
3911 matches found

Vulnrichment
added 2026/05/21 8:22 a.m. | 5 views

CVE-2026-22880 Mobile SSO authentication flow allows credential theft via malicious server

Mattermost Mobile Apps versions =2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO...

CVSS 6.1 | AI score 5.9 | EPSS 0.00016
Exploits: 0 | References: 1
EUVD
added 2026/05/21 8:22 a.m. | 6 views

EUVD-2026-31250

Mattermost Mobile Apps versions =2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO...

CVSS 6.1 | AI score 5.9 | EPSS 0.00016
Exploits: 0 | References: 1
ATTACKERKB
added 2026/05/21 8:22 a.m. | 5 views

CVE-2026-22880

Mattermost Mobile Apps versions =2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO...

CVSS 6.1 | AI score 5.9 | EPSS 0.00016
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/21 12:0 a.m. | 6 views

PT-2026-42432

Mattermost Mobile Apps versions =2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO...

CVSS 6.1 | AI score 5.9 | EPSS 0.00016
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 3 views

Astra Linux - vulnerability in linux, linux-5.15, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: spmi: Added a check for a remove callback when removing a SPMI driver. When removing a SPMI driver, a crash may occur due to a NULL pointer dereference if no remove callback is defined. This was observed in a call trace when...

AI score 5.8 | EPSS 0.00061
Exploits: 0 | References: 1
AstraLinux
added 2026/05/20 5:53 a.m. | 5 views

Astra Linux - vulnerability in linux-5.10, linux, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: Wifi: ath9k: htc_hst: In the ath9k_htc_rx_msg function, if there is no callback function, the provided skb is not freed. It is stated that ath9k_htc_rx_msg either frees the provided skb or passes its management to another callback...

AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 1
AstraLinux
added 2026/05/20 5:53 a.m. | 6 views

Astra Linux - vulnerability in golang-go.crypto

Applications and libraries that misuse the connection.serverAuthenticate function via the ServerConfig.PublicKeyCallback callback field may be susceptible to authorization bypasses. The documentation for ServerConfig.PublicKeyCallback states that “Calling this function does not guarantee that the...

CVSS 9.1 | AI score 6.7 | EPSS 0.32338
Exploits: 2 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 3 views

Astra Linux - vulnerability in curl

There is an information disclosure vulnerability in curl v8.1.0 when performing HTTPS transfers. libcurl may incorrectly use the read callback CURLOPT_READFUNCTION to request data to be sent, even when the CURLOPT_POSTFIELDS option is set. This occurs if the same handle was previously used to issue...

CVSS 5.3 | AI score 6.6 | EPSS 0.00631
Exploits: 1 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 1 view

Astra Linux - vulnerability in linux-5.10, linux-6.1, linux, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent NULL dereference in nfsd4_process_cb_update. @ses is initialized to NULL. If __nfsd4_find_backchannel finds no available backchannel session, setup_callback_client will attempt to dereference @ses, resulting in a segmentation...

CVSS 5.5 | AI score 6.2 | EPSS 0.00007
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 6 views

Astra Linux - vulnerability in linux, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Fixed a NULL dereferencing in set_hv_tscchange_cb if the Hyper-V setup fails. Check for a valid hv_vp_index array before dereferencing hv_vp_index when setting Hyper-V’s TSC change callback. If Hyper-V setup fails in...

CVSS 5.5 | AI score 6.1 | EPSS 0.00019
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 8 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: clk: microchip: Fixed a potential UAF in the auxdev release callback. Similar to commit 1c11289b34ab “peci: cpu: Fixed a use-after-free in adev_release”, the auxiliary device is not removed in the correct order. If...

CVSS 7.8 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 4 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerability has been resolved: Tracing: Fixed the WARN_ON message in tracing_buffers_mmap_close for split VMA instances. When a VMA is split (e.g., through partial munmap or MAP_FIXED), the kernel calls vm_ops->close on each portion of the VMA. For trace buffer mapping...

AI score 5.9 | EPSS 0.00024
Exploits: 0 | References: 1
AstraLinux
added 2026/05/20 5:53 a.m. | 3 views

Astra Linux - vulnerability in linux-5.10, linux-6.1, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: nfsd: When trying to queue dl_recall, if the call to nfsd4_run_cb fails, the reference count of dl_stid is not decremented. This leads to a memory leak as follows: Unreferenced object 0xffff88812067b578 size 344: Comm “nfsd”, pid 276...

CVSS 5.5 | AI score 6.3 | EPSS 0.00013
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 2 views

Astra Linux - vulnerability in linux, linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: Binder: Fix for use-after-free in shinker’s callback. The mmap read lock is used during shinker’s callback, which means that using the alloc->vma pointer is not safe, as it may race with munmap. As of commit dd2283f2605e “mm: mmap:...

CVSS 7.8 | AI score 5.8 | EPSS 0.00014
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 7 views

Astra Linux - vulnerability in linux, linux-5.15, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: remove block_cb from driver_list before freeing. The error handler of tcf_block_bind frees the entire bo->cb_list when an error occurs. However, by that time, the flow_block_cb instances are already in the driver_list...

AI score 5.9 | EPSS 0.00029
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 2 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: drivers: perf: marvell_cn10k: Fixed a leak in the hotplug callback in tad_pmu_init. The tad_pmu_init function does not remove the callback added by cpuhp_setup_state_multi when platform_driver_register fails. The callback must be remove...

AI score 5.8 | EPSS 0.00024
Exploits: 0 | References: 1
AstraLinux
added 2026/05/20 5:53 a.m. | 4 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Added functions to register and unregister callback functions for the vblank register. We encountered a kernel panic issue where callback data would become NULL when used in the ovl irq handler. There is a timing...

CVSS 5.5 | AI score 6.1 | EPSS 0.00071
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 3 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerability has been resolved: spi: stm32-ospi: Fixed a resource leak in the remove callback. The remove callback returned early if pm_runtime_resume_and_get failed, skipping the cleanup of the SPI controller and other resources. This issue has been addressed by...

CVSS 5.5 | AI score 5.7 | EPSS 0.00015
Exploits: 0 | References: 1
AstraLinux
added 2026/05/20 5:53 a.m. | 10 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerability has been resolved: Platform/x86: x86-android-tablets: Fixed a problem where the touchscreen function was not working properly on the Chuwi Hi8 when using the Windows BIOS. The handling of touchscreen operations for the Chuwi Hi8 is only necessary...

CVSS 5.5 | AI score 5.7 | EPSS 0.00074
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 3 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fixed a NULL pointer dereference in dcn401_init_hw. dcn401_init_hw assumes that update_bw_bounding_box is valid when entering the update path. However, the current condition: !fams2_enable && update_bw_bounding_box ||...

CVSS 5.5 | AI score 5.4 | EPSS 0.00013
Exploits: 0 | References: 1