Vulnerabilidades

*** Pendiente de traducción *** An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi.

*** Pendiente de traducción *** An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi.

*** Pendiente de traducción *** An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi.

*** Pendiente de traducción *** Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

*** Pendiente de traducción *** Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

*** Pendiente de traducción *** Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

*** Pendiente de traducción *** TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition.

*** Pendiente de traducción *** OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.

*** Pendiente de traducción *** OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.

*** Pendiente de traducción *** OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.

*** Pendiente de traducción *** OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption<br /> <br /> The -EBUSY handling in tls_do_encryption(), introduced by commit<br /> 859054147318 ("net: tls: handle backlogging of crypto requests"), has<br /> a use-after-free due to double cleanup of encrypt_pending and the<br /> scatterlist entry.<br /> <br /> When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to<br /> the cryptd backlog and the async callback tls_encrypt_done() will be<br /> invoked upon completion. That callback unconditionally restores the<br /> scatterlist entry (sge-&gt;offset, sge-&gt;length) and decrements<br /> ctx-&gt;encrypt_pending. However, if tls_encrypt_async_wait() returns an<br /> error, the synchronous error path in tls_do_encryption() performs the<br /> same cleanup again, double-decrementing encrypt_pending and<br /> double-restoring the scatterlist.<br /> <br /> The double-decrement corrupts the encrypt_pending sentinel (initialized<br /> to 1), making tls_encrypt_async_wait() permanently skip the wait for<br /> pending async callbacks. A subsequent sendmsg can then free the<br /> tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still<br /> pending, resulting in a use-after-free when the callback fires on the<br /> freed record.<br /> <br /> Fix this by skipping the synchronous cleanup when the -EBUSY async<br /> wait returns an error, since the callback has already handled<br /> encrypt_pending and sge restoration.