025-02-27T02:07:06.849Z", "dateReserved": "2025-02-27T02:04:28.912Z", "dateUpdated": "2025-05-04T10:07:38.248Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-50154 (GCVE-0-2024-50154)
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2025-05-04 12:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().
"""
We are seeing a use-after-free from a bpf prog attached to
trace_tcp_retransmit_synack. The program passes the req->sk to the
bpf_sk_storage_get_tracing kernel helper which does check for null
before using it.
"""
The commit 83fccfc3940c ("inet: fix potential deadlock in
reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not
to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
small race window.
Before the timer is called, expire_timers() calls detach_timer(timer, true)
to clear timer->entry.pprev and marks it as not pending.
If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
continue running and send multiple SYN+ACKs until it expires.
The reported UAF could happen if req->sk is close()d earlier than the timer
expiration, which is 63s by default.
The scenario would be
1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
but del_timer_sync() is missed
2. reqsk timer is executed and scheduled again
3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
reqsk timer still has another one, and inet_csk_accept() does not
clear req->sk for non-TFO sockets
4. sk is close()d
5. reqsk timer is executed again, and BPF touches req->sk
Let's not use timer_pending() by passing the caller context to
__inet_csk_reqsk_queue_drop().
Note that reqsk timer is pinned, so the issue does not happen in most
use cases. [1]
[0]
BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0
Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
bpf_sk_storage_get_tracing+0x2e/0x1b0
bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
bpf_trace_run2+0x4c/0xc0
tcp_rtx_synack+0xf9/0x100
reqsk_timer_handler+0xda/0x3d0
run_timer_softirq+0x292/0x8a0
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
intel_idle_irq+0x5a/0xa0
cpuidle_enter_state+0x94/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6
allocated by task 0 on cpu 9 at 260507.901592s:
sk_prot_alloc+0x35/0x140
sk_clone_lock+0x1f/0x3f0
inet_csk_clone_lock+0x15/0x160
tcp_create_openreq_child+0x1f/0x410
tcp_v6_syn_recv_sock+0x1da/0x700
tcp_check_req+0x1fb/0x510
tcp_v6_rcv+0x98b/0x1420
ipv6_list_rcv+0x2258/0x26e0
napi_complete_done+0x5b1/0x2990
mlx5e_napi_poll+0x2ae/0x8d0
net_rx_action+0x13e/0x590
irq_exit_rcu+0xf5/0x320
common_interrupt+0x80/0x90
asm_common_interrupt+0x22/0x40
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
freed by task 0 on cpu 9 at 260507.927527s:
rcu_core_si+0x4ff/0xf10
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: d3a1196bfc462943694623412d8e03aaf172bdc1 |
||||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-50154", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-11T14:25:48.087506Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T14:58:32.999Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv4/inet_connection_sock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "106e457953315e476b3642ef24be25ed862aaba3", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "c964bf65f80a14288d767023a1b300b30f5b9cd0", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "8459d61fbf24967839a70235165673148c7c7f17", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "5071beb59ee416e8ab456ac8647a4dabcda823b1", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "997ae8da14f1639ce6fb66a063dab54031cd61b3", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "51e34db64f4e43c7b055ccf881b7f3e0c31bb26d", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "e8c526f2bdf1845bedaf6a478816a3d06fa78b8f", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "status": "affected", "version": "d3a1196bfc462943694623412d8e03aaf172bdc1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv4/inet_connection_sock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.2" }, { "lessThan": "4.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.293", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.237", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.293", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.237", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.170", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.115", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.59", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.11.6", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().\n\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n\n \"\"\"\n We are seeing a use-after-free from a bpf prog attached to\n trace_tcp_retransmit_synack. The program passes the req-\u003esk to the\n bpf_sk_storage_get_tracing kernel helper which does check for null\n before using it.\n \"\"\"\n\nThe commit 83fccfc3940c (\"inet: fix potential deadlock in\nreqsk_queue_unlink()\") added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\n\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer-\u003eentry.pprev and marks it as not pending.\n\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\n\nThe reported UAF could happen if req-\u003esk is close()d earlier than the timer\nexpiration, which is 63s by default.\n\nThe scenario would be\n\n 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\n but del_timer_sync() is missed\n\n 2. reqsk timer is executed and scheduled again\n\n 3. req-\u003esk is accept()ed and reqsk_put() decrements rsk_refcnt, but\n reqsk timer still has another one, and inet_csk_accept() does not\n clear req-\u003esk for non-TFO sockets\n\n 4. sk is close()d\n\n 5. reqsk timer is executed again, and BPF touches req-\u003esk\n\nLet\u0027s not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\n\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\n\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\n\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb" } ], "providerMetadata": { "dateUpdated": "2025-05-04T12:59:37.593Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/106e457953315e476b3642ef24be25ed862aaba3" }, { "url": "https://git.kernel.org/stable/c/c964bf65f80a14288d767023a1b300b30f5b9cd0" }, { "url": "https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17" }, { "url": "https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1" }, { "url": "https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3" }, { "url": "https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d" }, { "url": "https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f" } ], "title": "tcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50154", "datePublished": "2024-11-07T09:31:30.855Z", "dateReserved": "2024-10-21T19:36:19.960Z", "dateUpdated": "2025-05-04T12:59:37.593Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-20623 (GCVE-0-2025-20623)
Vulnerability from cvelistv5
Published
2025-05-13 21:02
Modified
2025-05-14 15:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Information Disclosure
- CWE-1423 - Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Summary
Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Core™ processors (10th Generation) may allow an authenticated user to potentially enable information disclosure via local access.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Intel(R) Core™ processors (10th Generation) |
Version: See references |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-20623", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-14T15:10:08.956006Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-14T15:10:55.376Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Intel(R) Core\u2122 processors (10th Generation)", "vendor": "n/a", "versions": [ { "status": "affected", "version": "See references" } ] } ], "descriptions": [ { "lang": "en", "value": "Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Core\u2122 processors (10th Generation) may allow an authenticated user to potentially enable information disclosure via local access." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.7, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en" }, { "cweId": "CWE-1423", "description": "Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-13T21:02:26.040Z", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel" }, "references": [ { "name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01247.html", "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01247.html" } ] } }, "cveMetadata": { "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2025-20623", "datePublished": "2025-05-13T21:02:26.040Z", "dateReserved": "2025-01-06T23:39:39.905Z", "dateUpdated": "2025-05-14T15:10:55.376Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…