Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_qfq: do not free existing class in qfq_change_class()<br /> <br /> Fixes qfq_change_class() error case.<br /> <br /> cl-&gt;qdisc and cl should only be freed if a new class and qdisc<br /> were allocated, or we risk various UAF.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> macvlan: fix possible UAF in macvlan_forward_source()<br /> <br /> Add RCU protection on (struct macvlan_source_entry)-&gt;vlan.<br /> <br /> Whenever macvlan_hash_del_source() is called, we must clear<br /> entry-&gt;vlan pointer before RCU grace period starts.<br /> <br /> This allows macvlan_forward_source() to skip over<br /> entries queued for freeing.<br /> <br /> Note that macvlan_dev are already RCU protected, as they<br /> are embedded in a standard netdev (netdev_priv(ndev)).<br /> <br /> https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: tegra-adma: Fix use-after-free<br /> <br /> A use-after-free bug exists in the Tegra ADMA driver when audio streams<br /> are terminated, particularly during XRUN conditions. The issue occurs<br /> when the DMA buffer is freed by tegra_adma_terminate_all() before the<br /> vchan completion tasklet finishes accessing it.<br /> <br /> The race condition follows this sequence:<br /> <br /> 1. DMA transfer completes, triggering an interrupt that schedules the<br /> completion tasklet (tasklet has not executed yet)<br /> 2. Audio playback stops, calling tegra_adma_terminate_all() which<br /> frees the DMA buffer memory via kfree()<br /> 3. The scheduled tasklet finally executes, calling vchan_complete()<br /> which attempts to access the already-freed memory<br /> <br /> Since tasklets can execute at any time after being scheduled, there is<br /> no guarantee that the buffer will remain valid when vchan_complete()<br /> runs.<br /> <br /> Fix this by properly synchronizing the virtual channel completion:<br /> - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the<br /> descriptors as terminated instead of freeing the descriptor.<br /> - Add the callback tegra_adma_synchronize() that calls<br /> vchan_synchronize() which kills any pending tasklets and frees any<br /> terminated descriptors.<br /> <br /> Crash logs:<br /> [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0<br /> [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0<br /> <br /> [ 337.427562] Call trace:<br /> [ 337.427564] dump_backtrace+0x0/0x320<br /> [ 337.427571] show_stack+0x20/0x30<br /> [ 337.427575] dump_stack_lvl+0x68/0x84<br /> [ 337.427584] print_address_description.constprop.0+0x74/0x2b8<br /> [ 337.427590] kasan_report+0x1f4/0x210<br /> [ 337.427598] __asan_load8+0xa0/0xd0<br /> [ 337.427603] vchan_complete+0x124/0x3b0<br /> [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0<br /> [ 337.427617] tasklet_action+0x30/0x40<br /> [ 337.427623] __do_softirq+0x1a0/0x5c4<br /> [ 337.427628] irq_exit+0x110/0x140<br /> [ 337.427633] handle_domain_irq+0xa4/0xe0<br /> [ 337.427640] gic_handle_irq+0x64/0x160<br /> [ 337.427644] call_on_irq_stack+0x20/0x4c<br /> [ 337.427649] do_interrupt_handler+0x7c/0x90<br /> [ 337.427654] el1_interrupt+0x30/0x80<br /> [ 337.427659] el1h_64_irq_handler+0x18/0x30<br /> [ 337.427663] el1h_64_irq+0x7c/0x80<br /> [ 337.427667] cpuidle_enter_state+0xe4/0x540<br /> [ 337.427674] cpuidle_enter+0x54/0x80<br /> [ 337.427679] do_idle+0x2e0/0x380<br /> [ 337.427685] cpu_startup_entry+0x2c/0x70<br /> [ 337.427690] rest_init+0x114/0x130<br /> [ 337.427695] arch_call_rest_init+0x18/0x24<br /> [ 337.427702] start_kernel+0x380/0x3b4<br /> [ 337.427706] __primary_switched+0xc0/0xc8

*** Pendiente de traducción *** Deep Instinct Windows Agent 1.2.24.0 contains an unquoted service path vulnerability in the DeepNetworkService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepNetworkService.exe to inject malicious code that would execute with LocalSystem permissions during service startup.

*** Pendiente de traducción *** KMSpico 17.1.0.0 contains an unquoted service path vulnerability in the Service KMSELDI configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\KMSpico\Service_KMS.exe to inject malicious executables and escalate privileges.

*** Pendiente de traducción *** Magic Mouse 2 Utilities 2.20 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to inject malicious executables and gain elevated system privileges by placing a malicious file in the service path.

*** Pendiente de traducción *** Microvirt MEMU Play 3.7.0 contains an unquoted service path vulnerability in the MEmusvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with elevated LocalSystem privileges.

*** Pendiente de traducción *** HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges.

*** Pendiente de traducción *** SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users&amp;#39; browsers when the page is loaded.

*** Pendiente de traducción *** Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests.

*** Pendiente de traducción *** A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. This manipulation of the argument Hostname causes open redirect. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available.

*** Pendiente de traducción *** The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.