Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()<br /> <br /> I found a null pointer reference in arch_prepare_kprobe():<br /> <br /> # echo &amp;#39;p cmdline_proc_show&amp;#39; &gt; kprobe_events<br /> # echo &amp;#39;p cmdline_proc_show+16&amp;#39; &gt;&gt; kprobe_events<br /> Kernel attempted to read user page (0) - exploit attempt? (uid: 0)<br /> BUG: Kernel NULL pointer dereference on read at 0x00000000<br /> Faulting instruction address: 0xc000000000050bfc<br /> Oops: Kernel access of bad area, sig: 11 [#1]<br /> LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV<br /> Modules linked in:<br /> CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10<br /> NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc<br /> REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)<br /> MSR: 9000000000009033 CR: 88002444 XER: 20040006<br /> CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0<br /> ...<br /> NIP arch_prepare_kprobe+0x10c/0x2d0<br /> LR arch_prepare_kprobe+0xfc/0x2d0<br /> Call Trace:<br /> 0xc0000000012f77a0 (unreliable)<br /> register_kprobe+0x3c0/0x7a0<br /> __register_trace_kprobe+0x140/0x1a0<br /> __trace_kprobe_create+0x794/0x1040<br /> trace_probe_create+0xc4/0xe0<br /> create_or_delete_trace_kprobe+0x2c/0x80<br /> trace_parse_run_command+0xf0/0x210<br /> probes_write+0x20/0x40<br /> vfs_write+0xfc/0x450<br /> ksys_write+0x84/0x140<br /> system_call_exception+0x17c/0x3a0<br /> system_call_vectored_common+0xe8/0x278<br /> --- interrupt: 3000 at 0x7fffa5682de0<br /> NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000<br /> REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)<br /> MSR: 900000000280f033 CR: 44002408 XER: 00000000<br /> <br /> The address being probed has some special:<br /> <br /> cmdline_proc_show: Probe based on ftrace<br /> cmdline_proc_show+16: Probe for the next instruction at the ftrace location<br /> <br /> The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets<br /> set to NULL. In arch_prepare_kprobe() it will check for:<br /> <br /> ...<br /> prev = get_kprobe(p-&gt;addr - 1);<br /> preempt_enable_no_resched();<br /> if (prev &amp;&amp; ppc_inst_prefixed(ppc_inst_read(prev-&gt;ainsn.insn))) {<br /> ...<br /> <br /> If prev is based on ftrace, &amp;#39;ppc_inst_read(prev-&gt;ainsn.insn)&amp;#39; will occur<br /> with a null pointer reference. At this point prev-&gt;addr will not be a<br /> prefixed instruction, so the check can be skipped.<br /> <br /> Check if prev is ftrace-based kprobe before reading &amp;#39;prev-&gt;ainsn.insn&amp;#39;<br /> to fix this problem.<br /> <br /> [mpe: Trim oops]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: Fix pci_device_is_present() for VFs by checking PF<br /> <br /> pci_device_is_present() previously didn&amp;#39;t work for VFs because it reads the<br /> Vendor and Device ID, which are 0xffff for VFs, which looks like they<br /> aren&amp;#39;t present. Check the PF instead.<br /> <br /> Wei Gong reported that if virtio I/O is in progress when the driver is<br /> unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O<br /> operation hangs, which may result in output like this:<br /> <br /> task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002<br /> Call Trace:<br /> schedule+0x4f/0xc0<br /> blk_mq_freeze_queue_wait+0x69/0xa0<br /> blk_mq_freeze_queue+0x1b/0x20<br /> blk_cleanup_queue+0x3d/0xd0<br /> virtblk_remove+0x3c/0xb0 [virtio_blk]<br /> virtio_dev_remove+0x4b/0x80<br /> ...<br /> device_unregister+0x1b/0x60<br /> unregister_virtio_device+0x18/0x30<br /> virtio_pci_remove+0x41/0x80<br /> pci_device_remove+0x3e/0xb0<br /> <br /> This happened because pci_device_is_present(VF) returned "false" in<br /> virtio_pci_remove(), so it called virtio_break_device(). The broken vq<br /> meant that vring_interrupt() skipped the vq.callback() that would have<br /> completed the virtio I/O operation via virtblk_done().<br /> <br /> [bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()<br /> <br /> If "cpu_dev" fails to get opp table in qcom_cpufreq_hw_read_lut(),<br /> the program will return, resulting in "table" resource is not released.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RISC-V: kexec: Fix memory leak of fdt buffer<br /> <br /> This is reported by kmemleak detector:<br /> <br /> unreferenced object 0xff60000082864000 (size 9588):<br /> comm "kexec", pid 146, jiffies 4294900634 (age 64.788s)<br /> hex dump (first 32 bytes):<br /> d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40 ...........H...@<br /> 00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00 ...(............<br /> backtrace:<br /> [] kmemleak_alloc+0x34/0x3e<br /> [] kmalloc_order+0x9c/0xc4<br /> [] kmalloc_order_trace+0x34/0xb6<br /> [] __kmalloc+0x5c2/0x62a<br /> [] kvmalloc_node+0x66/0xd6<br /> [] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea<br /> [] elf_kexec_load+0x206/0x4ec<br /> [] kexec_image_load_default+0x40/0x4c<br /> [] sys_kexec_file_load+0x1c4/0x322<br /> [] ret_from_syscall+0x0/0x2<br /> <br /> In elf_kexec_load(), a buffer is allocated via kvmalloc() to store fdt.<br /> While it&amp;#39;s not freed back to system when kexec kernel is reloaded or<br /> unloaded. Then memory leak is caused. Fix it by introducing riscv<br /> specific function arch_kimage_file_post_load_cleanup(), and freeing the<br /> buffer there.

Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks

WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended or tags by injecting closing tags (e.g., or ), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0.

Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 and 16.13-9 are mission CSRF protections in its tracker field dependencies, allowing attackers to modify tracker fields. This issue is fixed in Tuleap Community Edition version 17.0.99.1763803709 and Tuleap Enterprise Edition versions 17.0-4 and 16.13-9.

n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project&amp;#39;s pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node.

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers trick victims into changing tracker general settings. This issue is fixed in version Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10.

Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edtion versions 17.0-2, 16.13-7 and 16.12-10.