11240 matches found

RedhatCVE
added 2025/09/05 9:31 p.m. | 1 view

CVE-2025-58056

A flaw in Netty’s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same...

CVSS 7.5 | AI score 6.3 | EPSS 0.00097
Exploits: 1 | References: 10
Tenable Nessus
added 2025/09/05 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2024-34006

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered...

CVSS 4.3 | AI score 5.4 | EPSS 0.00424
Exploits: 0 | References: 2
Snyk
added 2025/09/05 12:00 a.m. | 1 view

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the errordescription query parameter, which is rendered directly on error pages without validation or sanitization. An attacker can display misleading messages within the trusted user interface by crafting...

CVSS 5.1 | AI score 3.6 | EPSS 0.00065
Exploits: 0 | References: 2
OSV
added 2025/09/04 5:35 p.m. | 7 views

GHSA-FGHV-69VJ-QJ49 Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions

Summary: A flaw in netty's parsing of chunk extensions in HTTP/1.1 messages with chunked encoding can lead to request smuggling issues with some reverse proxies. Details: When encountering a newline character (LF) while parsing a chunk extension, netty interprets the newline as the end of the...

CVSS 7.5 | AI score 6.8 | EPSS 0.00097
Exploits: 1 | References: 10
OSV
added 2025/09/04 4:15 p.m. | 2 views

DEBIAN-CVE-2025-38691

In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page arr...

CVSS 5.5 | AI score 5.6 | EPSS 0.00023
Exploits: 0 | References: 1
NVD
added 2025/09/04 4:15 p.m. | 2 views

CVE-2025-38691

In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page arr...

CVSS 5.5 | EPSS 0.00023
Exploits: 0 | References: 13
OSV
added 2025/09/04 4:15 p.m. | 2 views

AZL-73920 CVE-2025-38691 affecting package kernel for versions less than 5.15.200.1-1

In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page arr...

CVSS 5.5 | AI score 6 | EPSS 0.00023
Exploits: 0 | References: 1
OSV
added 2025/09/04 4:15 p.m. | 3 views

AZL-66800 CVE-2025-38691 affecting package kernel for versions less than 6.6.104.2-1

In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page arr...

CVSS 5.5 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 1
OSV
added 2025/09/04 4:15 p.m. | 0 views

UBUNTU-CVE-2025-38691

In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page arr...

CVSS 5.5 | AI score 6 | EPSS 0.00023
Exploits: 0 | References: 37
CVE
added 2025/09/04 3:32 p.m. | 35 views

CVE-2025-38691

Technical details about CVE-2025-38691 are not publicly provided in the supplied connected documents. Monitor vendor advisories (Debian, Mageia, Amazon Linux) for patches and mitigations and update accordingly.

CVSS 5.5 | AI score 5.9 | EPSS 0.00023
Exploits: 0 | References: 13 | Affected Software: 1
OSV
added 2025/09/04 3:32 p.m. | 5 views

CVE-2025-38691 pNFS: Fix uninited ptr deref in block/scsi layout

In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page arr...

CVSS 5.5 | AI score 6.1 | EPSS 0.00023
Exploits: 0 | References: 14
CVE
added 2025/09/04 11:07 a.m. | 8 views

CVE-2025-41035

appRain CMF 4.0.5 contains an authenticated path traversal vulnerability in the /apprain/common/download/ endpoint. The issue arises from handling of base64-encoded path parameters after /download/, allowing an attacker with sufficient permissions to access files outside the document root. Connec...

CVSS 7.1 | AI score 6.5 | EPSS 0.00083
Exploits: 0 | References: 1 | Affected Software: 1
Microsoft CVE
added 2025/09/04 9:25 a.m. | 2 views

AIDE null pointer dereference when reading incorrectly encoded xattr attributes from database (local DoS)

...

CVSS 6.2 | AI score 7 | EPSS 0.00068
Exploits: 1
Microsoft CVE
added 2025/09/04 6:25 a.m. | 4 views

HDF5 H5Ofsinfo.c H5O__fsinfo_encode heap-based overflow

...

CVSS 4.8 | AI score 7 | EPSS 0.00145
Exploits: 1
Microsoft CVE
added 2025/09/04 4:29 a.m. | 2 views

HDF5 H5Fint.c H5F_addr_encode_len heap-based overflow

...

CVSS 4.8 | AI score 7 | EPSS 0.00123
Exploits: 1
Microsoft CVE
added 2025/09/04 2:31 a.m. | 0 views

ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()

...

CVSS 7.1 | AI score 6.8 | EPSS 0.00007
Exploits: 0
Snyk
added 2025/09/03 9:43 p.m. | 5 views

HTTP Request Smuggling

Overview: io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling via the parsing of chunk extensions in HTTP/1.1 messages with chunked...

CVSS 8.7 | AI score 7 | EPSS 0.00097
Exploits: 1 | References: 2
Microsoft CVE
added 2025/09/03 9:38 p.m. | 3 views

Stack exhaustion in Decoder.Decode in encoding/gob

...

CVSS 7.5 | AI score 7 | EPSS 0.00298
Exploits: 0
OSV
added 2025/09/03 9:15 p.m. | 0 views

UBUNTU-CVE-2025-58056

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line...

CVSS 7.5 | AI score 6.7 | EPSS 0.00097
Exploits: 1 | References: 10
OSV
added 2025/09/03 5:42 p.m. | 3 views

GHSA-QWW7-89XH-X7M7 XWiki configuration files can be accessed through the webjars API

Impact: It's possible to get access and read configuration files by using URLs such as http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg. The trick here is to encode the / which is decoded when parsing the URL segment, but not re-encoded when assembling...

CVSS 9.3 | AI score 5.7 | EPSS 0.01292
Exploits: 0 | References: 5