Instituto Nacional de Ciberseguridad. INCIBE-CERT section

Vulnerabilities

To inform, warn and assist professionals regarding the latest security vulnerabilities in technology systems, we provide interested users with a database containing information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database) under a collaboration agreement, by which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used to facilitate the exchange of information between different databases and tools. Each listed vulnerability links to various sources of information, as well as to available patches or solutions provided by vendors and developers. Advanced searches are possible, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow down the results.

Through an RSS subscription or newsletters, it is possible to stay informed daily of the latest vulnerabilities added to the repository.

CVE-2026-11552

Publication date:
08/06/2026
Language:
English
*** Pending translation *** A vulnerability has been found in SourceCodester Online Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the argument raw_password with the input CICT_2026 leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names.
CVSS v4.0 severity: MEDIUM
Last modified:
08/06/2026

CVE-2026-11553

Publication date:
08/06/2026
Language:
English
*** Pending translation *** A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.
CVSS v4.0 severity: HIGH
Last modified:
08/06/2026

CVE-2026-11554

Publication date:
08/06/2026
Language:
English
*** Pending translation *** A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVSS v4.0 severity: LOW
Last modified:
08/06/2026

CVE-2026-11555

Publication date:
08/06/2026
Language:
English
*** Pending translation *** A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006. This issue affects some unknown processing of the file /etc/boa.conf of the component Web Interface. Such manipulation leads to least privilege violation. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is assessed as difficult. The exploit is publicly available and might be used.
CVSS v4.0 severity: LOW
Last modified:
08/06/2026

CVE-2026-48507

Publication date:
08/06/2026
Language:
English
*** Pending translation *** Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.
CVSS v3.1 severity: HIGH
Last modified:
08/06/2026

CVE-2026-46481

Publication date:
08/06/2026
Language:
English
*** Pending translation *** OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in request.connection.config.password and the ingestion bot JWT in openMetadataServerConnection.securityConfig.jwtToken. The leaked ingestion-bot token can then be reused as Authorization: Bearer to access sensitive service APIs with bot-level privileges. This issue has been patched in version 1.12.4.
CVSS v3.1 severity: HIGH
Last modified:
08/06/2026

CVE-2026-46311

Publication date:
08/06/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/userq: fix access to stale wptr mapping

Use drm_exec to take both locks i.e. vm root bo and wptr_obj bo to access the mapping data properly.

This fixes the security issue of unmapping the wptr_obj while a queue creation is in progress and passing other bo at same address.

(cherry picked from commit 1fc6c8ab45dbee096469c08c13f6099d57a52d6c)
Severity: Pending analysis
Last modified:
08/06/2026

CVE-2026-46312

Publication date:
08/06/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

media: videobuf2: Set vma_flags in vb2_dma_sg_mmap

vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not see a reason why vb2_dma_sg should behave differently. This avoids hitting `WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));` in drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of tree Apple ISP camera capture driver which uses vb2_dma_sg_memops.

    gst-launch-1.0 v4l2src ! gtk4paintablesink

There were discussions in [1] at the end of 2023 that mmap() on imported
---truncated---
Severity: Pending analysis
Last modified:
08/06/2026

CVE-2026-46313

Publication date:
08/06/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

media: intel/ipu6: fix error pointer dereference

In an error path isp->psys is confirmed to be an error pointer not NULL so this condition is true and the error pointer is dereferenced. So isp->psys should be set to NULL before going to out_ipu6_bus_del_devices.

Detected by Smatch:
drivers/media/pci/intel/ipu6/ipu6.c:690 ipu6_pci_probe() error: 'isp->psys' dereferencing possible ERR_PTR()

[Sakari Ailus: Fix commit message.]
Severity: Pending analysis
Last modified:
08/06/2026

CVE-2026-46314

Publication date:
08/06/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Reject empty multisync extension to prevent infinite loop

v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate-extension guard:

    if (se->in_sync_count || se->out_sync_count)
        return -EINVAL;

The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely.

Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector.
Severity: Pending analysis
Last modified:
08/06/2026

CVE-2026-46304

Publication date:
08/06/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the final controller reference through nvmet_cq_put(). If that triggers nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on the same nvmet-wq.

Call chain:

    nvmet_tcp_schedule_release_queue()
    kref_put(&queue->kref, nvmet_tcp_release_queue)
    nvmet_tcp_release_queue()
    queue_work(nvmet_wq, &queue->release_work) nvme_cq)
    nvmet_cq_destroy()
    nvmet_ctrl_put(cq->ctrl)
    nvmet_ctrl_free()
    flush_work(&ctrl->async_event_work) async_event_work);

This trips lockdep with a possible recursive locking warning.

---truncated---
Severity: Pending analysis
Last modified:
08/06/2026

CVE-2026-46305

Publication date:
08/06/2026
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

The return value of kzalloc_flex() is used without ensuring that the allocation succeeded, and the pointer is dereferenced unconditionally.

Guard the access to the allocated structure to avoid a potential NULL pointer dereference if the allocation fails.
Severity: Pending analysis
Last modified:
08/06/2026