Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT<br /> <br /> When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()<br /> with the proper length instead of 0. This bug triggers this warning<br /> on a system with IOMMU enabled:<br /> <br /> WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170<br /> RIP: 0010:__iommu_dma_unmap+0x159/0x170<br /> Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45<br /> b8 4c 89 45 c0 e9 77 ff ff ff 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00<br /> RSP: 0018:ff22d31181150c88 EFLAGS: 00010206<br /> RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000<br /> R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000<br /> R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00<br /> FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? show_regs+0x6d/0x80<br /> ? __warn+0x89/0x160<br /> ? __iommu_dma_unmap+0x159/0x170<br /> ? report_bug+0x17e/0x1b0<br /> ? handle_bug+0x46/0x90<br /> ? exc_invalid_op+0x18/0x80<br /> ? asm_exc_invalid_op+0x1b/0x20<br /> ? __iommu_dma_unmap+0x159/0x170<br /> ? __iommu_dma_unmap+0xb3/0x170<br /> iommu_dma_unmap_page+0x4f/0x100<br /> dma_unmap_page_attrs+0x52/0x220<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? xdp_return_frame+0x2e/0xd0<br /> bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]<br /> __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]<br /> bnxt_poll+0xd3/0x1e0 [bnxt_en]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()<br /> <br /> syzbot found a potential access to uninit-value in nf_flow_pppoe_proto()<br /> <br /> Blamed commit forgot the Ethernet header.<br /> <br /> BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27<br /> nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27<br /> nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]<br /> nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623<br /> nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]<br /> nf_ingress net/core/dev.c:5742 [inline]<br /> __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837<br /> __netif_receive_skb_one_core net/core/dev.c:5975 [inline]<br /> __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090<br /> netif_receive_skb_internal net/core/dev.c:6176 [inline]<br /> netif_receive_skb+0x57/0x630 net/core/dev.c:6235<br /> tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485<br /> tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938<br /> tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0xb4b/0x1580 fs/read_write.c:686<br /> ksys_write fs/read_write.c:738 [inline]<br /> __do_sys_write fs/read_write.c:749 [inline]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.<br /> <br /> sof_pdata-&gt;tplg_filename can have address allocated by kstrdup()<br /> and can be overwritten. Memory leak was detected with kmemleak:<br /> <br /> unreferenced object 0xffff88812391ff60 (size 16):<br /> comm "kworker/4:1", pid 161, jiffies 4294802931<br /> hex dump (first 16 bytes):<br /> 73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic.<br /> backtrace (crc 4bf1675c):<br /> __kmalloc_node_track_caller_noprof+0x49c/0x6b0<br /> kstrdup+0x46/0xc0<br /> hda_machine_select.cold+0x1de/0x12cf [snd_sof_intel_hda_generic]<br /> sof_init_environment+0x16f/0xb50 [snd_sof]<br /> sof_probe_continue+0x45/0x7c0 [snd_sof]<br /> sof_probe_work+0x1e/0x40 [snd_sof]<br /> process_one_work+0x894/0x14b0<br /> worker_thread+0x5e5/0xfb0<br /> kthread+0x39d/0x760<br /> ret_from_fork+0x31/0x70<br /> ret_from_fork_asm+0x1a/0x30

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Fix race between DIM disable and net_dim()<br /> <br /> There&amp;#39;s a race between disabling DIM and NAPI callbacks using the dim<br /> pointer on the RQ or SQ.<br /> <br /> If NAPI checks the DIM state bit and sees it still set, it assumes<br /> `rq-&gt;dim` or `sq-&gt;dim` is valid. But if DIM gets disabled right after<br /> that check, the pointer might already be set to NULL, leading to a NULL<br /> pointer dereference in net_dim().<br /> <br /> Fix this by calling `synchronize_net()` before freeing the DIM context.<br /> This ensures all in-progress NAPI callbacks are finished before the<br /> pointer is cleared.<br /> <br /> Kernel log:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> ...<br /> RIP: 0010:net_dim+0x23/0x190<br /> ...<br /> Call Trace:<br /> <br /> ? __die+0x20/0x60<br /> ? page_fault_oops+0x150/0x3e0<br /> ? common_interrupt+0xf/0xa0<br /> ? sysvec_call_function_single+0xb/0x90<br /> ? exc_page_fault+0x74/0x130<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? net_dim+0x23/0x190<br /> ? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core]<br /> ? sysvec_apic_timer_interrupt+0xb/0x90<br /> mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core]<br /> mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core]<br /> ? mlx5e_poll_ico_cq+0xe5/0x6f0 [mlx5_core]<br /> busy_poll_stop+0xa2/0x200<br /> ? mlx5e_napi_poll+0x1d9/0xac0 [mlx5_core]<br /> ? mlx5e_trigger_irq+0x130/0x130 [mlx5_core]<br /> __napi_busy_loop+0x345/0x3b0<br /> ? sysvec_call_function_single+0xb/0x90<br /> ? asm_sysvec_call_function_single+0x16/0x20<br /> ? sysvec_apic_timer_interrupt+0xb/0x90<br /> ? pcpu_free_area+0x1e4/0x2e0<br /> napi_busy_loop+0x11/0x20<br /> xsk_recvmsg+0x10c/0x130<br /> sock_recvmsg+0x44/0x70<br /> __sys_recvfrom+0xbc/0x130<br /> ? __schedule+0x398/0x890<br /> __x64_sys_recvfrom+0x20/0x30<br /> do_syscall_64+0x4c/0x100<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> ...<br /> ---[ end trace 0000000000000000 ]---<br /> ...<br /> ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: reject bs &gt; ps block devices when THP is disabled<br /> <br /> If THP is disabled and when a block device with logical block size &gt;<br /> page size is present, the following null ptr deref panic happens during<br /> boot:<br /> <br /> [ [13.2 mK AOSAN: null-ptr-deref in range [0x0000000000000000-0x0000000000K0 0 0[07]<br /> [ 13.017749] RIP: 0010:create_empty_buffers+0x3b/0x380<br /> <br /> [ 13.025448] Call Trace:<br /> [ 13.025692] <br /> [ 13.025895] block_read_full_folio+0x610/0x780<br /> [ 13.026379] ? __pfx_blkdev_get_block+0x10/0x10<br /> [ 13.027008] ? __folio_batch_add_and_move+0x1fa/0x2b0<br /> [ 13.027548] ? __pfx_blkdev_read_folio+0x10/0x10<br /> [ 13.028080] filemap_read_folio+0x9b/0x200<br /> [ 13.028526] ? __pfx_filemap_read_folio+0x10/0x10<br /> [ 13.029030] ? __filemap_get_folio+0x43/0x620<br /> [ 13.029497] do_read_cache_folio+0x155/0x3b0<br /> [ 13.029962] ? __pfx_blkdev_read_folio+0x10/0x10<br /> [ 13.030381] read_part_sector+0xb7/0x2a0<br /> [ 13.030805] read_lba+0x174/0x2c0<br /> <br /> [ 13.045348] nvme_scan_ns+0x684/0x850 [nvme_core]<br /> [ 13.045858] ? __pfx_nvme_scan_ns+0x10/0x10 [nvme_core]<br /> [ 13.046414] ? _raw_spin_unlock+0x15/0x40<br /> [ 13.046843] ? __switch_to+0x523/0x10a0<br /> [ 13.047253] ? kvm_clock_get_cycles+0x14/0x30<br /> [ 13.047742] ? __pfx_nvme_scan_ns_async+0x10/0x10 [nvme_core]<br /> [ 13.048353] async_run_entry_fn+0x96/0x4f0<br /> [ 13.048787] process_one_work+0x667/0x10a0<br /> [ 13.049219] worker_thread+0x63c/0xf60<br /> <br /> As large folio support depends on THP, only allow bs &gt; ps block devices<br /> if THP is enabled.

In high traffic environments, a Silicon Labs OpenThread RCP (see impacted versions) fails to clear the SPI transmit buffer and may send a corrupt packet over SPI to its host,  causing the host to reset the RCP which results in a denial of service.

A client-side security misconfiguration vulnerability exists in OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. This omission weakens browser-level defenses and exposes users to cross-site scripting (XSS), clickjacking, and referer leakage. Although some instances attempt to enforce CSP via HTML tags, this method is ineffective, as modern browsers rely on header-based enforcement to reliably block inline scripts and untrusted resources.

An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.

A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority, as it is a duplicate of CVE-2025-53692 and CVE-2025-53694.

An information disclosure vulnerability exits in Sitecore JSS React Sample Application 11.0.0 - 14.0.1 that may cause page content intended for one user to be shown to another user.

A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected.