Vulnerabilities

Improper Control of Generation of Code ('Code Injection') vulnerability in pilgrimage233 Minecraft-Rcon-Manage.This issue affects Minecraft-Rcon-Manage: before 3.0.

improper pointer arithmetic<br /> <br /> vulnerability in ProjectSkyfire SkyFire_548.This issue affects SkyFire_548: before 5.4.8-stable5.

Out-of-bounds Read vulnerability in Rinnegatamante lpp-vita.This issue affects lpp-vita: before lpp-vita r6.

Access of Resource Using Incompatible Type (&amp;#39;Type Confusion&amp;#39;) vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.

Use-after-free in the Layout: Scrolling and Overflow component. This vulnerability affects Firefox

The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but @osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted.<br /> <br /> As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption.<br /> <br /> This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access.

Issue summary: An invalid or NULL pointer dereference can happen in<br /> an application processing a malformed PKCS#12 file.<br /> <br /> Impact summary: An application processing a malformed PKCS#12 file can be<br /> caused to dereference an invalid or NULL pointer on memory read, resulting<br /> in a Denial of Service.<br /> <br /> A type confusion vulnerability exists in PKCS#12 parsing code where<br /> an ASN1_TYPE union member is accessed without first validating the type,<br /> causing an invalid pointer read.<br /> <br /> The location is constrained to a 1-byte address space, meaning any<br /> attempted pointer manipulation can only target addresses between 0x00 and 0xFF.<br /> This range corresponds to the zero page, which is unmapped on most modern<br /> operating systems and will reliably result in a crash, leading only to a<br /> Denial of Service. Exploiting this issue also requires a user or application<br /> to process a maliciously crafted PKCS#12 file. It is uncommon to accept<br /> untrusted PKCS#12 files in applications as they are usually used to store<br /> private keys which are trusted by definition. For these reasons, the issue<br /> was assessed as Low severity.<br /> <br /> The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,<br /> as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.<br /> <br /> OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br /> <br /> OpenSSL 1.0.2 is not affected by this issue.

Loop with Unreachable Exit Condition (&amp;#39;Infinite Loop&amp;#39;) vulnerability in ixray-team ixray-1.6-stcop.This issue affects ixray-1.6-stcop: before 1.3.

Issue summary: A type confusion vulnerability exists in the signature<br /> verification of signed PKCS#7 data where an ASN1_TYPE union member is<br /> accessed without first validating the type, causing an invalid or NULL<br /> pointer dereference when processing malformed PKCS#7 data.<br /> <br /> Impact summary: An application performing signature verification of PKCS#7<br /> data or calling directly the PKCS7_digest_from_attributes() function can be<br /> caused to dereference an invalid or NULL pointer when reading, resulting in<br /> a Denial of Service.<br /> <br /> The function PKCS7_digest_from_attributes() accesses the message digest attribute<br /> value without validating its type. When the type is not V_ASN1_OCTET_STRING,<br /> this results in accessing invalid memory through the ASN1_TYPE union, causing<br /> a crash.<br /> <br /> Exploiting this vulnerability requires an attacker to provide a malformed<br /> signed PKCS#7 to an application that verifies it. The impact of the<br /> exploit is just a Denial of Service, the PKCS7 API is legacy and applications<br /> should be using the CMS API instead. For these reasons the issue was<br /> assessed as Low severity.<br /> <br /> The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,<br /> as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module<br /> boundary.<br /> <br /> OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously<br /> crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing<br /> non-ASCII BMP code point can trigger a one byte write before the allocated<br /> buffer.<br /> <br /> Impact summary: The out-of-bounds write can cause a memory corruption<br /> which can have various consequences including a Denial of Service.<br /> <br /> The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12<br /> BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,<br /> the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16<br /> source byte count as the destination buffer capacity to UTF8_putc(). For BMP<br /> code points above U+07FF, UTF-8 requires three bytes, but the forwarded<br /> capacity can be just two bytes. UTF8_putc() then returns -1, and this negative<br /> value is added to the output length without validation, causing the<br /> length to become negative. The subsequent trailing NUL byte is then written<br /> at a negative offset, causing write outside of heap allocated buffer.<br /> <br /> The vulnerability is reachable via the public PKCS12_get_friendlyname() API<br /> when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a<br /> different code path that avoids this issue, PKCS12_get_friendlyname() directly<br /> invokes the vulnerable function. Exploitation requires an attacker to provide<br /> a malicious PKCS#12 file to be parsed by the application and the attacker<br /> can just trigger a one zero byte write before the allocated buffer.<br /> For that reason the issue was assessed as Low severity according to our<br /> Security Policy.<br /> <br /> The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,<br /> as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.<br /> <br /> OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br /> <br /> OpenSSL 1.0.2 is not affected by this issue.

Issue summary: A type confusion vulnerability exists in the TimeStamp Response<br /> verification code where an ASN1_TYPE union member is accessed without first<br /> validating the type, causing an invalid or NULL pointer dereference when<br /> processing a malformed TimeStamp Response file.<br /> <br /> Impact summary: An application calling TS_RESP_verify_response() with a<br /> malformed TimeStamp Response can be caused to dereference an invalid or<br /> NULL pointer when reading, resulting in a Denial of Service.<br /> <br /> The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()<br /> access the signing cert attribute value without validating its type.<br /> When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory<br /> through the ASN1_TYPE union, causing a crash.<br /> <br /> Exploiting this vulnerability requires an attacker to provide a malformed<br /> TimeStamp Response to an application that verifies timestamp responses. The<br /> TimeStamp protocol (RFC 3161) is not widely used and the impact of the<br /> exploit is just a Denial of Service. For these reasons the issue was<br /> assessed as Low severity.<br /> <br /> The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,<br /> as the TimeStamp Response implementation is outside the OpenSSL FIPS module<br /> boundary.<br /> <br /> OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br /> <br /> OpenSSL 1.0.2 is not affected by this issue.

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer<br /> dereference in the PKCS12_item_decrypt_d2i_ex() function.<br /> <br /> Impact summary: A NULL pointer dereference can trigger a crash which leads to<br /> Denial of Service for an application processing PKCS#12 files.<br /> <br /> The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct<br /> parameter is NULL before dereferencing it. When called from<br /> PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can<br /> be NULL, causing a crash. The vulnerability is limited to Denial of Service<br /> and cannot be escalated to achieve code execution or memory disclosure.<br /> <br /> Exploiting this issue requires an attacker to provide a malformed PKCS#12 file<br /> to an application that processes it. For that reason the issue was assessed as<br /> Low severity according to our Security Policy.<br /> <br /> The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,<br /> as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.<br /> <br /> OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.