Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nexthop: Forbid FDB status change while nexthop is in a group<br /> <br /> The kernel forbids the creation of non-FDB nexthop groups with FDB<br /> nexthops:<br /> <br /> # ip nexthop add id 1 via 192.0.2.1 fdb<br /> # ip nexthop add id 2 group 1<br /> Error: Non FDB nexthop group cannot have fdb nexthops.<br /> <br /> And vice versa:<br /> <br /> # ip nexthop add id 3 via 192.0.2.2 dev dummy1<br /> # ip nexthop add id 4 group 3 fdb<br /> Error: FDB nexthop group can only have fdb nexthops.<br /> <br /> However, as long as no routes are pointing to a non-FDB nexthop group,<br /> the kernel allows changing the type of a nexthop from FDB to non-FDB and<br /> vice versa:<br /> <br /> # ip nexthop add id 5 via 192.0.2.2 dev dummy1<br /> # ip nexthop add id 6 group 5<br /> # ip nexthop replace id 5 via 192.0.2.2 fdb<br /> # echo $?<br /> 0<br /> <br /> This configuration is invalid and can result in a NPD [1] since FDB<br /> nexthops are not associated with a nexthop device:<br /> <br /> # ip route add 198.51.100.1/32 nhid 6<br /> # ping 198.51.100.1<br /> <br /> Fix by preventing nexthop FDB status change while the nexthop is in a<br /> group:<br /> <br /> # ip nexthop add id 7 via 192.0.2.2 dev dummy1<br /> # ip nexthop add id 8 group 7<br /> # ip nexthop replace id 7 via 192.0.2.2 fdb<br /> Error: Cannot change nexthop FDB status while in a group.<br /> <br /> [1]<br /> BUG: kernel NULL pointer dereference, address: 00000000000003c0<br /> [...]<br /> Oops: Oops: 0000 [#1] SMP<br /> CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014<br /> RIP: 0010:fib_lookup_good_nhc+0x1e/0x80<br /> [...]<br /> Call Trace:<br /> <br /> fib_table_lookup+0x541/0x650<br /> ip_route_output_key_hash_rcu+0x2ea/0x970<br /> ip_route_output_key_hash+0x55/0x80<br /> __ip4_datagram_connect+0x250/0x330<br /> udp_connect+0x2b/0x60<br /> __sys_connect+0x9c/0xd0<br /> __x64_sys_connect+0x18/0x20<br /> do_syscall_64+0xa4/0x2a0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbcon: fix integer overflow in fbcon_do_set_font<br /> <br /> Fix integer overflow vulnerabilities in fbcon_do_set_font() where font<br /> size calculations could overflow when handling user-controlled font<br /> parameters.<br /> <br /> The vulnerabilities occur when:<br /> 1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount<br /> multiplication with user-controlled values that can overflow.<br /> 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow<br /> 3. This results in smaller allocations than expected, leading to buffer<br /> overflows during font data copying.<br /> <br /> Add explicit overflow checking using check_mul_overflow() and<br /> check_add_overflow() kernel helpers to safety validate all size<br /> calculations before allocation.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommufd: Fix race during abort for file descriptors<br /> <br /> fput() doesn&amp;#39;t actually call file_operations release() synchronously, it<br /> puts the file on a work queue and it will be released eventually.<br /> <br /> This is normally fine, except for iommufd the file and the iommufd_object<br /> are tied to gether. The file has the object as it&amp;#39;s private_data and holds<br /> a users refcount, while the object is expected to remain alive as long as<br /> the file is.<br /> <br /> When the allocation of a new object aborts before installing the file it<br /> will fput() the file and then go on to immediately kfree() the obj. This<br /> causes a UAF once the workqueue completes the fput() and tries to<br /> decrement the users refcount.<br /> <br /> Fix this by putting the core code in charge of the file lifetime, and call<br /> __fput_sync() during abort to ensure that release() is called before<br /> kfree. __fput_sync() is a bit too tricky to open code in all the object<br /> implementations. Instead the objects tell the core code where the file<br /> pointer is and the core will take care of the life cycle.<br /> <br /> If the object is successfully allocated then the file will hold a users<br /> refcount and the iommufd_object cannot be destroyed.<br /> <br /> It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn&amp;#39;t have an<br /> issue because close() is already using a synchronous version of fput().<br /> <br /> The UAF looks like this:<br /> <br /> BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376<br /> Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164<br /> <br /> CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xcd/0x630 mm/kasan/report.c:482<br /> kasan_report+0xe0/0x110 mm/kasan/report.c:595<br /> check_region_inline mm/kasan/generic.c:183 [inline]<br /> kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189<br /> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]<br /> atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]<br /> __refcount_dec include/linux/refcount.h:455 [inline]<br /> refcount_dec include/linux/refcount.h:476 [inline]<br /> iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376<br /> __fput+0x402/0xb70 fs/file_table.c:468<br /> task_work_run+0x14d/0x240 kernel/task_work.c:227<br /> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]<br /> exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43<br /> exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]<br /> syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]<br /> syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]<br /> do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: add max boundary check for VF filters<br /> <br /> There is no check for max filters that VF can request. Add it.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: fix validation of VF state in get resources<br /> <br /> VF state I40E_VF_STATE_ACTIVE is not the only state in which<br /> VF is actually active so it should not be used to determine<br /> if a VF is allowed to obtain resources.<br /> <br /> Use I40E_VF_STATE_RESOURCES_LOADED that is set only in<br /> i40e_vc_get_vf_resources_msg() and cleared during reset.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: fix input validation logic for action_meta<br /> <br /> Fix condition to check &amp;#39;greater or equal&amp;#39; to prevent OOB dereference.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: fix idx validation in config queues msg<br /> <br /> Ensure idx is within range of active/initialized TCs when iterating over<br /> vf-&gt;ch[idx] in i40e_vc_config_queues_msg().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: fix idx validation in i40e_validate_queue_map<br /> <br /> Ensure idx is within range of active/initialized TCs when iterating over<br /> vf-&gt;ch[idx] in i40e_validate_queue_map().

*** Pendiente de traducción *** The Dynamically Display Posts plugin for WordPress is vulnerable to SQL Injection via the &amp;#39;tax_query&amp;#39; parameter in all versions up to, and including, 1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

*** Pendiente de traducción *** The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes.

*** Pendiente de traducción *** The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types.

*** Pendiente de traducción *** The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.