Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac()<br /> <br /> ida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX)<br /> inclusive.<br /> So NFP_MAX_MAC_INDEX (0xff) is a valid id.<br /> <br /> In order for the error handling path to work correctly, the &amp;#39;invalid&amp;#39;<br /> value for &amp;#39;ida_idx&amp;#39; should not be in the 0..NFP_MAX_MAC_INDEX range,<br /> inclusive.<br /> <br /> So set it to -1.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: unregister flowtable hooks on netns exit<br /> <br /> Unregister flowtable hooks before they are releases via<br /> nf_tables_flowtable_destroy() otherwise hook core reports UAF.<br /> <br /> BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142<br /> Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666<br /> <br /> CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106<br /> dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106<br /> print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247<br /> __kasan_report mm/kasan/report.c:433 [inline]<br /> __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450<br /> kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450<br /> nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142<br /> __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429<br /> nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571<br /> nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232<br /> nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430<br /> nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]<br /> nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]<br /> nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652<br /> nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652<br /> nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652<br /> <br /> __nft_release_hook() calls nft_unregister_flowtable_net_hooks() which<br /> only unregisters the hooks, then after RCU grace period, it is<br /> guaranteed that no packets add new entries to the flowtable (no flow<br /> offload rules and flowtable hooks are reachable from packet path), so it<br /> is safe to call nf_flow_table_free() which cleans up the remaining<br /> entries from the flowtable (both software and hardware) and it unbinds<br /> the flow_block.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: rndis: add spinlock for rndis response list<br /> <br /> There&amp;#39;s no lock for rndis response list. It could cause list corruption<br /> if there&amp;#39;re two different list_add at the same time like below.<br /> It&amp;#39;s better to add in rndis_add_response / rndis_free_response<br /> / rndis_get_next_response to prevent any race condition on response list.<br /> <br /> [ 361.894299] [1: irq/191-dwc3:16979] list_add corruption.<br /> next-&gt;prev should be prev (ffffff80651764d0),<br /> but was ffffff883dc36f80. (next=ffffff80651764d0).<br /> <br /> [ 361.904380] [1: irq/191-dwc3:16979] Call trace:<br /> [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90<br /> [ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0<br /> [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84<br /> [ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4<br /> [ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60<br /> [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0<br /> [ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc<br /> [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc<br /> [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec<br /> [ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: adc: tsc2046: fix memory corruption by preventing array overflow<br /> <br /> On one side we have indio_dev-&gt;num_channels includes all physical channels +<br /> timestamp channel. On other side we have an array allocated only for<br /> physical channels. So, fix memory corruption by ARRAY_SIZE() instead of<br /> num_channels variable.<br /> <br /> Note the first case is a cleanup rather than a fix as the software<br /> timestamp channel bit in active_scanmask is never set by the IIO core.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: adc: men_z188_adc: Fix a resource leak in an error handling path<br /> <br /> If iio_device_register() fails, a previous ioremap() is left unbalanced.<br /> <br /> Update the error handling path and add the missing iounmap() call, as<br /> already done in the remove function.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix crash due to out of bounds access into reg2btf_ids.<br /> <br /> When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added<br /> kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier<br /> reg type to the appropriate btf_vmlinux BTF ID, however<br /> commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")<br /> moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after<br /> the base register types, and defined other variants using type flag<br /> composition. However, now, the direct usage of reg-&gt;type to index into<br /> reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to<br /> out of bounds access and kernel crash on dereference of bad pointer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/ib_srp: Fix a deadlock<br /> <br /> Remove the flush_workqueue(system_long_wq) call since flushing<br /> system_long_wq is deadlock-prone and since that call is redundant with a<br /> preceding cancel_work_sync()

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site&amp;#39;s server which may make remote code execution possible.

The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn&amp;#39;t be accessible to them.

Dell Power Manager (DPM), versions 3.15.0 and prior, contains an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of privileges.

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel_direction parameter of testimonials widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.