CVE Catalog
Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.
Linux Kernel GPIO Character Device NULL Dereference Vulnerability in Line Handle Creation
A vulnerability in the Linux kernel's GPIO character device handling has been addressed. The issue was a NULL dereference in the 'linehandle_create()' function, which could lead to a crash. This occurred because the function retained a NULL pointer and then attempted to dereference it shortly after, causing a failure. The vulnerability has been fixed by modifying the function to use a different value that avoids the NULL dereference.
Linux Kernel SP804 Timer Driver Oops Vulnerability on ARM32 Platforms
A vulnerability in the Linux kernel's SP804 timer driver for ARM32 platforms has been addressed. The issue arose because the delay timer shared the same clock event instance with the scheduler clock. On certain platforms, the scheduler clock event was not properly initialized, leading to a kernel Oops error when the current timer was read. This vulnerability affected Linux kernel versions prior to the fix.
Linux Kernel NFS LOCALIO Direct Reclaim Recursion Vulnerability
A vulnerability in the Linux kernel's NFS LOCALIO optimization can lead to a direct reclaim recursion deadlock. LOCALIO is designed to bypass network operations for NFS commands when the client and server are on the same system. However, this loopback mount can inadvertently cause a deadlock by recursing through the direct reclaim process, particularly when interacting with the XFS filesystem. The issue arises because LOCALIO can loop back into NFS during the reclaim process, creating a potential deadlock scenario.
Linux Kernel fsl-edma Clock Management Issue in Removal Process
A problem has been identified in the Linux kernel's fsl-edma DMA engine driver related to improper clock management during the removal of the driver. The issue arises because the clocks are allocated and enabled using a function that automatically handles resource cleanup. However, they are also manually disabled in the driver's removal function, leading to warnings about the clocks being already disabled. This mismanagement can cause unnecessary complications when the driver is unloaded.
Linux Kernel AppArmor Unaligned Memory Access Vulnerability
A vulnerability in the Linux kernel's AppArmor component allows for unaligned memory accesses, which can lead to warnings and potential issues on various architectures. This vulnerability arises because the deterministic finite automaton (DFA) tables used by AppArmor can come from either the kernel or userspace, and are not always guaranteed to be properly aligned. The lack of alignment can trigger unaligned memory accesses, causing warnings during execution. This issue has been observed in Linux kernel version 6.18.0-rc6.
Linux Kernel Heap Buffer Overflow Vulnerability in Persistent RAM Handling
A heap buffer overflow vulnerability has been identified in the Linux kernel's pstore/ram component, specifically within the 'persistent_ram_save_old()' function. This vulnerability affects several versions of the Linux kernel stable tree. The issue arises because 'persistent_ram_save_old()' can be called multiple times for the same persistent_ram_zone, particularly through 'ramoops_pstore_read' for PSTORE_TYPE_DMESG records. The function only allocates a buffer for the old log when it is NULL, but it always updates the log size to the current buffer size before copying data from the I/O memory. If the buffer size increases between calls, this can lead to a heap buffer overflow during the memory copy operation. Additionally, this vulnerability can cause an out-of-bounds read when the 'ramoops_pstore_read()' function accesses the buffer using an incorrect, larger log size.
Linux Kernel Regulator Supply Handling Locking Vulnerability
A locking vulnerability has been identified in the Linux kernel's regulator supply handling, specifically within the 'regulator_resolve_supply()' function. This issue arises when late enabling of a supply regulator fails, leading to a lockdep warning. The warning indicates that the 'regulator_list_mutex' must be held when calling '_regulator_put()', but the current implementation does not ensure this. As a result, concurrent access to the regulator device can occur while the supply pointer is being cleared, potentially causing inconsistencies.
Linux Kernel Btrfs Block Group Tree Dirty List Corruption Vulnerability
A vulnerability in the Linux kernel's Btrfs file system has been identified, related to improper handling of the block group tree's dirty list. When the EXTENT_TREE_V2 flag is active, the block group tree is incorrectly added to the switch_commits list, disrupting the normal dirty tracking process. This flaw can lead to a corruption of the dirty_list, causing Btrfs to mix up its commit and dirty tracking processes. The issue becomes evident when the CONFIG_DEBUG_LIST option is enabled, as it triggers a warning about the corrupted list state. The corruption can cause Btrfs to fail in locating root keys during transactions, ultimately leading to a transaction abort and marking the file system as corrupted.
Linux Kernel Global Register Variable Vulnerability on MIPS Architecture
A vulnerability has been identified in the Linux kernel's handling of global register variables on the MIPS architecture, specifically in versions up to and including 6.19.0-rc5. The issue arises because the LLVM compiler incorrectly restores the global register variable '$gp', which is supposed to be preserved during kernel relocation. This mismanagement leads to a crash during the initialization of the idle process, as the '$gp' register points to an invalid memory address.
Linux Kernel OcteonTX2 AF Driver Kexec Reboot Crash Vulnerability
A vulnerability in the Linux kernel's OcteonTX2 AF driver can lead to a crash of the PF driver during a kexec reboot. This issue occurs because the hardware is not power-cycled, allowing the AF state from the old kernel to persist into the new one. When both AF and PF drivers are built as modules, the PF driver may initialize before the AF driver has a chance to reinitialize the hardware. The PF driver relies on the RVUM block revision to determine if AF initialization is complete. If this revision is not cleared before shutdown, the PF driver may mistakenly assume that AF is ready, leading to a crash by accessing outdated hardware state. The vulnerability has been addressed by clearing the RVUM block revision during AF shutdown, preventing the PF driver from misinterpreting AF's readiness after a kexec reboot.
Linux Kernel ath12k Stale Link Mapping Vulnerability in Wireless MAC Management
A vulnerability in the Linux kernel's ath12k wireless driver can lead to improper management of virtual interface links. When a virtual interface (arvif) is initialized in non-AP station mode, but the preparation for a multi-link operation (MLO) connection fails before the interface is fully created, the driver attempts to delete link mappings. However, this deletion only occurs if the interface has been fully created. As a result, the link management retains a stale entry for the interface, which can trigger warnings when a new interface is initialized with the same link ID. This issue has been observed in the QCN9274 hardware version 2.0, under the PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1 firmware.
Linux Kernel GFX3D Clock Rate Determination Crash Vulnerability
A vulnerability in the Linux kernel's handling of the GFX3D clock rate has been addressed. The issue arose after a previous commit that changed how clock rates are determined, leading to crashes because the parent map did not provide the expected best_parent_hw clock. This problem has been fixed by correctly setting the parent request map, preventing the crash. The vulnerability affects the clock management for the GFX3D component on Qualcomm platforms.
Linux Kernel PM8916 LBC Power Supply Driver Use-After-Free Vulnerability in IRQ Handler
A use-after-free vulnerability has been identified in the Linux kernel's PM8916 LBC power supply driver. This issue arises in the IRQ handler due to the improper order of requesting the IRQ and registering the extcon handle. The extcon handle is freed before the IRQ handler is unregistered, creating a race condition. As a result, an interrupt can be processed with a deallocated extcon handle, leading to potential system crashes or memory corruption.
Linux Kernel AMD GPU DC Link NULL Handling Vulnerability in Hot Plug Detection Initialization
A vulnerability in the Linux kernel's AMD GPU display driver has been addressed. The issue arose in the hot plug detection (HPD) initialization process, where the code improperly handled cases where the display connector's link was NULL. This oversight could lead to errors when the system attempted to set up HPD interrupts, as the code unconditionally referenced a NULL link. The vulnerability affected the AMDGPU display manager's hot plug detection routine, which is crucial for managing analog connectors that can be hot-plugged.
Linux Kernel Netfilter Inner IPv6 Header Desynchronization Vulnerability Allows Transport Header Forgery
A vulnerability in the Linux kernel's netfilter component has been identified, specifically within the inner packet processing of IPv6. When the function 'nft_inner_parse_l2l3()' handles inner IPv6 packets, it correctly calculates the transport header offset by traversing all extension headers. However, this accurate offset is then incorrectly overwritten, leading to a desynchronization between the inner header offset and the layer 4 protocol indicator. This flaw enables transport header forgery and could potentially bypass firewall rules. The vulnerability affects several stable versions of the Linux kernel starting from 6.2.
OP-TEE Use-After-Free Vulnerability in Shared Memory Teardown Logic
A use-after-free (UAF) race condition vulnerability has been identified in OP-TEE versions 3.16.0 prior to 4.11.0. This vulnerability occurs in the shared memory teardown process of the FF-A framework, specifically within OP-TEE's Secure Partition Manager (SPMC) handling for Secure EL0 (S-EL0) Secure Partitions (SPs). The issue arises because the function responsible for removing shared memory entries does not properly synchronize access, allowing one thread to free memory while another thread is still using it. As a result, the first thread can inadvertently access freed memory, leading to potential memory corruption and information leakage in the secure world.
Kimi AI Cross-Site Scripting Vulnerability in Preview Feature
A Cross-Site Scripting (XSS) vulnerability has been identified in the Kimi AI web interface version 1.0, specifically within the 'Preview' feature. The issue arises because the application does not adequately sanitize or encode HTML and JavaScript payloads generated by the AI model. When users switch to the 'Preview' tab to view AI-generated code, any embedded malicious payloads are rendered directly into the Document Object Model (DOM). This flaw allows for arbitrary execution of JavaScript in the user's browser session.
Mercusys AC12G DNS Version Disclosure Vulnerability
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the DNS resolver component running Unbound version 1.22.0. The router responds to CHAOS TXT queries for 'version.bind' and 'hostname.bind', disclosing the DNS software version and internal hostname. This information can aid targeted attacks against known vulnerabilities in the DNS resolver. The issue is present in the router's default configuration and can be exploited by any device on the local network that sends DNS queries to the router.
Mercusys AC12G Hardcoded WiFi Driver Credentials Vulnerability
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. This vulnerability involves hardcoded WiFi driver credentials embedded in the production firmware binary. The credentials include a RADIUS shared secret, a WPS test key, and a default Pre-Shared Key (PSK). These hardcoded credentials, left over from development and testing, could be activated under certain conditions, such as a failure in configuration or the enabling of specific wireless modes without proper key management.
Mercusys AC12G Buffer Leak Vulnerability via Undocumented Endpoint
A buffer leak vulnerability has been identified in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The vulnerability arises from an undocumented endpoint, '/agileconfigreset', which is accessible without authentication. This endpoint leaks internal buffer contents, including parsed HTTP headers from the current request, to unauthenticated attackers on the adjacent network. The leaked data is formatted in a null-separated internal style and is sent as a malformed response that violates HTTP protocol standards.
Mercusys AC12G Uninitialized Buffer Disclosure Vulnerability via HTTP POST Requests
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The issue arises when the device receives HTTP POST requests to undefined paths. Instead of returning appropriate error responses, the router's VxWorks HTTP server leaks 128 bytes of uninitialized internal buffer contents. This exposure allows unauthenticated adjacent network attackers to access sensitive server state information.
Mercusys AC12G WPS Vulnerability with Weak Lockout Policy
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The router enables Wi-Fi Protected Setup (WPS) 2.0 by default, but with a weak lockout policy that allows for repeated PIN guessing attacks. After 10 failed attempts, the router only locks out further attempts for 60 seconds. This weak policy can be exploited if WPS PIN mode is activated, allowing an attacker to recover Wi-Fi credentials in a single attempt using a predicted PIN derived from the router's BSSID MAC address.
Mercusys AC12G Uninitialized Buffer Disclosure Vulnerability via UPnP POST Requests
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the UPnP HTTP server on port 1900. When the router receives POST requests without a SOAPAction header, it responds with 128 bytes of uninitialized buffer data. This response includes null-separated parsed header key-value pairs from the request, fragments of HTTP response templates from previous requests, and internal memory contents from the server's buffer management. The vulnerability allows unauthenticated adjacent network attackers to access sensitive internal memory data.
Mercusys AC12G Plaintext Transmission of DDNS Credentials Vulnerability
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The router's Dynamic Domain Name System (DDNS) client transmits user credentials, including usernames and passwords, to external DDNS providers over unencrypted HTTP. While the credentials are encoded in Base64 and sent in the 'Authorization: Basic' header, this encoding is easily reversible. The absence of any SSL/TLS implementation in the firmware allows for man-in-the-middle interception of these DDNS service credentials. This vulnerability affects users of DynDNS and No-IP services, as the intercepted credentials could be reused if shared with other services.
Mercusys AC12G (EU) V1 Static Nonce Vulnerability Allows Password Recovery
A vulnerability in the Mercusys AC12G (EU) V1 router's authentication mechanism allows for password recovery through the exploitation of a static nonce that does not change between requests from the same source IP. This issue arises in routers running the AC12G(EU)_V1_200909 firmware. The static nonce, combined with a predictable XOR-based password encoding, enables an attacker to reverse-engineer captured authentication tokens to retrieve the plaintext password. The vulnerability also allows for session token replay, as captured tokens remain valid indefinitely without expiration.
Mercusys AC12G (EU) V1 UPnP Self-Mapping Vulnerability Exposes Admin Panel to Internet
A vulnerability in the Mercusys AC12G (EU) V1 router, running firmware AC12G(EU)_V1_200909, allows for unauthorized port forwarding to the router's admin interface. This is achieved through the UPnP 'AddPortMapping' function, which accepts the router's own IP address or localhost as the 'InternalClient' parameter. An unauthenticated attacker on the local network can exploit this flaw to make the admin panel accessible from the internet.
Mercusys AC12G (EU) V1 Router Authentication Rate Limit Bypass Vulnerability via TDDP Password Change Endpoint
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the TDDP password change endpoint, which allows for unauthenticated brute-force attacks. This issue arises because the password change endpoint lacks the rate limiting found on the login endpoint, enabling an attacker on the adjacent network to attempt unlimited password guesses without triggering an account lockout. The vulnerability affects routers running the AC12G(EU)_V1_200909 firmware, and has been tested on this version as well as AC12G(EU)_V1_210128.
Mercusys AC12G (EU) V1 Router Hardcoded DES Key Vulnerability in Backup Encryption
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The router encrypts configuration backup files using a hardcoded DES key in ECB mode, a method that is no longer considered secure. This encryption flaw allows an attacker who obtains a backup file to decrypt it and access sensitive information, including the admin password, WiFi pre-shared keys, PPPoE credentials, and DDNS information. The same DES key is used across various TP-Link and Mercusys devices, amplifying the risk of credential exposure.
Mercusys AC12G (EU) V1 Router HTTP Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The issue arises in the router's HTTP server, which has a limited connection pool and no timeout for incomplete requests. By sending approximately 50 concurrent TCP connections with slow or incomplete HTTP headers, all available connection slots can be exhausted. This causes the HTTP server to become permanently unresponsive, requiring a physical power cycle to restore functionality. The UPnP service on port 1900 also crashes, indicating a shared resource issue.
Mercusys AC12G (EU) V1 DNS Rebinding Vulnerability via Host Header Validation Issue
A vulnerability in the Mercusys AC12G (EU) V1 router, running firmware AC12G(EU)_V1_200909, allows for DNS rebinding attacks due to improper validation of the HTTP Host header. This flaw enables external attackers to rebind a domain to the router's internal IP address, exploiting the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to launch internet-originated attacks. The issue arises because the router's DNS resolver (Unbound 1.22.0) fails to filter private IP addresses in DNS responses, and the HTTP server accepts requests with any Host header value, including external domain names.
Mercusys AC12G (EU) V1 Unauthenticated UPnP IGD Actions Vulnerability
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The router's UPnP IGD implementation on port 1900 exposes 15 out of 18 actions without authentication. This includes critical functions such as AddPortMapping, which allows arbitrary NAT port forwarding, and GetExternalIPAddress, which reveals the WAN IP address. UPnP is enabled by default and cannot be disabled through the admin interface, leaving any unauthenticated LAN device free to manipulate port forwarding rules and access WAN traffic statistics.
Mercusys AC12G (EU) V1 UPnP Kernel Memory Disclosure Vulnerability
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The issue arises within the UPnP service, where the GetStatusInfo action improperly discloses kernel memory layout by returning a raw MIPS KSEG0 kernel pointer instead of the expected connection status. This vulnerability allows an unauthenticated attacker on the adjacent network to obtain sensitive kernel address information, which could be used for further exploitation, especially considering the lack of Address Space Layout Randomization (ASLR) in VxWorks, the underlying operating system.
Dovestones Software ADPhonebook Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in Dovestones Software ADPhonebook versions prior to 4.0.1.1. The issue arises in the administrative configuration functionality, where authenticated admin users can inject malicious JavaScript payloads into various application configuration fields. This injection occurs through the '/Admin/Save' API, which lacks adequate input validation and output encoding. Once injected, the payloads are executed when the affected configuration data is viewed, potentially leading to session hijacking or impersonation of administrative accounts.
Cisco Webex Meetings Cross-Site Scripting Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the web-based user interface of Cisco Webex Meetings. This issue could have allowed an unauthenticated, remote attacker to execute arbitrary script code in the browser of a targeted user or access sensitive, browser-based information. The vulnerability arose from insufficient validation of user input, enabling an attacker to persuade a user to follow a malicious link. Cisco has addressed this vulnerability in the Webex Meetings service, and no customer action is needed.
Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This vulnerability allows an unauthenticated, remote attacker to send crafted HTTP requests that could be exploited to write files to the underlying operating system, potentially leading to privilege escalation to root. The vulnerability arises from improper input validation of certain HTTP requests. To exploit this vulnerability, the WebDialer service must be enabled, which is disabled by default.
Cisco Finesse Remote File Inclusion Vulnerability Allowing Browser-Based Attacks
A remote file inclusion vulnerability has been identified in Cisco Finesse. This issue allows an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, potentially leading to browser-based attacks. The vulnerability arises from inadequate validation of user-supplied input in HTTP requests sent to the device. An attacker aware of the device's address could exploit this by convincing a user to click a crafted link containing that address. Successful exploitation might enable the attacker to execute arbitrary script code in the context of the affected interface or access sensitive information on the device.
Linux Kernel Panthor GPU Cache Flush Operation Recovery Vulnerability
A vulnerability has been identified in the Linux kernel's handling of cache flush operations for the Panthor GPU. This issue can cause the entire memory subsystem to become blocked, with flush operations failing to complete. The vulnerability arises from the GPU's logical block not properly managing cache flush requests, especially when these requests are queued after a timeout. The problem can be triggered by faulty GPU jobs created by the User Mode Driver (UMD), leading to unresponsive memory blocks.
Linux Kernel PCI Endpoint NULL Pointer Dereference Vulnerability
A NULL pointer dereference vulnerability has been identified in the Linux kernel's PCI endpoint functionality. This issue arises because the 'alloc_workqueue()' function can return NULL if memory allocation fails. Without proper error handling, this could lead to a NULL pointer dereference when 'queue_work()' is called with a NULL workqueue pointer, particularly in the 'epf_ntb_epc_init()' function. The vulnerability affects the Linux kernel stable tree.
Dräger SC Monitoring Devices Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in Dräger SC Monitoring devices, specifically in the SC 6002XL, SC 6802XL, SC 7000, SC 8000, and SC 9000 XL models. This vulnerability exists in all software versions and allows unauthenticated attackers to disrupt patient monitoring by sending malformed network packets. The monitors can be forced to reboot repeatedly, eventually reverting to default settings and losing network connectivity.
Jupyter Server CORS Origin Validation Bypass Vulnerability
A vulnerability exists in Jupyter Server versions 1.12.0 through 2.17.0, allowing attackers to bypass Cross-Origin Resource Sharing (CORS) origin validation when the 'allow_origin_pat' configuration is applied. The issue stems from using 're.match()' for validating the 'Origin' header, which only checks the beginning of the string. This flaw enables domains controlled by attackers, such as 'trusted.example.com.evil.com', to be mistakenly validated as legitimate. The vulnerability impacts several areas, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially leading to phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses.
GLPI Unauthorized Asset Object Reading Vulnerability
A vulnerability exists in GLPI versions 11.0.0 prior to 11.0.7 and in versions 0.78 prior to 10.0.25. An authenticated user with 'config READ' permission can read a specific asset object without authorization.
GLPI Stored Cross-Site Scripting Vulnerability in Asset Locks
A stored cross-site scripting vulnerability has been identified in GLPI versions 10.0.4 prior to 10.0.25. This issue allows technicians to inject an XSS payload into the asset locked tab.
GLPI Arbitrary File Read Vulnerability
A vulnerability allowing arbitrary file read has been identified in GLPI versions 0.50 prior to 10.0.25 and 11.0.0 prior to 11.0.7. This issue allows technicians to access any file within the GLPI_DOC_DIR.
GLPI Arbitrary Object Deletion Vulnerability for Low Privilege Users in Planning
A vulnerability exists in GLPI versions 9.5.0 prior to 10.0.25 and 11.0.0 prior to 11.0.7, allowing low privilege users with access to planning to delete any object within the application. This issue arises from inadequate permission controls, enabling unauthorized deletion of items.
GLPI Arbitrary File Deletion Vulnerability
A vulnerability in GLPI versions 0.78 prior to 10.0.25 and 11.0.0 prior to 11.0.7 allows technicians to delete arbitrary files from the filesystem, provided the webserver has write permissions on those files. This issue arises from insufficient restrictions on file deletion capabilities.
Python CPython Unicodedata Normalization Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in Python's CPython implementation, specifically within the unicodedata.normalize() function. This issue arises when the function processes specially crafted Unicode input that includes long sequences of combining characters with alternating Canonical Combining Class values. Such input can cause the normalization process to exhibit quadratic time complexity, leading to excessive CPU usage. A payload of approximately 0.5MB can consume over 30 seconds of processing time. This vulnerability affects all normalization forms.
GoBGP Integer Underflow Vulnerability in BGP Update Decoding Function Allows Denial-of-Service
An integer underflow vulnerability has been identified in GoBGP version 4.3.0, specifically within the BGPUpdate.DecodeFromBytes function. This vulnerability allows attackers to cause a denial-of-service condition by sending a crafted BGP UPDATE message. The underflow occurs when the message length is improperly validated, enabling the manipulation of data processing boundaries.
Rock RMS Cross-Site Scripting Vulnerability Leading to Privilege Escalation
A cross-site scripting (XSS) vulnerability has been identified in Rock RMS versions through 17.7.0. This issue allows for the execution of arbitrary JavaScript in the context of an administrator's browser session, potentially leading to unauthorized privilege escalation. The vulnerability arises from inadequate input sanitization in the Social Media Links feature of user profiles. When an administrator views a profile containing a crafted XSS payload, the payload executes and can escalate the profile owner's privileges to that of an administrator.
Openlabs Docker Wkhtmltopdf Aas OS Command Injection Vulnerability Allowing Remote Code Execution
A command injection vulnerability has been identified in the 'app.py' component of Openlabs Docker Wkhtmltopdf Aas, affecting all versions prior to the latest commit '9f50579'. This vulnerability allows remote attackers to execute arbitrary commands on the server with root privileges. The issue arises from the application accepting user-supplied options via JSON POST requests, which are then used to construct a shell command for 'wkhtmltopdf' without proper validation or sanitization. Exploitation can be achieved by injecting commands through option values or keys, leading to unauthorized command execution.
Wassimulator CactusViewer Privilege Escalation and Arbitrary Code Execution Vulnerability
A DLL hijacking vulnerability has been identified in Wassimulator CactusViewer version 2.3.0. This vulnerability allows attackers to escalate privileges and execute arbitrary code by placing a malicious DLL in the same directory as the CactusViewer executable. When the application is launched, it loads the malicious DLL, leading to unauthorized code execution in the context of the user running the application.
