59496 matches found
CVE-2025-39994
In the Linux kernel, the following vulnerability has been resolved: media: tuner: xc5000: Fix use-after-free in xc5000release The original code uses canceldelayedwork in xc5000release, which does not guarantee that the delayed work item timersleep has fully completed if it was already running. Th...
CVE-2025-39993
In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imondisconnect Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in createpipe include/linux/usb.h:1945 inline BUG: KASAN: use-after-free in sendpacket+0xa2d/0xbc0...
CVE-2025-39991
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix NULL dereference in ath11kqmim3load If ab-fw.m3data points to data, then fw pointer remains null. Further, if m3mem is not allocated, then fw is dereferenced to be passed to ath11kerr function. Replace fw-size b...
CVE-2025-39992
In the Linux kernel, the following vulnerability has been resolved: mm: swap: check for stable address space before operating on the VMA It is possible to hit a zero entry while traversing the vmas in unusemm called from swapoff path and accessing it causes the OOPS: Unable to handle kernel NULL...
CVE-2025-39990
In the Linux kernel, the following vulnerability has been resolved: bpf: Check the helper function is valid in gethelperproto kernel test robot reported verifier bug 1 where the helper func pointer could be NULL due to disabled config option. As Alexei suggested we could check on that in...
CVE-2025-39988
In the Linux kernel, the following vulnerability has been resolved: can: etases58x: populate ndochangemtu to prevent buffer overflow Sending an PFPACKET allows to bypass the CAN framework logic and to directly reach the xmit function of a CAN driver. The only check which is performed by the...
CVE-2025-39987
In the Linux kernel, the following vulnerability has been resolved: can: hi311x: populate ndochangemtu to prevent buffer overflow Sending an PFPACKET allows to bypass the CAN framework logic and to directly reach the xmit function of a CAN driver. The only check which is performed by the PFPACKET...
CVE-2025-39986
In the Linux kernel, the following vulnerability has been resolved: can: sun4ican: populate ndochangemtu to prevent buffer overflow Sending an PFPACKET allows to bypass the CAN framework logic and to directly reach the xmit function of a CAN driver. The only check which is performed by the PFPACK...
CVE-2025-39985
In the Linux kernel, the following vulnerability has been resolved: can: mcbausb: populate ndochangemtu to prevent buffer overflow Sending an PFPACKET allows to bypass the CAN framework logic and to directly reach the xmit function of a CAN driver. The only check which is performed by the PFPACKE...
CVE-2025-39984
In the Linux kernel, the following vulnerability has been resolved: net: tun: Update napi-skb after XDP process The syzbot report a UAF issue: BUG: KASAN: slab-use-after-free in skbresetmacheader include/linux/skbuff.h:3150 inline BUG: KASAN: slab-use-after-free in napifragsskb net/core/gro.c:723...
CVE-2025-39983
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcievent: Fix UAF in hciconntxdequeue This fixes the following UAF caused by not properly locking hdev when processing HCIEVNUMCOMPPKTS: BUG: KASAN: slab-use-after-free in hciconntxdequeue+0x1be/0x220...
CVE-2025-39982
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcievent: Fix UAF in hciaclcreateconnsync This fixes the following UFA in hciaclcreateconnsync where a connection still pending is command submission conn-state == BTOPEN maybe freed, also since this also can happen wi...
CVE-2025-39981
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible UAFs This attemps to fix possible UAFs caused by struct mgmtpending being freed while still being processed like in the following trace, in order to fix mgmtpendingvalid is introduce and use to check...
CVE-2025-39980
In the Linux kernel, the following vulnerability has been resolved: nexthop: Forbid FDB status change while nexthop is in a group The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops: ip nexthop add id 1 via 192.0.2.1 fdb ip nexthop add id 2 group 1 Error: Non FDB nexthop...
CVE-2025-39979
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fs, fix UAF in flow counter release Fix a kernel trace 1 caused by releasing an HWS action of a local flow counter in mlx5cmdhwsdeletefte, where the HWS action refcount and mutex were not initialized and the counter...
CVE-2025-39977
In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futexwaitrequeuepi futexdowait schedule futexrequeue futexproxytrylockatomic futexrequeuepiprepare requeuepiwakefutex...
CVE-2025-39978
In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential use after free in otx2tcaddflow This code calls kfreercunewnode, rcu and then dereferences "newnode" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is...
CVE-2025-39976
In the Linux kernel, the following vulnerability has been resolved: futex: Use correct exit on failure from futexhashallocatedefault copyprocess uses the wrong error exit path from futexhashallocatedefault. After exiting from futexhashallocatedefault, neither tasklistlock nor siglock has been...
CVE-2025-39975
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix wrong index reference in smb2compoundop In smb2compoundop, the loop that processes each command's response uses wrong indices when accessing response bufferes. This incorrect indexing leads to improper handling o...
CVE-2025-39974
In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix slab-out-of-bounds in parseintegerlimit When config osnoise cpus by write syscall, the following KASAN splat may be observed: BUG: KASAN: slab-out-of-bounds in parseintegerlimit+0x103/0x130 Read of size 1 at...
CVE-2025-39973
In the Linux kernel, the following vulnerability has been resolved: i40e: add validation for ringlen param The ringlen parameter provided by the virtual function VF is assigned directly to the hardware memory context HMC without any validation. To address this, introduce an upper boundary check f...
CVE-2025-39971
In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg Ensure idx is within range of active/initialized TCs when iterating over vf-chidx in i40evcconfigqueuesmsg...
CVE-2025-39972
In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in i40evalidatequeuemap Ensure idx is within range of active/initialized TCs when iterating over vf-chidx in i40evalidatequeuemap...
CVE-2025-39970
In the Linux kernel, the following vulnerability has been resolved: i40e: fix input validation logic for actionmeta Fix condition to check 'greater or equal' to prevent OOB dereference...
CVE-2025-39969
In the Linux kernel, the following vulnerability has been resolved: i40e: fix validation of VF state in get resources VF state I40EVFSTATEACTIVE is not the only state in which VF is actually active so it should not be used to determine if a VF is allowed to obtain resources. Use...
CVE-2025-39968
In the Linux kernel, the following vulnerability has been resolved: i40e: add max boundary check for VF filters There is no check for max filters that VF can request. Add it...
CVE-2025-39967
In the Linux kernel, the following vulnerability has been resolved: fbcon: fix integer overflow in fbcondosetfont Fix integer overflow vulnerabilities in fbcondosetfont where font size calculations could overflow when handling user-controlled font parameters. The vulnerabilities occur when: 1...
CVE-2025-39966
In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix race during abort for file descriptors fput doesn't actually call fileoperations release synchronously, it puts the file on a work queue and it will be released eventually. This is normally fine, except for iommufd t...
CVE-2025-0033
Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity...
CVE-2025-11720
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This...
CVE-2025-11717
When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144...
CVE-2025-11718
When the address bar was hidden due to scrolling on Android, a malicious page could create a fake address bar to fool the user in response to a visibilitychange event. This vulnerability was fixed in Firefox 144...
CVE-2025-11721
Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144 and Thunderbird 144...
CVE-2025-11715
Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in...
CVE-2025-11719
Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability was fixed in Firefox 144 and Thunderbird 144...
CVE-2025-11716
Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144...
CVE-2025-11713
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and...
CVE-2025-11708
Use-after-free in MediaTrackGraphImpl::GetInstance. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4...
CVE-2025-11712
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerabilit...
CVE-2025-11711
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4...
CVE-2025-11710
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4...
CVE-2025-11714
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This...
CVE-2025-11709
A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4...
CVE-2025-11731
A flaw was found in the exsltFuncResultComp function of libxslt, which handles EXSLT elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads...
CVE-2025-39965
In the Linux kernel, the following vulnerability has been resolved: xfrm: xfrmallocspi shouldn't use 0 as SPI x-id.spi == 0 means "no SPI assigned", but since commit 94f39804d891 "xfrm: Duplicate SPI Handling", we now create states and add them to the byspi list with this value. xfrmstatedelete...
CVE-2025-39964
In the Linux kernel, the following vulnerability has been resolved: crypto: afalg - Disallow concurrent writes in afalgsendmsg Issuing two writes to the same afalg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencie...
CVE-2025-11626
MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service...
CVE-2025-52885
Poppler ia a library for rendering PDF files, and examining or modifying their structure. A use-after-free write vulnerability has been detected in versions Poppler prior to 25.10.0 within the StructTreeRoot class. The issue arises from the use of raw pointers to elements of a std::vector, which...
CVE-2025-61912
python-ldap is a lightweight directory access protocol LDAP client API for Python. In versions prior to 3.4.5, ldap.dn.escapednchars escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to...
CVE-2025-61911
python-ldap is a lightweight directory access protocol LDAP client API for Python. In versions prior to 3.4.5, the sanitization method ldap.filter.escapefilterchars can be tricked to skip escaping of special characters when a crafted list or dict is supplied as the assertionvalue parameter, and t...