Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/x86: int3472: Fix double free of GPIO device during unregister<br /> <br /> regulator_unregister() already frees the associated GPIO device. On<br /> ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to<br /> random failures when other drivers (typically Intel THC) attempt to<br /> allocate interrupts. The root cause is that the reference count of the<br /> pinctrl_intel_platform module unexpectedly drops to zero when this<br /> driver defers its probe.<br /> <br /> This behavior can also be reproduced by unloading the module directly.<br /> <br /> Fix the issue by removing the redundant release of the GPIO device<br /> during regulator unregistration.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bridge: fix use-after-free due to MST port state bypass<br /> <br /> syzbot reported[1] a use-after-free when deleting an expired fdb. It is<br /> due to a race condition between learning still happening and a port being<br /> deleted, after all its fdbs have been flushed. The port&amp;#39;s state has been<br /> toggled to disabled so no learning should happen at that time, but if we<br /> have MST enabled, it will bypass the port&amp;#39;s state, that together with VLAN<br /> filtering disabled can lead to fdb learning at a time when it shouldn&amp;#39;t<br /> happen while the port is being deleted. VLAN filtering must be disabled<br /> because we flush the port VLANs when it&amp;#39;s being deleted which will stop<br /> learning. This fix adds a check for the port&amp;#39;s vlan group which is<br /> initialized to NULL when the port is getting deleted, that avoids the port<br /> state bypass. When MST is enabled there would be a minimal new overhead<br /> in the fast-path because the port&amp;#39;s vlan group pointer is cache-hot.<br /> <br /> [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gve: Implement settime64 with -EOPNOTSUPP<br /> <br /> ptp_clock_settime() assumes every ptp_clock has implemented settime64().<br /> Stub it with -EOPNOTSUPP to prevent a NULL dereference.

*** Pendiente de traducción *** A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. The affected element is an unknown function of the file /Admin/delete-fee.php of the component Fee Table Handler. Executing manipulation of the argument ID can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

*** Pendiente de traducción *** A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.

*** Pendiente de traducción *** A security flaw has been discovered in D-Link DIR-823X up to 20250416. This affects the function sub_415028 of the file /goform/set_wan_settings. The manipulation of the argument ppp_username results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xsk: avoid data corruption on cq descriptor number<br /> <br /> Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor<br /> production"), the descriptor number is stored in skb control block and<br /> xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto<br /> pool&amp;#39;s completion queue.<br /> <br /> skb control block shouldn&amp;#39;t be used for this purpose as after transmit<br /> xsk doesn&amp;#39;t have control over it and other subsystems could use it. This<br /> leads to the following kernel panic due to a NULL pointer dereference.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014<br /> RIP: 0010:xsk_destruct_skb+0xd0/0x180<br /> [...]<br /> Call Trace:<br /> <br /> ? napi_complete_done+0x7a/0x1a0<br /> ip_rcv_core+0x1bb/0x340<br /> ip_rcv+0x30/0x1f0<br /> __netif_receive_skb_one_core+0x85/0xa0<br /> process_backlog+0x87/0x130<br /> __napi_poll+0x28/0x180<br /> net_rx_action+0x339/0x420<br /> handle_softirqs+0xdc/0x320<br /> ? handle_edge_irq+0x90/0x1e0<br /> do_softirq.part.0+0x3b/0x60<br /> <br /> <br /> __local_bh_enable_ip+0x60/0x70<br /> __dev_direct_xmit+0x14e/0x1f0<br /> __xsk_generic_xmit+0x482/0xb70<br /> ? __remove_hrtimer+0x41/0xa0<br /> ? __xsk_generic_xmit+0x51/0xb70<br /> ? _raw_spin_unlock_irqrestore+0xe/0x40<br /> xsk_sendmsg+0xda/0x1c0<br /> __sys_sendto+0x1ee/0x200<br /> __x64_sys_sendto+0x24/0x30<br /> do_syscall_64+0x84/0x2f0<br /> ? __pfx_pollwake+0x10/0x10<br /> ? __rseq_handle_notify_resume+0xad/0x4c0<br /> ? restore_fpregs_from_fpstate+0x3c/0x90<br /> ? switch_fpu_return+0x5b/0xe0<br /> ? do_syscall_64+0x204/0x2f0<br /> ? do_syscall_64+0x204/0x2f0<br /> ? do_syscall_64+0x204/0x2f0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> [...]<br /> Kernel panic - not syncing: Fatal exception in interrupt<br /> Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)<br /> <br /> Instead use the skb destructor_arg pointer along with pointer tagging.<br /> As pointers are always aligned to 8B, use the bottom bit to indicate<br /> whether this a single address or an allocated struct containing several<br /> addresses.

*** Pendiente de traducción *** A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is an unknown function of the file /membership_profile.php of the component Your Info Handler. Performing manipulation of the argument Full Name/Address/City/State results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

*** Pendiente de traducción *** A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

*** Pendiente de traducción *** A flaw has been found in code-projects Question Paper Generator up to 1.0. This vulnerability affects unknown code of the file /selectquestionuser.php. This manipulation of the argument subid causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

*** Pendiente de traducción *** A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected by this vulnerability is an unknown functionality of the file /dishsub.php. The manipulation of the argument item.name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** A vulnerability has been found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected is an unknown function of the file /usersub.php of the component Request Pending Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.