Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-38246

Publication date:
09/07/2025
In the Linux kernel, the following vulnerability has been resolved:

bnxt: properly flush XDP redirect lists

We encountered following crash when testing a XDP_REDIRECT feature in production:

    [56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd40f30).
    [56251.601413] ------------[ cut here ]------------
    [56251.611357] kernel BUG at lib/list_debug.c:29!
    [56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
    [56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6.3 #1
    [56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE
    [56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025
    [56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0
    [56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48 89 c6 e8 25 16 fe ff 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89
    [56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246
    [56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000
    [56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80
    [56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18
    [56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000
    [56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40
    [56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000
    [56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0
    [56251.831365] PKRU: 55555554
    [56251.838653] Call Trace:
    [56251.845560]
    [56251.851943] cpu_map_enqueue.cold+0x5/0xa
    [56251.860243] xdp_do_redirect+0x2d9/0x480
    [56251.868388] bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en]
    [56251.877028] bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en]
    [56251.885665] ? cpu_max_write+0x1e/0x100
    [56251.893510] ? srso_alias_return_thunk+0x5/0xfbef5
    [56251.902276] __bnxt_poll_work+0x190/0x340 [bnxt_en]
    [56251.911058] bnxt_poll+0xab/0x1b0 [bnxt_en]
    [56251.919041] ? srso_alias_return_thunk+0x5/0xfbef5
    [56251.927568] ? srso_alias_return_thunk+0x5/0xfbef5
    [56251.935958] ? srso_alias_return_thunk+0x5/0xfbef5
    [56251.944250] __napi_poll+0x2b/0x160
    [56251.951155] bpf_trampoline_6442548651+0x79/0x123
    [56251.959262] __napi_poll+0x5/0x160
    [56251.966037] net_rx_action+0x3d2/0x880
    [56251.973133] ? srso_alias_return_thunk+0x5/0xfbef5
    [56251.981265] ? srso_alias_return_thunk+0x5/0xfbef5
    [56251.989262] ? __hrtimer_run_queues+0x162/0x2a0
    [56251.996967] ? srso_alias_return_thunk+0x5/0xfbef5
    [56252.004875] ? srso_alias_return_thunk+0x5/0xfbef5
    [56252.012673] ? bnxt_msix+0x62/0x70 [bnxt_en]
    [56252.019903] handle_softirqs+0xcf/0x270
    [56252.026650] irq_exit_rcu+0x67/0x90
    [56252.032933] common_interrupt+0x85/0xa0
    [56252.039498]
    [56252.044246]
    [56252.048935] asm_common_interrupt+0x26/0x40
    [56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420
    [56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae 01 00 00 fb 45 85 f6 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29
    [56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202
    [56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000
    [56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000
    [56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e
    [56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860
    [56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000
    [56252.146667] ? cpuidle_enter_state+0xab/0x420
    [56252.153909] cpuidle_enter+0x2d/0x40
    [56252.160360] do_idle+0x176/0x1c0
    [56252.166456
    ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2025

CVE-2025-38245

Publication date:
09/07/2025
In the Linux kernel, the following vulnerability has been resolved:

atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().

syzbot reported a warning below during atm_dev_register(). [0]

Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex.

However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over.

So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat.

Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister().

[0]:

    proc_dir_entry 'atm/atmtcp:0' already registered
    WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377
    Modules linked in:
    CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
    RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377
    Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48
    RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248
    RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001
    RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140
    R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444
    FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:

    proc_create_data+0xbe/0x110 fs/proc/generic.c:585
    atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361
    atm_dev_register+0x46d/0x890 net/atm/resources.c:113
    atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369
    atmtcp_attach drivers/atm/atmtcp.c:403 [inline]
    atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464
    do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159
    sock_do_ioctl+0x115/0x280 net/socket.c:1190
    sock_ioctl+0x227/0x6b0 net/socket.c:1311
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:907 [inline]
    __se_sys_ioctl fs/ioctl.c:893 [inline]
    __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f38b3b74459
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459
    RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005
    RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f
    R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac
    R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-38248

Publication date:
09/07/2025
In the Linux kernel, the following vulnerability has been resolved:

bridge: mcast: Fix use-after-free during router port configuration

The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry.

When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list:

    # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1
    # ip link add name dummy1 up master br1 type dummy
    # ip link set dev dummy1 type bridge_slave mcast_router 2
    $ bridge -d mdb show | grep router
    router ports on br1: dummy1
    # ip link set dev br1 type bridge mcast_vlan_snooping 1
    $ bridge -d mdb show | grep router

However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled:

    # ip link set dev dummy1 type bridge_slave mcast_router 0
    # ip link set dev dummy1 type bridge_slave mcast_router 2
    $ bridge -d mdb show | grep router
    router ports on br1: dummy1

Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example):

    # ip link del dev dummy1
    # ip link add name dummy2 up master br1 type dummy
    # ip link set dev dummy2 type bridge_slave mcast_router 2

Similarly, stale entries can also be found in the per-VLAN router port list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list:

    # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1
    # ip link add name dummy1 up master br1 type dummy
    # bridge vlan add vid 2 dev dummy1
    # bridge vlan global set vid 2 dev br1 mcast_snooping 1
    # bridge vlan set vid 2 dev dummy1 mcast_router 2
    $ bridge vlan global show dev br1 vid 2 | grep router
    router ports: dummy1
    # ip link set dev br1 type bridge mcast_vlan_snooping 0
    $ bridge vlan global show dev br1 vid 2 | grep router

However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled:

    # bridge vlan set vid 2 dev dummy1 mcast_router 0
    # bridge vlan set vid 2 dev dummy1 mcast_router 2
    $ bridge vlan global show dev br1 vid 2 | grep router
    router ports: dummy1

When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example):

    # ip link add name dummy2 up master br1 type dummy
    # bridge vlan add vid 2 dev dummy2
    # bridge vlan del vid 2 dev dummy1
    # bridge vlan set vid 2 dev dummy2 mcast_router 2

Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context.

Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2).

[1]

    BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560
    Write of size 8 at addr ffff888004a67328 by task ip/384
    [...]
    Call Trace:

    dump_stack
    ---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2025-38238

Publication date:
09/07/2025
In the Linux kernel, the following vulnerability has been resolved:

scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out

When both the RHBA and RPA FDMI requests time out, fnic reuses a frame to send ABTS for each of them. On send completion, this causes an attempt to free the same frame twice that leads to a crash.

Fix crash by allocating separate frames for RHBA and RPA, and modify ABTS logic accordingly.

Tested by checking MDS for FDMI information.

Tested by using instrumented driver to:

- Drop PLOGI response
- Drop RHBA response
- Drop RPA response
- Drop RHBA and RPA response
- Drop PLOGI response + ABTS response
- Drop RHBA response + ABTS response
- Drop RPA response + ABTS response
- Drop RHBA and RPA response + ABTS response for both of them
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38239

Publication date:
09/07/2025
In the Linux kernel, the following vulnerability has been resolved:

scsi: megaraid_sas: Fix invalid node index

On a system with DRAM interleave enabled, out-of-bound access is detected:

    megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0
    ------------[ cut here ]------------
    UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28
    index -1 is out of range for type 'cpumask *[1024]'
    dump_stack_lvl+0x5d/0x80
    ubsan_epilogue+0x5/0x2b
    __ubsan_handle_out_of_bounds.cold+0x46/0x4b
    megasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas]
    megasas_probe_one.cold+0xa4d/0x189c [megaraid_sas]
    local_pci_probe+0x42/0x90
    pci_device_probe+0xdc/0x290
    really_probe+0xdb/0x340
    __driver_probe_device+0x78/0x110
    driver_probe_device+0x1f/0xa0
    __driver_attach+0xba/0x1c0
    bus_for_each_dev+0x8b/0xe0
    bus_add_driver+0x142/0x220
    driver_register+0x72/0xd0
    megasas_init+0xdf/0xff0 [megaraid_sas]
    do_one_initcall+0x57/0x310
    do_init_module+0x90/0x250
    init_module_from_file+0x85/0xc0
    idempotent_init_module+0x114/0x310
    __x64_sys_finit_module+0x65/0xc0
    do_syscall_64+0x82/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix it accordingly.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2025

CVE-2025-3497

Publication date:
09/07/2025
The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-3498

Publication date:
09/07/2025
An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). An attacker can use these APIs to get access to all system settings, modify the configuration and execute some commands (e.g., system reboot).
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-3499

Publication date:
09/07/2025
The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary commands that are executed with administrative permissions by the underlying operating system.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-7379

Publication date:
09/07/2025
A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.
Severity CVSS v4.0: MEDIUM
Last modification:
10/07/2025

CVE-2025-27028

Publication date:
09/07/2025
The Linux deprivileged user vpuser in Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) can read the entire file system content, including files belonging to other users and having restricted access (like, for example, the root password hash).
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-27027

Publication date:
09/07/2025
A user with vpuser credentials who opens an SSH connection to the device gets a restricted shell (rbash) that allows only a small list of commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the rbash restrictions.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2025-7220

Publication date:
09/07/2025
A vulnerability was found in Campcodes Payroll Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_deductions. The manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025