Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: fix validation of VF state in get resources<br /> <br /> VF state I40E_VF_STATE_ACTIVE is not the only state in which<br /> VF is actually active so it should not be used to determine<br /> if a VF is allowed to obtain resources.<br /> <br /> Use I40E_VF_STATE_RESOURCES_LOADED that is set only in<br /> i40e_vc_get_vf_resources_msg() and cleared during reset.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: fix input validation logic for action_meta<br /> <br /> Fix condition to check &amp;#39;greater or equal&amp;#39; to prevent OOB dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: fix idx validation in config queues msg<br /> <br /> Ensure idx is within range of active/initialized TCs when iterating over<br /> vf-&gt;ch[idx] in i40e_vc_config_queues_msg().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: fix idx validation in i40e_validate_queue_map<br /> <br /> Ensure idx is within range of active/initialized TCs when iterating over<br /> vf-&gt;ch[idx] in i40e_validate_queue_map().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbcon: fix integer overflow in fbcon_do_set_font<br /> <br /> Fix integer overflow vulnerabilities in fbcon_do_set_font() where font<br /> size calculations could overflow when handling user-controlled font<br /> parameters.<br /> <br /> The vulnerabilities occur when:<br /> 1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount<br /> multiplication with user-controlled values that can overflow.<br /> 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow<br /> 3. This results in smaller allocations than expected, leading to buffer<br /> overflows during font data copying.<br /> <br /> Add explicit overflow checking using check_mul_overflow() and<br /> check_add_overflow() kernel helpers to safety validate all size<br /> calculations before allocation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommufd: Fix race during abort for file descriptors<br /> <br /> fput() doesn&amp;#39;t actually call file_operations release() synchronously, it<br /> puts the file on a work queue and it will be released eventually.<br /> <br /> This is normally fine, except for iommufd the file and the iommufd_object<br /> are tied to gether. The file has the object as it&amp;#39;s private_data and holds<br /> a users refcount, while the object is expected to remain alive as long as<br /> the file is.<br /> <br /> When the allocation of a new object aborts before installing the file it<br /> will fput() the file and then go on to immediately kfree() the obj. This<br /> causes a UAF once the workqueue completes the fput() and tries to<br /> decrement the users refcount.<br /> <br /> Fix this by putting the core code in charge of the file lifetime, and call<br /> __fput_sync() during abort to ensure that release() is called before<br /> kfree. __fput_sync() is a bit too tricky to open code in all the object<br /> implementations. Instead the objects tell the core code where the file<br /> pointer is and the core will take care of the life cycle.<br /> <br /> If the object is successfully allocated then the file will hold a users<br /> refcount and the iommufd_object cannot be destroyed.<br /> <br /> It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn&amp;#39;t have an<br /> issue because close() is already using a synchronous version of fput().<br /> <br /> The UAF looks like this:<br /> <br /> BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376<br /> Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164<br /> <br /> CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xcd/0x630 mm/kasan/report.c:482<br /> kasan_report+0xe0/0x110 mm/kasan/report.c:595<br /> check_region_inline mm/kasan/generic.c:183 [inline]<br /> kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189<br /> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]<br /> atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]<br /> __refcount_dec include/linux/refcount.h:455 [inline]<br /> refcount_dec include/linux/refcount.h:476 [inline]<br /> iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376<br /> __fput+0x402/0xb70 fs/file_table.c:468<br /> task_work_run+0x14d/0x240 kernel/task_work.c:227<br /> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]<br /> exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43<br /> exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]<br /> syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]<br /> syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]<br /> do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

The Dynamically Display Posts plugin for WordPress is vulnerable to SQL Injection via the &amp;#39;tax_query&amp;#39; parameter in all versions up to, and including, 1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes.

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types.

The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.0. This is due to the plugin assigning the editor role by default. While limitations with respect to capabilities are put in place, use of the API is not restricted. This vulnerability can be leveraged together with CVE-2025-6038 to obtain admin privileges.

In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameters verification wasn&amp;#39;t enough, allowing an attacker to obtain an arbitrary memory read/write.