CVE-2023-53171 vfio/type1: prevent underflow of locked_vm via exec()

In the Linux kernel, the following vulnerability has been resolved: vfio/type1: prevent underflow of lockedvm via exec When a vfio container is preserved across exec, the task does not change, but it gets a new mm with lockedvm=0, and loses the count from existing dma mappings. If the user later...

CVE-2023-53171

CVE-2023-53171 affects the Linux kernel’s vfio/type1 path. The issue occurs when a vfio container is preserved across execs: the task’s mm can change to a new mm with locked_vm=0, causing undercounted DMA mappings and a later unmap to underflow locked_vm, leading to ENOMEM on a subsequent dma map...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from the vfio/type1 container not properly handling the lockedvm count when executing exec, which could result in...

PT-2025-37535

Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A flaw exists in the vfio/type1 component of the Linux kernel where an underflow of locked vm can occur during an exec operation within a vfio container. This happens when a container ...

PT-2025-46758

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A flaw exists in the Linux kernel related to race conditions when using task locktsk-group leader within the sys prlimit64 function and its associated do prlimit path. Specifically, the...

MAL-2025-47094 Malicious code in eth-exec-txs (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 288cdf368821283de11f98ec0f9c5d0daf500ed6be174fd0c3c7811d4346cf1f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in eth-exec-txs (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 288cdf368821283de11f98ec0f9c5d0daf500ed6be174fd0c3c7811d4346cf1f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Security update for go1.23-openssl

This update for go1.23-openssl fixes the following issues: Update to version 1.23.12 cut from the go1.23-fips-release branch at the revision tagged go1.23.12-1-openssl-fips. jscSLE-18320 Rebase to 1.23.12 Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash...

SUSE-SU-2025:03158-1 Security update for go1.24-openssl

This security update of go1.24-openssl fixes the following issues: Update to version 1.24.6 cut from the go1.24-fips-release branch at the revision tagged go1.24.6-1-openssl-fips. Refs jscSLE-18320 Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length...

interactive-git-checkout has a Command Injection vulnerability

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout. Resources: Project'...

Linux Distros Unpatched Vulnerability : CVE-2019-12618

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control via the exec driver. CVE-2019-12618 Note that Nessus relies on the presence of the package as...

PT-2025-49182

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions prior to 2.4.66 Description An issue exists in Apache HTTP Server on Windows when AllowEncodedSlashes is enabled and MergeSlashes is disabled. This can allow for Server-Side Request Forgery SSRF, potentially leading...

CVE-2025-59046

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout. Versions up to and...

CVE-2025-59046

The CVE-2025-59046 entry concerns the npm package interactive-git-checkout. Affected versions (up to and including 1.1.4) are vulnerable because the code passes the user-provided branch name directly to git checkout via Node.js child_process.exec() without input validation or sanitization, enabli...

CVE-2025-59046 interactive-git-checkout has Command Injection vulnerability

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout. Versions up to and...

CVE-2025-54994

@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP...

@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API

Command Injection in MCP Server The MCP Server at https://github.com/akoskm/create-mcp-server-stdio is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. Vulnerable tool The MCP Server exposes the to...

CVE-2025-54994 @akoskm/create-mcp-server-stdio has Command Injection in MCP Server due to unsafe `exec` API

@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP...

CVE-2025-54994 @akoskm/create-mcp-server-stdio has Command Injection in MCP Server due to unsafe `exec` API

@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Prior to version 0.0.13, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP...

CVE-2025-54994

CVE-2025-54994 affects the MCP Server Starter kit @akoskm/create-mcp-server-stdio. The vulnerable component is the which-app-on-port tool that uses Node.js child_process.exec, exposing command-injection risk when user input is unsafely concatenated into shell commands. Affected versions precede 0...