23 matches found
CVE-2026-54516
A flaw was found in jackson-databind. This vulnerability allows a remote attacker to bypass security controls by exploiting an issue in how properties are handled when both @JsonProperty for renaming and @JsonIgnore for ignoring annotations are used. By supplying a specially crafted JSON key, an...
kernel: mm/page_alloc: clear page->private in free_pages_prepare()
A flaw was found in the Linux kernel's memory management subsystem. When pages are freed, the page-private field is not properly cleared. If these pages are later reallocated as high-order pages and split, the tail pages can retain stale page-private values. This can lead to a use-after-free...
GHSA-9FXM-VC8V-HJ55 jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
Summary POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFERPROPERTYMUTATORS enabled default, the private backing field is retained; during deserialization...
CVE-2026-54516 jackson-databind: Renamed @JsonIgnore'd setters can deserialize via private fields
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed...
kernel: mm/page_alloc: clear page->private in free_pages_prepare()
A flaw was found in the Linux kernel's memory management subsystem. When pages are freed, the page-private field is not properly cleared. If these pages are later reallocated as high-order pages and split, the tail pages can retain stale page-private values. This can lead to a use-after-free...
Linux Distros Unpatched Vulnerability : CVE-2026-43303
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - mm/pagealloc: clear page-private in freepagesprepare Several subsystems slub, shmem, ttm, etc. use page-private but don't clear it before freeing pages. When...
CVE-2025-68167
In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix invalid pointer access in debugfs If the memory allocation in gpiolibseqstart fails, the s-private field remains uninitialized and is later dereferenced without checking in gpiolibseqstop. Initialize s-private to NUL...
CVE-2025-68167
In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix invalid pointer access in debugfs If the memory allocation in gpiolibseqstart fails, the s-private field remains uninitialized and is later dereferenced without checking in gpiolibseqstop. Initialize s-private to NUL...
CVE-2025-68167 gpiolib: fix invalid pointer access in debugfs
In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix invalid pointer access in debugfs If the memory allocation in gpiolibseqstart fails, the s-private field remains uninitialized and is later dereferenced without checking in gpiolibseqstop. Initialize s-private to NUL...
Malicious code in sonic-ijos-aaaf (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67f73621e614fb3c63feaf4177bc8ae9890f8b437d21bae59b357ea17e0a5fda This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
kernel: fs: fix UAF/GPF bug in nilfs_mdt_destroy
In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfsmdtdestroy In allocinode, inodeinitalways could return -ENOMEM if securityinodealloc fails, which causes inode-iprivate uninitialized. Then nilfsismetadatafileinode returns true and nilfsfreeinode...
MAL-2025-57038 Malicious code in joko-lepet19-sukiwir (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a2f078c27458898d3991f8bcdb86c860c30e5140213db8b9adb256f2c763cae1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-54416 Malicious code in putri-rojak84-sukiwir (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d52308bcc58e389356ea7c635ad0c3d7cb4d1be4644ea7b952183a8009722bd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Linux kernel 安全漏洞
Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in Linux kernel that stems from accessing rproc-priv before the ISERRORNULL check, which could result in a null pointer dereference...
EUVD-2025-32762
In the Linux kernel, the following vulnerability has been resolved: perf trace: Really free the evsel-priv area In 3cb4d5e00e037c70 "perf trace: Free syscall tp fields in evsel-priv" it only was freeing if strcmpevsel-tpformat-system, "syscalls" returned zero, while the corresponding initializati...
CVE-2023-34235
Strapi is an open-source headless content management system. Prior to version 4.10.8, it is possible to leak private fields if one is using the tnumber prefix. Knex query allows users to change the default prefix. For example, if someone changes the prefix to be the same as it was before or to...
ForgeRock OpenIDM 安全漏洞
ForgeRock OpenIDM is an identity management system from ForgeRock USA. A security vulnerability exists in ForgeRock OpenIDM that stems from improper input validation of query search results for private field data, allowing an attacker to cause an information disclosure through the use of...
SUSE CVE-2023-52639
In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap-private being zero in kvms390vsiegmapnotifier resulting in a crash. This is due to the fact that we add gmap-private == kvm after creation:...
DEBIAN-CVE-2023-52639
In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap-private being zero in kvms390vsiegmapnotifier resulting in a crash. This is due to the fact that we add gmap-private == kvm after creation:...
CVE-2023-52639
In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap-private being zero in kvms390vsiegmapnotifier resulting in a crash. This is due to the fact that we add gmap-private == kvm after creation:...