Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-54237

Publication date:
16/09/2025
Substance3D - Stager versions 3.1.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2025

CVE-2025-10572

Publication date:
16/09/2025
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-9199. Reason: This candidate is a reservation duplicate of CVE-2025-9199. Notes: All CVE users should reference CVE-2025-9199 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2025

CVE-2025-59336

Publication date:
16/09/2025
Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.
Severity CVSS v4.0: MEDIUM
Last modification:
17/09/2025

CVE-2025-58174

Publication date:
16/09/2025
LDAP Account Manager (LAM) is a web frontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2025

CVE-2025-59160

Publication date:
16/09/2025
Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room. The issue has been patched and users should upgrade to 38.2.0. A workaround is to avoid using MatrixClient::getJoinedRooms in favor of getRooms() and filtering upgraded rooms separately.
Severity CVSS v4.0: LOW
Last modification:
17/09/2025

CVE-2025-59161

Publication date:
16/09/2025
Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room's entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker's room and restoring the original room.
Severity CVSS v4.0: LOW
Last modification:
17/09/2025

CVE-2025-59050

Publication date:
16/09/2025
Greenshot is an open source Windows screenshot utility. Greenshot 1.3.300 and earlier deserializes attacker-controlled data received in a WM_COPYDATA message using BinaryFormatter.Deserialize without prior validation or authentication, allowing a local process at the same integrity level to trigger arbitrary code execution inside the Greenshot process. The vulnerable logic resides in a WinForms WndProc handler for WM_COPYDATA (message 74) that copies the supplied bytes into a MemoryStream and invokes BinaryFormatter.Deserialize, and only afterward checks whether the specified channel is authorized. Because the authorization check occurs after deserialization, any gadget chain embedded in the serialized payload executes regardless of channel membership. A local attacker who can send WM_COPYDATA to the Greenshot main window can achieve in-process code execution, which may aid evasion of application control policies by running payloads within the trusted, signed Greenshot.exe process. This issue is fixed in version 1.3.301. No known workarounds exist.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2025

CVE-2025-59334

Publication date:
16/09/2025
Linkr is a lightweight file delivery system that downloads files from a webserver. Linkr versions through 2.0.0 do not verify the integrity or authenticity of .linkr manifest files before using their contents, allowing a tampered manifest to inject arbitrary file entries into a package distribution. An attacker can modify a generated .linkr manifest (for example by adding a new entry with a malicious URL) and when a user runs the extract command the client downloads the attacker-supplied file without verification. This enables arbitrary file injection and creates a potential path to remote code execution if a downloaded malicious binary or script is later executed. Version 2.0.1 adds a manifest integrity check that compares the checksum of the original author-created manifest to the one being extracted and aborts on mismatch, warning if no original manifest is hosted. Users should update to 2.0.1 or later. As a workaround prior to updating, use only trusted .linkr manifests, manually verify manifest integrity, and host manifests on trusted servers.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2025

CVE-2025-10492

Publication date:
16/09/2025
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
Severity CVSS v4.0: HIGH
Last modification:
14/10/2025

CVE-2025-43801

Publication date:
16/09/2025
Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to perform denial-of-service (DoS) attacks via a crafted XML-RPC request.
Severity CVSS v4.0: MEDIUM
Last modification:
12/12/2025

CVE-2023-53328

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Enhance sanity check while generating attr_list
ni_create_attr_list uses WARN_ON to catch error cases while generating attribute list, which only prints out stack trace and may not be enough. This replaces them with more proper error handling flow.
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2023-53329

Publication date:
16/09/2025
In the Linux kernel, the following vulnerability has been resolved:
workqueue: fix data race with the pwq->stats[] increment
KCSAN has discovered a data race in kernel/workqueue.c:2598:
    lockdep_invariant_state(true);
    → pwq->stats[PWQ_STAT_STARTED]++;
    trace_workqueue_execute_start(work);
    worker->current_func(work);
Moving pwq->stats[PWQ_STAT_STARTED]++; before the line
    raw_spin_unlock_irq(&pool->lock);
resolves the data race without performance penalty.
KCSAN detected at least one additional data race in code:
    trace_workqueue_execute_end(work, worker->current_func);
    → pwq->stats[PWQ_STAT_COM
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026