Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2026-23040

Publication date:
04/02/2026
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211_hwsim: fix typo in frequency notification

The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel. This could result in a NULL pointer dereference in cfg80211_next_nan_dw_notif.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2026-23041

Publication date:
04/02/2026
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup

When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister().

Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration.

bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference:

bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
Call Trace:
__hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)
bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)
ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)
ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)
bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)
bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)

Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3")

Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2026-23042

Publication date:
04/02/2026
In the Linux kernel, the following vulnerability has been resolved:

idpf: fix aux device unplugging when rdma is not supported by vport

If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport. This leads to kernel NULL pointer dereference in idpf_idc_vport_dev_down(), which references vdev_info for every vport regardless.

Check, if vdev_info was ever allocated before unplugging aux device.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2026-23043

Publication date:
04/02/2026
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix NULL pointer dereference in do_abort_log_replay()

Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay(). When btrfs_alloc_path() fails in replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay() calls do_abort_log_replay() which unconditionally dereferences wc->subvol_path when attempting to print debug information. Fix this by adding a NULL check before dereferencing wc->subvol_path in do_abort_log_replay().
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2026-23044

Publication date:
04/02/2026
In the Linux kernel, the following vulnerability has been resolved:

PM: hibernate: Fix crash when freeing invalid crypto compressor

When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.

The cleanup code in save_compressed_image() and load_compressed_image() unconditionally calls crypto_free_acomp() without checking for ERR_PTR, which causes crypto_acomp_tfm() to dereference an invalid pointer and crash the kernel.

This can be triggered when the compression algorithm is unavailable (e.g., CONFIG_CRYPTO_LZO not enabled).

Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free(), similar to the existing kthread_stop() check.

[ rjw: Added 2 empty code lines ]
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2025-71192

Publication date:
04/02/2026
In the Linux kernel, the following vulnerability has been resolved:

ALSA: ac97: fix a double free in snd_ac97_controller_register()

If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup.

Found by code review.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026

CVE-2025-70545

Publication date:
04/02/2026
A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. The Common Gateway Interface (CGI) component improperly handles user-supplied input, allowing a remote, unauthenticated attacker to inject arbitrary JavaScript that is persistently stored and executed when the affected interface is accessed.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2026

CVE-2026-20730

Publication date:
04/02/2026
A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: LOW
Last modification:
04/02/2026

CVE-2026-20732

Publication date:
04/02/2026
A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: LOW
Last modification:
04/02/2026

CVE-2026-22548

Publication date:
04/02/2026
When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker's control can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
04/02/2026

CVE-2026-1642

Publication date:
04/02/2026
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity CVSS v4.0: HIGH
Last modification:
05/02/2026

CVE-2025-69618

Publication date:
04/02/2026
An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2026