Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/gma500: Fix null dereference in hdmi teardown<br /> <br /> pci_set_drvdata sets the value of pdev-&gt;driver_data to NULL,<br /> after which the driver_data obtained from the same dev is<br /> dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is<br /> extracted from it. To prevent this, swap these calls.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Svacer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: fix warning in smc_rx_splice() when calling get_page()<br /> <br /> smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are<br /> later passed to get_page() in smc_rx_splice(). Since kmalloc memory is<br /> not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents<br /> holding a refcount on the buffer. This can lead to use-after-free if<br /> the memory is released before splice_to_pipe() completes.<br /> <br /> Use folio_alloc() instead, ensuring DMBs are page-backed and safe for<br /> get_page().<br /> <br /> WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]<br /> CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE<br /> Hardware name: IBM 3931 A01 704 (z/VM 7.4.0)<br /> Krnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])<br /> R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3<br /> Krnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005<br /> 0000000000000001 001cee80007d3006 0007740000001000 001c000000000000<br /> 000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000<br /> 000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8<br /> Krnl Code: 0007931610326960: af000000 mc 0,0<br /> 0007931610326964: a7f4ff43 brc 15,00079316103267ea<br /> #0007931610326968: af000000 mc 0,0<br /> &gt;000793161032696c: a7f4ff3f brc 15,00079316103267ea<br /> 0007931610326970: e320f1000004 lg %r2,256(%r15)<br /> 0007931610326976: c0e53fd1b5f5 brasl %r14,000793168fd5d560<br /> 000793161032697c: a7f4fbb5 brc 15,00079316103260e6<br /> 0007931610326980: b904002b lgr %r2,%r11<br /> Call Trace:<br /> smc_rx_splice+0xafc/0xe20 [smc]<br /> smc_rx_splice+0x756/0xe20 [smc])<br /> smc_rx_recvmsg+0xa74/0xe00 [smc]<br /> smc_splice_read+0x1ce/0x3b0 [smc]<br /> sock_splice_read+0xa2/0xf0<br /> do_splice_read+0x198/0x240<br /> splice_file_to_pipe+0x7e/0x110<br /> do_splice+0x59e/0xde0<br /> __do_splice+0x11a/0x2d0<br /> __s390x_sys_splice+0x140/0x1f0<br /> __do_syscall+0x122/0x280<br /> system_call+0x6e/0x90<br /> Last Breaking-Event-Address:<br /> smc_rx_splice+0x960/0xe20 [smc]<br /> ---[ end trace 0000000000000000 ]---

An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 9110, W920, W930, Modem 5123, and Modem 5300. Incorrect handling of RLC AM PDUs leads to a Denial of Service.

NetBird VPN when installed using vendor&amp;#39;s provided script failed to remove or change default password of an admin account created by ZITADEL.<br /> This issue affects instances installed using vendor&amp;#39;s provided script. This issue may affect instances created with Docker if the default password was not changed nor the user was removed.<br /> <br /> This issue has been fixed in version 0.57.0

An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 9110, W920, W930, Modem 5123, and Modem 5300. Incorrect handling of RLC AM PDUs leads to a Denial of Service.

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The absence of a NULL check leads to a Denial of Service when an attacker sends malformed MM packets to the target.

Authorization Bypass Through User-Controlled Key vulnerability in VHS Electronic Software Ltd. Co. ACE Center allows Privilege Abuse, Exploitation of Trusted Identifiers.This issue affects ACE Center: from 3.10.100.1768 before 3.10.161.2255.

A Cross-Site Scripting (XSS) vulnerability exists in Bhabishya-123 E-commerce 1.0, specifically within the index endpoint. Unsanitized input in the /index parameter is directly reflected back into the response HTML, allowing attackers to execute arbitrary JavaScript in the browser of a user who visits a malicious link or submits a crafted request.

An arbitrary code execution vulnerability exists in the git functionality of Truffle Security Co. TruffleHog 3.90.2. A specially crafted repository can lead to a arbitrary code execution. An attacker can provide a malicious respository to trigger this vulnerability.

Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.<br /> Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.<br /> Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.

Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials.

An issue was discovered in Dolby UDC 4.5 through 4.13. A crash of the DD+ decoder process can occur when a malformed DD+ bitstream is processed. When Evolution data is processed by evo_priv.c from the DD+ bitstream, the decoder writes that data into a buffer. The length calculation for a write can overflow due to an integer wraparound. This can lead to the allocated buffer being too small, and the out-of-bounds check of the subsequent write to be ineffective, leading to an out-of-bounds write.