Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/vkms: Fix memory leak in vkms_init()<br /> <br /> A memory leak was reported after the vkms module install failed.<br /> <br /> unreferenced object 0xffff88810bc28520 (size 16):<br /> comm "modprobe", pid 9662, jiffies 4298009455 (age 42.590s)<br /> hex dump (first 16 bytes):<br /> 01 01 00 64 81 88 ff ff 00 00 dc 0a 81 88 ff ff ...d............<br /> backtrace:<br /> [] kmalloc_trace+0x27/0x60<br /> [] 0xffffffffc45200a9<br /> [] do_one_initcall+0xd0/0x4f0<br /> [] do_init_module+0x1a4/0x680<br /> [] load_module+0x6249/0x7110<br /> [] __do_sys_finit_module+0x140/0x200<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> The reason is that the vkms_init() returns without checking the return<br /> value of vkms_create(), and if the vkms_create() failed, the config<br /> allocated at the beginning of vkms_init() is leaked.<br /> <br /> vkms_init()<br /> config = kmalloc(...) # config allocated<br /> ...<br /> return vkms_create() # vkms_create failed and config is leaked<br /> <br /> Fix this problem by checking return value of vkms_create() and free the<br /> config if error happened.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix the assign logic of iocb<br /> <br /> commit 18ae8d12991b ("f2fs: show more DIO information in tracepoint")<br /> introduces iocb field in &amp;#39;f2fs_direct_IO_enter&amp;#39; trace event<br /> And it only assigns the pointer and later it accesses its field<br /> in trace print log.<br /> <br /> Unable to handle kernel paging request at virtual address ffffffc04cef3d30<br /> Mem abort info:<br /> ESR = 0x96000007<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> <br /> pc : trace_raw_output_f2fs_direct_IO_enter+0x54/0xa4<br /> lr : trace_raw_output_f2fs_direct_IO_enter+0x2c/0xa4<br /> sp : ffffffc0443cbbd0<br /> x29: ffffffc0443cbbf0 x28: ffffff8935b120d0 x27: ffffff8935b12108<br /> x26: ffffff8935b120f0 x25: ffffff8935b12100 x24: ffffff8935b110c0<br /> x23: ffffff8935b10000 x22: ffffff88859a936c x21: ffffff88859a936c<br /> x20: ffffff8935b110c0 x19: ffffff8935b10000 x18: ffffffc03b195060<br /> x17: ffffff8935b11e76 x16: 00000000000000cc x15: ffffffef855c4f2c<br /> x14: 0000000000000001 x13: 000000000000004e x12: ffff0000ffffff00<br /> x11: ffffffef86c350d0 x10: 00000000000010c0 x9 : 000000000fe0002c<br /> x8 : ffffffc04cef3d28 x7 : 7f7f7f7f7f7f7f7f x6 : 0000000002000000<br /> x5 : ffffff8935b11e9a x4 : 0000000000006250 x3 : ffff0a00ffffff04<br /> x2 : 0000000000000002 x1 : ffffffef86a0a31f x0 : ffffff8935b10000<br /> Call trace:<br /> trace_raw_output_f2fs_direct_IO_enter+0x54/0xa4<br /> print_trace_fmt+0x9c/0x138<br /> print_trace_line+0x154/0x254<br /> tracing_read_pipe+0x21c/0x380<br /> vfs_read+0x108/0x3ac<br /> ksys_read+0x7c/0xec<br /> __arm64_sys_read+0x20/0x30<br /> invoke_syscall+0x60/0x150<br /> el0_svc_common.llvm.1237943816091755067+0xb8/0xf8<br /> do_el0_svc+0x28/0xa0<br /> <br /> Fix it by copying the required variables for printing and while at<br /> it fix the similar issue at some other places in the same file.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vhost/vsock: Use kvmalloc/kvfree for larger packets.<br /> <br /> When copying a large file over sftp over vsock, data size is usually 32kB,<br /> and kmalloc seems to fail to try to allocate 32 32kB regions.<br /> <br /> vhost-5837: page allocation failure: order:4, mode:0x24040c0<br /> Call Trace:<br /> [] dump_stack+0x97/0xdb<br /> [] warn_alloc_failed+0x10f/0x138<br /> [] ? __alloc_pages_direct_compact+0x38/0xc8<br /> [] __alloc_pages_nodemask+0x84c/0x90d<br /> [] alloc_kmem_pages+0x17/0x19<br /> [] kmalloc_order_trace+0x2b/0xdb<br /> [] __kmalloc+0x177/0x1f7<br /> [] ? copy_from_iter+0x8d/0x31d<br /> [] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock]<br /> [] vhost_worker+0xf7/0x157 [vhost]<br /> [] kthread+0xfd/0x105<br /> [] ? vhost_dev_set_owner+0x22e/0x22e [vhost]<br /> [] ? flush_kthread_worker+0xf3/0xf3<br /> [] ret_from_fork+0x4e/0x80<br /> [] ? flush_kthread_worker+0xf3/0xf3<br /> <br /> Work around by doing kvmalloc instead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Validate BOOT record_size<br /> <br /> When the NTFS BOOT record_size field record_bits calculation through blksize_bits() assumes<br /> the size always &gt; 256, which could lead to NPD while mounting a<br /> malformed NTFS image.<br /> <br /> [ 318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158<br /> [ 318.675682] #PF: supervisor read access in kernel mode<br /> [ 318.675869] #PF: error_code(0x0000) - not-present page<br /> [ 318.676246] PGD 0 P4D 0<br /> [ 318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [ 318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5<br /> [ 318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014<br /> [ 318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0<br /> [ 318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180<br /> [ 318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246<br /> [ 318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080<br /> [ 318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [ 318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000<br /> [ 318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080<br /> [ 318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000<br /> [ 318.683618] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000<br /> [ 318.684280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0<br /> [ 318.685623] Call Trace:<br /> [ 318.686607] <br /> [ 318.686872] ? ntfs_alloc_inode+0x1a/0x60<br /> [ 318.687235] attr_load_runs_vcn+0x2b/0xa0<br /> [ 318.687468] mi_read+0xbb/0x250<br /> [ 318.687576] ntfs_iget5+0x114/0xd90<br /> [ 318.687750] ntfs_fill_super+0x588/0x11b0<br /> [ 318.687953] ? put_ntfs+0x130/0x130<br /> [ 318.688065] ? snprintf+0x49/0x70<br /> [ 318.688164] ? put_ntfs+0x130/0x130<br /> [ 318.688256] get_tree_bdev+0x16a/0x260<br /> [ 318.688407] vfs_get_tree+0x20/0xb0<br /> [ 318.688519] path_mount+0x2dc/0x9b0<br /> [ 318.688877] do_mount+0x74/0x90<br /> [ 318.689142] __x64_sys_mount+0x89/0xd0<br /> [ 318.689636] do_syscall_64+0x3b/0x90<br /> [ 318.689998] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [ 318.690318] RIP: 0033:0x7fd9e133c48a<br /> [ 318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008<br /> [ 318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5<br /> [ 318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a<br /> [ 318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0<br /> [ 318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020<br /> [ 318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0<br /> [ 318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff<br /> [ 318.693007] <br /> [ 318.693271] Modules linked in:<br /> [ 318.693614] CR2: 0000000000000158<br /> [ 318.694446] ---[ end trace 0000000000000000 ]---<br /> [ 318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0<br /> [ 318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180<br /> [ 318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246<br /> [ 318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080<br /> [ 318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [ 318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000<br /> [ 318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080<br /> [ 318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000<br /> [ 318.700973] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000<br /> [<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpasim: fix memory leak when freeing IOTLBs<br /> <br /> After commit bda324fd037a ("vdpasim: control virtqueue support"),<br /> vdpasim-&gt;iommu became an array of IOTLB, so we should clean the<br /> mappings of each free one by one instead of just deleting the ranges<br /> in the first IOTLB which may leak maps.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> clk: socfpga: Fix memory leak in socfpga_gate_init()<br /> <br /> Free @socfpga_clk and @ops on the error path to avoid memory leak issue.

feiskyer mcp-kubernetes-server through 0.1.11 does not consider chained commands in the implementation of --disable-write and --disable-delete, e.g., it allows a "kubectl version; kubectl delete pod" command because the first word (i.e., "version") is not a write or delete operation.

feiskyer mcp-kubernetes-server through 0.1.11 allows OS command injection, even in read-only mode, via /mcp/kubectl because shell=True is used. NOTE: this is unrelated to mcp-server-kubernetes and CVE-2025-53355.

A flaw has been found in Campcodes Online Job Finder System 1.0. This affects an unknown function of the file /index.php?q=result&amp;searchfor=bycompany. This manipulation of the argument Search causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.

An issue was discovered in the methods push.lite.avtech.com.AvtechLib.GetHttpsResponse and push.lite.avtech.com.Push_HttpService.getNewHttpClient in AVTECH EagleEyes 2.0.0. The methods set ALLOW_ALL_HOSTNAME_VERIFIER, bypassing domain validation.

An issue was discovered in the method push.lite.avtech.com.AvtechLib.GetHttpsResponse in AVTECH EagleEyes Lite 2.0.0, the GetHttpsResponse method transmits sensitive information - including internal server URLs, account IDs, passwords, and device tokens - as plaintext query parameters over HTTPS

An issue was discovered in the method push.lite.avtech.com.MySSLSocketFactoryNew.checkServerTrusted in AVTECH EagleEyes 2.0.0. The custom X509TrustManager used in checkServerTrusted only checks the certificate&amp;#39;s expiration date, skipping proper TLS chain validation.