Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: unconditionally bump set-&gt;nelems before insertion<br /> <br /> In case that the set is full, a new element gets published then removed<br /> without waiting for the RCU grace period, while RCU reader can be<br /> walking over it already.<br /> <br /> To address this issue, add the element transaction even if set is full,<br /> but toggle the set_full flag to report -ENFILE so the abort path safely<br /> unwinds the set to its previous state.<br /> <br /> As for element updates, decrement set-&gt;nelems to restore it.<br /> <br /> A simpler fix is to call synchronize_rcu() in the error path.<br /> However, with a large batch adding elements to already maxed-out set,<br /> this could cause noticeable slowdown of such batches.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> macvlan: observe an RCU grace period in macvlan_common_newlink() error path<br /> <br /> valis reported that a race condition still happens after my prior patch.<br /> <br /> macvlan_common_newlink() might have made @dev visible before<br /> detecting an error, and its caller will directly call free_netdev(dev).<br /> <br /> We must respect an RCU period, either in macvlan or the core networking<br /> stack.<br /> <br /> After adding a temporary mdelay(1000) in macvlan_forward_source_one()<br /> to open the race window, valis repro was:<br /> <br /> ip link add p1 type veth peer p2<br /> ip link set address 00:00:00:00:00:20 dev p1<br /> ip link set up dev p1<br /> ip link set up dev p2<br /> ip link add mv0 link p2 type macvlan mode source<br /> <br /> (ip link add invalid% link p2 type macvlan mode source macaddr add<br /> 00:00:00:00:00:20 &amp;) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4<br /> PING 1.2.3.4 (1.2.3.4): 56 data bytes<br /> RTNETLINK answers: Invalid argument<br /> <br /> BUG: KASAN: slab-use-after-free in macvlan_forward_source<br /> (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)<br /> Read of size 8 at addr ffff888016bb89c0 by task e/175<br /> <br /> CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:123)<br /> print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)<br /> ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)<br /> kasan_report (mm/kasan/report.c:597)<br /> ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)<br /> macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)<br /> ? tasklet_init (kernel/softirq.c:983)<br /> macvlan_handle_frame (drivers/net/macvlan.c:501)<br /> <br /> Allocated by task 169:<br /> kasan_save_stack (mm/kasan/common.c:58)<br /> kasan_save_track (./arch/x86/include/asm/current.h:25<br /> mm/kasan/common.c:70 mm/kasan/common.c:79)<br /> __kasan_kmalloc (mm/kasan/common.c:419)<br /> __kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657<br /> mm/slub.c:7140)<br /> alloc_netdev_mqs (net/core/dev.c:12012)<br /> rtnl_create_link (net/core/rtnetlink.c:3648)<br /> rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957<br /> net/core/rtnetlink.c:4072)<br /> rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)<br /> netlink_rcv_skb (net/netlink/af_netlink.c:2550)<br /> netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)<br /> netlink_sendmsg (net/netlink/af_netlink.c:1894)<br /> __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)<br /> __x64_sys_sendto (net/socket.c:2209)<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)<br /> <br /> Freed by task 169:<br /> kasan_save_stack (mm/kasan/common.c:58)<br /> kasan_save_track (./arch/x86/include/asm/current.h:25<br /> mm/kasan/common.c:70 mm/kasan/common.c:79)<br /> kasan_save_free_info (mm/kasan/generic.c:587)<br /> __kasan_slab_free (mm/kasan/common.c:287)<br /> kfree (mm/slub.c:6674 mm/slub.c:6882)<br /> rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957<br /> net/core/rtnetlink.c:4072)<br /> rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)<br /> netlink_rcv_skb (net/netlink/af_netlink.c:2550)<br /> netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)<br /> netlink_sendmsg (net/netlink/af_netlink.c:1894)<br /> __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)<br /> __x64_sys_sendto (net/socket.c:2209)<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf: Fix __perf_event_overflow() vs perf_remove_from_context() race<br /> <br /> Make sure that __perf_event_overflow() runs with IRQs disabled for all<br /> possible callchains. Specifically the software events can end up running<br /> it with only preemption disabled.<br /> <br /> This opens up a race vs perf_event_exit_event() and friends that will go<br /> and free various things the overflow path expects to be present, like<br /> the BPF program.

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty supi path parameter. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures. When a client sends a DELETE request with an empty supi (e.g., double slashes // in URL path), the UDM forwards the malformed request to UDR, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for DELETE operations. The issue has been patched in version 1.4.2.

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequences (../) and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go attempts to access a nil pointer without proper validation, causing a complete service crash with "runtime error: invalid memory address or nil pointer dereference". Exploitation would result in UDM functionality disruption until recovery by restart. This issue has been fixed in version 1.4.2.

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2<br /> are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM&amp;#39;s Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go&amp;#39;s net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go&amp;#39;s URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2.

Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {!! json_encode(...) !!} without safe encoding flags allows string values to break out of the JavaScript context and be interpreted as HTML/JS by the browser. If any serialized fields contain attacker-controlled content, such as a username, display name, or site config value, a malicious payload will execute arbitrary script for any user viewing the page (stored DOM XSS). This issue has been patched by commit e28edb204e80efab628d1241198ea4f079779cfd.

Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights. The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base_64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...). This issue has been fixed in version 1.2.3.

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate&amp;#39;s unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability in that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2.

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. There is no URL validation on base_url parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces. An attack can lead to internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the base_url parameter. This issue has been fixed in version 0.4.85.

A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This impacts an unknown function of the file home/web/ipc of the component HTTP Firmware Update Handler. The manipulation leads to improper verification of cryptographic signature. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.