
123 matches found

Positive Technologies
added 2026/06/03 12:0 a.m. | 10 views

PT-2026-46006

Name of the Vulnerable Software and Affected Versions: OP-TEE versions 3.16.0 through 4.10.x. Description: A use-after-free race condition exists in the shared memory teardown logic of FF-A within SPMC/SP flows. This occurs when OP-TEE is configured as an SPMC for S-EL0 SPs using CFG SECURE...

7.8 CVSS | 5.9 AI score | 0.00187 EPSS
Exploits 1 | References 4
Tenable Nessus
added 2026/06/03 12:0 a.m. | 9 views

Linux Distros Unpatched Vulnerability : CVE-2026-40290

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology...

7.8 CVSS | 5.7 AI score | 0.00187 EPSS
Exploits 1 | References 3
Snyk
added 2026/06/01 9:0 p.m. | 6 views

Malicious Package

Overview backup3-ff is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertisi...

9.8 CVSS | 5.8 AI score
Exploits 0 | References 2
Microsoft CVE
added 2026/04/26 8:2 a.m. | 3 views

Input: uinput - fix circular locking dependency with ff-core

...

7.8 CVSS | 5.8 AI score | 0.00096 EPSS
Exploits 0
Debian CVE
added 2026/04/24 2:45 p.m. | 2 views

CVE-2026-31667

In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular locking dependency with ff-core A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput for example, playing ELDEN RING under Wine...

7.8 CVSS | 5.5 AI score | 0.00096 EPSS
Exploits 0
Tenable Nessus
added 2026/04/17 12:0 a.m. | 5 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007597)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007597 advisory. In the Linux kernel, the following vulnerability has been resolved: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Struct ff_effect_compat is...

5.6 AI score | 0.00192 EPSS
Exploits 0 | References 4
OSV
added 2026/01/29 12:48 a.m. | 1 views

CGA-VXMP-RR98-57FF

Bulletin has no description...

7.3 CVSS | 7.3 AI score | 0.0045 EPSS
Exploits 0
Tenable Nessus
added 2026/01/16 12:0 a.m. | 3 views

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-004283)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004283 advisory. In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka...

4.9 CVSS | 6.4 AI score | 0.00738 EPSS
Exploits 0 | References 18
Tenable Nessus
added 2026/01/16 12:0 a.m. | 4 views

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-004135)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004135 advisory. In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka...

4.9 CVSS | 6.4 AI score | 0.00738 EPSS
Exploits 0 | References 18
AstraLinux
added 2026/01/13 2:1 p.m. | 1 views

Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12

In the Linux kernel, the following vulnerability has been resolved: Input: uinput – Zero-initialize uinput_ff_upload_compat to avoid info leaks. The struct ff_effect_compat is embedded twice within uinput_ff_upload_compat and contains internal padding. In particular, there is a gap after struct ffrepla...

5.6 AI score | 0.00192 EPSS
Exploits 0 | References 3
NVD
added 2025/12/04 4:16 p.m. | 5 views

CVE-2025-40266

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is...

0.00171 EPSS
Exploits 0 | References 4
OSV
added 2025/12/04 4:16 p.m. | 2 views

AZL-71422 CVE-2025-40266 affecting package kernel for versions less than 6.6.119.3-1

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is...

6 AI score | 0.00171 EPSS
Exploits 0 | References 1
Cvelist
added 2025/12/04 4:8 p.m. | 16 views

CVE-2025-40266 KVM: arm64: Check the untrusted offset in FF-A memory share

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is...

0.00171 EPSS
Exploits 0 | References 4
OSV
added 2025/12/04 4:8 p.m. | 2 views

CVE-2025-40266 KVM: arm64: Check the untrusted offset in FF-A memory share

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is...

6.6 AI score | 0.00171 EPSS
Exploits 0 | References 7
Tenable Nessus
added 2025/12/03 12:0 a.m. | 7 views

AlmaLinux 9 : gimp (ALSA-2025:21968)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:21968 advisory. gimp: GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability (CVE-2025-10922) gimp: GIMP ICNS File Parsing Out-Of-Bounds Writ...

7.8 CVSS | 7.6 AI score | 0.02434 EPSS
Exploits 0 | References 9
vulnersOsv
added 2025/11/24 4:24 p.m. | 5 views

ff-build (>=2.4.0 <=2.6.1) potentially affected by unknown CVE via gulp-inject-envs (=1.2.0)

gulp-inject-envs NPM version =1.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on gulp-inject-envs and may be impacted: - ff-build >=2.4.0, <=2.6.1 Source cves: unknown CVE Source advisory: SNYK:JS-GULPINJECTENVS-14103633...

5.8 AI score
Exploits 0
OSSF Malicious Packages
added 2025/11/12 10:25 p.m. | 3 views

Malicious code in soniec-kat-ff (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cd919172ff697f96b104ebacd4b023e561ff9ffdf628dff5178e47021b16e02 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0
EUVD
added 2025/11/12 7:18 p.m. | 1 views

EUVD-2025-139454

Malicious code in nuilva-darde-ff npm...

6.6 AI score
Exploits 0
OSSF Malicious Packages
added 2025/11/12 4:47 p.m. | 3 views

Malicious code in messi-aa-ff (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3f75231ed32b957af26a1d5ddd99dbfdfdd0b821cb9321db6960faa8f26ec7ed This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0
RedhatCVE
added 2025/10/30 9:0 a.m. | 2 views

CVE-2025-10924

A remote code execution (RCE) vulnerability exists in GIMP’s FF file parsing functionality. The flaw stems from improper validation of user-supplied data, leading to an integer overflow before buffer allocation. When a user opens a malicious FF image file, the overflow can cause incorrect memory...

7.8 CVSS | 7.7 AI score | 0.00328 EPSS
Exploits 0 | References 5