Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: validate the whole DACL before rewriting it in cifsacl<br /> <br /> build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a<br /> server-supplied dacloffset and then use the incoming ACL to rebuild the<br /> chmod/chown security descriptor.<br /> <br /> The original fix only checked that the struct smb_acl header fits before<br /> reading dacl_ptr-&gt;size or dacl_ptr-&gt;num_aces. That avoids the immediate<br /> header-field OOB read, but the rewrite helpers still walk ACEs based on<br /> pdacl-&gt;num_aces with no structural validation of the incoming DACL body.<br /> <br /> A malicious server can return a truncated DACL that still contains a<br /> header, claims one or more ACEs, and then drive<br /> replace_sids_and_copy_aces() or set_chmod_dacl() past the validated<br /> extent while they compare or copy attacker-controlled ACEs.<br /> <br /> Factor the DACL structural checks into validate_dacl(), extend them to<br /> validate each ACE against the DACL bounds, and use the shared validator<br /> before the chmod/chown rebuild paths. parse_dacl() reuses the same<br /> validator so the read-side parser and write-side rewrite paths agree on<br /> what constitutes a well-formed incoming DACL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/packet: fix TOCTOU race on mmap&amp;#39;d vnet_hdr in tpacket_snd()<br /> <br /> In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points<br /> directly into the mmap&amp;#39;d TX ring buffer shared with userspace. The<br /> kernel validates the header via __packet_snd_vnet_parse() but then<br /> re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent<br /> userspace thread can modify the vnet_hdr fields between validation<br /> and use, bypassing all safety checks.<br /> <br /> The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr<br /> to a stack-local variable. All other vnet_hdr consumers in the kernel<br /> (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX<br /> path is the only caller of virtio_net_hdr_to_skb() that reads directly<br /> from user-controlled shared memory.<br /> <br /> Fix this by copying vnet_hdr from the mmap&amp;#39;d ring buffer to a<br /> stack-local variable before validation and use, consistent with the<br /> approach used in packet_snd() and all other callers.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ccp: Don&amp;#39;t attempt to copy CSR to userspace if PSP command failed<br /> <br /> When retrieving the PEK CSR, don&amp;#39;t attempt to copy the blob to userspace<br /> if the firmware command failed. If the failure was due to an invalid<br /> length, i.e. the userspace buffer+length was too small, copying the number<br /> of bytes _firmware_ requires will overflow the kernel-allocated buffer and<br /> leak data to userspace.<br /> <br /> BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]<br /> BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]<br /> BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26<br /> Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405<br /> <br /> CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY<br /> Tainted: [U]=USER, [O]=OOT_MODULE<br /> Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120<br /> print_address_description ../mm/kasan/report.c:378 [inline]<br /> print_report+0xbc/0x260 ../mm/kasan/report.c:482<br /> kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595<br /> check_region_inline ../mm/kasan/generic.c:-1 [inline]<br /> kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200<br /> instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]<br /> _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]<br /> _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26<br /> copy_to_user ../include/linux/uaccess.h:236 [inline]<br /> sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872<br /> sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562<br /> vfs_ioctl ../fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl ../fs/ioctl.c:597 [inline]<br /> __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583<br /> do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> <br /> WARN if the driver says the command succeeded, but the firmware error code<br /> says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any<br /> firwmware error.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ccp: Don&amp;#39;t attempt to copy PDH cert to userspace if PSP command failed<br /> <br /> When retrieving the PDH cert, don&amp;#39;t attempt to copy the blobs to userspace<br /> if the firmware command failed. If the failure was due to an invalid<br /> length, i.e. the userspace buffer+length was too small, copying the number<br /> of bytes _firmware_ requires will overflow the kernel-allocated buffer and<br /> leak data to userspace.<br /> <br /> BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]<br /> BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]<br /> BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26<br /> Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033<br /> <br /> CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY<br /> Tainted: [U]=USER, [O]=OOT_MODULE<br /> Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120<br /> print_address_description ../mm/kasan/report.c:378 [inline]<br /> print_report+0xbc/0x260 ../mm/kasan/report.c:482<br /> kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595<br /> check_region_inline ../mm/kasan/generic.c:-1 [inline]<br /> kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200<br /> instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]<br /> _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]<br /> _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26<br /> copy_to_user ../include/linux/uaccess.h:236 [inline]<br /> sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347<br /> sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568<br /> vfs_ioctl ../fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl ../fs/ioctl.c:597 [inline]<br /> __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583<br /> do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> <br /> WARN if the driver says the command succeeded, but the firmware error code<br /> says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any<br /> firwmware error.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ccp: Don&amp;#39;t attempt to copy ID to userspace if PSP command failed<br /> <br /> When retrieving the ID for the CPU, don&amp;#39;t attempt to copy the ID blob to<br /> userspace if the firmware command failed. If the failure was due to an<br /> invalid length, i.e. the userspace buffer+length was too small, copying<br /> the number of bytes _firmware_ requires will overflow the kernel-allocated<br /> buffer and leak data to userspace.<br /> <br /> BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]<br /> BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]<br /> BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26<br /> Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388<br /> <br /> CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY<br /> Tainted: [U]=USER, [O]=OOT_MODULE<br /> Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120<br /> print_address_description ../mm/kasan/report.c:378 [inline]<br /> print_report+0xbc/0x260 ../mm/kasan/report.c:482<br /> kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595<br /> check_region_inline ../mm/kasan/generic.c:-1 [inline]<br /> kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200<br /> instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]<br /> _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]<br /> _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26<br /> copy_to_user ../include/linux/uaccess.h:236 [inline]<br /> sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222<br /> sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575<br /> vfs_ioctl ../fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl ../fs/ioctl.c:597 [inline]<br /> __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583<br /> do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> <br /> WARN if the driver says the command succeeded, but the firmware error code<br /> says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any<br /> firwmware error.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc: Fix missing validation of ticket length in non-XDR key preparsing<br /> <br /> In rxrpc_preparse(), there are two paths for parsing key payloads: the<br /> XDR path (for large payloads) and the non-XDR path (for payloads

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free<br /> <br /> Currently we execute `SET_NETDEV_DEV(dev, &amp;priv-&gt;lowerdev-&gt;dev)` for<br /> the virt_wifi net devices. However, unregistering a virt_wifi device in<br /> netdev_run_todo() can happen together with the device referenced by<br /> SET_NETDEV_DEV().<br /> <br /> It can result in use-after-free during the ethtool operations performed<br /> on a virt_wifi device that is currently being unregistered. Such a net<br /> device can have the `dev.parent` field pointing to the freed memory,<br /> but ethnl_ops_begin() calls `pm_runtime_get_sync(dev-&gt;dev.parent)`.<br /> <br /> Let&amp;#39;s remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0<br /> Read of size 2 at addr ffff88810cfc46f8 by task pm/606<br /> <br /> Call Trace:<br /> <br /> dump_stack_lvl+0x4d/0x70<br /> print_report+0x170/0x4f3<br /> ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> kasan_report+0xda/0x110<br /> ? __pm_runtime_resume+0xe2/0xf0<br /> ? __pm_runtime_resume+0xe2/0xf0<br /> __pm_runtime_resume+0xe2/0xf0<br /> ethnl_ops_begin+0x49/0x270<br /> ethnl_set_features+0x23c/0xab0<br /> ? __pfx_ethnl_set_features+0x10/0x10<br /> ? kvm_sched_clock_read+0x11/0x20<br /> ? local_clock_noinstr+0xf/0xf0<br /> ? local_clock+0x10/0x30<br /> ? kasan_save_track+0x25/0x60<br /> ? __kasan_kmalloc+0x7f/0x90<br /> ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0<br /> genl_family_rcv_msg_doit+0x1e7/0x2c0<br /> ? __pfx_genl_family_rcv_msg_doit+0x10/0x10<br /> ? __pfx_cred_has_capability.isra.0+0x10/0x10<br /> ? stack_trace_save+0x8e/0xc0<br /> genl_rcv_msg+0x411/0x660<br /> ? __pfx_genl_rcv_msg+0x10/0x10<br /> ? __pfx_ethnl_set_features+0x10/0x10<br /> netlink_rcv_skb+0x121/0x380<br /> ? __pfx_genl_rcv_msg+0x10/0x10<br /> ? __pfx_netlink_rcv_skb+0x10/0x10<br /> ? __pfx_down_read+0x10/0x10<br /> genl_rcv+0x23/0x30<br /> netlink_unicast+0x60f/0x830<br /> ? __pfx_netlink_unicast+0x10/0x10<br /> ? __pfx___alloc_skb+0x10/0x10<br /> netlink_sendmsg+0x6ea/0xbc0<br /> ? __pfx_netlink_sendmsg+0x10/0x10<br /> ? __futex_queue+0x10b/0x1f0<br /> ____sys_sendmsg+0x7a2/0x950<br /> ? copy_msghdr_from_user+0x26b/0x430<br /> ? __pfx_____sys_sendmsg+0x10/0x10<br /> ? __pfx_copy_msghdr_from_user+0x10/0x10<br /> ___sys_sendmsg+0xf8/0x180<br /> ? __pfx____sys_sendmsg+0x10/0x10<br /> ? __pfx_futex_wait+0x10/0x10<br /> ? fdget+0x2e4/0x4a0<br /> __sys_sendmsg+0x11f/0x1c0<br /> ? __pfx___sys_sendmsg+0x10/0x10<br /> do_syscall_64+0xe2/0x570<br /> ? exc_page_fault+0x66/0xb0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> This fix may be combined with another one in the ethtool subsystem:<br /> https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fuse: reject oversized dirents in page cache<br /> <br /> fuse_add_dirent_to_cache() computes a serialized dirent size from the<br /> server-controlled namelen field and copies the dirent into a single<br /> page-cache page. The existing logic only checks whether the dirent fits<br /> in the remaining space of the current page and advances to a fresh page<br /> if not. It never checks whether the dirent itself exceeds PAGE_SIZE.<br /> <br /> As a result, a malicious FUSE server can return a dirent with<br /> namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB<br /> page systems this causes memcpy() to overflow the cache page by 24 bytes<br /> into the following kernel page.<br /> <br /> Reject dirents that cannot fit in a single page before copying them into<br /> the readdir cache.

*** Pendiente de traducción *** A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.04.10 is able to mitigate this issue. The identifier of the patch is 0072d3488ae5b8d922d3ee87458d829993742a32. It is recommended to upgrade the affected component.

*** Pendiente de traducción *** A vulnerability was detected in Exiftool up to 13.53. Impacted is the function Process_mrld of the file lib/Image/ExifTool/GM.pm of the component JPEG/QuickTime/MOV/MP4. The manipulation of the argument -ee results in code injection. Attacking locally is a requirement. Upgrading to version 13.54 is recommended to address this issue. The patch is identified as 5a8b6b6ead12b39e3f32f978a4efd0233facbb01. It is suggested to upgrade the affected component. The fix in the source code mentions: "[J]ust to be safe, probably never happen".

*** Pendiente de traducción *** A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

*** Pendiente de traducción *** The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the &amp;#39;add_plugins_page&amp;#39; and &amp;#39;add_themes_page&amp;#39; functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.