Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-30133

Publication date:
28/07/2025
An issue was discovered on IROAD Dashcam FX2 devices. Bypass of Device Pairing/Registration can occur. It requires device registration via the "IROAD X View" app for authentication, but its HTTP server lacks this restriction. Once connected to the dashcam's Wi-Fi network via the default password ("qwertyuiop"), an attacker can directly access the HTTP server at http://192.168.10.1 without undergoing the pairing process. Additionally, no alert is triggered on the device when an attacker connects, making this intrusion completely silent.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2025

CVE-2025-24485

Publication date:
28/07/2025
A server-side request forgery vulnerability exists in the cecho.php functionality of MedDream PACS Premium 7.3.5.860. A specially crafted HTTP request can lead to SSRF. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-54569

Publication date:
28/07/2025
In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2025

CVE-2025-8275

Publication date:
28/07/2025
A vulnerability, which was classified as problematic, has been found in bsc Peru Cocktails App 1.0.0 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component bsc.devy.peru_cocktails. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
29/07/2025

CVE-2025-4056

Publication date:
28/07/2025
A flaw was found in GLib. A denial of service on Windows platforms may occur if an application attempts to spawn a program using long command lines.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2026

CVE-2025-5997

Publication date:
28/07/2025
Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse. This issue affects PhishPro: before 7.5.4.2.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2025

CVE-2025-8274

Publication date:
28/07/2025
A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=save_recruitment_status. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
06/08/2025

CVE-2025-38491

Publication date:
28/07/2025
In the Linux kernel, the following vulnerability has been resolved:

mptcp: make fallback action and fallback decision atomic

Syzkaller reported the following splat:

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026

CVE-2025-38495

Publication date:
28/07/2025
In the Linux kernel, the following vulnerability has been resolved:

HID: core: ensure the allocated report buffer can contain the reserved report ID

When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer does not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026

CVE-2025-38497

Publication date:
28/07/2025
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: configfs: Fix OOB read on empty string write

When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero.

This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning immediately.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026

CVE-2025-38490

Publication date:
28/07/2025
In the Linux kernel, the following vulnerability has been resolved:

net: libwx: remove duplicate page_pool_put_full_page()

page_pool_put_full_page() should only be invoked when freeing Rx buffers or building a skb if the size is too short. At other times, the pages need to be reused. So remove the redundant page put. In the original code, double free pages cause kernel panic:

---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025

CVE-2025-38492

Publication date:
28/07/2025
In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix race between cache write completion and ALL_QUEUED being set

When netfslib is issuing subrequests, the subrequests start processing immediately and may complete before we reach the end of the issuing function. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED to indicate to the collector that we aren't going to issue any more subreqs and that it can do the final notifications and cleanup.

Now, this isn't a problem if the request is synchronous (NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be done in-thread and we're guaranteed an opportunity to run the collector.

However, if the request is asynchronous, collection is primarily triggered by the termination of subrequests queuing it on a workqueue. Now, a race can occur here if the app thread sets ALL_QUEUED after the last subrequest terminates.

This can happen most easily with the copy2cache code (as used by Ceph) where, in the collection routine of a read request, an asynchronous write request is spawned to copy data to the cache. Folios are added to the write request as they're unlocked, but there may be a delay before ALL_QUEUED is set as the write subrequests may complete before we get there.

If all the write subreqs have finished by the ALL_QUEUED point, no further events happen and the collection never happens, leaving the request hanging.

Fix this by queuing the collector after setting ALL_QUEUED. This is a bit heavy-handed and it may be sufficient to do it only if there are no extant subreqs.

Also add a tracepoint to cross-reference both requests in a copy-to-request operation and add a trace to the netfs_rreq tracepoint to indicate the setting of ALL_QUEUED.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2025