Fatal error 102 table overflow staging buffer

fatal error 102 table overflow staging buffer

Explanation: The Task Global Table did not point to the Module Control Block. User Response: Contact your internal technical support. XPD Configuring error handling for asynchronous invocation. the Lambda API, or you can configure an AWS service or resource to invoke your function. Fatal error messages are numbered from to buffer grows dynamically, so an overflow of the staging buffer basically is an “out of memory” error.

Fatal error 102 table overflow staging buffer - useful

NameDescriptionCVEzlib through has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). CVEnfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. CVEAn issue was discovered in the Linux kernel through xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. CVEmat2 (aka metadata anonymisation toolkit) before allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive. CVEAn issue was discovered in the Linux kernel through A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. CVEGnuPG through , in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. CVEThe Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. CVEdrivers/block/floppy.c in the Linux kernel before is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function. CVEA permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version through p29, version through p26, version through p3, and version i1 are affected. CVEArm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. CVEnetwork backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. CVELinux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE, CVE). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE, CVE). CVELinux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE, CVE). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE, CVE). CVELinux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE, CVE). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE, CVE). CVEAn out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS and iPadOS , macOS Monterey , Safari Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. CVEThe Linux kernel before allows TCP servers to identify clients by observing what source ports are used. CVEXFCE allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server. CVEnet/netfilter/nf_tables_api.c in the Linux kernel through allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free. CVEWhen curl < does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. CVEWhen curl < saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file sprers.eu that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. CVEcurl < supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression sprers.eu use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. CVEA malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests ( bytes) and instead returns an sprers.eu denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `sprers.eu` can set cookies that also would match for `sprers.eu`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method. CVEBottle before mishandles errors during early request binding. CVEImproper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server to CVEImproper Input Validation vulnerability in HTTP/2 header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server to CVEImproper Input Validation vulnerability in handling the Transfer-Encoding header of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server to CVEVMware Tools (, x.y and x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine. CVEIn PHP versions x below , x below , and x below , when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability. CVEIn PHP versions x below , x below , and x below , when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service. CVEA Privilege Context Switching issue was discovered in join.c in Firejail By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo. CVELDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version CVELDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web-shell into this directory, and gain a Code Execution on the host. This issue has been fixed in version Users unable to upgrade should disallow executing PHP scripts in (/var/lib/ldap-account-manager/)tmp directory. CVELDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version There are no known workarounds for this issue. CVELDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration. CVELDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version CVEcontainerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd and Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used. CVEA crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through CVEA crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in NTFS-3G through CVEAn integer underflow in fuse_lib_readdir enables arbitrary memory read operations in NTFS-3G through when using libfuse-lite. CVEA crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate in NTFS-3G through CVEA file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations in NTFS-3G through when using libfuse-lite. CVEA crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value in NTFS-3G through CVEAn invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through when using libfuse-lite. CVEneedrestart through before is prone to local privilege escalation. Regexes to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate privileges when needrestart tries to detect if interpreters are using old source files. CVEThe Linux kernel before mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. CVEIn WebKitGTK through (and WPE WebKit), there is a heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/sprers.eu CVEIntel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. CVEMis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions. CVEcifs-utils through , with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. CVEIn libxml2 before , several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through , is affected as well. CVEIn the Linux kernel before , fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently. CVEImproper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to ; version and later versions. CVEIn GNOME Epiphany before and x before , an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered. CVESchedMD Slurm x through x has Incorrect Access Control that leads to Escalation of Privileges and code execution. CVESchedMD Slurm x through x has Incorrect Access Control that leads to Information Disclosure. CVESmarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions and , template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions or to receive a patch for this issue. There are currently no known workarounds. CVERundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_sprers.eu public key of the keypair was copied to authorized_keys files on remote host, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version and earlier, not Debian, RPM or .WAR. Additionally, the id_sprers.eu file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck's `main` branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: Do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files. CVEIn OpenLDAP 2.x before and x before , a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping. CVEThe SUNRPC subsystem in the Linux kernel through can call xs_xprt_free before ensuring that sockets are in the intended state. CVEems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through has a double free. CVEmcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through has a double free. CVEusb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through has a double free. CVEIn the Linux kernel before , a refcount leak bug was found in net/llc/af_llc.c. CVEImproper Input Validation vulnerability in HTTP/ header parsing of Apache Traffic Server allows an attacker to send invalid headers. This issue affects Apache Traffic Server to CVEIrzip v was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control. CVElibcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited sprers.eul keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. CVElibcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate sprers.eu to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation. CVEA insufficiently protected credentials vulnerability in fixed in curl might leak authentication or cookie header data on HTTP redirects to the same host but another port number. CVEAn information disclosure vulnerability exists in curl to are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. CVEAn insufficiently protected credentials vulnerability exists in curl to and include curl are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers. CVEA heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat. CVEIn cifs-utils through , a stack-based buffer overflow when parsing the sprers.eu ip= command-line argument could lead to local attackers gaining root privileges. CVEA logic issue was addressed with improved state management. This issue is fixed in Security Update Catalina, macOS Monterey , macOS Big Sur An application may be able to gain elevated privileges. CVEAn XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through , 6.x through , and x and x through , and Tryton Application Platform (Command Line Client (proteus)) 5.x through , 6.x through , and x and x through An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server. CVEAn XXE issue was discovered in Tryton Application Platform (Server) 5.x through , 6.x through , and x and x through , and Tryton Application Platform (Command Line Client (proteus)) 5.x through , 6.x through , and x and x through An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system. CVE** DISPUTED ** In pgjdbc before , an attacker (who controls the jdbc URL or properties) can call sprers.eundler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties. CVEIn nbd-server in nbd before , there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with an large value as the length of the name. CVEIn nbd-server in nbd before , there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages. CVEst21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through has EVT_TRANSACTION buffer overflows because of untrusted length parameters. CVELinux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE, CVE). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE, CVE). CVEx86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe. CVEx86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe. CVEx86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited. CVEIOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVEIOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVEIOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVEIOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVErace in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed. CVERacy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen ) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak. CVEA flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= CVEA flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: CVElrzip v was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted Irz file. CVEAn issue was discovered in HTCondor x before , x before , and x before When a user authenticates to an HTCondor daemon via the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon. CVEImproper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server to CVEnet/netfilter/nf_dup_netdev.c in the Linux kernel through allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload. CVEThe authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster. CVEAn issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory. CVEIn Expat (aka libexpat) before , there is an integer overflow in storeRawNames. CVEIn Expat (aka libexpat) before , there is an integer overflow in copyString. CVEIn Expat (aka libexpat) before , an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. CVEAn issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur. CVExmlparse.c in Expat (aka libexpat) before allows attackers to insert namespace-separator characters into namespace URIs. CVExmltok_impl.c in Expat (aka libexpat) before lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. CVEA vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function. CVEAn issue was discovered in the Linux kernel before There is a memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c. CVERsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability. CVEecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable. CVELDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/sprers.eu via tools like burpsuite. Later when a pdf is exported using the edited profile the pdf icon has the image on that path(if image is present). Both issues require an attacker to be able to login to LAM admin interface. The issue is fixed in version CVEPuma is a simple, fast, multi-threaded, parallel HTTP server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in and Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC standard. CVEMoby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. CVEWaitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress A workaround is available. When deploying a proxy in front of waitress, turning on any and all functionality to make sure that the request matches the RFC standard. Certain proxy servers may not have this functionality though and users are encouraged to upgrade to the latest version of waitress instead. CVEregex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to are affected by this issue. The fix is include starting from regex All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes. CVEGNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client CVEAn issue was discovered in fs/nfs/dir.c in the Linux kernel before If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. CVEIn Cyrus SASL through before , plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. CVEIn Minetest before , players can add or subtract items from a different player's inventory. CVEMinetest before allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection. CVESubversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers through (inclusive). Servers that do not use mod_dav_svn are not affected. CVEExpat (aka libexpat) before has an integer overflow in the doProlog function. CVECertain Arm Cortex and Neoverse processors through do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. CVEIn Varnish Cache before and 7.x before , Varnish Cache LTS before , and and Varnish Enterprise (Cache Plus) x before r6 and x before r4, request smuggling can occur for HTTP/1 connections. CVEA stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon DCodeNumber parsing functionality of KiCad EDA and master commit defc A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVEA stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon GCodeNumber parsing functionality of KiCad EDA and master commit defc A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVEExpat (aka libexpat) before has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. CVEAliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure. CVEA stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon ReadIJCoord coordinate parsing functionality of KiCad EDA and master commit defc A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVEA stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon ReadXYCoord coordinate parsing functionality of KiCad EDA and master commit defc A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVEcontainerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions , , and where containers launched through containerd&#;s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd&#;s CRI implementation. This bug has been fixed in containerd , , and Users should update to these versions to resolve the issue. CVEPuma is a Ruby/Rack web server built for parallelism. Prior to `puma` version ``, `puma` may not always call `close` on the response body. Rails, prior to version ``, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions and This problem is fixed in Rails versions , , , and Upgrading to a patched Rails _or_ Puma version fixes the vulnerability. CVETwig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade. CVEkernel/bpf/verifier.c in the Linux kernel through allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types. CVEH2 Console before allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE CVEUSBView before allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo. CVEThere are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges. CVEJenkins Debian Package Builder Plugin and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller. CVELibreswan through allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in CVEInsufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid. CVEA PV guest could DoS Xen while unmapping a grant To address XSA, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check. CVEarm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes. CVELibTIFF has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x as the second word of the DE field. CVEstoreAtts in xmlparse.c in Expat (aka libexpat) before has an integer overflow. CVEnextScaffoldPart in xmlparse.c in Expat (aka libexpat) before has an integer overflow. CVElookup in xmlparse.c in Expat (aka libexpat) before has an integer overflow. CVEdefineAttribute in xmlparse.c in Expat (aka libexpat) before has an integer overflow. CVEbuild_model in xmlparse.c in Expat (aka libexpat) before has an integer overflow. CVEaddBinding in xmlparse.c in Expat (aka libexpat) before has an integer overflow. CVEsprers.eu in Pillow before allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used, CVEpath_getbbox in path.c in Pillow before has a buffer over-read during initialization of sprers.eu CVEpath_getbbox in path.c in Pillow before improperly initializes sprers.eu CVEIn lighttpd through , the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a bit system is much more likely to be affected than a bit system. CVEAn improper authentication vulnerability exists in curl to and including which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). CVEDue to the formatting logic of the "sprers.eu()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object sprers.eu >= , >= , >= , and >= use a null protoype for the object these properties are being assigned to. CVEpgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue. CVEFlatpak is a Linux application sandboxing and distribution framework. A path traversal vulnerability affects versions of Flatpak prior to and flatpak-builder applies `finish-args` last in the build. At this point the build directory will have the full access that is specified in the manifest, so running `flatpak build` against it will gain those permissions. Normally this will not be done, so this is not problem. However, if `--mirror-screenshots-url` is specified, then flatpak-builder will launch `flatpak build --nofilesystem=host appstream-utils mirror-screenshots` after finalization, which can lead to issues even with the `--nofilesystem=host` protection. In normal use, the only issue is that these empty directories can be created wherever the user has write permissions. However, a malicious application could replace the `appstream-util` binary and potentially do something more hostile. This has been resolved in Flatpak and by changing the behaviour of `--nofilesystem=home` and `--nofilesystem=host`. CVEWordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version Older affected versions are also fixed via security release, that go back till We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. CVEWordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version Older affected versions are also fixed via security release, that go back till We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. CVEWordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version Older affected versions are also fixed via security release, that go back till We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. CVEWordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version Older affected versions are also fixed via security release, that go back till We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Integrity impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u, 8u, , , ; Oracle GraalVM Enterprise Edition: , and Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Integrity impacts). CVSS Vector: (CVSS/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u, 8u, , , ; Oracle GraalVM Enterprise Edition: , and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Confidentiality impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). CVEKGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS Base Score (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u, 8u, , , 18; Oracle GraalVM Enterprise Edition: , and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Integrity impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u, 8u, , , 18; Oracle GraalVM Enterprise Edition: , and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Confidentiality impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: and 18; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Integrity impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u, 8u, , , 18; Oracle GraalVM Enterprise Edition: , and Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u, 8u, , , 18; Oracle GraalVM Enterprise Edition: , and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Integrity impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u, 8u, , , 18; Oracle GraalVM Enterprise Edition: , and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Integrity impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Confidentiality impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Integrity impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Confidentiality impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: , ; Oracle GraalVM Enterprise Edition: and Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Availability impacts). CVSS Vector: (CVSS/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVEVulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u, 8u, , ; Oracle GraalVM Enterprise Edition: and Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS Base Score (Integrity impacts). CVSS Vector: (CVSS/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). CVEDOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. CVEIncomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVEProcessor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVEIncomplete cleanup in specific special register read operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVEIncomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVEIncomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVEIn addition to the c_rehash shell command injection identified in CVE, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL (Affected ,,,). Fixed in OpenSSL p (Affected o). Fixed in OpenSSL zf (Affected ze). CVEIn Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests. CVEIn Eclipse Jetty versions thru , and thru , and thru versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. CVEDOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the matroskaparse element has no size checks. CVEDOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVEDOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVEDOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVEInteger overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite. CVEInteger overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite. CVEWith shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with sprers.eu=0, the invlpg callback is not set and the result is a NULL pointer dereference. CVEA use-after-free flaw was found in the Linux kernel&#;s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system. CVEA flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine. CVEDpkg::Source::Archive in dpkg, the Debian package management system, before version , , , is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a sprers.eu, the in-place extraction can lead to directory traversal situations on specially crafted sprers.eu and sprers.eu tarballs. CVELinux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVEA NULL pointer dereference flaw was found in the Linux kernel&#;s X set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system. CVEThe root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object *(created in *vgem_gem_dumb_create*) concurrently, and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object. CVEA vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information. CVEThe c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL (Affected ,,). Fixed in OpenSSL o (Affected n). Fixed in OpenSSL ze (Affected zd). CVEA use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early. CVEA use-after-free flaw was found in the Linux kernel&#;s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system. CVEA use-after-free flaw was found in the Linux kernel&#;s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. CVEOut-of-bounds Read error in tiffcp in libtiff allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit c4. CVEDivide By Zero error in tiffcrop in libtiff allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa. CVENull source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to could lead to Denial of Service via crafted TIFF file. CVEUnchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2be2. CVEA heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact CVEReachable Assertion in tiffcp in libtiff allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e CVEA memory leak flaw was found in the Linux kernel&#;s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space. CVEThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions , and It was addressed in the releases of n and on the 15th March Fixed in OpenSSL (Affected ,). Fixed in OpenSSL n (Affected m). Fixed in OpenSSL zd (Affected zc). CVEA flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability. CVEA flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel rc1 till rc2. CVENull source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from to could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit c. CVENull source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from to could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb CVEA missing bounds check in the image loader used in Blender 3.x and leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution. CVEAn integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. This flaw affects Blender versions prior to , and CVEAn integer underflow in the DDS loader of Blender leads to an out-of-bounds read, possibly allowing an attacker to read sensitive data using a crafted DDS image file. This flaw affects Blender versions prior to , and CVEIt was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. CVEA flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. CVEA flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. CVEA vulnerability was found in kvm_s_guest_sida_op in the arch/s/kvm/kvm-sc function in KVM for s in the Linux kernel. This flaw allows a local attacker with a normal user privilege to obtain unauthorized memory write access. This flaw affects Linux kernel versions prior to rc4. CVEA kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality. CVEA vulnerability was found in the Linux kernel&#;s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly. CVEA use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to rc1. CVEIn libtirpc before rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections. CVEntfsck in NTFS-3G through has a heap-based buffer overflow involving buffer+* NOTE: the upstream position is that ntfsck is deprecated; however, it is shipped by some Linux distributions. CVERoundcube before and x before allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. CVEIn doProlog in xmlparse.c in Expat (aka libexpat) before , an integer overflow exists for m_groupSize. CVEAn issue was discovered in uriparser before It performs invalid free operations in uriNormalizeSyntax. CVEAn issue was discovered in uriparser before It performs invalid free operations in uriFreeUriMembers and uriMakeOwner. CVEIn Expat (aka libexpat) before , a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). CVEGhostscript GhostPDL through has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp). CVEGhostscript GhostPDL through has a use-after-free in sampled_data_sample (called from sampled_data_continue and interp). CVEAn issue was discovered in the Linux kernel before There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances. CVEIn __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through , there is an out-of-bounds memory access when an inode has an invalid last xattr entry. CVEIn zsh before , an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion. CVEAIDE before allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. CVEIn LibreCAD , a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document. CVEA buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document. CVEA buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document. CVEApache Log4j2 versions alpha1 through (excluding and ) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j , , and CVEpep_sock_accept in net/phonet/pep.c in the Linux kernel through has a refcount leak. CVEXSS can occur in GNOME Web (aka Epiphany) before and x before via an error page. CVEXSS can occur in GNOME Web (aka Epiphany) before and x before when View Source mode or Reader mode is used, as demonstrated by a a page title. CVEXSS can occur in GNOME Web (aka Epiphany) before and x before because a server's suggested_filename is used as the pdf_name value in sprers.eu CVEXSS can occur in GNOME Web (aka Epiphany) before and x before via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list. CVEIt was found that the fix to address CVE in Apache Log4j was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j (Java 8) and (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default. CVEA carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server and earlier. CVEImproper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server to CVEA use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object. CVEA race condition existed in the snapd snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions +, + and + CVEsnapd did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions +, + and + CVEThe olm_session_describe function in Matrix libolm before is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web. CVEsprers.eu < , < , < , and < did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject sprers.eued versions of sprers.eu that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. CVEsprers.eu < , < , < , and < converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name sprers.euns of sprers.eu with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. CVEAccepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. sprers.eu < , < , < , and < was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, sprers.eu did not match the URI sprers.euns of sprers.eu with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. CVEApache Log4j2 beta9 through (excluding security releases , , and ) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j , this behavior has been disabled by default. From version (along with , , and ), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. CVEA crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server up to (included). CVEImproper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server to and to CVERoundcube before and x before is prone to a potential SQL injection via search or search_params. CVERoundcube before and x before is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. CVEIn the Linux kernel through , mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic). CVEIn the Linux kernel through , hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value. CVEFlatpak is a Linux application sandboxing and distribution framework. Prior to versions and , Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a null byte in the metadata file of an app. Therefore apps can grant themselves permissions without the consent of the user. Flatpak shows permissions to the user during install by reading them from the "sprers.euta" key in the commit metadata. This cannot contain a null terminator, because it is an untrusted GVariant. Flatpak compares these permissions to the *actual* metadata, from the "metadata" file to ensure it wasn't lied to. However, the actual metadata contents are loaded in several places where they are read as simple C-style strings. That means that, if the metadata file includes a null terminator, only the content of the file from *before* the terminator gets compared to sprers.euta. Thus, any permissions that appear in the metadata file after a null terminator are applied at runtime but not shown to the user. So maliciously crafted apps can give themselves hidden permissions. Users who have Flatpaks installed from untrusted sources are at risk in case the Flatpak has a maliciously crafted metadata file, either initially or in an update. This issue is patched in versions and As a workaround, users can manually check the permissions of installed apps by checking the metadata file or the sprers.euta key on the commit metadata. CVElxml is a library for processing XML and HTML in the Python language. Prior to version , the HTML Cleaner in sprers.eu lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml to receive a patch. There are no known workarounds available. CVELaravel Framework through does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/sprers.eu lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload. CVEIt was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEUsing the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEDocuments loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEUsing XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEWhen invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEFailure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEBy misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEAn incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEUnder certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < , Firefox ESR < , and Firefox < CVEA use-after-free could have occured when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < , and Firefox ESR < CVEMozilla developers and community members reported memory safety bugs present in Firefox 93 and Firefox ESR Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 94, Thunderbird < , and Firefox ESR < CVEThunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird < CVEAn issue was discovered in the Linux kernel before There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. CVENLnet Labs Routinator versions up to and including , support the gzip transfer encoding when querying RRDP repositories. This encoding can be used by an RRDP repository to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge when being decompressed for further processing, big enough that Routinator runs out of memory when parsing input data waiting for the next XML element. CVEIn NLnet Labs Routinator prior to , a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable time-out value for RRDP connections, this time-out was only applied to individual read or write operations rather than the complete request. Thus, if an RRDP repository sends a little bit of data before that time-out expired, it can continuously extend the time it takes for the request to finish. Since validation will only continue once the update of an RRDP repository has concluded, this delay will cause validation to stall, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all. CVEFORT Validator versions prior to will crash if an RPKI CA publishes an X EE certificate. This will lead to RTR clients such as BGP routers to lose access to the RPKI VRP data set, effectively disabling Route Origin Validation. CVEsprers.eu in Babel before allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution. CVEsprers.eu in WebKitGTK and WPE WebKit before allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE CVEModSecurity 3.x through mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include through CVEThe sprers.eunection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. CVEThe fix for bug present in Apache Tomcat M1 to M5, M1 to , to and to introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. CVEGNU Mailman before may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover). CVEGNU Mailman before may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password. CVEA flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->sprers.eu` and `cursor->sprers.eu` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. CVEA flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. CVEThe in-memory certificate cache in strongSwan before has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility. CVEThe gmp plugin in strongSwan before has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur. CVEAn unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system. CVEprealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write. CVEThere is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE This issue affects OpenSSL versions , and It was addressed in the releases of m and on the 15th of December For the release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL (Affected ). Fixed in OpenSSL m (Affected l). Fixed in OpenSSL zc-dev (Affected zb). CVEvpn-user-portal (aka eduVPN or Let's Connect!) before , as packaged for Debian 10, Debian 11, and Fedora, allows remote authenticated users to obtain OS filesystem access, because of the interaction of QR codes with an exec that uses the -r option. This can be leveraged to obtain additional VPN access. CVEPuma is a HTTP server for Ruby/Rack applications. Prior to versions and , using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma and As a workaround, do not use Apache Traffic Server with `puma`. CVEFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to and , Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process. They can do this by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted `/.flatpak-info` or make that file disappear entirely. Flatpak apps that act as clients for AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can escalate the privileges that the corresponding services will believe the Flatpak app has. Note that protocols that operate entirely over the D-Bus session bus (user bus), system bus or accessibility bus are not affected by this. This is due to the use of a proxy process `xdg-dbus-proxy`, whose VFS cannot be manipulated by the Flatpak app, when interacting with these buses. Patches exist for versions and , and as of time of publication, a patch for version is being planned. There are no workarounds aside from upgrading to a patched version. CVEcontainerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd and containerd Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories. CVERedis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions , and An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command. CVEApache Tomcat to , M1 to and M1 to did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. CVEloop_rw_iter in fs/io_uring.c in the Linux kernel through allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation. CVEsquashfs_opendir in unsquashc in Squashfs-Tools allows Directory Traversal, a different vulnerability than CVE A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem. CVEA read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to rc4. CVEOut of bounds write in WebRTC in Google Chrome prior to allowed a remote attacker to potentially exploit heap corruption via crafted WebRTC packets. CVEType confusion in V8 in Google Chrome prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEAll versions of Apache Santuario - XML Security for Java prior to and are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. CVEInsufficient data validation in new tab page in Google Chrome prior to allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVEUse after free in window manager in Google Chrome on ChromeOS prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEInteger underflow in ANGLE in Google Chrome prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEUse after free in autofill in Google Chrome prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEUse after free in screen capture in Google Chrome on ChromeOS prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEUse after free in developer tools in Google Chrome prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEHeap buffer overflow in BFCache in Google Chrome prior to allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. CVEType confusion in V8 in Google Chrome prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEInsufficient data validation in loader in Google Chrome prior to allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVEHeap buffer overflow in ANGLE in Google Chrome prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEUse after free in file API in Google Chrome prior to allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. CVEType confusion in loader in Google Chrome prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEHeap buffer overflow in extensions in Google Chrome prior to allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. CVEIncorrect security UI in autofill in Google Chrome prior to allowed a remote attacker to perform domain spoofing via a crafted HTML page. CVEUse after free in UI in Google Chrome on Linux prior to allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVEUse after free in web apps in Google Chrome prior to allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. CVEA race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through CVEA crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server and earlier. CVEAn issue was discovered in views/sprers.eu in GNU Mailman Postorius before An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place. CVEAn integer overflow exists in HAProxy through in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs. CVEsquashfs_opendir in unsquashc in Squashfs-Tools stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination. CVEA flaw was found in xorg-xserver in versions before and before An out-of-bounds access can occur in the SwapCreateRegister function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVEA flaw was found in xorg-xserver in versions before and before An out-of-bounds access can occur in the SProcScreenSaverSuspend function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVEA flaw was found in xorg-xserver in versions before and before An out-of-bounds access can occur in the SProcXFixesCreatePointerBarrier function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVEAn issue was discovered in OpenStack Neutron before , x before , and x before Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value. CVEA flaw was found in xorg-xserver in versions before and before An out-of-bounds access can occur in the SProcRenderCompositeGlyphs function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVEA memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data. CVEUncontrolled Recursion in the Bluetooth DHT dissector in Wireshark to and to allows denial of service via packet injection or crafted capture file CVENULL pointer exception in the IEEE dissector in Wireshark to and to allows denial of service via packet injection or crafted capture file CVEBuffer overflow in the Bluetooth HCI_ISO dissector in Wireshark to allows denial of service via packet injection or crafted capture file CVEBuffer overflow in the Bluetooth SDP dissector in Wireshark to and to allows denial of service via packet injection or crafted capture file CVELarge loop in the Bluetooth DHT dissector in Wireshark to and to allows denial of service via packet injection or crafted capture file CVELarge loop in the PNRP dissector in Wireshark to and to allows denial of service via packet injection or crafted capture file CVEBuffer overflow in the C dissector in Wireshark to and to allows denial of service via packet injection or crafted capture file CVENULL pointer exception in the Modbus dissector in Wireshark to and to allows denial of service via packet injection or crafted capture file CVENULL pointer exception in the IPPUSB dissector in Wireshark to allows denial of service via packet injection or crafted capture file CVEUbuntu-specific modifications to accountsservice (in patch file debian/patches/sprers.eu) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions ubuntu12~, ubuntu, ubuntu CVEIn GNOME grilo though , grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE CVEap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server and earlier. CVEA crafted NTFS image can trigger a heap-based buffer overflow, caused by an unsanitized attribute in ntfs_get_attribute_value, in NTFS-3G < CVEA crafted NTFS image can cause an out-of-bounds access in ntfs_decompress in NTFS-3G < CVEA crafted NTFS image can cause a heap-based buffer overflow in ntfs_compressed_pwrite in NTFS-3G < CVEA crafted NTFS image can cause an out-of-bounds access in ntfs_inode_sync_standard_information in NTFS-3G < CVEA crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in ntfs_inode_lookup_by_name, in NTFS-3G < CVEA crafted NTFS image can cause out-of-bounds reads in ntfs_attr_find and ntfs_external_attr_find in NTFS-3G < CVEA crafted NTFS image with an unallocated bitmap can lead to a endless recursive function call chain (starting from ntfs_attr_pwrite), causing stack consumption in NTFS-3G < CVEA crafted NTFS image can cause a heap-based buffer overflow in ntfs_inode_lookup_by_name in NTFS-3G < CVEA crafted NTFS image can trigger an out-of-bounds read, caused by an invalid attribute in ntfs_attr_find_in_attrdef, in NTFS-3G < CVEA crafted NTFS image can cause an integer overflow in memmove, leading to a heap-based buffer overflow in the function ntfs_attr_record_resize, in NTFS-3G < CVE

Getting Started

Apache HBase is a database. It requires the ability to open a large number of files at once. Many Linux distributions limit the number of files a single user is allowed to open to (or on older versions of OS X). You can check this limit on your servers by running the command when logged in as the user which runs HBase. See the Troubleshooting section for some of the problems you may experience if the limit is too low. You may also notice errors such as the following:

It is recommended to raise the ulimit to at least 10,, but more likely 10,, because the value is usually expressed in multiples of Each ColumnFamily has at least one StoreFile, and possibly more than six StoreFiles if the region is under load. The number of open files required depends upon the number of ColumnFamilies and the number of regions. The following is a rough formula for calculating the potential number of open files on a RegionServer.

Calculate the Potential Number of Open Files

For example, assuming that a schema had 3 ColumnFamilies per region with an average of 3 StoreFiles per ColumnFamily, and there are regions per RegionServer, the JVM will open file descriptors, not counting open JAR files, configuration files, and others. Opening a file does not take many resources, and the risk of allowing a user to open too many files is minimal.

Another related setting is the number of processes a user is allowed to run at once. In Linux and Unix, the number of processes is set using the command. This should not be confused with the command, which controls the number of CPUs available to a given user. Under load, a that is too low can cause OutOfMemoryError exceptions.

Configuring the maximum number of file descriptors and processes for the user who is running the HBase process is an operating system configuration, rather than an HBase configuration. It is also important to be sure that the settings are changed for the user that actually runs HBase. To see which user started HBase, and that user&#;s ulimit configuration, look at the first line of the HBase log for that instance.

Example 1. Settings on Ubuntu

To configure ulimit settings on Ubuntu, edit /etc/security/sprers.eu, which is a space-delimited file with four columns. Refer to the man page for sprers.eu for details about the format of this file. In the following example, the first line sets both soft and hard limits for the number of open files (nofile) to for the operating system user with the username hadoop. The second line sets the number of processes to for the same user.

The settings are only applied if the Pluggable Authentication Module (PAM) environment is directed to use them. To configure PAM to use these limits, be sure that the /etc/pam.d/common-session file contains the following line:

VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation. CVEAn information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v and v The latest version (rc4) seems to still be vulnerable. A userland application can read the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process&#;s memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: CVEStack buffer overflow in GPU Process in Google Chrome on Linux prior to allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. CVEStack buffer overflow in Data Transfer in Google Chrome on Linux prior to allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. CVEA flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability. CVEA vulnerability in one of the diagnostic test CLI commands of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary code on an affected device. To exploit this vulnerability, the attacker would need to have valid user credentials at privilege level This vulnerability exists because the affected software permits modification of the run-time memory of an affected device under specific circumstances. An attacker could exploit this vulnerability by authenticating to the affected device and issuing a specific diagnostic test command at the CLI. A successful exploit could trigger a logic error in the code that was designed to restrict run-time memory modifications. The attacker could take advantage of this logic error to overwrite system memory locations and execute arbitrary code on the underlying Linux operating system (OS) of the affected device. CVENVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (sprers.eu) handler for control calls where the software reads or writes to a buffer by using an index or pointer that references a memory location after the end of the buffer, which may lead to data tampering or denial of service. CVEAn issue was discovered in the Linux kernel and through on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcdee6. This has been observed to cause heap corruption with the GNU C Library malloc implementation. CVEIn the Linux kernel and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux stable series, starting with v, as the introducing commit was backported to that branch. This vulnerability was fixed in , , and (issue is aka ZDI-CAN) CVEfs/namei.c in the Linux kernel before has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cbae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed. CVEIBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) , , , , and could allow a local attacker to perform unauthorized actions on the system, caused by improper usage of shared memory. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. IBM X-Force ID: CVEIBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) , , , , and could allow an unauthenticated user to send specially crafted packets to cause a denial of service from excessive memory usage. CVEAn issue was discovered in the Linux kernel before virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-fc2d. CVEAn issue was discovered in the Linux kernel before arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults, aka CID-ebc3a CVEAn out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_xc in the Linux kernel version vrc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVEA vulnerability in Cisco AMP for Endpoints Linux Connector Software and Cisco AMP for Endpoints Mac Connector Software could allow an authenticated, local attacker to cause a buffer overflow on an affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted packet to an affected device. A successful exploit could allow the attacker to cause the Cisco AMP for Endpoints service to crash and restart. CVEA vulnerability in Cisco AMP for Endpoints Linux Connector Software and Cisco AMP for Endpoints Mac Connector Software could allow an authenticated, local attacker to cause a buffer overflow on an affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted packet to an affected device. A successful exploit could allow the attacker to cause the Cisco AMP for Endpoints service to crash and restart. CVEAn issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd. CVEA buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before could be used by local attackers to read kernel memory, aka CIDbdef. CVEAn information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel Stable and More specifically, this issue has been introduced in vrc4 (commit b7abacd02b88f4bc08b54ad4fc3e7c7c0) and is still present in vrc4, so it&#;s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents. CVEA flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVEA flaw was found in the Linux kernel&#;s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVEA flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. CVEAn issue was discovered in the Linux kernel before kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CIDd2bb2e6b1d. CVEAn issue was discovered in the Linux kernel before kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-ff This affects pointer types that do not define a ptr_limit. CVEA flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service. CVEA memory leak vulnerability was found in Linux kernel in llcp_sock_connect CVEA Red Hat only CVE regression issue was found in the way the Linux kernel's Bluetooth stack implementation handled the initialization of stack memory when handling certain AMP packets. This flaw allows a remote attacker in an adjacent range to leak small portions of stack memory on the system by sending specially crafted AMP packets. The highest threat from this vulnerability is to data confidentiality. CVEA flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality. CVEA flaw was found in the HDLC_PPP module of the Linux kernel in versions before rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVEA race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CIDd CVEA TOCTOU mismatch in the NFS client code in the Linux kernel before could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-bb CVEThe standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data. CVEA malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An attacker can use this flaw to trick a user, with privileges to pull container images, into crashing the process responsible for pulling the image. This flaw affects containers-image versions before CVEIn the Linux kernel through , usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CIDebeb8db CVEA flaw was found in the Linux kernel in versions before rc6. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. CVEA flaw was found in the Linux kernel before rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity. CVEA flaw was found in the Linux kernel&#;s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVEA flaw was found in grub2 in versions prior to , where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability. CVEA flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVEA memory out-of-bounds read flaw was found in the Linux kernel before rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability. CVEIn grub2 versions before the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process. CVEAn out-of-bounds memory write flaw was found in how the Linux kernel&#;s Voice Over IP H connection tracking functionality handled connections on ipv6 port This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVEA memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality. CVEThe VFIO PCI driver in the Linux kernel through mishandles attempts to access disabled memory space. CVE** DISPUTED ** An issue was discovered in the Linux kernel before svm_cpu_uninit in arch/x86/kvm/svm.c has a memory leak, aka CID-d80b64ffe. NOTE: third parties dispute this issue because it's a one-time leak at the boot, the size is negligible, and it can't be triggered at will. CVE** DISPUTED ** gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through lacks certain domain_release calls, leading to a memory leak. Note: This was disputed with the assertion that the issue does not grant any access not already available. It is a problem that on unloading a specific kernel module some memory is leaked, but loading kernel modules is a privileged operation. A user could also write a kernel module to consume any amount of memory they like and load that replicating the effect of this bug. CVEAn array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before , aka CID-bf0ccf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages. CVEAn issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-ba2cece4. CVEA flaw was found in the Linux Kernel before rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable. CVEA memory disclosure flaw was found in the Linux kernel's versions before el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality. CVEA stack information leak flaw was found in s/sx in the Linux kernel&#;s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data. CVEAn information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory, aka 'Windows Subsystem for Linux Information Disclosure Vulnerability'. CVEA flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. CVEAn issue has been found in PowerDNS Recursor up to and including It allows an attacker (with enough privileges to change the system's hostname) to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where gethostname() does not have '\0' termination of the returned string if the hostname is larger than the supplied buffer. (Linux systems are not affected because the buffer is always large enough. OpenBSD systems are not affected because the returned hostname always has '\0' termination.) Under some conditions, this issue can lead to the writing of one '\0' byte out-of-bounds on the stack, causing a denial of service or possibly arbitrary code execution. CVEIn skb_headlen of /include/linux/skbuff.h, there is a possible out of bounds read due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for sprers.eut: AndroidVersions: Android kernelAndroid ID: A CVEIn calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A CVEIn the Linux kernel through , the function inotify_update_existing_watch() in fs/notify/inotify/inotify_user.c neglects to call fsnotify_put_mark() with IN_MASK_CREATE after fsnotify_find_mark(), which will cause a memory leak (aka refcount leak). Finally, this will cause a denial of service. CVEAn issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT, CODESYS Control for Linux, CODESYS Control for PFC, CODESYS Control for PFC, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System. CVEA memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures. CVEIn the Linux Kernel before versions and a use-after-free error in the "sctp_sendmsg()" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory. CVEOn BIG-IP (ASM) , , , and , Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated user with role of "Guest" or greater privilege. Note: "No Access" cannot login so technically it's a role but a user with this access role cannot perform the attack. CVEAn exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the sprers.eu to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior V containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC, CODESYS Control for PFC, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System). CVEAn exploitable vulnerability exists in the grsecurity PaX patch for the function read_kmem, in PaX from version pax-linuxtest1 to test7, grsecurity official from version grsecurity to grsecurity, grsecurity unofficial from version vunofficialgrsec to vunofficialgrsec. PaX adds a temp buffer to the read_kmem function, which is never freed when an invalid address is supplied. This results in a memory leakage that can lead to a crash of the system. An attacker needs to induce a read to /dev/kmem using an invalid address to exploit this vulnerability. CVEA flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions , and are vulnerable. CVEA flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. CVEA memory leak was discovered in the backport of fixes for CVE in Red Hat Enterprise Linux. Function dispatch_message_real() in journald-server.c does not free the memory allocated by set_iovec_field_free() to store the `_CMDLINE=` entry. A local attacker may use this flaw to make systemd-journald crash. This issue only affects versions shipped with Red Hat Enterprise since v CVEAn issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user "root" with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames. CVEIn a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel with a guest running linux kernel or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out. CVEgo_snd_init in drivers/media/usb/go/snd-goc in the Linux kernel before does not call snd_card_free for a failure path, which causes a memory leak, aka CIDef CVEIn the Linux kernel before , there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ffe2b. CVEmwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfgc in the Linux kernel before has some error-handling cases that did not free allocated hostcmd memory, aka CIDbace This will cause a memory leak and denial of service. CVEIn the Linux kernel through , there are information leaks of uninitialized memory to a USB device in the drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c driver, aka CID-daac. CVEfpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel before , when GCC 9 is used, allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact because of incorrect fpu_fpregs_owner_ctx caching, as demonstrated by mishandling of signal-based non-cooperative preemption in Go prereleases on amd64, aka CIDc4bdabc. CVEIt was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor. System software like OS OR Virtual Machine Monitor (VMM) use virtual memory system for storing program instructions and data in memory. Virtual Memory system uses Paging structures like Page Tables and Page Directories to manage system memory. The processor's Memory Management Unit (MMU) uses Paging structure entries to translate program's virtual memory addresses to physical memory addresses. The processor stores these address translations into its local cache buffer called - Translation Lookaside Buffer (TLB). TLB has two parts, one for instructions and other for data addresses. System software can modify its Paging structure entries to change address mappings OR certain attributes like page size etc. Upon such Paging structure alterations in memory, system software must invalidate the corresponding address translations in the processor's TLB cache. But before this TLB invalidation takes place, a privileged guest user may trigger an instruction fetch operation, which could use an already cached, but now invalid, virtual to physical address translation from Instruction TLB (ITLB). Thus accessing an invalid physical memory address and resulting in halting the processor due to the Machine Check Error (MCE) on Page Size Change. CVEAn out-of-bounds memory write issue was found in the Linux Kernel, version through , in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. CVEMemory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel before allow attackers to cause a denial of service (memory consumption). This affects the dce_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce/dce_resource.c, the dce_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce/dce_resource.c, the dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the dce_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce/dce_resource.c, the dce_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce/dce_resource.c, and the dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c, aka CIDea1. CVEMemory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel through allow attackers to cause a denial of service (memory consumption). This affects the dce_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce/dce_resource.c, the dce_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce/dce_resource.c, the dce_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce/dce_resource.c, the dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, and the dce_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce/dce_resource.c, aka CIDcad. CVEA memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption), aka CID-8ce39eb5a67a. CVEFour memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel before allow attackers to cause a denial of service (memory consumption), aka CIDceaa. CVEA memory leak in the qrtr_tun_write_iter() function in net/qrtr/tun.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption), aka CID-a21b7f0cff CVEA memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2. CVEA memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering copy to udata failures, aka CID-4a9d46a9fe CVE** DISPUTED ** A memory leak in the nfp_abm_u32_knode_replace() function in drivers/net/ethernet/netronome/nfp/abm/cls.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption), aka CIDbeeffd9. NOTE: This has been argued as not a valid vulnerability. The upstream commit 78beeffd9 was reverted. CVEA memory leak in the ca_probe() function in drivers/net/ieee/cac in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering ca_get_platform_data() failures, aka CIDec86e. CVEA memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption), aka CIDc1e2a05e4. CVEMemory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CIDacf7caf CVEA memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption), aka CIDc5c6e6a5b6. CVEA memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-def23c. CVE** DISPUTED ** A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering devm_add_action_or_reset() failures, aka CID-d3b0ffa1d75d. NOTE: third parties dispute the relevance of this because the system must have already been out of memory before the probe began. CVEA memory leak in the fastrpc_dma_buf_attach() function in drivers/misc/fastrpc.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering dma_get_sgtable() failures, aka CID-fcad CVEA memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-a2cdde6. CVE** DISPUTED ** Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CIDbe09c6e NOTE: third parties dispute the relevance of this because the attacker must already have privileges for module loading. CVEA memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0eda2bd. CVE** DISPUTED ** A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CIDb3be18a04e. NOTE: This has been disputed as not a vulnerability because "rhashtable_init() can only fail if it is passed invalid values in the second parameter's struct, but when invoked from sdma_init() that is a pointer to a static const struct, so an attacker could only trigger failure if they could corrupt kernel memory (in which case a small memory leak is not a significant problem)." CVE** DISPUTED ** A memory leak in the fsl_lpspi_probe() function in drivers/spi/spi-fsl-lpspi.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering pm_runtime_get_sync() failures, aka CIDbf78f. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control these failures at probe time. CVETwo memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through allow attackers to cause a denial of service (memory consumption), aka CID-3f CVEA memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde CVEA memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption), aka CID-9cef3. CVEA memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption), aka CID-abb1daf CVEMultiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4ffa. CVEA memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4bfec1a5. CVETwo memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcbc8e. CVEA memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde CVE** DISPUTED ** A memory leak in the nl_get_ftm_responder_stats() function in net/wireless/nlc in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering nlhdr_put() failures, aka CIDc59fa NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred. CVEA memory leak in the cx_ir_probe() function in drivers/media/pci/cx/cxir.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b. CVEA memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpmsg/rpmsg_char.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering copy_from_iter_full() failures, aka CID-bbeee2. CVEA memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-fb5be6a7b CVEA memory leak in the im_op_rfkill_sw_toggle() function in drivers/net/wimax/im/op-rfkill.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7. CVEA memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering crypto_reportstat_alg() failures, aka CID-c03b04dcdba1. CVE** DISPUTED ** A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures, aka CID-e13de8fe0d6a. NOTE: third parties dispute the relevance of this because unittest.c can only be reached during boot. CVEA memory leak in the crypto_reportstat() function in drivers/virt/vboxguest/vboxguest_utils.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering copy_form_user() failures, aka CID-e0b0cb CVEA memory leak in the mlx5_fw_fatal_reporter_dump() function in drivers/net/ethernet/mellanox/mlx5/core/health.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering mlx5_crdump_collect() failures, aka CID-c7ed6dd5. CVE** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time. CVEA memory leak in the mlx5_fpga_conn_create_cq() function in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2afdc7. CVETwo memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/drm/v3d/v3d_gem.c in the Linux kernel before allow attackers to cause a denial of service (memory consumption) by triggering kcalloc() or v3d_job_init() failures, aka CIDcd13cfd CVEA memory leak in the i40e_setup_macvlans() function in drivers/net/ethernet/intel/i40e/i40e_main.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering i40e_setup_channel() failures, aka CIDd CVEA memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8. CVEA memory leak in the sof_dfsentry_write() function in sound/soc/sof/debug.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption), aka CID-c0adef. CVEA memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption) by triggering sof_get_ctrl_copy_params() failures, aka CIDcb1. CVEA memory leak in the komeda_wb_connector_add() function in drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c in the Linux kernel before allows attackers to cause a denial of service (memory consumption) by triggering drm_writeback_connector_init() failures, aka CID-a0ecd6fdbf5d. CVEA memory leak in the af_identify_state() function in drivers/media/usb/dvb-usb/afc in the Linux kernel through allows attackers to cause a denial of service (memory consumption), aka CIDadbfa CVEA memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through allows attackers to cause a denial of service (memory consumption), aka CIDc CVETwo memory leaks in the sja_static_config_upload() function in drivers/net/dsa/sja/sja_spi.c in the Linux kernel before allow attackers to cause a denial of service (memory consumption) by triggering static_config_buf_prepare_for_upload() or sja_inhibit_tx() failures, aka CIDdf92d CVEA memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. CVEIn the Linux kernel through , f->sprers.eued is uninitialized in rcar_drif_g_fmt_sdr_cap in drivers/media/platform/rcar_drif.c, which could cause a memory disclosure problem. CVEA vulnerability in the HostScan component of Cisco AnyConnect Secure Mobility Client for Linux could allow an unauthenticated, remote attacker to read sensitive information on an affected system. The vulnerability exists because the affected software performs improper bounds checks. An attacker could exploit this vulnerability by crafting HTTP traffic for the affected component to download and process. A successful exploit could allow the attacker to read sensitive information on the affected system. CVEIn the Linux kernel before , a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c CVEAn issue was discovered in drivers/xen/balloon.c in the Linux kernel before , as used in Xen through x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36abc7. CVEIn the Linux kernel before , a memory leak exits in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7fd. CVEIn the Linux kernel before , a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CIDf12b26e21a. CVEIn the Linux kernel before , hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e CVEIn the Linux kernel before , rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized. CVEAn issue was discovered in the Linux kernel before There is a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c. CVEAn issue was discovered in the Linux kernel before SMB2_read in fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was not fixed correctly in ; see the ChangeLog, which documents a memory leak. CVEAn issue was discovered in the Linux kernel before There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service. CVEIn the Linux kernel before , there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. CVEAn issue was discovered in the Linux kernel before There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory. CVEparse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through mishandles a short descriptor, leading to out-of-bounds memory access. CVEIn the Linux kernel through on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process, because MSR_TM_ACTIVE is misused in arch/powerpc/kernel/process.c. CVEIn the Linux kernel through on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check. CVEAn out-of-bounds access issue was found in the Linux kernel, all versions through , in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system. CVEIn the Linux kernel through on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_c and arch/powerpc/kernel/signal_c. CVEarch/powerpc/mm/mmu_context_book3sc in the Linux kernel before for powerpc has a bug where unrelated processes may be able to read/write to one another's virtual memory under certain conditions via an mmap above TB. Only a subset of powerpc systems are affected. CVE** DISPUTED ** An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because &#;The memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.&#;. CVE**DISPUTED** An issue was discovered in the efi subsystem in the Linux kernel through phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because &#;All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.&#;. CVE** DISPUTED ** An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel through There is a memory leak in a certain case of an ENOMEM outcome of kmalloc. NOTE: This id is disputed as not being an issue. CVEThe do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character. CVEfs/ext4/extents.c in the Linux kernel through does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. CVEudp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have unspecified other impact via UDP packets with a 0 payload, because of mishandling of padded packets, aka the "GRO packet of death" issue. CVEMicroarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: sprers.eu CVEA flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions x up to, excluding A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security affects. CVEA flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. CVEAn information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory, aka "Windows Subsystem for Linux Information Disclosure Vulnerability." This affects Windows 10 Servers, Windows 10, Windows Server CVEInsufficient memory protection in the Linux Administrative Tools for Intel(R) Network Adapters before version may allow an authenticated user to potentially enable escalation of privilege via local access. CVEA statement in the System Programming Guide of the Intel 64 and IA Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section ). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (sprers.eu) system flag (SDM Vol. 3A; section ). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. CVEAn Elevation of Privilege vulnerability exists in Windows Subsystem for Linux when it fails to properly handle objects in memory, aka "Linux On Windows Elevation Of Privilege Vulnerability." This affects Windows 10, Windows 10 Servers. CVEMemory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac_hwsim.c in the Linux kernel through allows local users to cause a denial of service (memory consumption) by triggering an out-of-array error case. CVEMemory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy/invalid_dword_count file. CVEAn issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. CVEIn FreeBSD before STABLE(r), RELEASE-p10, STABLE(r), and RELEASE-p9, due to insufficient initialization of memory copied to userland in the Linux subsystem and Atheros wireless driver, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts of privileged kernel data. CVEMemory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket. CVEBad cast in DevTools in Google Chrome on Win, Linux, Mac, Chrome OS prior to allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, a memory corruption can occur in kernel due to improper check in callers count parameter in display handlers. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, buffer overflow occur may occur in display handlers due to lack of checking in buffer size before copying into it and will lead to memory corruption. CVEA pointer in an ADSPRPC command is not properly validated in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android), which can lead to kernel memory being accessed. CVEIn Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level , in the function wma_tbttoffset_update_event_handler(), a parameter received from firmware is used to allocate memory for a local buffer and is not properly validated. This can potentially result in an integer overflow subsequently leading to a heap overwrite. CVESystems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. CVEIn a firmware memory dump feature in all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android), a Use After Free condition can occur. CVEType mismatch for ie_len can cause the WLAN driver to allocate less memory on the heap due to implicit casting leading to a heap buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, userspace can request ION cache maintenance on a secure ION buffer for which the ION_FLAG_SECURE ion flag is not set and cause the kernel to attempt to perform cache maintenance on memory which does not belong to HLOS. CVEIn the KGSL driver in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel, a Use After Free condition can occur when printing information about sparse memory allocations CVEAn issue was discovered in the Linux kernel before In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace. CVEAn issue where a provided address with access_ok() is not checked was discovered in i_gem_execbuffer2_ioctl in drivers/gpu/drm/i/i_gem_execbuffer.c in the Linux kernel through A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a Denial of Service or privilege escalation. CVEAn issue was discovered in the Linux kernel before crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE regression but with easier exploitability because the attacker does not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option). CVEAn issue was discovered in the Linux kernel through An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE and CVE CVEIn the Linux kernel x, x, x, x, and x before , faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles bit right shifts. CVEImproper memory handling in Intel QuickAssist Technology for Linux (all versions) may allow an authenticated user to potentially enable a denial of service via local access. CVEThe Linux kernel mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7. CVEA flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. This issue only affects kernel version x as shipped with Red Hat Enterprise Linux 7. CVEA flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. CVEA flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. Versions from v and newer are vulnerable. CVEAn issue was discovered in the Linux kernel before An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE CVEAn issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through , as used in Xen through x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks. CVEAn issue was discovered in the Linux kernel through , as used in Xen through x. The xen_failsafe_callback entry point in arch/x86/entry/entry_S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges. CVEA missing address check in the callers of the show_opcodes() in the Linux kernel allows an attacker to dump the kernel memory at an arbitrary kernel address into the dmesg log. CVEA flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Heap memory was accessed after it was freed CVEAn issue was discovered in fs/f2fs/inline.c in the Linux kernel through A denial of service (out-of-bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr. CVEAn issue was discovered in fs/f2fs/super.c in the Linux kernel through A denial of service (out-of-bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image. CVEAn issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork. CVEIn the ea_get function in fs/jfs/xattr.c in the Linux kernel through , a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Absence of length sanity check may lead to possible stack overflow resulting in memory corruption in trustzone region. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, if there is an unlikely memory alloc failure for the secure pool in boot, it can result in wrong pointer access causing kernel panic. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Error in kernel observed while accessing freed mask pointers after reallocating memory for mask table. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing fastboot flash command, memory leak or unexpected behavior may occur due to processing of unintialized data buffers. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, there is a potential heap overflow and memory corruption due to improper error handling in SOC infrastructure. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, memory allocated is automatically released by the kernel if the 'probe' function fails with an error code. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper length check Validation in WLAN function can lead to driver writes the default rsn capabilities to the memory not allocated to the frame. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when requesting rssi timeout, access invalid memory may occur since local variable 'context' stack data of wlan function is free. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possibility of invalid memory access while processing driver command in WLAN function. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, during wlan association, driver allocates memory. In case the mem allocation fails driver does a mem free though the memory was not allocated. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of check on integer overflow while calculating memory can lead to Buffer overflow in WLAN ext scan handler. CVEIn all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, freeing device memory in driver probe failure will result in double free issue in power module. CVEThe compat_get_timex function in kernel/compat.c in the Linux kernel before allows local users to obtain sensitive information from kernel memory via adjtimex. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, callback executed from the other thread has freed memory which is also used in wlan function and may result in to a "Use after free" scenario. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, when WLAN FW has not filled the vdev id correctly in stats events then WLAN host driver tries to access interface array without proper bound check which can lead to invalid memory access and as a side effect kernel panic or page fault. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while processing user-space there is no size validation of the NAT entry input. If the user input size of the NAT entry is greater than the max allowed size, memory exhaustion will occur. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, double free of memory allocation is possible in Kernel when it explicitly tries to free that memory on driver probe failure, since memory allocated is automatically freed on probe. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, memory allocated with devm_kzalloc is automatically released by the kernel if the probe function fails with an error code. This may result in data corruption. CVEIn all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, possible buffer overflow while incrementing the log_buf of type uint64_t in memcpy function, since the log_buf pointer can access the memory beyond the size to store the data after pointer increment. CVEA flaw was found affecting the Linux kernel before version By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). CVELinux kernel vhost since version does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file. CVEThe cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory. CVEIn the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before , a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service. CVEA flaw was found in the Linux 4.x kernel's implementation of bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. CVEThe Linux Kernel versions , , and has a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked sprers.eu can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked). CVEThe Linux Kernel version contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appear to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67ba7a50c57f72e69a6dad90a0f0f. CVEWindows Subsystem for Linux in Windows 10 version , Windows 10 version , and Windows Server, version allows an elevation of privilege vulnerability due to the way objects are handled in memory, aka "Windows Subsystem for Linux Elevation of Privilege Vulnerability". CVEIn all Qualcomm products with Android releases from CAF using the Linux kernel, user-level permissions can be used to gain access to kernel memory, specifically the ION cache maintenance code is writing to a user supplied address. CVEIn Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, an out of bound memory access may happen in limCheckRxRSNIeMatch in case incorrect RSNIE is received from the client in assoc request. CVEIn android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing OEM unlock/unlock-go fastboot commands data leak may occur, resulting from writing uninitialized stack structure to non-volatile memory. CVEIn Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improperly specified offset/size values for a submission command could cause a math operation to overflow and could result in an access to arbitrary memory. The combined pointer will overflow and possibly pass further checks intended to avoid accessing unintended memory. CVEIn Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a race condition can allow access to already freed memory while reading command registration table entries in diag_dbgfs_read_table. CVEIn Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a specially-crafted HDMI CEC message can be used to cause stack memory corruption. CVEIn Android before on Qualcomm MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, if kernel memory address is passed from userspace through iris_vidioc_s_ext_ctrls ioctl, it will print kernel address data. A user could set it to an arbitrary kernel address, hence information disclosure (for kernel) could occur. CVEIn all Qualcomm products with Android releases from CAF using the Linux kernel, if a userspace string is not NULL-terminated, kernel memory contents can leak to system logs. CVEIn all Qualcomm products with Android releases from CAF using the Linux kernel, in a video driver, memory corruption can potentially occur due to lack of bounds checking in a memcpy(). CVEThe vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. CVEThe edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow. CVEThe Microsoft Windows Subsystem for Linux on Microsoft Windows 10 allows a denial of service vulnerability when it improperly handles objects in memory, aka "Windows Subsystem for Linux Denial of Service Vulnerability". CVEWindows Subsystem for Linux in Windows 10 , allows a denial of service vulnerability due to the way it handles objects in memory, aka "Windows Subsystem for Linux Denial of Service Vulnerability". CVEIn all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition can allow access to already freed memory while querying event status via DCI. CVEIn all Qualcomm products with Android releases from CAF using the Linux kernel, during the wlan calibration data store and retrieve operation, there are some potential race conditions which lead to a memory leak and a buffer overflow during the context switch. CVEIn android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, missing race condition protection while updating msg mask table can lead to buffer over-read. Also access to freed memory can happen while updating msg_mask information. CVEOut of bound memory write can happen in the MDSS Rotator driver in all Qualcomm products with Android releases from CAF using the Linux kernel by an unsanitized userspace-controlled parameter. CVEUserspace-controlled non null terminated parameter for IPA WAN ioctl in all Qualcomm products with Android releases from CAF using the Linux kernel can lead to exposure of kernel memory. CVEIn all Qualcomm products with Android releases from CAF using the Linux kernel, in some memory allocation and free functions, a race condition can potentially occur leading to a Use After Free condition. CVEIn all Qualcomm products with Android releases from CAF using the Linux kernel, kernel memory can potentially be overwritten if an invalid master is sent from userspace. CVEIn function msm_pcm_playback_close() in all Android releases from CAF using the Linux kernel, prtd is assigned substream->runtime->private_data. Later, prtd is freed. However, prtd is not sanitized and set to NULL, resulting in a dangling pointer. There are other functions that access the same memory (substream->runtime->private_data) with a NULL check, such as msm_pcm_volume_ctl_put(), which means this freed memory could be used. CVEIn all Android releases from CAF using the Linux kernel, while processing a voice SVC request which is nonstandard by specifying a payload size that will overflow its own declared size, an out of bounds memory copy occurs. CVEIn core_info_read and inst_info_read in all Android releases from CAF using the Linux kernel, variable "dbg_buf", "dbg_buf->curr" and "dbg_buf->filled_size" could be modified by different threads at the same time, but they are not protected with mutex or locks. Buffer overflow is possible on race conditions. "buffer->curr" itself could also be overwritten, which means that it may point to anywhere of kernel memory (for write). CVEIn all Android releases from CAF using the Linux kernel, a race condition exists in a QTEE driver potentially leading to an arbitrary memory write. CVEIn all Android releases from CAF using the Linux kernel, userspace-controlled parameters for flash initialization are not sanitized potentially leading to exposure of kernel memory. CVEIn all Android releases from CAF using the Linux kernel, a memory structure in a camera driver is not properly protected. CVEdrivers/net/usb/catc.c in the Linux kernel x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEdrivers/net/usb/rtlc in the Linux kernel x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEdrivers/net/usb/pegasus.c in the Linux kernel x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEdrivers/char/virtio_console.c in the Linux kernel x and x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEdrivers/net/can/usb/gs_usb.c in the Linux kernel x and x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEcrypto/ccm.c in the Linux kernel x and x through interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEdrivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel x and x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEdrivers/media/usb/dvb-usb/dwc in the Linux kernel x and x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEdrivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel x and x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEThe cookie feature in the packet action API implementation in net/sched/act_api.c in the Linux kernel x through rc7 mishandles the tb nlattr array, which allows local users to cause a denial of service (uninitialized memory access and refcount underflow, and system hang or crash) or possibly have unspecified other impact via "tc filter add" commands in certain contexts. NOTE: this does not affect stable kernels, such as x, from sprers.eu CVEThe mm subsystem in the Linux kernel through does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c. CVERace condition in the fsnotify implementation in the Linux kernel through allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions. CVEIn the Linux kernel before version , Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation. CVEThe KEYS subsystem in the Linux kernel before allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls. CVEOff-by-one error in the pipe_advance function in lib/iov_iter.c in the Linux kernel before allows local users to obtain sensitive information from uninitialized heap-memory locations in opportunistic circumstances by reading from a pipe after an incorrect buffer-release decision. CVEThe klsi__get_line_state function in drivers/usb/serial/kl5kusbc in the Linux kernel before places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log. CVEdrivers/net/ieee/atusb.c in the Linux kernel x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEdrivers/hid/hid-corsair.c in the Linux kernel x before interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. CVEUse of an uninitialized value in Skia in Google Chrome prior to for Mac, Windows, and Linux, and for Android, allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVEUse of an uninitialized value in Skia in Google Chrome prior to for Linux and Windows allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVEInappropriate use of partition alloc in PDFium in Google Chrome prior to for Linux, Windows, and Mac, and for Android, allowed a remote attacker to potentially exploit memory corruption via a crafted PDF file. CVEA use after free in PDFium in Google Chrome prior to for Linux, Windows, and Mac allowed a remote attacker to potentially exploit memory corruption via a crafted PDF file. CVEUse of an uninitialized value in Skia in Google Chrome prior to for Linux, Windows, and Mac allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVEUse of an uninitialized value in Skia in Google Chrome prior to for Mac, Windows, Linux, and Android allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVEA use after free in V8 in Google Chrome prior to for Mac, Windows, Linux, and Android allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEInsufficient validation of untrusted input in Skia in Google Chrome prior to for Linux allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEA use after free in IndexedDB in Google Chrome prior to for Linux, Android, Windows, and Mac allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEInsufficient validation of untrusted input in V8 in Google Chrome prior to for Mac, Windows, and Linux, and for Android, allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. CVEA use after free in Blink in Google Chrome prior to for Mac, Windows, and Linux, and for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page, aka an IndexedDB sandbox escape. CVEA use after free in credit card autofill in Google Chrome prior to for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEInsufficient validation of untrusted input in Skia in Google Chrome prior to for Linux, Windows, and Mac, and for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEUse after free in print preview in Blink in Google Chrome prior to for Linux, Windows, and Mac, and for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEInsufficient validation of untrusted input in V8 in Google Chrome prior to for Linux, Windows and Mac, and for Android allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEA numeric overflow in Skia in Google Chrome prior to for Linux, Windows, and Mac, and for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEA use after free in Chrome Apps in Google Chrome prior to for Mac, Windows, and Linux, and for Android, allowed a remote attacker to potentially perform out of bounds memory access via a crafted Chrome extension. CVEType confusion in PDFium in Google Chrome prior to for Mac, Windows, and Linux, and for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. CVEA use after free in Blink in Google Chrome prior to for Linux, Windows, and Mac, and for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEA use after free in printing in Google Chrome prior to for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVEAn out-of-bounds read in V8 in Google Chrome prior to for Linux, Windows, and Mac, and for Android, allowed a remote attacker to obtain heap memory contents via a crafted HTML page. CVEAn incorrect assumption about block structure in Blink in Google Chrome prior to for Mac, Windows, and Linux, and for Android, allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page that triggers improper casting. CVEAn integer overflow in FFmpeg in Google Chrome prior to for Mac, Windows, and Linux and for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. CVEAn integer overflow in FFmpeg in Google Chrome prior to for Mac, Windows, and Linux and for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. CVEAn integer overflow in FFmpeg in Google Chrome prior to for Mac, Windows, and Linux and for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. CVE