CVE-2025-38240 drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: drmerr = deverr in HPD path to avoid NULL ptr The function mtkdpwaithpdasserted may be called before the mtkdp-drmdev pointer is assigned in mtkdpbridgeattach. Specifically it can be called via this callpath: -...

CVE-2025-22655

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Caio Web Dev CWD – Stealth Links cwd-stealth-links allows SQL Injection.This issue affects CWD – Stealth Links: from n/a through = 1.3...

The vulnerability of the dev_map_delete_elem() function in the kernel/bpf/devmap.c module of the Linux operating system allows a attacker to compromise the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of the devmapdeleteelem function in the kernel/bpf/devmap.c module of the Linux operating system is related to writing beyond the buffer boundaries. Exploiting this vulnerability could allow an attacker to compromise the confidentiality, integrity, and accessibility of the...

CVE-2025-1566

DNS Leak in Native System VPN in Google ChromeOS Dev Channel on ChromeOS 16002.23.0 allows network observers to expose plaintext DNS queries via failure to properly tunnel DNS traffic during VPN state transitions...

CVE-2025-31200

creationtimestamp| type| source ---|---|--- 2025-04-16 17:33:02+00:00| seen| https://infosec.exchange/users/applsec/statuses/114348836934305541 2025-04-16 17:33:04+00:00| seen| https://bsky.app/profile/applsec.bsky.social/post/3lmx4qr3utx2e 2025-04-16 18:18:24+00:00| seen|...

Security update for the Linux Kernel

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security bugfixes. The following security bugs were fixed: CVE-2021-46925: Fixed kernel panic caused by race of smcsock bsc1220466. CVE-2021-47645: media: staging: media: zoran: calculate the right buffer number for...

kernel: bonding: stop the device in bond_setup_by_slave()

In the Linux kernel, the following vulnerability has been resolved: bonding: stop the device in bondsetupbyslave Commit 9eed321cde22 "net: lapbether: only support ethernet devices" has been able to keep syzbot away from net/lapb, until today. In the following splat 1, the issue is that a lapbethe...

Important: Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.20.0 release

Red Hat OpenShift Dev Spaces 3.20 has been released. All containers have been updated to include feature enhancements, bug fixes and CVE fixes. Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in...

The vulnerability of the Xen kernel component in the Linux operating system, which allows a hacker to trigger a service failure

The vulnerability of the xen component in the Linux operating system’s kernel is related to a memory leak in the xenbusdevprobe function. Exploiting this vulnerability can allow an attacker to cause a service failure...

CVE-2025-2814 Crypt::CBC versions between 1.21 and 3.05 for Perl may use insecure rand() function for cryptographic functions

Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to...

SUSE CVE-2025-32395

Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec RFC 9112 does not allow in request-target. Although an attacker can sen...

GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`

Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...

Information Exposure

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as . An attacker can access and retrieve the contents of arbitrary files by...

geneve: Fix use-after-free in geneve_find_dev().

...

The vulnerability of the net/core/dev.c component in the Linux operating system’s kernel allows a hacker to gain access to confidential data.

The vulnerability in the net/core/dev.c component of the Linux operating system’s kernel involves the simultaneous execution using shared resources with incorrect synchronization. Exploiting this vulnerability can allow an attacker to gain access to confidential data...

CVE-2025-3259

A vulnerability, which was classified as critical, has been found in Tenda RX3 16.03.13.11. This issue affects the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName leads to stack-based buffer overflow. The attack may be initiated remotely...

Vite allows server.fs.deny to be bypassed with .svg or relative paths

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details .svg Requests ending with .svg are loaded at this line...

GHSA-XCJ6-PQ6G-QJ4X Vite allows server.fs.deny to be bypassed with .svg or relative paths

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details .svg Requests ending with .svg are loaded at this line...

SUSE CVE-2025-21925

In the Linux kernel, the following vulnerability has been resolved: llc: do not use skbget before devqueuexmit syzbot is able to crash hosts 1, using llc and devices not supporting IFFTXSKBSHARING. In this case, e1000 driver calls ethskbpad, while the skb is shared. Simply replace skbget by...

Incorrect Authorization

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Incorrect Authorization via the bypass of the server.fs.deny restriction. An attacker can access restricted files by appending ?.svg with ?.wasm?init or with sec-fetch-dest...