10998 matches found
kernel: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of dfv17channelnumber Check the fbchannelnumber range to avoid the array out-of-bounds read error...
kernel: wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()
In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: add range check for connrspepid in htcconnectservice I found the following bug in my fuzzer: UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htchst.c:26:51 index 255 is out of range for type...
kernel: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix memcpy field-spanning write warning in mwifiexcmd80211scanext Replace one-element array with a flexible-array member in struct hostcmdds80211scanext. With this, fix the following warning: elo 16 17:51:58...
kernel: bpf: Fix array bounds error with may_goto
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix array bounds error with maygoto maygoto uses an additional 8 bytes on the stack, which causes the interpreters array to go out of bounds when calculating index by stacksize. 1. If a BPF program is rewritten, re-evaluate...
kernel: gpio: prevent potential speculation leaks in gpio_device_get_desc()
In the Linux kernel, the following vulnerability has been resolved: gpio: prevent potential speculation leaks in gpiodevicegetdesc Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpioioctl with an offset out of range. Offset i...
kernel: powercap: intel_rapl: Fix off by one in get_rpi()
In the Linux kernel, the following vulnerability has been resolved: powercap: intelrapl: Fix off by one in getrpi The rp-priv-rpi array is either rpimsr or rpitpmi which have NRRAPLPRIMITIVES number of elements. Thus the needs to be = to prevent an off by one access...
kernel: usb: typec: fix potential array underflow in ucsi_ccg_sync_control()
In the Linux kernel, the following vulnerability has been resolved: usb: typec: fix potential array underflow in ucsiccgsynccontrol The "command" variable can be controlled by the user via debugfs. The worry is that if conindex is zero then "&uc-ucsi-connectorconindex - 1" would be an array...
kernel: dm array: fix releasing a faulty array block twice in dm_array_cursor_end
In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in dmarraycursorend When dmbmreadlock fails due to locking or checksum errors, it releases the faulty block implicitly while leaving an invalid output pointer behind. The caller ...
kernel: fs: prevent out-of-bounds array speculation when closing a file descriptor
In the Linux kernel, the following vulnerability has been resolved: fs: prevent out-of-bounds array speculation when closing a file descriptor Google-Bug-Id: 114199369...
kernel: udmabuf: change folios array from kmalloc to kvmalloc
In the Linux kernel, the following vulnerability has been resolved: udmabuf: change folios array from kmalloc to kvmalloc When PAGESIZE 4096, MAXPAGEORDER 10, 64bit machine, pagealloc only support 4MB. If above this, trigger this warn and return NULL. udmabuf can change size limit, if change it t...
kernel: drm/amd/display: Increase array size of dummy_boolean
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase array size of dummyboolean WHY dml2coresharedmodesupport and dmlcoremodesupport access the third element of dummyboolean, i.e. hwdebug5 = &s-dummyboolean2, when dummyboolean has size of 2. Any assignment...
kernel: protect the fetch of ->fd[fd] in do_dup2() from mispredictions
In the Linux kernel, the following vulnerability has been resolved: protect the fetch of -fdfd in dodup2 from mispredictions both callers have verified that fd is not greater than -maxfds; however, misprediction might end up with tofree = fdt-fdfd; being speculatively executed. That's wrong for t...
Browser Security Posture Analysis: a Client-Side Security Assessment Framework
Modern web browsers have effectively become the new operating system for business applications, yet their security posture is often under-scrutinized. This paper presents a novel, comprehensive Browser Security Posture Analysis Framework1, a browser-based client-side security assessment toolkit...
SUSE CVE-2025-37857
In the Linux kernel, the following vulnerability has been resolved: scsi: st: Fix array overflow in stsetup Change the array size to follow parms size instead of a fixed value...
CVE-2025-37857
In the Linux kernel, the following vulnerability has been resolved: scsi: st: Fix array overflow in stsetup Change the array size to follow parms size instead of a fixed value...
UBUNTU-CVE-2025-37857
In the Linux kernel, the following vulnerability has been resolved: scsi: st: Fix array overflow in stsetup Change the array size to follow parms size instead of a fixed value...
CVE-2025-37857 scsi: st: Fix array overflow in st_setup()
In the Linux kernel, the following vulnerability has been resolved: scsi: st: Fix array overflow in stsetup Change the array size to follow parms size instead of a fixed value...
CVE-2025-37857 scsi: st: Fix array overflow in st_setup()
In the Linux kernel, the following vulnerability has been resolved: scsi: st: Fix array overflow in stsetup Change the array size to follow parms size instead of a fixed value...
CVE-2025-37857
In the Linux kernel, the following vulnerability has been resolved: scsi: st: Fix array overflow in stsetup Change the array size to follow parms size instead of a fixed value...
CVE-2025-37857
CVE-2025-37857 affects the Linux kernel scsi: st driver. It fixes an array overflow in st_setup() by changing the array size from a fixed value to follow the parms size.