Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations<br /> <br /> ieee80211_chan_bw_change() iterates all stations and accesses<br /> link-&gt;reserved.oper via sta-&gt;sdata-&gt;link[link_id]. For stations on<br /> AP_VLAN interfaces (e.g. 4addr WDS clients), sta-&gt;sdata points to<br /> the VLAN sdata, whose link never participates in chanctx reservations.<br /> This leaves link-&gt;reserved.oper zero-initialized with chan == NULL,<br /> causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()<br /> when accessing chandef-&gt;chan-&gt;band during CSA.<br /> <br /> Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()<br /> before accessing link data.<br /> <br /> [also change sta-&gt;sdata in ARRAY_SIZE even if it doesn&amp;#39;t matter]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access<br /> <br /> l2cap_information_rsp() checks that cmd_len covers the fixed<br /> l2cap_info_rsp header (type + result, 4 bytes) but then reads<br /> rsp-&gt;data without verifying that the payload is present:<br /> <br /> - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp-&gt;data), which reads<br /> 4 bytes past the header (needs cmd_len &gt;= 8).<br /> <br /> - L2CAP_IT_FIXED_CHAN reads rsp-&gt;data[0], 1 byte past the header<br /> (needs cmd_len &gt;= 5).<br /> <br /> A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an<br /> out-of-bounds read of adjacent skb data.<br /> <br /> Guard each data access with the required payload length check. If the<br /> payload is too short, skip the read and let the state machine complete<br /> with safe defaults (feat_mask and remote_fixed_chan remain zero from<br /> kzalloc), so the info timer cleanup and l2cap_conn_start() still run<br /> and the connection is not stalled.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix krb5 mount with username option<br /> <br /> Customer reported that some of their krb5 mounts were failing against<br /> a single server as the client was trying to mount the shares with<br /> wrong credentials. It turned out the client was reusing SMB session<br /> from first mount to try mounting the other shares, even though a<br /> different username= option had been specified to the other mounts.<br /> <br /> By using username mount option along with sec=krb5 to search for<br /> principals from keytab is supported by cifs.upcall(8) since<br /> cifs-utils-4.8. So fix this by matching username mount option in<br /> match_session() even with Kerberos.<br /> <br /> For example, the second mount below should fail with -ENOKEY as there<br /> is no &amp;#39;foobar&amp;#39; principal in keytab (/etc/krb5.keytab). The client<br /> ends up reusing SMB session from first mount to perform the second<br /> one, which is wrong.<br /> <br /> ```<br /> $ ktutil<br /> ktutil: add_entry -password -p testuser -k 1 -e aes256-cts<br /> Password for testuser@ZELDA.TEST:<br /> ktutil: write_kt /etc/krb5.keytab<br /> ktutil: quit<br /> $ klist -ke<br /> Keytab name: FILE:/etc/krb5.keytab<br /> KVNO Principal<br /> ---- ----------------------------------------------------------------<br /> 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96)<br /> $ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser<br /> $ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar<br /> $ mount -t cifs | grep -Po &amp;#39;username=\K\w+&amp;#39;<br /> testuser<br /> testuser<br /> ```

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: atmel-sha204a - Fix OOM -&gt;tfm_count leak<br /> <br /> If memory allocation fails, decrement -&gt;tfm_count to avoid blocking<br /> future reads.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: fix use-after-free on controller registration failure<br /> <br /> Make sure to deregister from driver core also in the unlikely event that<br /> per-cpu statistics allocation fails during controller registration to<br /> avoid use-after-free (of driver resources) and unclocked register<br /> accesses.

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user&amp;#39;s consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe: Fix memory leak in xe_vm_madvise_ioctl<br /> <br /> When check_bo_args_are_sane() validation fails, jump to the new<br /> free_vmas cleanup label to properly free the allocated resources.<br /> This ensures proper cleanup in this error path.<br /> <br /> (cherry picked from commit 29bd06faf727a4b76663e4be0f7d770e2d2a7965)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: fix statistics allocation<br /> <br /> The controller per-cpu statistics is not allocated until after the<br /> controller has been registered with driver core, which leaves a window<br /> where accessing the sysfs attributes can trigger a NULL-pointer<br /> dereference.<br /> <br /> Fix this by moving the statistics allocation to controller allocation<br /> while tying its lifetime to that of the controller (rather than using<br /> implicit devres).

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the “Forgot Password” endpoint. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, resulting in hundreds of password reset emails being sent in a short time window. This enables large-scale email flooding, user harassment, denial of service (DoS) against user inboxes, and potential financial and reputational impact for Budibase. This issue has been patched in version 3.23.25.

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.