CVE Catalog

An OS command injection vulnerability has been identified in the Tenda F451 wireless router, specifically in the web management interface of firmware versions 1.0.0.7 and 1.0.0.9. The vulnerability arises in the 'formWriteFacMac' function within the '/goform/WriteFacMac' endpoint. Here, the 'mac' parameter can be manipulated to inject shell metacharacters, allowing for remote code execution with root privileges.

A vulnerability exists in the D-Link DGS-1100-08PD switch, specifically in version 1.00.006. The issue arises from an unknown processing flaw in the web interface component, related to the file /etc/boa.conf. This flaw allows for a least privilege violation, potentially enabling unauthorized actions or access. The vulnerability can be exploited remotely, but doing so requires a high level of complexity, making the exploitation difficult.

A vulnerability in TOTOLINK CP450 version 4.1.0cu.747 has been identified, affecting the vsftpd configuration file. This issue arises from an unknown code manipulation that leads to a least privilege violation, allowing remote exploitation.

A stack-based buffer overflow vulnerability has been identified in the Tenda HG10 router, specifically in the web management interface under the 'formPPPEdit' handler. This vulnerability arises from the 'encodename' parameter, which can be manipulated to overflow a stack buffer. The issue can be exploited remotely, potentially leading to a crash of the Boa web service or arbitrary code execution, as the affected process runs with elevated privileges.

A vulnerability exists in SourceCodester Online Examination & Learning Management System and the Syllabus-aligned Learning Management and Examination System 1.0. The issue arises in the file import_users.php, where the argument raw_password can be manipulated to use a hard-coded password. This vulnerability can be exploited remotely.

A vulnerability exists in Snipe-IT versions prior to 8.6.0, allowing non-admin users with the 'users.edit' permission to lock admins out of the system. This is achieved by editing the 'activated' flag, which controls user login access, and the 'ldap_import' flag, which manages password reset requests. The issue has been patched in version 8.6.0.

A vulnerability in OpenMetadata versions prior to 1.12.4 allows non-admin SSO users to leak sensitive information by triggering a TEST_CONNECTION workflow for a Database Service. The HTTP 201 response from the POST /api/v1/automations/workflows endpoint includes both the cleartext database password and a JWT for the ingestion bot, which can be used to access sensitive service APIs with bot-level privileges.

A denial-of-service vulnerability has been identified in the Linux kernel's V3D graphics driver. The issue arises in the handling of multisync extensions, where the driver processes a user-supplied, self-referential linked list of extensions without any limit on its length. A local user can create an extension with zero synchronization counts that bypasses existing checks, causing the driver to enter an infinite loop. This loop blocks the executing thread and fully utilizes a CPU core, effectively freezing that core until the loop is manually interrupted. The vulnerability affects the Linux kernel stable tree.

A vulnerability in the Linux kernel's Intel IPU6 PCI device driver allows for an erroneous pointer dereference. During an error handling process, the 'isp->psys' pointer is incorrectly assumed to be valid, leading to a potential dereference of an error pointer. This issue arises in versions of the Linux kernel prior to the latest stable release.

A vulnerability exists in the Linux kernel's videobuf2 DMA scatter/gather memory management, specifically in the handling of virtual memory area (VMA) flags. The issue arises because the vb2_dma_sg_mmap function does not set the VMA flags VM_DONTEXPAND and VM_DONTDUMP, unlike the vb2_dma_contig function, which does. This discrepancy can lead to warnings during the memory mapping of imported DMA buffers from certain camera drivers that utilize the videobuf2 DMA scatter/gather operations.

A vulnerability in the Linux kernel's AMDGPU driver related to user queues has been addressed. The issue involved improper management of write pointer (wptr) object mappings, which could lead to accessing outdated data. This vulnerability was present because the wptr object could be unmapped while a queue was still being created, causing conflicts with other buffer objects at the same address. The problem has been fixed by using the 'drm_exec' function to properly manage locks on the virtual memory root buffer object and the write pointer object buffer object, ensuring that the mapping data is accessed correctly.

A NULL pointer dereference vulnerability has been identified in the Linux kernel's VSP1 module for Generation 4. This issue occurs during the module unload process, where the cleanup code incorrectly calls the 'vsp1_drm_cleanup()' function instead of the appropriate 'vsp1_vspx_cleanup()' function. The error arises because the cleanup code does not properly check the IP version before calling the cleanup functions, leading to a crash when the module is unloaded.

A vulnerability exists in the Linux kernel's DRM/xe user API, specifically in the memory advice (madvise) handling. The issue arises from the acceptance of certain memory coherency modes that can lead to the leakage of sensitive data. When the kernel clears memory pages before they are reallocated, the cleared data can remain in the CPU cache. A GPU operating under the 'coh_none' mode can bypass the CPU cache and access this stale data directly from the DRAM. This could potentially expose information from previously freed memory pages of other processes. The vulnerability affects Linux kernel versions 6.18 and later.

A use-after-free vulnerability has been identified in the Linux kernel's PMDomain Mediatek driver, specifically within the 'scpsys_get_bus_protection_legacy()' function. The issue arises because the function improperly manages the reference count of a device node. It calls 'of_node_put()' to decrement the reference count before verifying if 'syscon_regmap_lookup_by_phandle()' encounters an error. If an error does occur, 'dev_err_probe()' attempts to access the node to provide error details, but the node may have already been freed, leading to a use-after-free condition. This vulnerability affects the Linux kernel stable tree.

A vulnerability in the ath5k wireless driver of the Linux kernel has been identified, where the driver improperly accesses an array, leading to an array-index-out-of-bounds condition. This issue was highlighted by a Undefined Behavior Sanitizer (UBSAN) message indicating that an index was out of range for the expected data type. The problem arises because the driver does not correctly validate array indices before use, which can potentially lead to memory corruption, although in this case, the out-of-bounds write only overwrites a nearby variable related to acknowledgment signals.

A vulnerability exists in the Linux kernel's handling of PPPoE frames with Protocol Field Compression (PFC) on MIPS architecture. RFC 2516 advises against using PFC with PPPoE, and while the pppd utility does not negotiate PFC for PPPoE sessions, the flow dissector driver incorrectly assumed frames were uncompressed. This oversight can lead to a 4-byte misalignment in the network header, causing an unaligned access exception on MIPS boards. The issue arises when a PPPoE PFC frame is sent to an Ethernet interface with Receive Packet Steering (RPS) enabled, even if no active PPPoE session is present.

A vulnerability in the Linux kernel's staging driver for the RTL8723BS wireless chipset can lead to a NULL pointer dereference. This issue arises because the return value of the memory allocation function 'kzalloc_flex()' is used without checking if the allocation was successful, allowing for an unguarded dereference of the pointer. The vulnerability affects the Linux kernel stable tree.

A vulnerability exists in the Linux kernel's NVM Express (NVMe) subsystem, specifically within the NVMe over TCP implementation. The issue arises in the asynchronous event handling of NVMe controllers, which can lead to a deadlock situation. When the NVMe TCP release queue work is processed, it can inadvertently drop the last reference to the controller. This action triggers the controller's cleanup routine, which attempts to flush pending asynchronous events on the same workqueue. Such a flush is unnecessary and can cause a recursive locking problem, as the workqueue is already engaged in processing the release work, creating a potential deadlock scenario.

A vulnerability exists in the Linux kernel's ISO 9660 file system handling, specifically within the Rock Ridge extension. The issue arises because the 'rock_continue()' function reads the continuation extent directly from the Rock Ridge Common Extension (CE) record and sends it to 'sb_bread()' without verifying that the block number is within the limits of the mounted ISO 9660 volume. This flaw can lead to improper handling of directory entries, potentially allowing a crafted ISO to be exploited. The vulnerability affects several versions of the Linux kernel.

A vulnerability in the Linux kernel's SELinux implementation allows multiple processes to open the policy file at /sys/fs/selinux/policy simultaneously. Previously, only one process could access the file at a time, which could lead to interference with other processes trying to read the kernel policy. This restriction was intended to prevent an inconsistent view of the policy size and to control userspace memory allocation, but it created a new problem by allowing processes to block each other. The vulnerability has been addressed by removing the single-open restriction, reducing the critical section where the policy mutex is held, and eliminating unnecessary error checks.

A use-after-free vulnerability has been identified in the Linux kernel's SPI Topcliff PCH driver. This issue arises during the unbinding process of the driver, where the DMA buffers are released before the driver has a chance to flush its message queue. As a result, there is a potential for memory corruption or exploitation.

A vulnerability in the Linux kernel's HFS+ file system implementation can lead to a warning about a held lock being freed improperly. This issue occurs in the 'hfsplus_fill_super()' function, which initializes a search structure and acquires a lock. If an error occurs during key building, the function exits without releasing the lock, causing a warning when the lock is still held but the associated data structure is freed. The vulnerability has been present since at least version 6.13-rc1 and was detected using a static analysis tool under development.

A race condition vulnerability has been identified in the Linux kernel's pseries/papr-hvpipe component. This issue arises when an interrupt is received on the same CPU while executing the ioctl or release handlers, potentially leading to a deadlock. The vulnerability affects several versions of the Linux kernel.

A vulnerability has been identified in the Linux kernel's handling of virtual function (VF) miscellaneous interrupts within the net: libwx component. The issue arises from the use of request_threaded_irq() with a primary handler and a NULL threaded handler, while also applying the IRQF_ONESHOT flag. This combination triggers a warning, as it violates the expected usage of threaded interrupt handlers. The vulnerability affects several versions of the Linux kernel.

A NULL pointer dereference vulnerability has been identified in the Linux kernel's SPI S3C64XX driver. This issue arises when the DMA channel allocation is moved back to the transfer preparation function without properly removing the corresponding deallocation from the driver removal process. As a result, the erroneous DMA channel release can trigger a NULL-pointer dereference during the driver unbinding phase. This vulnerability affects several versions of the Linux kernel.

A vulnerability in the Linux kernel's KVM module for x86 architecture has been addressed. The issue arose because the Interrupt Request Register (IRR) scan was not performed in the '__kvm_apic_update_irr' function when the Pending Interrupt Register (PIR) was empty. This oversight could lead to incorrect reporting of the highest pending interrupt, causing a spurious warning and unnecessary overhead during virtual machine operations. The vulnerability was triggered by a race condition between synchronizing the PIR to the IRR on the target virtual CPU and delivering posted interrupts from a sender virtual CPU, particularly under nested virtual machine stress tests.

A buffer overflow vulnerability has been identified in the Linux kernel's device mapper (DM) IOCTL processing, specifically within the 'retrieve_status' function of the DM IOCTL driver. This vulnerability arises because the function aligns a pointer to the output buffer without properly checking for overflow, potentially allowing data to be written past the end of the buffer. Although this issue has been addressed in the Linux kernel, it is important to note that it does not pose a security risk, as only root users can issue device mapper IOCTL commands. Furthermore, commonly used libraries that interact with the device mapper, such as 'libdevmapper' and 'devicemapper-rs', utilize buffer sizes that are already aligned to 8 bytes, preventing the overflow from occurring in practice.

A vulnerability in the Linux kernel clock driver for Microchip PolarFire SoC has been addressed. The issue involved an out-of-bounds access during the registration of output dividers for certain clock IDs. This occurred because the driver only allocated space for two Phase-Locked Loops (PLLs) and their corresponding output dividers, while the defined IDs included two Delay-Locked Loops (DLLs) and their outputs, which the driver does not support. The vulnerability has been fixed by adjusting the output IDs to prevent the out-of-bounds access.

A vulnerability in the Linux kernel's power management domain handling for virtual devices has been addressed. When a device is attached to a power management (PM) domain, the kernel enables runtime PM for the virtual device. However, there was no mechanism to disable runtime PM when the device is detached from the PM domain. This oversight could lead to runtime PM remaining active for detached virtual devices, causing potential NULL pointer dereference errors and unnecessary performance state votes. The vulnerability affects the Linux kernel stable tree.

A vulnerability in the Linux kernel's CAAM crypto driver has been addressed. The issue involved improper handling of HMAC key hex dumps, which could lead to unintentional leakage of sensitive key information at runtime, especially when dynamic debugging was enabled. The vulnerability affected the hash_digest_key function, where the HMAC key bytes were dumped in a way that could expose secrets. This issue has been resolved by modifying the key dumping method to a more secure approach.

A vulnerability in the Linux kernel's EFI handling can lead to system freezes. This issue arises from changes in how the kernel manages floating-point operations during EFI runtime service calls. The problem was introduced in a commit that aimed to improve cryptographic performance by allowing kernel-mode floating-point operations to be safely used in softirqs. However, this change inadvertently caused the EFI fault handler to misinterpret the task context, leading to unhandled page faults on systems with problematic firmware. As a result, instead of a graceful recovery, the system experiences a severe hang.

A vulnerability exists in the Linux kernel's handling of scatterlist length calculations when extracting data from kvec and user buffers. This issue, present in versions 6.3 prior to 6.5, can lead to incorrect length calculations that allow an sglist entry to exceed the actual number of bytes in a page. Additionally, when extracting user buffers, the sglist is used as a temporary scratch space for page pointers, which can overlap with existing sglist entries if not managed properly. The vulnerability was introduced in kernel 6.3 and remained unaddressed until the extraction function was revised in version 6.5. The flaw has been documented and tested, with the necessary fix applied in the latest version.

A use-after-free vulnerability has been identified in the Linux kernel's unittest component. The issue arises in the 'of_unittest_changeset' function, where the 'parent' variable is assigned the same value as 'nchangeset', pointing to the same struct device_node. The vulnerability occurs when 'of_node_put(nchangeset)' is called, potentially freeing the node if no other references exist. Subsequently, the code still uses 'parent' to access properties, leading to a use-after-free condition. This vulnerability affects the Linux kernel stable tree.

A vulnerability in the Linux kernel's TXGBE network driver can lead to a Real-Time Networking Layer (RTNL) assertion failure. This issue occurs when the driver disconnects from the physical layer (PHY) during module removal, particularly for copper network interface cards (NICs) with external PHYs. The problem arises because the disconnection process triggers an assertion warning, indicating a potential flaw in how the driver manages its connection to the PHY when the module is unloaded.

An array overflow vulnerability has been identified in the Linux kernel's QCOM LED driver. This issue arises when high-resolution values are selected from an array using the FIELD_GET() macro, which retrieves data from a 3-bit register. The problem occurs because the array being accessed contains only five values, creating a risk of reading random data. Although the hardware is likely functioning correctly, it is essential to implement proper checks to prevent overflow and ensure that only valid data is read before configuring chip values.

A use-after-free vulnerability has been identified in the Linux kernel's MTD DOCG3 driver. The issue arises in the 'docg3_release' function, where a pointer to a 'docg3' structure is obtained from 'cascade->floors[0]->priv' before a loop that calls 'doc_release_device()' on each floor. The 'doc_release_device()' function frees the 'docg3' structure, leading to a dereference of a freed pointer when accessing 'docg3->cascade->bch' after the loop. This vulnerability affects the Linux kernel stable tree.

A vulnerability in the Linux kernel's handling of hugepage parameters during early boot has been fixed. When hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, the parameter parsing incorrectly passes a NULL value to the 'hugetlb_add_param()' function. This NULL dereference can lead to a system crash. The vulnerability has been addressed by modifying 'hugetlb_add_param()' to reject NULL values and return an error instead.

A vulnerability exists in the Linux kernel's handling of TPM (Trusted Platform Module) authentication session data. The issue arises in the 'tpm_dev_release()' function, which uses the standard 'kfree()' to deallocate memory containing sensitive cryptographic information, such as HMAC session keys, nonces, and passphrase data. This approach leaves critical data in freed memory until it is overwritten, creating a potential security risk. In contrast, other functions that manage this data correctly use 'kfree_sensitive()' to clear the information before freeing it. This vulnerability affects Linux kernel versions 6.10 and later.

A NULL pointer dereference vulnerability has been identified in the Linux kernel ADMV1013 driver. When the function 'device_property_read_string()' fails, the string variable 'str' remains uninitialized. The code then proceeds to compare 'str' using 'strcmp()', which leads to dereferencing a garbage pointer. This vulnerability has been addressed by replacing the manual string read and comparison with 'device_property_match_property_string()'. Additionally, the single-ended mode enums have been consolidated into a sequential enum, mapping to hardware register values via a switch, in line with other bitfields in the driver. This issue affects the Linux kernel IIO frequency ADMV1013 driver.

A buffer overflow vulnerability has been identified in the Linux kernel's memory management component, specifically within the 'vmalloc' subsystem. The issue arises in the 'vrealloc_node_align' function, where a new allocation can inadvertently lead to an out-of-bounds write. This occurs when the function is used to shrink an allocation while simultaneously enforcing alignment or NUMA node constraints, causing data to be copied beyond the bounds of the newly allocated buffer.

A use-after-free vulnerability has been identified in the Linux kernel's handling of device private pages during the release of certain file operations. This issue arises in the 'test_hmm' library, specifically within the 'dmirror_fops_release' function. When this function is called, it frees the 'dmirror' structure without first migrating device private pages back to system memory. As a result, these pages are left with a dangling pointer to the freed structure. If a fault occurs on these pages later, such as during a core dump, it can lead to a kernel panic by dereferencing the stale pointer. This vulnerability was reported while running the HMM kernel self-tests on arm64, where a test failure caused a similar fault, triggering the panic.

A vulnerability in the Linux kernel's memory allocation system can lead to uninitialized codetags for certain pages. This issue arises because the page extension, which manages codetags, is not fully initialized during the early boot process. As a result, some pages allocated before this initialization lack a proper codetag. This vulnerability is particularly relevant when the kernel is configured with memory allocation profiling enabled, as it can trigger warnings related to the missing codetag when these pages are freed.

A NULL pointer dereference vulnerability has been identified in the Linux kernel's DRM imagination component. This issue leads to a segmentation fault when updating the ftrace mask, causing an invalid data access. The vulnerability arises from incorrect data being passed to a debugfs entry, which can be exploited by writing to the 'trace_mask' file in the debugfs.

A vulnerability has been identified in the Linux kernel's handling of device folios within the zone device memory management. After a device folio is freed, its contents can be quickly altered by a driver, potentially leading to inconsistencies. The vulnerability arises because the kernel code may attempt to access the folio again to retrieve the page map, not accounting for the possibility that the folio has been reallocated. This issue affects the Linux kernel stable tree.

A vulnerability in the Linux kernel's AMDGPU driver for RDNA4 (GFX 12) hardware has been identified, where the removal of certain on-chip memory resources leads to a kernel crash. The issue arises because the initialization code correctly sets the sizes of these resources to zero, reflecting their absence. However, the resource manager initialization process does not account for this, causing a crash during the module loading process for the AMDGPU driver on affected graphics cards, such as the RX 9070 XT. The problem has been present since the hardware was released over a year ago, but it was only recently reported.

A vulnerability exists in Hyperledger Fabric Chaincode Java versions 2.3.1 prior to 2.5.10, when deployed in chaincode-as-a-service mode with TLS enabled. The chaincode server's INFO level logs inadvertently include the TLS private key password in plaintext. An attacker with access to these logs could retrieve the password, and if they also obtain the TLS private key, they could impersonate the chaincode server.

A vulnerability allowing HTTP response splitting has been identified in ninenines cowlib version 2.9.0 and later. This issue arises from improper handling of non-visible characters in structured-fields string values, which can be exploited to inject carriage return and line feed sequences into HTTP headers. The cow_http_struct_hd:escape_string/2 function fails to adequately escape these bytes, creating a mismatch between the encoding and parsing of header values. As a result, applications that use cow_http_struct_hd:item/1 to build structured HTTP headers from untrusted input may inadvertently introduce CRLF injection, facilitating HTTP response splitting attacks.

An authentication bypass vulnerability has been identified in AdGuard Home versions prior to 0.107.77, when the application is started with the --glinet flag. This vulnerability allows unauthenticated attackers to gain full administrative access by injecting a path traversal sequence into the Admin-Token cookie. The issue arises from unsanitized string concatenation in the token file path construction within the authglinet middleware, enabling attackers to redirect file reads to arbitrary paths.

A missing authorization check vulnerability has been identified in the STACKIT IaaS API, affecting versions prior to the 2026-05-28 update. This vulnerability allows authenticated, low-privileged attackers to escalate privileges and compromise entire organizations. By attaching arbitrary service accounts to virtual machines they control, attackers can exploit the unvalidated PUT servers service-accounts endpoint to gain access to high-privileged service accounts. This access enables them to query the Instance Metadata Service for OAuth2 tokens, bypass tenant boundaries, and gain unauthorized control over the organization's environment.

A credential disclosure vulnerability exists in OpenBullet2 versions through 0.3.2 on Windows. This vulnerability allows remote attackers to capture the NTLMv2 hash of the process user. Exploitation involves configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job is executed, the application attempts to load proxies from the UNC path, inadvertently triggering an SMB authentication attempt that discloses the NTLMv2 hash. This hash can then be relayed or cracked offline.