{"resultsPerPage":851,"startIndex":0,"totalResults":851,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-01T23:33:17.239","vulnerabilities":[{"cve":{"id":"CVE-2024-26795","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-04-04T09:15:08.740","lastModified":"2026-06-01T17:16:27.390","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sparse-Memory/vmemmap out-of-bounds fix\n\nOffset vmemmap so that the first page of vmemmap will be mapped\nto the first page of physical memory in order to ensure that\nvmemmap’s bounds will be respected during\npfn_to_page()/page_to_pfn() operations.\nThe conversion macros will produce correct SV39/48/57 addresses\nfor every possible/valid DRAM_BASE inside the physical memory limits.\n\nv2:Address Alex's comments"},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: riscv: Sparse-Memory/vmemmap fuera de los límites corrige Offset vmemmap para que la primera página de vmemmap se asigne a la primera página de la memoria física para garantizar que vmemmap Los límites se respetarán durante las operaciones pfn_to_page()/page_to_pfn(). Las macros de conversión producirán direcciones SV39/48/57 correctas para cada DRAM_BASE posible/válida dentro de los límites de la memoria física. v2: Abordar los comentarios de Alex"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4","versionEndExcluding":"5.10.212","matchCriteriaId":"BEAE9FEA-B6FA-4969-92DF-2BA82E59C0AA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.151","matchCriteriaId":"EEAFD33E-C22F-4FB1-A417-9C96AB3E0358"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.81","matchCriteriaId":"EC825B0E-DFCA-4034-9B92-F111A4E2A732"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.21","matchCriteriaId":"B19074A2-9FE5-4E7D-9E2D-020F95013ADA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.9","matchCriteriaId":"1C538467-EDA0-4A9A-82EB-2925DE9FF827"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*","matchCriteriaId":"B9F4EA73-0894-400F-A490-3A397AB7A517"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*","matchCriteriaId":"056BD938-0A27-4569-B391-30578B309EE3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*","matchCriteriaId":"F02056A5-B362-4370-9FF8-6F0BD384D520"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*","matchCriteriaId":"62075ACE-B2A0-4B16-829D-B3DA5AE5CC41"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*","matchCriteriaId":"A780F817-2A77-4130-A9B7-5C25606314E3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*","matchCriteriaId":"AEB9199B-AB8F-4877-8964-E2BA95B5F15C"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]}]}},{"cve":{"id":"CVE-2021-47188","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-04-10T19:15:47.527","lastModified":"2026-06-01T17:16:21.090","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Improve SCSI abort handling\n\nThe following has been observed on a test setup:\n\nWARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c\nCall trace:\n ufshcd_queuecommand+0x468/0x65c\n scsi_send_eh_cmnd+0x224/0x6a0\n scsi_eh_test_devices+0x248/0x418\n scsi_eh_ready_devs+0xc34/0xe58\n scsi_error_handler+0x204/0x80c\n kthread+0x150/0x1b4\n ret_from_fork+0x10/0x30\n\nThat warning is triggered by the following statement:\n\n\tWARN_ON(lrbp->cmd);\n\nFix this warning by clearing lrbp->cmd from the abort handler."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: ufs: core: Mejorar el manejo de la interrupción de SCSI Se ha observado lo siguiente en una configuración de prueba: ADVERTENCIA: CPU: 4 PID: 250 en drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Rastreo de llamadas: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 Esa advertencia se activa por lo siguiente: declaración: WARN_ON(lrbp->cmd); Corrija esta advertencia borrando lrbp->cmd del controlador de aborto."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"5.15.5","matchCriteriaId":"3C95FCA8-3E24-46CE-91BF-CBED93B2065C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*","matchCriteriaId":"357AA433-37E8-4323-BFB2-3038D6E4B414"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3ff1f6b6ba6f97f50862aa50e79959cc8ddc2566","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/9491bc16082d9a402c9099acbfffc89af6f9316f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c36baca06efa833adaefba61f45fefdc49b6d070","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/3ff1f6b6ba6f97f50862aa50e79959cc8ddc2566","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/c36baca06efa833adaefba61f45fefdc49b6d070","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"]}]}},{"cve":{"id":"CVE-2024-26886","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-04-17T11:15:10.253","lastModified":"2026-06-01T17:16:28.063","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: af_bluetooth: Fix deadlock\n\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\n\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\n Not tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n \n __schedule+0x37d/0xa00\n schedule+0x32/0xe0\n __lock_sock+0x68/0xa0\n ? __pfx_autoremove_wake_function+0x10/0x10\n lock_sock_nested+0x43/0x50\n l2cap_sock_recv_cb+0x21/0xa0\n l2cap_recv_frame+0x55b/0x30a0\n ? psi_task_switch+0xeb/0x270\n ? finish_task_switch.isra.0+0x93/0x2a0\n hci_rx_work+0x33a/0x3f0\n process_one_work+0x13a/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe0/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n "},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: af_bluetooth: Reparar interbloqueo Intentar ejecutar sock_lock en .recvmsg puede causar un interbloqueo como se muestra a continuación, por lo que en lugar de usar sock_sock, usa sk_receive_queue.lock en bt_sock_ioctl para evitar el UAF: INFORMACIÓN: tarea kworker/u9:1:121 bloqueada durante más de 30 segundos. No contaminado 6.7.6-lemon #183 Cola de trabajo: hci0 hci_rx_work Seguimiento de llamadas: __schedule+0x37d/0xa00 Schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270? terminar_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 proceso_one_work+0x13a/0x2f0 trabajador_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 "}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.206","versionEndExcluding":"5.11","matchCriteriaId":"BF2B36A4-0863-4B10-93EA-AA0E9F9A22F0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.146","versionEndExcluding":"5.16","matchCriteriaId":"FAA2E1CA-770E-4B32-875B-D5C8778DB075"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.70","versionEndExcluding":"6.1.83","matchCriteriaId":"A79BE0FB-9E48-4970-B1FA-2455103632EA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.9","versionEndExcluding":"6.6.23","matchCriteriaId":"8D7CB827-BC7D-4E41-A05A-9860336AB3BC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.11","matchCriteriaId":"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.2","matchCriteriaId":"543A75FF-25B8-4046-A514-1EA8EDD87AB1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/60673f442984fe689d4127a5dd4be414247b3d67","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2024-27389","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-01T13:15:51.653","lastModified":"2026-06-01T17:16:28.447","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pstore: inode: solo se necesita d_invalidate(). La descarga de un backend modular de pstore con registros en pstorefs activaría la advertencia de doble caída de dput(): ADVERTENCIA: CPU: 0 PID: 2569 en fs/dcache.c:762 dput.part.0+0x3f3/0x410 Usar la combinación de d_drop()/dput() (como se menciona en Documentation/filesystems/vfs.rst) no es el enfoque correcto aquí, y conduce al problema de recuento de referencias visto anteriormente. Utilice d_invalidate() y actualice el código para no molestarse en buscar códigos de error que nunca sucederán. ---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.1.83","matchCriteriaId":"E8D30B4C-D66E-4ECB-8103-8CD9DFE724AA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.23","matchCriteriaId":"E00814DC-0BA7-431A-9926-80FEB4A96C68"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.11","matchCriteriaId":"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.2","matchCriteriaId":"543A75FF-25B8-4046-A514-1EA8EDD87AB1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d0ee2a8adb6673382cce8a4280e1ca0849b3b783","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-48703","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-03T16:15:08.650","lastModified":"2026-06-01T17:16:21.750","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR\n\nIn some case, the GDDV returns a package with a buffer which has\nzero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10).\n\nThen the data_vault_read() got NULL point dereference problem when\naccessing the 0x10 value in data_vault.\n\n[ 71.024560] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n\nThis patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or\nNULL value in data_vault."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/int340x_thermal: maneja data_vault cuando el valor es ZERO_SIZE_PTR. En algunos casos, el GDDV devuelve un paquete con un buffer que tiene longitud cero. Provoca que kmemdup() devuelva ZERO_SIZE_PTR (0x10). Luego, data_vault_read() tuvo un problema de desreferencia de punto NULL al acceder al valor 0x10 en data_vault. [71.024560] ERROR: desreferencia del puntero NULL del kernel, dirección: 00000000000000010 Este parche usa ZERO_OR_NULL_PTR() para verificar ZERO_SIZE_PTR o el valor NULL en data_vault."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.9","matchCriteriaId":"A99BA199-0BFA-4BF0-A0C7-3EBC72400E1B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*","matchCriteriaId":"E8BD11A3-8643-49B6-BADE-5029A0117325"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*","matchCriteriaId":"5F0AD220-F6A9-4012-8636-155F1B841FAD"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/39d5137085a6c37ace4680ee4d24020a4a03e7dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/722588f17fd3d3a127e50718ec2caf22bd7e9daa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2023-52682","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-17T15:15:19.427","lastModified":"2026-06-01T17:16:24.177","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to wait on block writeback for post_read case\n\nIf inode is compressed, but not encrypted, it missed to call\nf2fs_wait_on_block_writeback() to wait for GCed page writeback\nin IPU write path.\n\nThread A\t\t\t\tGC-Thread\n\t\t\t\t\t- f2fs_gc\n\t\t\t\t\t - do_garbage_collect\n\t\t\t\t\t - gc_data_segment\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t migrate normal cluster's block via\n\t\t\t\t\t meta_inode's page cache\n- f2fs_write_single_data_page\n - f2fs_do_write_data_page\n - f2fs_inplace_write_data\n - f2fs_submit_page_bio\n\nIRQ\n- f2fs_read_end_io\n\t\t\t\t\tIRQ\n\t\t\t\t\told data overrides new data due to\n\t\t\t\t\tout-of-order GC and common IO.\n\t\t\t\t\t- f2fs_read_end_io"},{"lang":"es","value":" En el kernel de Linux, se resolvió la siguiente vulnerabilidad: f2fs: corrección para esperar en la reescritura del bloque para el caso post_read. Si el inodo está comprimido, pero no encriptado, no llamó a f2fs_wait_on_block_writeback() para esperar la reescritura de la página GCed en la ruta de escritura de la IPU. Subproceso A GC-Thread - f2fs_gc - do_garbage_collect - gc_data_segment - move_data_block - f2fs_submit_page_write migra el bloque del clúster normal a través del caché de página de meta_inode - f2fs_write_single_data_page - f2fs_do_write_data_page - f2fs_inplace_write_data - f2fs_submit_page_bio IRQ - fs_read_end_io Los datos antiguos de IRQ anulan los datos nuevos debido a GC desordenado y común OÍ. - f2fs_read_end_io"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.1.75","matchCriteriaId":"13605B12-370B-4461-98FF-513B221402E5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.14","matchCriteriaId":"5C6B50A6-3D8B-4CE2-BDCC-A098609CBA14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.2","matchCriteriaId":"7229C448-E0C9-488B-8939-36BA5254065E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2bfe8fdb674f71747553a65f2ef27e14c8880655","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4535be48780431753505e74e1b1ad4836a189bc2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9bfd5ea71521d0e522ba581c6ccc5db93759c0c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f904c156d8011d8291ffd5b6b398f3747e294986","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4535be48780431753505e74e1b1ad4836a189bc2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9bfd5ea71521d0e522ba581c6ccc5db93759c0c3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f904c156d8011d8291ffd5b6b398f3747e294986","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2024-35865","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-19T09:15:08.033","lastModified":"2026-06-01T17:16:28.637","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en smb2_is_valid_oplock_break() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.85","matchCriteriaId":"B62CF0EC-6C39-4DAD-A6CC-C31C3277A460"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.26","matchCriteriaId":"C520696A-A594-4FFC-A32D-12DA535CE911"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.8.5","matchCriteriaId":"DBD6C99E-4250-4DFE-8447-FF2075939D10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*","matchCriteriaId":"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*","matchCriteriaId":"DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a710ef9e974f18232d2b9b19c90eda1a1167b2d4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2023-52737","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-21T16:15:13.667","lastModified":"2026-06-01T17:16:24.403","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: lock the inode in shared mode before starting fiemap\n\nCurrently fiemap does not take the inode's lock (VFS lock), it only locks\na file range in the inode's io tree. This however can lead to a deadlock\nif we have a concurrent fsync on the file and fiemap code triggers a fault\nwhen accessing the user space buffer with fiemap_fill_next_extent(). The\ndeadlock happens on the inode's i_mmap_lock semaphore, which is taken both\nby fsync and btrfs_page_mkwrite(). This deadlock was recently reported by\nsyzbot and triggers a trace like the following:\n\n task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]\n wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751\n lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742\n find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488\n writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863\n __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174\n extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091\n extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211\n do_writepages+0x3c3/0x680 mm/page-writeback.c:2581\n filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388\n __filemap_fdatawrite_range mm/filemap.c:421 [inline]\n filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439\n btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]\n start_ordered_ops fs/btrfs/file.c:1737 [inline]\n btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839\n generic_write_sync include/linux/fs.h:2885 [inline]\n btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684\n call_write_iter include/linux/fs.h:2189 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f7d4054e9b9\n RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9\n RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006\n RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69\n R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8\n \n INFO: task syz-executor361:5697 blocked for more than 145 seconds.\n Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004\n Call Trace:\n \n context_switch kernel/sched/core.c:5293 [inline]\n __schedule+0x995/0xe20 kernel/sched/core.c:6606\n schedule+0xcb/0x190 kernel/sched/core.c:6682\n rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095\n __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260\n btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526\n do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947\n wp_page_shared+0x15e/0x380 mm/memory.c:3295\n handle_pte_fault mm/memory.c:4949 [inline]\n __handle_mm_fault mm/memory.c:5073 [inline]\n handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219\n do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428\n handle_page_fault arch/x86/mm/fault.c:1519 [inline]\n exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575\n asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570\n RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233\n Code: 74 0a 89 (...)\n RSP: 0018:ffffc9000570f330 EFLAGS: 000502\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: bloquea el inodo en modo compartido antes de iniciar fiemap. Actualmente, fiemap no toma el bloqueo del inodo (bloqueo VFS), solo bloquea un rango de archivos en el árbol io del inodo. Sin embargo, esto puede llevar a un punto muerto si tenemos un fsync simultáneo en el archivo y el código fiemap desencadena una falla al acceder al búfer de espacio de usuario con fiemap_fill_next_extent(). El punto muerto ocurre en el semáforo i_mmap_lock del inodo, que es tomado tanto por fsync como por btrfs_page_mkwrite(). Syzbot informó recientemente de este punto muerto y activa un seguimiento como el siguiente: task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c: 5293 [en línea] __schedule+0x995/0xe20 kernel/sched/core.c:6606 Schedule+0xcb/0x190 kernel/sched/core.c:6682 wait_on_state fs/btrfs/extent-io-tree.c:707 [en línea] wait_extent_bit +0x577/0x6f0 fs/btrfs/extent-io-tree.c:751 lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742 find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488 writepage_delalloc +0x1ef/0x540 fs/btrfs/extent_io.c:1863 __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174 extensión_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091 extensión_writepages+0x219/0 x540 fs/btrfs/ extend_io.c:3211 do_writepages+0x3c3/0x680 mm/page-writeback.c:2581 filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388 __filemap_fdatawrite_range mm/filemap.c:421 [en línea] filemap_fdatawrite_range+0x175/0x200 mm/filemap .c:439 btrfs_fdatawrite_range fs/btrfs/file.c:3850 [en línea] start_ordered_ops fs/btrfs/file.c:1737 [en línea] btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839 generic_write_sync include/linux/fs .h:2885 [en línea] btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684 call_write_iter include/linux/fs.h:2189 [en línea] new_sync_write fs/read_write.c:491 [en línea] vfs_write+0x7dc/0xc50 fs/read_write.c:584 ksys_write+0x177/0x2a0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [en línea] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f7d4054e9b9 RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: fffffffffffffda 00007f7d405d87a0 RCX: 00007f7d4054e9b9 RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006 RBP: 00007f7d405a51d0 R08: 000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69 R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8 INFORMACIÓN: tarea syz-executor361:5697 bloqueada durante más de 145 segundos. No contaminado 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" desactiva este mensaje. tarea:syz-executor361 estado:D pila:21216 pid:5697 ppid:5119 banderas:0x00004004 Seguimiento de llamadas: context_switch kernel/sched/core.c:5293 [en línea] __schedule+0x995/0xe20 kernel/sched/core. c:6606 Schedule+0xcb/0x190 kernel/sched/core.c:6682 rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095 __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260 btrfs_page_mkwrite+0x417/ 0xc80 fs/btrfs/inode.c:8526 do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947 wp_page_shared+0x15e/0x380 mm/memory.c:3295 handle_pte_fault mm/memory.c:4949 [en línea] __handle_mm_fault mm/memory.c :5073 [en línea] handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219 do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428 handle_page_fault arch/x86/mm/fault.c:1519 [en línea] exc_page_fault+ 0x7a/0x110 arch/x86/mm/fault.c:1575 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S :233 Código: 74 0a 89 (...) RSP: 0018:ffffc9000570f330 EFLAGS: 000502 ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.13","matchCriteriaId":"9138AFE1-2E76-4732-AD8B-167AF50BB353"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*","matchCriteriaId":"FF501633-2F44-4913-A8EE-B021929F49F6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*","matchCriteriaId":"2BDA597B-CAC1-4DF0-86F0-42E142C654E9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*","matchCriteriaId":"725C78C9-12CE-406F-ABE8-0813A01D66E8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*","matchCriteriaId":"A127C155-689C-4F67-B146-44A57F4BFD85"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*","matchCriteriaId":"D34127CC-68F5-4703-A5F6-5006F803E4AE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*","matchCriteriaId":"4AB8D555-648E-4F2F-98BD-3E7F45BD12A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc7:*:*:*:*:*:*","matchCriteriaId":"C64BDD9D-C663-4E75-AE06-356EDC392B82"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/519b7e13b5ae8dd38da1e52275705343be6bb508","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d8c594da79bc0244e610a70594e824a401802be1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e425191073a80906d8502b5179471cc58b0b9e9a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/519b7e13b5ae8dd38da1e52275705343be6bb508","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d8c594da79bc0244e610a70594e824a401802be1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2024-36922","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-30T16:15:15.470","lastModified":"2026-06-01T17:16:28.843","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: read txq->read_ptr under lock\n\nIf we read txq->read_ptr without lock, we can read the same\nvalue twice, then obtain the lock, and reclaim from there\nto two different places, but crucially reclaim the same\nentry twice, resulting in the WARN_ONCE() a little later.\nFix that by reading txq->read_ptr under lock."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: iwlwifi: leer txq->read_ptr bajo bloqueo Si leemos txq->read_ptr sin bloqueo, podemos leer el mismo valor dos veces, luego obtener el bloqueo y reclamar desde allí a dos lugares diferentes, pero fundamentalmente reclama la misma entrada dos veces, lo que resulta en WARN_ONCE() un poco más tarde. Solucione eso leyendo txq->read_ptr bajo bloqueo."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.31","matchCriteriaId":"E3E590E3-9122-405E-A816-1B69540EC77D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.8.10","matchCriteriaId":"6A6B920C-8D8F-4130-86B4-AD334F4CF2E3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*","matchCriteriaId":"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/aab7b39fcac5f6165f6434bcbb56bb7865d4ad2b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f30e8af109818c9db08cbcc46eb9713fe4b530ba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/43d07103df670484cdd26f9588eabef80f69db89","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b83db8e756dec68a950ed2f056248b1704b3deaa","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c2ace6300600c634553657785dfe5ea0ed688ac2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-48816","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-07-16T12:15:05.687","lastModified":"2026-06-01T17:16:21.927","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: lock against ->sock changing during sysfs read\n\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\nSo it is important to hold that mutex. Otherwise a sysfs read can\ntrigger an oops.\nCommit 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before\nhandling sysfs reads\") appears to attempt to fix this problem, but it\nonly narrows the race window."},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: SUNRPC: bloqueo contra ->cambio de calcetín durante la lectura de sysfs ->sock se puede establecer en NULL de forma asincrónica a menos que se mantenga ->recv_mutex. Por eso es importante mantener ese mutex. De lo contrario, una lectura de sysfs puede provocar un error. El commit 17f09d3f619a (\"SUNRPC: compruebe si el xprt está conectado antes de manejar las lecturas sysfs\") parece intentar solucionar este problema, pero solo reduce la ventana de ejecución."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.67","versionEndExcluding":"5.11","matchCriteriaId":"7A76EA36-1A32-42E8-93FC-BF561EE04439"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13.19","versionEndExcluding":"5.16.10","matchCriteriaId":"08B7AA69-6FF6-4230-808E-4135D12B8FBD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*","matchCriteriaId":"7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*","matchCriteriaId":"E6E34B23-78B4-4516-9BD8-61B33F4AC49A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*","matchCriteriaId":"C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fdc42287ae3f8a35cc2098307f52d7864b4bc8ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}},{"cve":{"id":"CVE-2024-21182","sourceIdentifier":"secalert_us@oracle.com","published":"2024-07-16T23:15:22.660","lastModified":"2026-06-01T19:32:02.173","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."},{"lang":"es","value":"Vulnerabilidad en el producto Oracle WebLogic Server de Oracle Fusion Middleware (componente: Core). Las versiones compatibles que se ven afectadas son 12.2.1.4.0 y 14.1.1.0.0. Una vulnerabilidad fácilmente explotable permite que un atacante no autenticado con acceso a la red a través de T3, IIOP comprometa Oracle WebLogic Server. Los ataques exitosos a esta vulnerabilidad pueden resultar en un acceso no autorizado a datos críticos o un acceso completo a todos los datos accesibles de Oracle WebLogic Server. CVSS 3.1 Puntaje base 7.5 (Impactos en la confidencialidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."}],"metrics":{"cvssMetricV31":[{"source":"secalert_us@oracle.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"cisaExploitAdd":"2026-06-01","cisaActionDue":"2026-06-04","cisaRequiredAction":"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","cisaVulnerabilityName":"Oracle WebLogic Server Unspecified Vulnerability","weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*","matchCriteriaId":"4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*","matchCriteriaId":"04BCDC24-4A21-473C-8733-0D9CFB38A752"}]}]}],"references":[{"url":"https://www.oracle.com/security-alerts/cpujul2024.html","source":"secalert_us@oracle.com","tags":["Vendor Advisory"]},{"url":"https://www.oracle.com/security-alerts/cpujul2024.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21182","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"]}]}},{"cve":{"id":"CVE-2024-41079","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-07-29T15:15:15.457","lastModified":"2026-06-01T17:16:28.997","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: always initialize cqe.result\n\nThe spec doesn't mandate that the first two double words (aka results)\nfor the command queue entry need to be set to 0 when they are not\nused (not specified). Though, the target implemention returns 0 for TCP\nand FC but not for RDMA.\n\nLet's make RDMA behave the same and thus explicitly initializing the\nresult field. This prevents leaking any data from the stack."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvmet: inicializar siempre cqe.result La especificación no exige que las dos primeras palabras dobles (también conocidas como resultados) para la entrada de la cola de comandos deban establecerse en 0 cuando no lo están usado (no especificado). Sin embargo, la implementación de destino devuelve 0 para TCP y FC, pero no para RDMA. Hagamos que RDMA se comporte igual y así inicialicemos explícitamente el campo de resultado. Esto evita la fuga de datos de la pila."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.101","matchCriteriaId":"BC2B5B53-6D0E-4FA7-B414-71D3FF089CAA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.42","matchCriteriaId":"972274A2-D688-4C37-BE42-689B58B4C225"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.9.11","matchCriteriaId":"01E300B3-8B39-4A2D-8B03-4631433D3915"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*","matchCriteriaId":"2EBB4392-5FA6-4DA9-9772-8F9C750109FA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*","matchCriteriaId":"331C2F14-12C7-45D5-893D-8C52EE38EA10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*","matchCriteriaId":"3173713D-909A-4DD3-9DD4-1E171EB057EE"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c6a2cf8b0764f3ba7d9bff58c8775a6d4476bb29","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2024-43902","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-08-26T11:15:04.733","lastModified":"2026-06-01T17:16:29.457","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null checker before passing variables\n\nChecks null pointer before passing variables to functions.\n\nThis fixes 3 NULL_RETURNS issues reported by Coverity."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: agrega un verificador nulo antes de pasar variables Comprueba el puntero nulo antes de pasar variables a funciones. Esto soluciona 3 problemas NULL_RETURNS informados por Coverity."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.165","matchCriteriaId":"8647BEB2-97C3-4787-A05E-ED6B198C9374"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.105","matchCriteriaId":"89BEB24B-0F37-4C92-A397-564DA7CD8EE9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.46","matchCriteriaId":"FA11941E-81FB-484C-B583-881EEB488340"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10.5","matchCriteriaId":"D074AE50-4A5E-499C-A2FD-75FD60DEA560"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1686675405d07f35eae7ff3d13a530034b899df2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4cc2a94d96caeb3c975acdae7351c2f997c32175","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8092aa3ab8f7b737a34b71f91492c676a843043a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/83c7f509ef087041604e9572938f82e18b724c9d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d0b8b23b9c2ebec693a36fea518d8f13493ad655","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ea000e4b4ee5363997715531cb3d024b4e5d561c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2024-46770","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-09-18T08:15:04.957","lastModified":"2026-06-01T17:16:29.623","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add netif_device_attach/detach into PF reset flow\n\nEthtool callbacks can be executed while reset is in progress and try to\naccess deleted resources, e.g. getting coalesce settings can result in a\nNULL pointer dereference seen below.\n\nReproduction steps:\nOnce the driver is fully initialized, trigger reset:\n\t# echo 1 > /sys/class/net//device/reset\nwhen reset is in progress try to get coalesce settings using ethtool:\n\t# ethtool -c \n\nBUG: kernel NULL pointer dereference, address: 0000000000000020\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP PTI\nCPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7\nRIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]\nRSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206\nRAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000\nR13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40\nFS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0\nCall Trace:\n\nice_get_coalesce+0x17/0x30 [ice]\ncoalesce_prepare_data+0x61/0x80\nethnl_default_doit+0xde/0x340\ngenl_family_rcv_msg_doit+0xf2/0x150\ngenl_rcv_msg+0x1b3/0x2c0\nnetlink_rcv_skb+0x5b/0x110\ngenl_rcv+0x28/0x40\nnetlink_unicast+0x19c/0x290\nnetlink_sendmsg+0x222/0x490\n__sys_sendto+0x1df/0x1f0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x82/0x160\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7faee60d8e27\n\nCalling netif_device_detach() before reset makes the net core not call\nthe driver when ethtool command is issued, the attempt to execute an\nethtool command during reset will result in the following message:\n\n netlink error: No such device\n\ninstead of NULL pointer dereference. Once reset is done and\nice_rebuild() is executing, the netif_device_attach() is called to allow\nfor ethtool operations to occur again in a safe manner."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: Agregar netif_device_attach/detach en el flujo de reinicio de PF Las devoluciones de llamadas de Ethtool se pueden ejecutar mientras el reinicio está en progreso e intentar acceder a los recursos eliminados, por ejemplo, obtener configuraciones de coalesce puede resultar en una desreferencia de puntero NULL que se ve a continuación. Pasos de reproducción: Una vez que el controlador esté completamente inicializado, active el reinicio: # echo 1 > /sys/class/net//device/reset cuando el reinicio esté en progreso intente obtener la configuración de coalesce usando ethtool: # ethtool -c ERROR: desreferencia de puntero NULL del núcleo, dirección: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: GS 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 0000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 000000000000000 R08: 000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000080050033 CR2: 000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Seguimiento de llamadas: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e DESCANSE EN PÉRDIDA: 0033:0x7faee60d8e27 Llamar a netif_device_detach() antes del reinicio hace que el núcleo de red no llame al controlador cuando se emite el comando ethtool, el intento de ejecutar un comando ethtool durante el reinicio dará como resultado el siguiente mensaje: error de netlink: No existe dicho dispositivo en lugar de la desreferencia de puntero NULL. Una vez que se realiza el reinicio y se ejecuta ice_rebuild(), se llama a netif_device_attach() para permitir que las operaciones de ethtool se realicen nuevamente de manera segura."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.1.110","matchCriteriaId":"B5B79244-509A-41A4-94DD-97D80A01AB5A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.51","matchCriteriaId":"E4529134-BAC4-4776-840B-304009E181A0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10.10","matchCriteriaId":"ACDEE48C-137A-4731-90D0-A675865E1BED"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*","matchCriteriaId":"8B3CE743-2126-47A3-8B7C-822B502CF119"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*","matchCriteriaId":"4DEB27E7-30AA-45CC-8934-B89263EF3551"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*","matchCriteriaId":"E0005AEF-856E-47EB-BFE4-90C46899394D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*","matchCriteriaId":"39889A68-6D34-47A6-82FC-CD0BF23D6754"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*","matchCriteriaId":"B8383ABF-1457-401F-9B61-EE50F4C61F4F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*","matchCriteriaId":"B77A9280-37E6-49AD-B559-5B23A3B1DC3D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/36486c9e8e01b84faaee47203eac0b7e9cc7fa4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/721f27f489a47ed0d8690b73fc1f070c2eb180cf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e3ffb839249eca113062587659224f856fe14e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d11a67634227f9f9da51938af085fb41a733848f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/efe8effe138044a4747d1112ebb8c454d1663723","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2024-49925","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-10-21T18:15:14.540","lastModified":"2026-06-01T17:16:30.010","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: efifb: Register sysfs groups through driver core\n\nThe driver core can register and cleanup sysfs groups already.\nMake use of that functionality to simplify the error handling and\ncleanup.\n\nAlso avoid a UAF race during unregistering where the sysctl attributes\nwere usable after the info struct was freed."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fbdev: efifb: Registrar grupos sysfs a través del núcleo del controlador El núcleo del controlador ya puede registrar y limpiar grupos sysfs. Utilice esa funcionalidad para simplificar el manejo y la limpieza de errores. También evite una ejecución UAF durante la anulación del registro donde los atributos sysctl se podían usar después de que se liberara la estructura de información."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.55","matchCriteriaId":"8B527B5F-BDDA-424E-932E-16FCAAB575E2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10.14","matchCriteriaId":"4C16BCE0-FFA0-4599-BE0A-1FD65101C021"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.11.3","matchCriteriaId":"54D9C704-D679-41A7-9C40-10A6B1E7FFE9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2a9c40c72097b583b23aeb2a26d429ccfc81fbc1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2d97b85eb5a86766ad0f8ea3d121e6ae144e3ed8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/36bfefb6baaa8e46de44f4fd919ce4347337620f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4684d69b9670a83992189f6271dc0fcdec4ed0d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/872cd2d029d2c970a8a1eea88b48dab2b3f2e93a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/95cdd538e0e5677efbdf8aade04ec098ab98f457","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2024-50012","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-10-21T19:15:04.683","lastModified":"2026-06-01T17:16:30.267","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: Avoid a bad reference count on CPU node\n\nIn the parse_perf_domain function, if the call to\nof_parse_phandle_with_args returns an error, then the reference to the\nCPU device node that was acquired at the start of the function would not\nbe properly decremented.\n\nAddress this by declaring the variable with the __free(device_node)\ncleanup attribute."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cpufreq: evitar un recuento de referencia incorrecto en el nodo de CPU En la función parse_perf_domain, si la llamada a of_parse_phandle_with_args devuelve un error, la referencia al nodo de dispositivo de CPU que se adquirió al inicio de la función no se decrementaría correctamente. Aborde esto declarando la variable con el atributo de limpieza __free(device_node)."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.55","matchCriteriaId":"8B527B5F-BDDA-424E-932E-16FCAAB575E2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10.14","matchCriteriaId":"4C16BCE0-FFA0-4599-BE0A-1FD65101C021"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.11.3","matchCriteriaId":"54D9C704-D679-41A7-9C40-10A6B1E7FFE9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0f41f383b5a61a2bf6429a449ebba7fb08179d81","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2b846344b15f933a56903b7cdba9080f06c725ff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/47cb1d9278f179df8250304ec41009e3e836a926","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6c3d8387839252f1a0fc6367f314446e4a2ebd0b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/77f88b17387a017416babf1e6488fa17682287e2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c0f02536fffbbec71aced36d52a765f8c4493dc2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2024-53213","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-12-27T14:15:29.237","lastModified":"2026-06-01T17:16:30.667","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: Fix double free issue with interrupt buffer allocation\n\nIn lan78xx_probe(), the buffer `buf` was being freed twice: once\nimplicitly through `usb_free_urb(dev->urb_intr)` with the\n`URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused\na double free issue.\n\nTo resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to\nsimplify the initialization sequence and removed the redundant\n`kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring\nit is correctly managed by `usb_fill_int_urb()` and freed by\n`usb_free_urb()` as intended."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: usb: lan78xx: Se soluciona el problema de doble liberación con la asignación de búfer de interrupción En lan78xx_probe(), el búfer `buf` se liberaba dos veces: una vez implícitamente a través de `usb_free_urb(dev->urb_intr)` con el indicador `URB_FREE_BUFFER` y otra vez explícitamente por `kfree(buf)`. Esto causaba un problema de doble liberación. Para resolver esto, reordenamos las llamadas `kmalloc()` y `usb_alloc_urb()` para simplificar la secuencia de inicialización y eliminamos el `kfree(buf)` redundante. Ahora, `buf` se asigna después de `usb_alloc_urb()`, lo que garantiza que `usb_fill_int_urb()` lo administre correctamente y que `usb_free_urb()` lo libere como estaba previsto."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.1.120","matchCriteriaId":"DFA9B856-F80A-4A22-BC26-5EB65D554687"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.64","matchCriteriaId":"CA16DEE3-ABEC-4449-9F4A-7A3DC4FC36C7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.11.11","matchCriteriaId":"21434379-192D-472F-9B54-D45E3650E893"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.2","matchCriteriaId":"D8882B1B-2ABC-4838-AC1D-DBDBB5764776"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/03819abbeb11117dcbba40bfe322b88c0c88a6b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2970ef2fce90c661952ec2b451b0276d5f8d6180","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7ac9f3c981eeceee2ec4d30d850f4a6f50a1ec40","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/977128343fc2a30737399b58df8ea77e94f164bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a422ebec863d99d5607fb41bb7af3347fcb436d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b09512aea6223eec756f52aa584fc29eeab57480","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cc5aa8e3ad69dcedeba79e667d4a2efb72a305af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2024-53221","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-12-27T14:15:30.190","lastModified":"2026-06-01T17:16:30.917","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix null-ptr-deref in f2fs_submit_page_bio()\n\nThere's issue as follows when concurrently installing the f2fs.ko\nmodule and mounting the f2fs file system:\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nRIP: 0010:__bio_alloc+0x2fb/0x6c0 [f2fs]\nCall Trace:\n \n f2fs_submit_page_bio+0x126/0x8b0 [f2fs]\n __get_meta_page+0x1d4/0x920 [f2fs]\n get_checkpoint_version.constprop.0+0x2b/0x3c0 [f2fs]\n validate_checkpoint+0xac/0x290 [f2fs]\n f2fs_get_valid_checkpoint+0x207/0x950 [f2fs]\n f2fs_fill_super+0x1007/0x39b0 [f2fs]\n mount_bdev+0x183/0x250\n legacy_get_tree+0xf4/0x1e0\n vfs_get_tree+0x88/0x340\n do_new_mount+0x283/0x5e0\n path_mount+0x2b2/0x15b0\n __x64_sys_mount+0x1fe/0x270\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAbove issue happens as the biset of the f2fs file system is not\ninitialized before register \"f2fs_fs_type\".\nTo address above issue just register \"f2fs_fs_type\" at the last in\ninit_f2fs_fs(). Ensure that all f2fs file system resources are\ninitialized."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: corrección de null-ptr-deref en f2fs_submit_page_bio() Existe el siguiente problema al instalar simultáneamente el módulo f2fs.ko y montar el sistema de archivos f2fs: KASAN: null-ptr-deref en el rango [0x0000000000000020-0x0000000000000027] RIP: 0010:__bio_alloc+0x2fb/0x6c0 [f2fs] Seguimiento de llamadas: f2fs_submit_page_bio+0x126/0x8b0 [f2fs] __get_meta_page+0x1d4/0x920 [f2fs] get_checkpoint_version.constprop.0+0x2b/0x3c0 [f2fs] El problema anterior ocurre porque el biset del sistema de archivos f2fs no está configurado inicializado antes de registrar \"f2fs_fs_type\". Para solucionar el problema anterior, simplemente registre \"f2fs_fs_type\" al final de init_f2fs_fs(). Asegúrese de que todos los recursos del sistema de archivos f2fs estén inicializados."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.11.11","matchCriteriaId":"F6E5BC9C-2956-4725-8827-6A983AE003AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.2","matchCriteriaId":"D8882B1B-2ABC-4838-AC1D-DBDBB5764776"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/32f5e291b7677495f98246eec573767430321c08","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4289be8465924748daa9bf14866eb7f0987d4e39","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8dddc12d03248755d9f709bc1eb9e3ea2bf1b322","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e11b1d5fda972f6be60ab732976a7c8e064cd56","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b7d0a97b28083084ebdd8e5c6bccd12e6ec18faa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bd9197b72d772be7bccc3b66c83a3157cfe2f96f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2024-56647","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-12-27T15:15:24.467","lastModified":"2026-06-01T17:16:31.080","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix icmp host relookup triggering ip_rt_bug\n\narp link failure may trigger ip_rt_bug while xfrm enabled, call trace is:\n\nWARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20\nModules linked in:\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:ip_rt_bug+0x14/0x20\nCall Trace:\n \n ip_send_skb+0x14/0x40\n __icmp_send+0x42d/0x6a0\n ipv4_link_failure+0xe2/0x1d0\n arp_error_report+0x3c/0x50\n neigh_invalidate+0x8d/0x100\n neigh_timer_handler+0x2e1/0x330\n call_timer_fn+0x21/0x120\n __run_timer_base.part.0+0x1c9/0x270\n run_timer_softirq+0x4c/0x80\n handle_softirqs+0xac/0x280\n irq_exit_rcu+0x62/0x80\n sysvec_apic_timer_interrupt+0x77/0x90\n\nThe script below reproduces this scenario:\nip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \\\n\tdir out priority 0 ptype main flag localok icmp\nip l a veth1 type veth\nip a a 192.168.141.111/24 dev veth0\nip l s veth0 up\nping 192.168.141.155 -c 1\n\nicmp_route_lookup() create input routes for locally generated packets\nwhile xfrm relookup ICMP traffic.Then it will set input route\n(dst->out = ip_rt_bug) to skb for DESTUNREACH.\n\nFor ICMP err triggered by locally generated packets, dst->dev of output\nroute is loopback. Generally, xfrm relookup verification is not required\non loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1).\n\nSkip icmp relookup for locally generated packets to fix it."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: Fix icmp host relookup triggering ip_rt_bug arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is: ADVERTENCIA: CPU: 0 PID: 0 en net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20 Módulos vinculados en: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 No contaminado 6.12.0-rc6-00077-g2e1b3cc9d7f7 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 01/04/2014 RIP: 0010:ip_rt_bug+0x14/0x20 Seguimiento de llamadas: ip_send_skb+0x14/0x40 __icmp_send+0x42d/0x6a0 error de enlace ipv4+0xe2/0x1d0 informe de error arp+0x3c/0x50 invalidación vecinal+0x8d/0x100 controlador de temporizador vecinal+0x2e1/0x330 función de temporizador de llamada+0x21/0x120 __base de temporizador de ejecución.parte.0+0x1c9/0x270 temporizador de ejecución softirq+0x4c/0x80 controlador de softirqs+0xac/0x280 irq_exit_rcu+0x62/0x80 sysvec_apic_timer_interrupt+0x77/0x90 El script a continuación reproduce este escenario: ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \\ dir out priority 0 ptype main flag localok icmp ip la veth1 type veth ip aa 192.168.141.111/24 dev veth0 ip ls veth0 up ping 192.168.141.155 -c 1 icmp_route_lookup() crea rutas de entrada para paquetes generados localmente mientras xfrm vuelve a buscar tráfico ICMP. Luego, establecerá la ruta de entrada (dst->out = ip_rt_bug) en skb para DESTUNREACH. Para el error ICMP activado por paquetes generados localmente, dst->dev de la ruta de salida es loopback. En general, no se requiere la verificación de rebúsqueda de xfrm en interfaces de bucle invertido (net.ipv4.conf.lo.disable_xfrm = 1). Omita la rebúsqueda de ICMP para paquetes generados localmente para solucionarlo."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"6.12.5","matchCriteriaId":"C9393D06-5F2B-4F68-B5D5-C0819E4C7197"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*","matchCriteriaId":"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9545011e7b2a8fc0cbd6e387a09f12cd41d7d82f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c44daa7e3c73229f7ac74985acb8c7fb909c4e0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d50981aaaefc3b04490fbc8274d37881a2b1b112","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/da54b3039d436227deebbc202cefea63bd318a38","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2024-56657","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-12-27T15:15:25.543","lastModified":"2026-06-01T17:16:31.350","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: control: Avoid WARN() for symlink errors\n\nUsing WARN() for showing the error of symlink creations don't give\nmore information than telling that something goes wrong, since the\nusual code path is a lregister callback from each control element\ncreation. More badly, the use of WARN() rather confuses fuzzer as if\nit were serious issues.\n\nThis patch downgrades the warning messages to use the normal dev_err()\ninstead of WARN(). For making it clearer, add the function name to\nthe prefix, too."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: control: Evitar WARN() para errores de enlaces simbólicos El uso de WARN() para mostrar el error de creación de enlaces simbólicos no proporciona más información que la de indicar que algo va mal, ya que la ruta de código habitual es una devolución de llamada lregister desde cada creación de elemento de control. Lo que es peor, el uso de WARN() confunde bastante a fuzzer como si se tratara de problemas graves. Este parche degrada los mensajes de advertencia para utilizar el dev_err() normal en lugar de WARN(). Para que quede más claro, añade también el nombre de la función al prefijo."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.6.67","matchCriteriaId":"A31A6E27-005D-423F-9A6C-083C837A173D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.6","matchCriteriaId":"0CB1A9BB-F95E-43DD-A2FD-147912FD91E5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*","matchCriteriaId":"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*","matchCriteriaId":"5A073481-106D-4B15-B4C7-FB0213B8E1D4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/365ee29e559269cbb2108c4cc05dd8e262b4e84e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/36c0764474b637bbee498806485bed524cad486b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4e5a92a7223c83c1f5f2db6cd010ac9347948972","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b2e538a9827dd04ab5273bf4be8eb2edb84357b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d5a1ca7b59804d6779644001a878ed925a4688ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2024-56719","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-12-29T09:15:07.187","lastModified":"2026-06-01T17:16:31.690","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix TSO DMA API usage causing oops\n\nCommit 66600fac7a98 (\"net: stmmac: TSO: Fix unbalanced DMA map/unmap\nfor non-paged SKB data\") moved the assignment of tx_skbuff_dma[]'s\nmembers to be later in stmmac_tso_xmit().\n\nThe buf (dma cookie) and len stored in this structure are passed to\ndma_unmap_single() by stmmac_tx_clean(). The DMA API requires that\nthe dma cookie passed to dma_unmap_single() is the same as the value\nreturned from dma_map_single(). However, by moving the assignment\nlater, this is not the case when priv->dma_cap.addr64 > 32 as \"des\"\nis offset by proto_hdr_len.\n\nThis causes problems such as:\n\n dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed\n\nand with DMA_API_DEBUG enabled:\n\n DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]\n\nFix this by maintaining \"des\" as the original DMA cookie, and use\ntso_des to pass the offset DMA cookie to stmmac_tso_allocator().\n\nFull details of the crashes can be found at:\nhttps://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/\nhttps://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: stmmac: fix TSO DMA API usage burning cause oops Commit 66600fac7a98 (\"net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data\") movió la asignación de los miembros de tx_skbuff_dma[] para que sea posterior en stmmac_tso_xmit(). El buf (dma cookie) y len almacenados en esta estructura se pasan a dma_unmap_single() por stmmac_tx_clean(). La DMA API requiere que la dma cookie pasada a dma_unmap_single() sea la misma que el valor devuelto desde dma_map_single(). Sin embargo, al mover la asignación más tarde, este no es el caso cuando priv->dma_cap.addr64 > 32 como \"des\" es desplazado por proto_hdr_len. Esto causa problemas como: dwc-eth-dwmac 2490000.ethernet eth0: el mapa DMA de transmisión falló y con DMA_API_DEBUG habilitado: DMA-API: dwc-eth-dwmac 2490000.ethernet: el controlador del dispositivo intenta +liberar memoria DMA que no ha asignado [dirección del dispositivo=0x000000ffffcf65c0] [tamaño=66 bytes] Solucione esto manteniendo \"des\" como la cookie DMA original y use tso_des para pasar la cookie DMA de desplazamiento a stmmac_tso_allocator(). Los detalles completos de los fallos se pueden encontrar en: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.171","versionEndExcluding":"5.16","matchCriteriaId":"8FA383FE-32A6-400A-B7BA-ECFA9FEEF84B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.116","versionEndExcluding":"6.2","matchCriteriaId":"51279A02-DDC8-4302-8F88-6925DDDF4C99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.60","versionEndExcluding":"6.6.68","matchCriteriaId":"C18D359D-A98F-430F-85A0-CE282256CE09"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.7","versionEndExcluding":"6.12.7","matchCriteriaId":"958DC81D-98A5-4983-AF0B-9002CA50EA07"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*","matchCriteriaId":"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*","matchCriteriaId":"5A073481-106D-4B15-B4C7-FB0213B8E1D4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/05968b6dd0ffc65d7386608b11a11fb4fdfc9f36","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4c49f38e20a57f8abaebdf95b369295b153d1f8e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6abcdc9a73274052a9e96a1926994ecf9aedad82","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9d5dd7ccea1b46a9a7c6b3c2b9e5ed8864e185e2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/db3667c9bbfbbf5de98e6c9542f7e03fb5243286","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2024-56727","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-12-29T12:15:06.813","lastModified":"2026-06-01T17:16:31.927","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c\n\nAdding error pointer check after calling otx2_mbox_get_rsp()."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: octeontx2-pf: gestionar errores otx2_mbox_get_rsp en otx2_flows.c. Añadiendo comprobación de puntero de error después de llamar a otx2_mbox_get_rsp()."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"6.1.120","matchCriteriaId":"F74E4CA1-0407-4198-8012-2A7BB41D8B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.64","matchCriteriaId":"CA16DEE3-ABEC-4449-9F4A-7A3DC4FC36C7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.11.11","matchCriteriaId":"21434379-192D-472F-9B54-D45E3650E893"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.2","matchCriteriaId":"D8882B1B-2ABC-4838-AC1D-DBDBB5764776"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8c9f8b35dc3d4ad8053a72bc0c5a7843591f6b75","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a479b3d7586e6f77f8337bbcac980eaf2d0a4029","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bd3110bc102ab6292656b8118be819faa0de8dd0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c4eae7bac880edd88aaed6a8ec2997fa85e259c7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e3c4e78d636e6dbd8ed72e41b311de2bb7e0b699","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e5e60f17d2462ef5c13db4d1a54eef5778fd2295","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2024-47809","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-01-11T13:15:22.583","lastModified":"2026-06-01T17:16:29.807","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: fix possible lkb_resource null dereference\n\nThis patch fixes a possible null pointer dereference when this function is\ncalled from request_lock() as lkb->lkb_resource is not assigned yet,\nonly after validate_lock_args() by calling attach_lkb(). Another issue\nis that a resource name could be a non printable bytearray and we cannot\nassume to be ASCII coded.\n\nThe log functionality is probably never being hit when DLM is used in\nnormal way and no debug logging is enabled. The null pointer dereference\ncan only occur on a new created lkb that does not have the resource\nassigned yet, it probably never hits the null pointer dereference but we\nshould be sure that other changes might not change this behaviour and we\nactually can hit the mentioned null pointer dereference.\n\nIn this patch we just drop the printout of the resource name, the lkb id\nis enough to make a possible connection to a resource name if this\nexists."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dlm: arregla posible desreferencia nula de lkb_resource Este parche corrige una posible desreferencia de puntero nulo cuando se llama a esta función desde request_lock() ya que lkb->lkb_resource aún no está asignado, solo después de validar_lock_args() llamando a attached_lkb(). Otro problema es que un nombre de recurso podría ser un bytearray no imprimible y no podemos asumir que esté codificado en ASCII. Es probable que la funcionalidad de registro nunca se vea afectada cuando se usa DLM de forma normal y no se habilita ningún registro de depuración. La desreferencia de puntero nulo solo puede ocurrir en un lkb creado recientemente que aún no tenga el recurso asignado, probablemente nunca llegue a la desreferencia de puntero nulo, pero debemos estar seguros de que otros cambios podrían no cambiar este comportamiento y realmente podemos llegar a la desreferencia de puntero nulo mencionada. En este parche simplemente omitimos la impresión del nombre del recurso, el id de lkb es suficiente para hacer una posible conexión con un nombre de recurso si existe."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.66","matchCriteriaId":"90A079EF-8212-45DF-84FB-C525A64635B0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.5","matchCriteriaId":"9501D045-7A94-42CA-8B03-821BE94A65B7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2db11504ef82a60c1a2063ba7431a5cd013ecfcb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6fbdc3980b70e9c1c86eccea7d5ee68108008fa7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8d55ce46dd543c6965970ce70c22c3076dd35b1e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b98333c67daf887c724cd692e88e2db9418c0861","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e1ffea6bec96d4349dbfcc42ad3e436259f64243","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2024-57945","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-01-21T13:15:09.033","lastModified":"2026-06-01T17:16:32.197","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Fix the out of bound issue of vmemmap address\n\nIn sparse vmemmap model, the virtual address of vmemmap is calculated as:\n((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)).\nAnd the struct page's va can be calculated with an offset:\n(vmemmap + (pfn)).\n\nHowever, when initializing struct pages, kernel actually starts from the\nfirst page from the same section that phys_ram_base belongs to. If the\nfirst page's physical address is not (phys_ram_base >> PAGE_SHIFT), then\nwe get an va below VMEMMAP_START when calculating va for it's struct page.\n\nFor example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the\nfirst page in the same section is actually pfn 0x80000. During\ninit_unavailable_range(), we will initialize struct page for pfn 0x80000\nwith virtual address ((struct page *)VMEMMAP_START - 0x2000), which is\nbelow VMEMMAP_START as well as PCI_IO_END.\n\nThis commit fixes this bug by introducing a new variable\n'vmemmap_start_pfn' which is aligned with memory section size and using\nit to calculate vmemmap address instead of phys_ram_base."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: mm: Corrige el problema de salida de límites de la dirección vmemmap En el modelo vmemmap disperso, la dirección virtual de vmemmap se calcula como: ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)). Y la va de la página de estructura se puede calcular con un desplazamiento: (vmemmap + (pfn)). Sin embargo, al inicializar las páginas de estructura, el kernel en realidad comienza desde la primera página de la misma sección a la que pertenece phys_ram_base. Si la dirección física de la primera página no es (phys_ram_base >> PAGE_SHIFT), obtenemos una va por debajo de VMEMMAP_START al calcular la va para su página de estructura. Por ejemplo, si phys_ram_base comienza desde 0x82000000 con pfn 0x82000, la primera página en la misma sección es en realidad pfn 0x80000. Durante init_unavailable_range(), inicializaremos struct page para pfn 0x80000 con dirección virtual ((struct page *)VMEMMAP_START - 0x2000), que está debajo de VMEMMAP_START y PCI_IO_END. Esta confirmación corrige este error al introducir una nueva variable 'vmemmap_start_pfn' que está alineada con el tamaño de la sección de memoria y la usa para calcular la dirección vmemmap en lugar de phys_ram_base."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.212","versionEndExcluding":"5.11","matchCriteriaId":"F1E6B58E-F7D7-480E-A09B-0FA874293160"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.151","versionEndExcluding":"5.16","matchCriteriaId":"DF37B912-2F16-4C92-A527-CD2B342631D5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.81","versionEndExcluding":"6.1.140","matchCriteriaId":"41B78C99-AE93-456C-9689-C4B567C67F85"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.21","versionEndExcluding":"6.6.72","matchCriteriaId":"7537BD1C-63FF-4CA8-B2A1-151A8D1AA8E1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.9","versionEndExcluding":"6.8","matchCriteriaId":"739125EE-99C1-42E1-B870-04FD5010BA66"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8.1","versionEndExcluding":"6.12.10","matchCriteriaId":"B62FEA87-2A2A-4A33-A535-AEE5670C4FB3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:-:*:*:*:*:*:*","matchCriteriaId":"41E47F32-BA80-4333-96FD-4D25082B0FDD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:*","matchCriteriaId":"C9B8A5CE-6D20-4C36-AC01-ACA4B70003A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*","matchCriteriaId":"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*","matchCriteriaId":"5A073481-106D-4B15-B4C7-FB0213B8E1D4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*","matchCriteriaId":"DE491969-75AE-4A6B-9A58-8FC5AF98798F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*","matchCriteriaId":"93C0660D-7FB8-4FBA-892A-B064BA71E49E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*","matchCriteriaId":"034C36A6-C481-41F3-AE9A-D116E5BE6895"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*","matchCriteriaId":"8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/04350304428063da6a55a8a4597d409dc69148b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2022-49135","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T07:00:50.770","lastModified":"2026-06-01T17:16:22.087","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix memory leak\n\n[why]\nResource release is needed on the error handling path\nto prevent memory leak.\n\n[how]\nFix this by adding kfree on the error handling path."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Corregir pérdida de memoria [por qué] Se necesita la liberación de recursos en la ruta de manejo de errores para evitar pérdidas de memoria. [cómo] Solucione esto agregando kfree en la ruta de manejo de errores."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.34","matchCriteriaId":"EE872F08-121D-4AE8-82B9-2B5DA905C944"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"5.16.20","matchCriteriaId":"ABBBA66E-0244-4621-966B-9790AF1EEB00"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"5.17.3","matchCriteriaId":"AE420AC7-1E59-4398-B84F-71F4B4337762"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3ce1497add6d17b48cc9df65095bd20202d93994","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5076315aaddd640bde896ec8d79423ed8ec83a59","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5d5c6dba2b43e28845d7d7ed32a36802329a5f52","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7e10369c72db7a0e2f77b2e306aadc07aef6b07a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9d0bef3cc22cf250278ed45b829f062a00af9e27","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-49158","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T07:00:53.013","lastModified":"2026-06-01T17:16:22.347","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix warning message due to adisc being flushed\n\nFix warning message due to adisc being flushed. Linux kernel triggered a\nwarning message where a different error code type is not matching up with\nthe expected type. Add additional translation of one error code type to\nanother.\n\nWARNING: CPU: 2 PID: 1131623 at drivers/scsi/qla2xxx/qla_init.c:498\nqla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx]\nCPU: 2 PID: 1131623 Comm: drmgr Not tainted 5.13.0-rc1-autotest #1\n..\nGPR28: c000000aaa9c8890 c0080000079ab678 c00000140a104800 c00000002bd19000\nNIP [c00800000790857c] qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx]\nLR [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx]\nCall Trace:\n[c00000001cdc3620] [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] (unreliable)\n[c00000001cdc3710] [c0080000078f3080] __qla2x00_abort_all_cmds+0x1b8/0x580 [qla2xxx]\n[c00000001cdc3840] [c0080000078f589c] qla2x00_abort_all_cmds+0x34/0xd0 [qla2xxx]\n[c00000001cdc3880] [c0080000079153d8] qla2x00_abort_isp_cleanup+0x3f0/0x570 [qla2xxx]\n[c00000001cdc3920] [c0080000078fb7e8] qla2x00_remove_one+0x3d0/0x480 [qla2xxx]\n[c00000001cdc39b0] [c00000000071c274] pci_device_remove+0x64/0x120\n[c00000001cdc39f0] [c0000000007fb818] device_release_driver_internal+0x168/0x2a0\n[c00000001cdc3a30] [c00000000070e304] pci_stop_bus_device+0xb4/0x100\n[c00000001cdc3a70] [c00000000070e4f0] pci_stop_and_remove_bus_device+0x20/0x40\n[c00000001cdc3aa0] [c000000000073940] pci_hp_remove_devices+0x90/0x130\n[c00000001cdc3b30] [c0080000070704d0] disable_slot+0x38/0x90 [rpaphp] [\nc00000001cdc3b60] [c00000000073eb4c] power_write_file+0xcc/0x180\n[c00000001cdc3be0] [c0000000007354bc] pci_slot_attr_store+0x3c/0x60\n[c00000001cdc3c00] [c00000000055f820] sysfs_kf_write+0x60/0x80 [c00000001cdc3c20]\n[c00000000055df10] kernfs_fop_write_iter+0x1a0/0x290\n[c00000001cdc3c70] [c000000000447c4c] new_sync_write+0x14c/0x1d0\n[c00000001cdc3d10] [c00000000044b134] vfs_write+0x224/0x330\n[c00000001cdc3d60] [c00000000044b3f4] ksys_write+0x74/0x130\n[c00000001cdc3db0] [c00000000002df70] system_call_exception+0x150/0x2d0\n[c00000001cdc3e10] [c00000000000d45c] system_call_common+0xec/0x278"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: qla2xxx: Se corrige el mensaje de advertencia debido a que se vaciaba adisc Se corrige el mensaje de advertencia debido a que se vaciaba adisc. El kernel de Linux activó un mensaje de advertencia cuando un tipo de código de error diferente no coincide con el tipo esperado. Agregue una traducción adicional de un tipo de código de error a otro. ADVERTENCIA: CPU: 2 PID: 1131623 en drivers/scsi/qla2xxx/qla_init.c:498 qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx] CPU: 2 PID: 1131623 Comm: drmgr No contaminado 5.13.0-rc1-autotest #1 .. GPR28: c000000aaa9c8890 c0080000079ab678 c00000140a104800 c00000002bd19000 NIP [c00800000790857c] qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx] LR [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] Call Trace: [c00000001cdc3620] [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] (no confiable) [c00000001cdc3710] [c0080000078f3080] __qla2x00_abort_all_cmds+0x1b8/0x580 [qla2xxx] [c00000001cdc3840] [c0080000078f589c] qla2x00_abort_all_cmds+0x34/0xd0 [qla2xxx] [c00000001cdc3880] [c0080000079153d8] qla2x00_abort_isp_cleanup+0x3f0/0x570 [qla2xxx] [c00000001cdc3920] [c0080000078fb7e8] qla2x00_remove_one+0x3d0/0x480 [qla2xxx] [c00000001cdc39b0] [c00000000071c274] pci_device_remove+0x64/0x120 [c00000001cdc39f0] [c0000000007fb818] device_release_driver_internal+0x168/0x2a0 [c00000001cdc3a30] [c00000000070e304] pci_stop_bus_device+0xb4/0x100 [c00000001cdc3a70] [c00000000070e4f0] pci_stop_and_remove_bus_device+0x20/0x40 [c00000001cdc3aa0] [c000000000073940] pci_hp_remove_devices+0x90/0x130 [c00000001cdc3b30] [c0080000070704d0] disable_slot+0x38/0x90 [rpaphp] [ c00000001cdc3b60] [c00000000073eb4c] power_write_file+0xcc/0x180 [c00000001cdc3be0] [c0000000007354bc] pci_slot_attr_store+0x3c/0x60 [c00000001cdc3c00] [c00000000055f820] sysfs_kf_write+0x60/0x80 [c00000001cdc3c20] [c00000000055df10] kernfs_fop_write_iter+0x1a0/0x290 [c00000001cdc3c70] [c000000000447c4c] new_sync_write+0x14c/0x1d0 [c00000001cdc3d10] [c00000000044b134] vfs_write+0x224/0x330 [c00000001cdc3d60] [c00000000044b3f4] ksys_write+0x74/0x130 [c00000001cdc3db0] [c00000000002df70] system_call_exception+0x150/0x2d0 [c00000001cdc3e10] [c00000000000d45c] system_call_common+0xec/0x278"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.33","matchCriteriaId":"0B4D5502-DA34-43DA-93D1-158E3047C2C7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"5.16.19","matchCriteriaId":"20C43679-0439-405A-B97F-685BEE50613B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"5.17.2","matchCriteriaId":"210C679C-CF84-44A3-8939-E629C87E54BF"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/64f24af75b79cba3b86b0760e27e0fa904db570f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7a3457777c4f700c64836e78dc71e6ce459f62b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b13baf97ddbc1a7e7536168383bc0d84c2204b03","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c7e01292eb8499ef044737fd2ba37d033552167c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d8fb8da69e194e0249b3cdb746ef09ce823ae26b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-49183","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-26T07:00:55.427","lastModified":"2026-06-01T17:16:22.500","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix ref leak when switching zones\n\nWhen switching zones or network namespaces without doing a ct clear in\nbetween, it is now leaking a reference to the old ct entry. That's\nbecause tcf_ct_skb_nfct_cached() returns false and\ntcf_ct_flow_table_lookup() may simply overwrite it.\n\nThe fix is to, as the ct entry is not reusable, free it already at\ntcf_ct_skb_nfct_cached()."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: act_ct: se corrige la fuga de referencia al cambiar de zona Al cambiar de zona o de espacio de nombres de red sin hacer una limpieza de ct en el medio, ahora se filtra una referencia a la entrada ct anterior. Esto se debe a que tcf_ct_skb_nfct_cached() devuelve falso y tcf_ct_flow_table_lookup() puede simplemente sobrescribirlo. La solución es, como la entrada ct no es reutilizable, liberarla ya en tcf_ct_skb_nfct_cached()."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.103","versionEndExcluding":"5.11","matchCriteriaId":"C6C1F51A-A817-4CF1-9578-38216E3CF649"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.26","versionEndExcluding":"5.15.33","matchCriteriaId":"806417E1-B697-4476-94C3-EBC38748D945"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16.12","versionEndIncluding":"5.16.19","matchCriteriaId":"108A78FE-B91E-44D1-8EBD-D9C4D8A649EC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndIncluding":"5.17.2","matchCriteriaId":"FD8C9932-9223-472D-A70C-42BCD470680A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4bb42d73def9411e5cad885b9811987d72431df1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9222a08be539cbb7a8e0d46cbc7ab9e4db273eb8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b24793a37d91aacad7cb9893b226a7924a89636a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bcb74e132a76ce0502bb33d5b65533a4ed72d159","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bcbf4e5c3b5b373cd61528392dd1ec8e9c0fd33d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-21712","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-27T02:15:14.863","lastModified":"2026-06-01T17:16:32.507","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime\n\nAfter commit ec6bb299c7c3 (\"md/md-bitmap: add 'sync_size' into struct\nmd_bitmap_stats\"), following panic is reported:\n\nOops: general protection fault, probably for non-canonical address\nRIP: 0010:bitmap_get_stats+0x2b/0xa0\nCall Trace:\n \n md_seq_show+0x2d2/0x5b0\n seq_read_iter+0x2b9/0x470\n seq_read+0x12f/0x180\n proc_reg_read+0x57/0xb0\n vfs_read+0xf6/0x380\n ksys_read+0x6c/0xf0\n do_syscall_64+0x82/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRoot cause is that bitmap_get_stats() can be called at anytime if mddev\nis still there, even if bitmap is destroyed, or not fully initialized.\nDeferenceing bitmap in this case can crash the kernel. Meanwhile, the\nabove commit start to deferencing bitmap->storage, make the problem\neasier to trigger.\n\nFix the problem by protecting bitmap_get_stats() with bitmap_info.mutex."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: md/md-bitmap: sincronizar bitmap_get_stats() con el tiempo de vida del mapa de bits Después de el commit ec6bb299c7c3 (\"md/md-bitmap: agregar 'sync_size' en la estructura md_bitmap_stats\"), se informa el siguiente pánico: Vaya: error de protección general, probablemente para una dirección no canónica RIP: 0010:bitmap_get_stats+0x2b/0xa0 Seguimiento de llamadas: md_seq_show+0x2d2/0x5b0 seq_read_iter+0x2b9/0x470 seq_read+0x12f/0x180 proc_reg_read+0x57/0xb0 vfs_read+0xf6/0x380 ksys_read+0x6c/0xf0 La causa principal es que bitmap_get_stats() se puede llamar en cualquier momento si mddev aún está allí, incluso si bitmap se destruye o no se inicializa por completo. La deferenciación de bitmap en este caso puede hacer que el kernel se bloquee. Mientras tanto, el commit anterior comienza a deferenciar bitmap->storage, lo que hace que el problema sea más fácil de desencadenar. Solucione el problema protegiendo bitmap_get_stats() con bitmap_info.mutex."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.13","versionEndExcluding":"6.1.130","matchCriteriaId":"61DF49F7-2C3F-4E19-8AA8-381D3051AC1B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.80","matchCriteriaId":"A93F3655-6FAF-43B0-8541-A212998F05B8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.13","matchCriteriaId":"2897389C-A8C3-4D69-90F2-E701B3D66373"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.2","matchCriteriaId":"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/032fa54f486eac5507976e7e31f079a767bc13a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/237e19519c8ff6949f0ef57c4a0243f5b2b0fa18","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4e9316eee3885bfb311b4759513f2ccf37891c09","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/52848a095b55a302af92f52ca0de5b3112059bb8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8d28d0ddb986f56920ac97ae704cc3340a699a30","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/eb2f9d98cd3e94a79fbf8fb90637c5b12e805428","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html","source":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}},{"cve":{"id":"CVE-2025-21739","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-27T03:15:14.530","lastModified":"2026-06-01T17:16:32.803","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix use-after free in init error and remove paths\n\ndevm_blk_crypto_profile_init() registers a cleanup handler to run when\nthe associated (platform-) device is being released. For UFS, the\ncrypto private data and pointers are stored as part of the ufs_hba's\ndata structure 'struct ufs_hba::crypto_profile'. This structure is\nallocated as part of the underlying ufshcd and therefore Scsi_host\nallocation.\n\nDuring driver release or during error handling in ufshcd_pltfrm_init(),\nthis structure is released as part of ufshcd_dealloc_host() before the\n(platform-) device associated with the crypto call above is released.\nOnce this device is released, the crypto cleanup code will run, using\nthe just-released 'struct ufs_hba::crypto_profile'. This causes a\nuse-after-free situation:\n\n Call trace:\n kfree+0x60/0x2d8 (P)\n kvfree+0x44/0x60\n blk_crypto_profile_destroy_callback+0x28/0x70\n devm_action_release+0x1c/0x30\n release_nodes+0x6c/0x108\n devres_release_all+0x98/0x100\n device_unbind_cleanup+0x20/0x70\n really_probe+0x218/0x2d0\n\nIn other words, the initialisation code flow is:\n\n platform-device probe\n ufshcd_pltfrm_init()\n ufshcd_alloc_host()\n scsi_host_alloc()\n allocation of struct ufs_hba\n creation of scsi-host devices\n devm_blk_crypto_profile_init()\n devm registration of cleanup handler using platform-device\n\nand during error handling of ufshcd_pltfrm_init() or during driver\nremoval:\n\n ufshcd_dealloc_host()\n scsi_host_put()\n put_device(scsi-host)\n release of struct ufs_hba\n put_device(platform-device)\n crypto cleanup handler\n\nTo fix this use-after free, change ufshcd_alloc_host() to register a\ndevres action to automatically cleanup the underlying SCSI device on\nufshcd destruction, without requiring explicit calls to\nufshcd_dealloc_host(). This way:\n\n * the crypto profile and all other ufs_hba-owned resources are\n destroyed before SCSI (as they've been registered after)\n * a memleak is plugged in tc-dwc-g210-pci.c remove() as a\n side-effect\n * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as\n it's not needed anymore\n * no future drivers using ufshcd_alloc_host() could ever forget\n adding the cleanup"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registra un controlador de depuración para ejecutarse cuando se libera el dispositivo (de plataforma) asociado. Para UFS, los datos privados de cifrado y los punteros se almacenan como parte de la estructura de datos de ufs_hba 'struct ufs_hba::crypto_profile'. Esta estructura se asigna como parte de la asignación subyacente de ufshcd y, por lo tanto, de Scsi_host. Durante el lanzamiento del controlador o durante la gestión de errores en ufshcd_pltfrm_init(), esta estructura se libera como parte de ufshcd_dealloc_host() antes de que se libere el dispositivo (de plataforma) asociado con la llamada criptográfica anterior. Una vez que se libera este dispositivo, se ejecutará el código de depuración criptográfica, utilizando el 'struct ufs_hba::crypto_profile' recién publicado. Esto provoca una situación de use after free: Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blk_crypto_profile_destroy_callback+0x28/0x70 devm_action_release+0x1c/0x30 release_nodes+0x6c/0x108 devres_release_all+0x98/0x100 device_unbind_cleanup+0x20/0x70 really_probe+0x218/0x2d0 In other words, the initialisation code flow is: platform-device probe ufshcd_pltfrm_init() ufshcd_alloc_host() scsi_host_alloc() allocation of struct ufs_hba creation of scsi-host devices devm_blk_crypto_profile_init() devm registration of cleanup handler using platform-device and during error handling of ufshcd_pltfrm_init() or during driver removal: ufshcd_dealloc_host() scsi_host_put() put_device(scsi-host) release of struct ufs_hba put_device(platform-device) crypto cleanup handler To fix this use-after free, change ufshcd_alloc_host() para registrar una acción devres para limpiar automáticamente el dispositivo SCSI subyacente en la destrucción de ufshcd, sin requerir llamadas explícitas a ufshcd_dealloc_host(). De esta manera: * el perfil criptográfico y todos los demás recursos propiedad de ufs_hba se destruyen antes de SCSI (ya que se registraron después) * se conecta una fuga de memoria en tc-dwc-g210-pci.c remove() como efecto secundario * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) se puede eliminar por completo ya que ya no es necesario * ningún controlador futuro que use ufshcd_alloc_host() podría olvidarse de agregar la depuración "}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"6.12.14","matchCriteriaId":"03E58B14-5ED8-473D-BB8E-CB847D6B7FC1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.3","matchCriteriaId":"0E92CEE3-1FC3-4AFC-A513-DEDBA7414F00"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*","matchCriteriaId":"186716B6-2B66-4BD0-852E-D48E71C0C85F"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0a6895c03b1f439236e2d22b1a69ebfc1eb9d5ea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0c77c0d754fe83cb154715fcfec6c3faef94f207","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0dc539b888fb5f56b6eeddd95433eab557d4b0c1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9c185beae09a3eb85f54777edafa227f7e03075d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d06eb2620d3bf16056b8b7ea3744dbb5e30512f4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f8fb2403ddebb5eea0033d90d9daae4c88749ada","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-21845","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-03-12T10:15:16.820","lastModified":"2026-06-01T17:16:33.203","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spi-nor: sst: Fix SST write failure\n\n'commit 18bcb4aa54ea (\"mtd: spi-nor: sst: Factor out common write operation\nto `sst_nor_write_data()`\")' introduced a bug where only one byte of data\nis written, regardless of the number of bytes passed to\nsst_nor_write_data(), causing a kernel crash during the write operation.\nEnsure the correct number of bytes are written as passed to\nsst_nor_write_data().\n\nCall trace:\n[ 57.400180] ------------[ cut here ]------------\n[ 57.404842] While writing 2 byte written 1 bytes\n[ 57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74\n[ 57.418464] Modules linked in:\n[ 57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30\n[ 57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT)\n[ 57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 57.444557] pc : sst_nor_write_data+0x6c/0x74\n[ 57.448911] lr : sst_nor_write_data+0x6c/0x74\n[ 57.453264] sp : ffff80008232bb40\n[ 57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001\n[ 57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000\n[ 57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000\n[ 57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006\n[ 57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580\n[ 57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4\n[ 57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530\n[ 57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001\n[ 57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[ 57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000\n[ 57.527916] Call trace:\n[ 57.530354] sst_nor_write_data+0x6c/0x74\n[ 57.534361] sst_nor_write+0xb4/0x18c\n[ 57.538019] mtd_write_oob_std+0x7c/0x88\n[ 57.541941] mtd_write_oob+0x70/0xbc\n[ 57.545511] mtd_write+0x68/0xa8\n[ 57.548733] mtdchar_write+0x10c/0x290\n[ 57.552477] vfs_write+0xb4/0x3a8\n[ 57.555791] ksys_write+0x74/0x10c\n[ 57.559189] __arm64_sys_write+0x1c/0x28\n[ 57.563109] invoke_syscall+0x54/0x11c\n[ 57.566856] el0_svc_common.constprop.0+0xc0/0xe0\n[ 57.571557] do_el0_svc+0x1c/0x28\n[ 57.574868] el0_svc+0x30/0xcc\n[ 57.577921] el0t_64_sync_handler+0x120/0x12c\n[ 57.582276] el0t_64_sync+0x190/0x194\n[ 57.585933] ---[ end trace 0000000000000000 ]---\n\n[pratyush@kernel.org: add Cc stable tag]"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mtd: spi-nor: sst: Se corrige el error de escritura en SST «commit 18bcb4aa54ea (\"mtd: spi-nor: sst: Factorizar la operación de escritura común a `sst_nor_write_data()`\")», que introdujo un error donde solo se escribe un byte de datos, independientemente del número de bytes pasados a sst_nor_write_data(), lo que provoca un fallo del kernel durante la operación de escritura. Asegúrese de que se escriba el número correcto de bytes al pasar a sst_nor_write_data(). Rastreo de llamada: [ 57.400180] ------------[ cortar aquí ]------------ [ 57.404842] Mientras se escribían 2 bytes, se escribió 1 byte [ 57.409493] ADVERTENCIA: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74 [ 57.418464] Modules linked in: [ 57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30 [ 57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT) [ 57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 57.444557] pc : sst_nor_write_data+0x6c/0x74 [ 57.448911] lr : sst_nor_write_data+0x6c/0x74 [ 57.453264] sp : ffff80008232bb40 [ 57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001 [ 57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000 [ 57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000 [ 57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006 [ 57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580 [ 57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4 [ 57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530 [ 57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001 [ 57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000 [ 57.527916] Call trace: [ 57.530354] sst_nor_write_data+0x6c/0x74 [ 57.534361] sst_nor_write+0xb4/0x18c [ 57.538019] mtd_write_oob_std+0x7c/0x88 [ 57.541941] mtd_write_oob+0x70/0xbc [ 57.545511] mtd_write+0x68/0xa8 [ 57.548733] mtdchar_write+0x10c/0x290 [ 57.552477] vfs_write+0xb4/0x3a8 [ 57.555791] ksys_write+0x74/0x10c [ 57.559189] __arm64_sys_write+0x1c/0x28 [ 57.563109] invoke_syscall+0x54/0x11c [ 57.566856] el0_svc_common.constprop.0+0xc0/0xe0 [ 57.571557] do_el0_svc+0x1c/0x28 [ 57.574868] el0_svc+0x30/0xcc [ 57.577921] el0t_64_sync_handler+0x120/0x12c [ 57.582276] el0t_64_sync+0x190/0x194 [ 57.585933] ---[ end trace 0000000000000000 ]--- [pratyush@kernel.org: add Cc stable tag] "}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.17","matchCriteriaId":"D7CFE07B-B159-42C9-8FE6-76AF2E647681"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.5","matchCriteriaId":"72E69ABB-9015-43A6-87E1-5150383CFFD9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*","matchCriteriaId":"186716B6-2B66-4BD0-852E-D48E71C0C85F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*","matchCriteriaId":"0D3E781C-403A-498F-9DA9-ECEE50F41E75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*","matchCriteriaId":"66619FB8-0AAF-4166-B2CF-67B24143261D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/539bd20352832b9244238a055eb169ccf1c41ff6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9553391f32f8c43e12fc7c04e1035160b5ea20bf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bb1accc7e0f688886f0c634f2e878b8ac4ee6a58","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f791837015a0d20f584d0ed368393f119a00018f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f7c14993dc2f1eca661975c0ff90a6e2098ecd41","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-21847","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-03-12T10:15:17.100","lastModified":"2026-06-01T17:16:33.427","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()\n\nThe nullity of sps->cstream should be checked similarly as it is done in\nsof_set_stream_data_offset() function.\nAssuming that it is not NULL if sps->stream is NULL is incorrect and can\nlead to NULL pointer dereference."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: SOF: stream-ipc: Comprobación de nulidad de cstream en sof_ipc_msg_data(). La nulidad de sps->cstream debe comprobarse de forma similar a como se realiza en la función sof_set_stream_data_offset(). Asumir que no es NULL si sps->stream es NULL es incorrecto y puede provocar la desreferenciación del puntero NULL."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.6.80","matchCriteriaId":"ACF3631C-19E5-4953-B4A3-AB7CD48E6A57"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.17","matchCriteriaId":"15370AEE-6D1C-49C3-8CB7-E889D5F92B6F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.5","matchCriteriaId":"72E69ABB-9015-43A6-87E1-5150383CFFD9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*","matchCriteriaId":"186716B6-2B66-4BD0-852E-D48E71C0C85F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*","matchCriteriaId":"0D3E781C-403A-498F-9DA9-ECEE50F41E75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*","matchCriteriaId":"66619FB8-0AAF-4166-B2CF-67B24143261D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2b3878baf90918a361a3dfd3513025100b1b40b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/62ab1ae5511c59b5f0bf550136ff321331adca9f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6c18f5eb2043ebf4674c08a9690218dc818a11ab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d8d99c3b5c485f339864aeaa29f76269cc0ea975","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dfe25c554daa12ee26eb3540bbded57733ed5d9c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-21863","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-03-12T10:15:19.387","lastModified":"2026-06-01T17:16:33.627","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: prevent opcode speculation\n\nsqe->opcode is used for different tables, make sure we santitise it\nagainst speculations."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: evita la especulación de código de operación. sqe->opcode se utiliza para diferentes tablas, asegúrese de que lo desinfectemos contra especulaciones."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.6.80","matchCriteriaId":"E3785293-6562-4D6B-B271-6DD83134CCC5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.17","matchCriteriaId":"15370AEE-6D1C-49C3-8CB7-E889D5F92B6F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.5","matchCriteriaId":"72E69ABB-9015-43A6-87E1-5150383CFFD9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*","matchCriteriaId":"186716B6-2B66-4BD0-852E-D48E71C0C85F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*","matchCriteriaId":"0D3E781C-403A-498F-9DA9-ECEE50F41E75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*","matchCriteriaId":"66619FB8-0AAF-4166-B2CF-67B24143261D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/18eae8420081ef8e043ad455937bfb470ef08607","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e988c3fe1264708f4f92109203ac5b1d65de50b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/506b9b5e8c2d2a411ea8fe361333f5081c56d23a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b9826e3b26ec031e9063f64a7c735449c43955e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d261ead565a080e3411b0dd04e6d58a52471cac8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fdbfd52bd8b85ed6783365ff54c82ab7067bd61b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-22069","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-04-16T15:16:01.100","lastModified":"2026-06-01T17:16:33.837","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler\n\nNaresh Kamboju reported a \"Bad frame pointer\" kernel warning while\nrunning LTP trace ftrace_stress_test.sh in riscv. We can reproduce the\nsame issue with the following command:\n\n```\n$ cd /sys/kernel/debug/tracing\n$ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events\n$ echo 1 > events/fprobes/enable\n$ echo 1 > tracing_on\n$ sleep 1\n```\n\nAnd we can get the following kernel warning:\n\n[ 127.692888] ------------[ cut here ]------------\n[ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000\n[ 127.693755] from func do_nanosleep return to ffffffff800ccb16\n[ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be\n[ 127.699894] Modules linked in:\n[ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32\n[ 127.701453] Hardware name: riscv-virtio,qemu (DT)\n[ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be\n[ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be\n[ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10\n[ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000\n[ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80\n[ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20\n[ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000\n[ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038\n[ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0\n[ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068\n[ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001\n[ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e\n[ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18\n[ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003\n[ 127.703292] [] ftrace_return_to_handler+0x1b2/0x1be\n[ 127.703760] [] return_to_handler+0x16/0x26\n[ 127.704009] [] return_to_handler+0x0/0x26\n[ 127.704057] [] common_nsleep+0x42/0x54\n[ 127.704117] [] __riscv_sys_clock_nanosleep+0xba/0x10a\n[ 127.704176] [] do_trap_ecall_u+0x188/0x218\n[ 127.704295] [] handle_exception+0x14a/0x156\n[ 127.705436] ---[ end trace 0000000000000000 ]---\n\nThe reason is that the stack layout for constructing argument for the\nftrace_return_to_handler in the return_to_handler does not match the\n__arch_ftrace_regs structure of riscv, leading to unexpected results."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: fgraph: Se corrige el diseño de la pila para que coincida con el argumento __arch_ftrace_regs de ftrace_return_to_handler Naresh Kamboju informó una advertencia del kernel \"Puntero de marco incorrecto\" mientras ejecutaba el seguimiento LTP ftrace_stress_test.sh en riscv. Podemos reproducir el mismo problema con el siguiente comando: ``` $ cd /sys/kernel/debug/tracing $ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events $ echo 1 > events/fprobes/enable $ echo 1 > tracing_on $ sleep 1 ``` Y podemos obtener la siguiente advertencia del kernel: [ 127.692888] ------------[ cortar aquí ]------------ [ 127.693755] Puntero de marco incorrecto: se esperaba ff2000000065be50, se recibió ba34c141e9594000 [ 127.693755] de func do_nanosleep return a ffffffff800ccb16 [ 127.698699] ADVERTENCIA: CPU: 1 PID: 129 en kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be [ 127.699894] Módulos vinculados en: [ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep No contaminado 6.14.0-rc3-g0ab191c74642 #32 [ 127.701453] Nombre del hardware: riscv-virtio,qemu (DT) [ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be [ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be [ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10 [ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000 [ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80 [ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1: ffffffff81894f20 [127.702408] a2: 0000000000000010 a3: fffffffffffffffffe a4: 00000000000000000 [127.702470] a5: 0000000000000000 a6: 0000000000000008 a7: 0000000000000038 [127.702530] s2: ba34c141e9594000 s3: 0000000000000000 s4: ff2000000065bdd0 [127.702591] s5: 00007fff8adcf400 s6: 000055556dc1d8c0 s7: 00000000000000068 [127.702651] s8: 00007fff8adf5d10 s9: 000000000000006d s10: 0000000000000001 [127.702710] s11: 00005555737377c8 t3: ffffffff819d899e t4: ffffffff819d899e [ 127.702769] t5: ffffffff819d89a0 t6: ff2000000065bb18 [127.702826] estado: 0000000200000120 dirección incorrecta: 0000000000000000 causa: 0000000000000003 [127.703292] [] ftrace_return_to_handler+0x1b2/0x1be [127.703760] [] return_to_handler+0x16/0x26 [127.704009] [] retorno_al_controlador+0x0/0x26 [ 127.704057] [] suspensión_común+0x42/0x54 [ 127.704117] [] __riscv_sys_clock_nanosleep+0xba/0x10a [ 127.704176] [] hacer_trampa_ecall_u+0x188/0x218 [ 127.704295] [] controlar_excepción+0x14a/0x156 [ 127.705436] ---[ fin de seguimiento 0000000000000000 ]--- La razón es que el diseño de la pila para construir el argumento para ftrace_return_to_handler en return_to_handler no coincide con la estructura __arch_ftrace_regs de riscv, lo que genera resultados inesperados."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-668"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.14.2","matchCriteriaId":"FADAE5D8-4808-442C-B218-77B2CE8780A0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/67a5ba8f742f247bc83e46dd2313c142b1383276","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/78b39c587b8f6c69140177108f9c08a75b1c7c37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7ed384db061a264bd806898f7ccab9b98b591488","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-22105","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-04-16T15:16:04.827","lastModified":"2026-06-01T17:16:34.003","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: check xdp prog when set bond mode\n\nFollowing operations can trigger a warning[1]:\n\n ip netns add ns1\n ip netns exec ns1 ip link add bond0 type bond mode balance-rr\n ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp\n ip netns exec ns1 ip link set bond0 type bond mode broadcast\n ip netns del ns1\n\nWhen delete the namespace, dev_xdp_uninstall() is called to remove xdp\nprogram on bond dev, and bond_xdp_set() will check the bond mode. If bond\nmode is changed after attaching xdp program, the warning may occur.\n\nSome bond modes (broadcast, etc.) do not support native xdp. Set bond mode\nwith xdp program attached is not good. Add check for xdp program when set\nbond mode.\n\n [1]\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930\n Modules linked in:\n CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\n Workqueue: netns cleanup_net\n RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930\n Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...\n RSP: 0018:ffffc90000063d80 EFLAGS: 00000282\n RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff\n RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48\n RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb\n R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8\n R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000\n FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0\n Call Trace:\n \n ? __warn+0x83/0x130\n ? unregister_netdevice_many_notify+0x8d9/0x930\n ? report_bug+0x18e/0x1a0\n ? handle_bug+0x54/0x90\n ? exc_invalid_op+0x18/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? unregister_netdevice_many_notify+0x8d9/0x930\n ? bond_net_exit_batch_rtnl+0x5c/0x90\n cleanup_net+0x237/0x3d0\n process_one_work+0x163/0x390\n worker_thread+0x293/0x3b0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xec/0x1e0\n ? __pfx_kthread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \n ---[ end trace 0000000000000000 ]---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bonding: check xdp prog when set bond mode Las siguientes operaciones pueden activar una advertencia[1]: ip netns add ns1 ip netns exec ns1 ip link add bond0 type bond mode balance-rr ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp ip netns exec ns1 ip link set bond0 type bond mode broadcast ip netns del ns1 Cuando se elimina el espacio de nombres, se llama a dev_xdp_uninstall() para eliminar el programa xdp en bond dev, y bond_xdp_set() comprobará el modo bond. Si se cambia el modo bond después de adjuntar el programa xdp, puede aparecer la advertencia. Algunos modos de enlace (broadcast, etc.) no admiten xdp nativo. Establecer el modo bond con el programa xdp adjunto no es bueno. Agregar verificación para el programa xdp cuando se establece el modo de enlace. [1] ------------[ cortar aquí ]------------ ADVERTENCIA: CPU: 0 PID: 11 en net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930 Módulos vinculados: CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 No contaminado 6.14.0-rc4 #107 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Cola de trabajo: netns cleanup_net RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930 Código: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ... RSP: 0018:ffffc90000063d80 EFLAGS: 00000282 RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48 RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 000000000009ffb R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8 R13: 0000000000000001 R14: muerto000000000100 R15: ffffc90000045000 FS: 000000000000000(0000) GS:ffff888007a00000(0000) knlGS:000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0 Rastreo de llamadas: ? __warn+0x83/0x130 ? unregister_netdevice_many_notify+0x8d9/0x930 ? report_bug+0x18e/0x1a0 ? handle_bug+0x54/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? unregister_netdevice_many_notify+0x8d9/0x930 ? lote_de_salida_de_red_de_bono_rtnl+0x5c/0x90 red_de_limpieza+0x237/0x3d0 trabajo_uno_del_proceso+0x163/0x390 subproceso_de_trabajo+0x293/0x3b0 ? __pfx_subproceso_de_trabajo+0x10/0x10 subproceso_de_trabajo+0xec/0x1e0 ? __pfx_subproceso_de_trabajo+0x10/0x10 ? __pfx_subproceso_de_trabajo+0x10/0x10 ret_de_bifurcación+0x2f/0x50 ? __pfx_subproceso_de_trabajo+0x10/0x10 ret_de_bifurcación_asm+0x1a/0x30 ---[ fin de seguimiento 0000000000000000 ]---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.12.57","matchCriteriaId":"C755C7A4-940F-437A-9E38-8A1DAD3454D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.14.2","matchCriteriaId":"FADAE5D8-4808-442C-B218-77B2CE8780A0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/074de2f6706ea840bbf06599cdc194086fbae092","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/094ee6017ea09c11d6af187935a949df32803ce0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5106da73b01668a1aa5d0f352b95d2b832b5caa7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6f3af8055ee7ab69d1451f056fcd890df99c167e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-22107","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-04-16T15:16:04.997","lastModified":"2026-06-01T17:16:34.190","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()\n\nThere are actually 2 problems:\n- deleting the last element doesn't require the memmove of elements\n [i + 1, end) over it. Actually, element i+1 is out of bounds.\n- The memmove itself should move size - i - 1 elements, because the last\n element is out of bounds.\n\nThe out-of-bounds element still remains out of bounds after being\naccessed, so the problem is only that we touch it, not that it becomes\nin active use. But I suppose it can lead to issues if the out-of-bounds\nelement is part of an unmapped page."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: sja1105: corrección de la advertencia de kasan fuera de los límites en sja1105_table_delete_entry() En realidad, hay 2 problemas: - eliminar el último elemento no requiere el memmove de elementos [i + 1, fin) sobre él. En realidad, el elemento i + 1 está fuera de los límites. - El memmove en sí mismo debería mover tamaño - i - 1 elementos, porque el último elemento está fuera de los límites. El elemento fuera de los límites sigue estando fuera de los límites después de ser accedido, por lo que el problema es solo que lo tocamos, no que se vuelva en uso activo. Pero supongo que puede conducir a problemas si el elemento fuera de los límites es parte de una página no asignada."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.14.2","matchCriteriaId":"B485FDF4-1B47-438C-876C-E449A567F0DF"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/031e00249e9e6bee72ba66701c8f83b45fc4b8a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4584486cfcca24b7b586da3377eb3cffd48669ec","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/59b97641de03c081f26b3a8876628c765b5faa25","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5f2b28b79d2d1946ee36ad8b3dc0066f73c90481","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b52153da1f42e2f4d6259257a7ba027331671a93","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f117d0467215d7f1d445ae16d2c799637e63dc6c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f85b9bfb08ba2b642d1810c6c4ae1e7b46f1776a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-23141","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-05-01T13:15:49.910","lastModified":"2026-06-01T17:16:34.357","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses\n\nAcquire a lock on kvm->srcu when userspace is getting MP state to handle a\nrather extreme edge case where \"accepting\" APIC events, i.e. processing\npending INIT or SIPI, can trigger accesses to guest memory. If the vCPU\nis in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP\nstate will trigger a nested VM-Exit by way of ->check_nested_events(), and\nemuating the nested VM-Exit can access guest memory.\n\nThe splat was originally hit by syzkaller on a Google-internal kernel, and\nreproduced on an upstream kernel by hacking the triple_fault_event_test\nselftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a\nmemory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.\n\n =============================\n WARNING: suspicious RCU usage\n 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted\n -----------------------------\n include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by triple_fault_ev/1256:\n #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]\n\n stack backtrace:\n CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n \n dump_stack_lvl+0x7f/0x90\n lockdep_rcu_suspicious+0x144/0x190\n kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]\n kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n read_and_check_msr_entry+0x2e/0x180 [kvm_intel]\n __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]\n kvm_check_nested_events+0x1b/0x30 [kvm]\n kvm_apic_accept_events+0x33/0x100 [kvm]\n kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]\n kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]\n __x64_sys_ioctl+0x8b/0xb0\n do_syscall_64+0x6c/0x170\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n "},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86: Adquisición de SRCU en KVM_GET_MP_STATE para proteger los accesos a la memoria del invitado. Adquisición de un bloqueo en kvm->srcu cuando el espacio de usuario obtiene el estado MP para gestionar un caso extremo en el que la \"aceptación\" de eventos APIC, es decir, el procesamiento de INIT o SIPI pendientes, puede desencadenar accesos a la memoria del invitado. Si la vCPU está en L2 con INIT *y* una solicitud TRIPLE_FAULT pendiente, obtener el estado MP activará una salida de máquina virtual anidada mediante ->check_nested_events(), y la emulación de la salida de máquina virtual anidada puede acceder a la memoria del invitado. El splat fue alcanzado originalmente por syzkaller en un kernel interno de Google, y reproducido en un kernel ascendente hackeando la autoprueba triple_fault_event_test para rellenar un INIT pendiente, almacenar un MSR en VM-Exit (para generar un acceso a memoria en VMX), y hacer vcpu_mp_state_get() para activar el escenario. ============================== ADVERTENCIA: uso sospechoso de RCU 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 No contaminado ----------------------------- include/linux/kvm_host.h:1058 ¡uso sospechoso de rcu_dereference_check()! Otra información que podría ayudarnos a depurar esto: rcu_scheduler_active = 2, debug_locks = 1 1 bloqueo mantenido por triple_fault_ev/1256: #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, en: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] seguimiento de pila: CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev No contaminado 6.14.0-rc3-b112d356288b-vmx #3 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Seguimiento de llamadas: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x144/0x190 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] read_and_check_msr_entry+0x2e/0x180 [kvm_intel] __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] kvm_check_nested_events+0x1b/0x30 [kvm] kvm_apic_accept_events+0x33/0x100 [kvm] kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] __x64_sys_ioctl+0x8b/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 "}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.135","matchCriteriaId":"29C64220-D258-41B3-A931-B8C3456115E5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.88","matchCriteriaId":"6E5947E5-45E3-462A-829B-382B3B1C61BD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.24","matchCriteriaId":"1D35A8A8-F3EC-45E6-AD37-1F154B27529D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.12","matchCriteriaId":"4A475784-BF3B-4514-81EE-49C8522FB24A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.14.3","matchCriteriaId":"483E2E15-2135-4EC6-AB64-16282C5EF704"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*","matchCriteriaId":"8D465631-2980-487A-8E65-40AE2B9F8ED1"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/56d997b257075951a46663970cd350cd5e34c041","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2022-49803","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-05-01T15:16:03.617","lastModified":"2026-06-01T17:16:22.683","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: Fix memory leak of nsim_dev->fa_cookie\n\nkmemleak reports this issue:\n\nunreferenced object 0xffff8881bac872d0 (size 8):\n comm \"sh\", pid 58603, jiffies 4481524462 (age 68.065s)\n hex dump (first 8 bytes):\n 04 00 00 00 de ad be ef ........\n backtrace:\n [<00000000c80b8577>] __kmalloc+0x49/0x150\n [<000000005292b8c6>] nsim_dev_trap_fa_cookie_write+0xc1/0x210 [netdevsim]\n [<0000000093d78e77>] full_proxy_write+0xf3/0x180\n [<000000005a662c16>] vfs_write+0x1c5/0xaf0\n [<000000007aabf84a>] ksys_write+0xed/0x1c0\n [<000000005f1d2e47>] do_syscall_64+0x3b/0x90\n [<000000006001c6ec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe issue occurs in the following scenarios:\n\nnsim_dev_trap_fa_cookie_write()\n kmalloc() fa_cookie\n nsim_dev->fa_cookie = fa_cookie\n..\nnsim_drv_remove()\n\nThe fa_cookie allocked in nsim_dev_trap_fa_cookie_write() is not freed. To\nfix, add kfree(nsim_dev->fa_cookie) to nsim_drv_remove()."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netdevsim: Se corrige la pérdida de memoria de nsim_dev->fa_cookie. kmemleak informa de este problema: objeto sin referencia 0xffff8881bac872d0 (tamaño 8): comm \"sh\", pid 58603, jiffies 4481524462 (edad 68,065 s) volcado hexadecimal (primeros 8 bytes): 04 00 00 00 de ad be ef ........ backtrace: [<00000000c80b8577>] __kmalloc+0x49/0x150 [<000000005292b8c6>] nsim_dev_trap_fa_cookie_write+0xc1/0x210 [netdevsim] [<0000000093d78e77>] escritura de proxy completo+0xf3/0x180 [<000000005a662c16>] escritura de vfs+0x1c5/0xaf0 [<000000007aabf84a>] escritura de ksys+0xed/0x1c0 [<000000005f1d2e47>] llamada al sistema_64+0x3b/0x90 [<000000006001c6ec>] entrada_SYSCALL_64_after_hwframe+0x63/0xcd El problema ocurre en los siguientes escenarios: nsim_dev_trap_fa_cookie_write() kmalloc() fa_cookie nsim_dev->fa_cookie = fa_cookie .. nsim_drv_remove(): La fa_cookie bloqueada en nsim_dev_trap_fa_cookie_write() no se libera. Para solucionarlo, añada kfree(nsim_dev->fa_cookie) a nsim_drv_remove()."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.0.10","matchCriteriaId":"25ED8B13-F842-4669-8961-136863DA8006"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*","matchCriteriaId":"E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*","matchCriteriaId":"17F0B248-42CF-4AE6-A469-BB1BAE7F4705"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*","matchCriteriaId":"E2422816-0C14-4B5E-A1E6-A9D776E5C49B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*","matchCriteriaId":"1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*","matchCriteriaId":"35B26BE4-43A6-4A36-A7F6-5B3F572D9186"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/064bc7312bd09a48798418663090be0c776183db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/207edad5717e0a5709ce8467f0eff41c607835c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6d463ddd0107d4188229d996dcdd45c99bad8af7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2022-49822","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-05-01T15:16:05.623","lastModified":"2026-06-01T17:16:22.827","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix connections leak when tlink setup failed\n\nIf the tlink setup failed, lost to put the connections, then\nthe module refcnt leak since the cifsd kthread not exit.\n\nAlso leak the fscache info, and for next mount with fsc, it will\nprint the follow errors:\n CIFS: Cache volume key already in use (cifs,127.0.0.1:445,TEST)\n\nLet's check the result of tlink setup, and do some cleanup."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: Se corrige la fuga de conexiones al fallar la configuración de Tlink. Si la configuración de Tlink falla, se pierden las conexiones y se produce una fuga de referencia del módulo, ya que el kthread de cifsd no finaliza. También se filtra la información de fscache, y en el siguiente montaje con fsc, se mostrarán los siguientes errores: CIFS: La clave del volumen de caché ya está en uso (cifs,127.0.0.1:445,TEST). Revisemos el resultado de la configuración de Tlink y realicemos una limpieza."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.15.81","matchCriteriaId":"00A78005-6361-427F-8D7B-122A764B8EBB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.0.10","matchCriteriaId":"64F9ADD1-3ADB-4D66-A00F-4A83010B05F0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*","matchCriteriaId":"E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*","matchCriteriaId":"17F0B248-42CF-4AE6-A469-BB1BAE7F4705"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*","matchCriteriaId":"E2422816-0C14-4B5E-A1E6-A9D776E5C49B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*","matchCriteriaId":"1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*","matchCriteriaId":"35B26BE4-43A6-4A36-A7F6-5B3F572D9186"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0a087842d10b5daa123ee5291e386cdd78413705","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1dcdf5f5b2137185cbdd5385f29949ab3da4f00c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/775d6625f96b26b90b9be9164b855ea2c471c0e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a9059e338fc000c0b87d8cf29e93c74fd703212e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2023-53133","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-05-02T16:15:32.260","lastModified":"2026-06-01T17:16:24.740","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser()\n\nWhen the buffer length of the recvmsg system call is 0, we got the\nflollowing soft lockup problem:\n\nwatchdog: BUG: soft lockup - CPU#3 stuck for 27s! [a.out:6149]\nCPU: 3 PID: 6149 Comm: a.out Kdump: loaded Not tainted 6.2.0+ #30\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:remove_wait_queue+0xb/0xc0\nCode: 5e 41 5f c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 <41> 56 41 55 41 54 55 48 89 fd 53 48 89 f3 4c 8d 6b 18 4c 8d 73 20\nRSP: 0018:ffff88811b5978b8 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffff88811a7d3780 RCX: ffffffffb7a4d768\nRDX: dffffc0000000000 RSI: ffff88811b597908 RDI: ffff888115408040\nRBP: 1ffff110236b2f1b R08: 0000000000000000 R09: ffff88811a7d37e7\nR10: ffffed10234fa6fc R11: 0000000000000001 R12: ffff88811179b800\nR13: 0000000000000001 R14: ffff88811a7d38a8 R15: ffff88811a7d37e0\nFS: 00007f6fb5398740(0000) GS:ffff888237180000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000010b6ba002 CR4: 0000000000370ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n tcp_msg_wait_data+0x279/0x2f0\n tcp_bpf_recvmsg_parser+0x3c6/0x490\n inet_recvmsg+0x280/0x290\n sock_recvmsg+0xfc/0x120\n ____sys_recvmsg+0x160/0x3d0\n ___sys_recvmsg+0xf0/0x180\n __sys_recvmsg+0xea/0x1a0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThe logic in tcp_bpf_recvmsg_parser is as follows:\n\nmsg_bytes_ready:\n\tcopied = sk_msg_recvmsg(sk, psock, msg, len, flags);\n\tif (!copied) {\n\t\twait data;\n\t\tgoto msg_bytes_ready;\n\t}\n\nIn this case, \"copied\" always is 0, the infinite loop occurs.\n\nAccording to the Linux system call man page, 0 should be returned in this\ncase. Therefore, in tcp_bpf_recvmsg_parser(), if the length is 0, directly\nreturn. Also modify several other functions with the same problem."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, sockmap: corrige un error de bucle infinito cuando len es 0 en tcp_bpf_recvmsg_parser() Cuando la longitud del búfer de la llamada del sistema recvmsg es 0, tenemos el siguiente problema de bloqueo suave: watchdog: ERROR: bloqueo suave: ¡CPU n.º 3 bloqueada durante 27 s! [a.out:6149] CPU: 3 PID: 6149 Comm: a.out Kdump: cargado No contaminado 6.2.0+ #30 Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 RIP: 0010:remove_wait_queue+0xb/0xc0 Código: 5e 41 5f c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 <41> 56 41 55 41 54 55 48 89 fd 53 48 89 f3 4c 8d 6b 18 4c 8d 73 20 RSP: 0018:ffff88811b5978b8 EFLAGS: 00000246 RAX: 000000000000000 RBX: ffff88811a7d3780 RCX: ffffffffb7a4d768 RDX: dffffc0000000000 RSI: ffff88811b597908 RDI: ffff888115408040 RBP: 1ffff110236b2f1b R08: 000000000000000 R09: ffff88811a7d37e7 R10: ffffed10234fa6fc R11: 000000000000001 R12: ffff88811179b800 R13: 0000000000000001 R14: ffff88811a7d38a8 R15: ffff88811a7d37e0 FS: 00007f6fb5398740(0000) GS:ffff888237180000(0000) knlGS:000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000080050033 CR2: 0000000020000000 CR3: 0000000010b6ba002 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Rastreo de llamadas: tcp_msg_wait_data+0x279/0x2f0 tcp_bpf_recvmsg_parser+0x3c6/0x490 inet_recvmsg+0x280/0x290 sock_recvmsg+0xfc/0x120 ____sys_recvmsg+0x160/0x3d0 ___sys_recvmsg+0xf0/0x180 __sys_recvmsg+0xea/0x1a0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc The logic in tcp_bpf_recvmsg_parser is as follows: msg_bytes_ready: copied = sk_msg_recvmsg(sk, psock, msg, len, flags); if (!copied) { wait data; goto msg_bytes_ready; } En este caso, \"copiado\" siempre es 0, se produce el bucle infinito. Según la página del manual de llamadas del sistema de Linux, en este caso se debería devolver 0. Por lo tanto, en tcp_bpf_recvmsg_parser(), si la longitud es 0, se devuelve directamente. Modifique también otras funciones con el mismo problema."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-835"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.103","matchCriteriaId":"9A448EF3-BCC2-4540-98BC-8158B650FDB6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.20","matchCriteriaId":"B22D8949-72A1-4CED-8318-A040635DEEBE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.2.7","matchCriteriaId":"EFEDDF17-189C-4901-BD6B-41752E80AAA4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:*","matchCriteriaId":"B8E3B0E8-FA27-4305-87BB-AF6C25B160CB"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4a476285f6d2921c3c9faa494eab83b78f78fc55","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bf0579989de64d36e177c0611c685dc4a91457a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d900f3d20cc3169ce42ec72acc850e662a4d4db2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f0d52cc242f279c422b487dcaaccd98b99672fd0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f45cf3ae3068e70e2c7f3e24a7f8e8aa99511f03","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-37864","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-05-09T07:16:07.410","lastModified":"2026-06-01T17:16:34.550","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: clean up FDB, MDB, VLAN entries on unbind\n\nAs explained in many places such as commit b117e1e8a86d (\"net: dsa:\ndelete dsa_legacy_fdb_add and dsa_legacy_fdb_del\"), DSA is written given\nthe assumption that higher layers have balanced additions/deletions.\nAs such, it only makes sense to be extremely vocal when those\nassumptions are violated and the driver unbinds with entries still\npresent.\n\nBut Ido Schimmel points out a very simple situation where that is wrong:\nhttps://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/\n(also briefly discussed by me in the aforementioned commit).\n\nBasically, while the bridge bypass operations are not something that DSA\nexplicitly documents, and for the majority of DSA drivers this API\nsimply causes them to go to promiscuous mode, that isn't the case for\nall drivers. Some have the necessary requirements for bridge bypass\noperations to do something useful - see dsa_switch_supports_uc_filtering().\n\nAlthough in tools/testing/selftests/net/forwarding/local_termination.sh,\nwe made an effort to popularize better mechanisms to manage address\nfilters on DSA interfaces from user space - namely macvlan for unicast,\nand setsockopt(IP_ADD_MEMBERSHIP) - through mtools - for multicast, the\nfact is that 'bridge fdb add ... self static local' also exists as\nkernel UAPI, and might be useful to someone, even if only for a quick\nhack.\n\nIt seems counter-productive to block that path by implementing shim\n.ndo_fdb_add and .ndo_fdb_del operations which just return -EOPNOTSUPP\nin order to prevent the ndo_dflt_fdb_add() and ndo_dflt_fdb_del() from\nrunning, although we could do that.\n\nAccepting that cleanup is necessary seems to be the only option.\nEspecially since we appear to be coming back at this from a different\nangle as well. Russell King is noticing that the WARN_ON() triggers even\nfor VLANs:\nhttps://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/\n\nWhat happens in the bug report above is that dsa_port_do_vlan_del() fails,\nthen the VLAN entry lingers on, and then we warn on unbind and leak it.\n\nThis is not a straight revert of the blamed commit, but we now add an\ninformational print to the kernel log (to still have a way to see\nthat bugs exist), and some extra comments gathered from past years'\nexperience, to justify the logic."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: clean up FDB, MDB, VLAN entries on unbind Como se explica en muchos lugares como la confirmación b117e1e8a86d (\"net: dsa: delete dsa_legacy_fdb_add y dsa_legacy_fdb_del\"), DSA se escribe asumiendo que las capas superiores tienen adiciones/eliminaciones equilibradas. Como tal, solo tiene sentido ser extremadamente vocal cuando se violan esas suposiciones y el controlador se desvincula con entradas aún presentes. Pero Ido Schimmel señala una situación muy simple donde eso es incorrecto: https://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/ (también discutido brevemente por mí en la confirmación mencionada anteriormente). Básicamente, mientras que las operaciones de bypass de puente no son algo que DSA documente explícitamente, y para la mayoría de los controladores DSA esta API simplemente hace que pasen al modo promiscuo, ese no es el caso para todos los controladores. Algunos requisitos para que las operaciones de bypass de puente sean útiles (véase dsa_switch_supports_uc_filtering()). Si bien en tools/testing/selftests/net/forwarding/local_termination.sh nos esforzamos por popularizar mejores mecanismos para gestionar filtros de direcciones en interfaces DSA desde el espacio de usuario (en concreto, macvlan para unidifusión y setsockopt(IP_ADD_MEMBERSHIP) mediante mtools para multidifusión), lo cierto es que «bridge fdb add ... self static local» también existe como UAPI del kernel y podría ser útil, aunque solo sea para una modificación rápida. Parece contraproducente bloquear esa ruta implementando operaciones de shim .ndo_fdb_add y .ndo_fdb_del, que simplemente devuelven -EOPNOTSUPP para impedir la ejecución de ndo_dflt_fdb_add() y ndo_dflt_fdb_del(), aunque podríamos hacerlo. Aceptar la necesidad de una depuración parece ser la única opción. Sobre todo porque parece que también estamos abordando este tema desde una perspectiva diferente. Russell King observa que la función WARN_ON() se activa incluso para las VLAN: https://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/ Lo que ocurre en el informe de error anterior es que dsa_port_do_vlan_del() falla, la entrada de la VLAN persiste y, a continuación, advertimos sobre la desvinculación y la filtramos. Esto no es una reversión directa de la confirmación criticada, sino que ahora añadimos una impresión informativa al registro del kernel (para seguir viendo la existencia de errores) y algunos comentarios adicionales recopilados de años anteriores para justificar la lógica."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.6.88","matchCriteriaId":"2CBC0222-4DFC-46A3-85BF-7DBAB71EE14B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.25","matchCriteriaId":"8E59EE65-FA6B-4AE4-8125-26135E28BF35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.14.4","matchCriteriaId":"29FA1A8E-1C2A-4B0B-B397-2C915ECDEDEE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*","matchCriteriaId":"8D465631-2980-487A-8E65-40AE2B9F8ED1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*","matchCriteriaId":"4C9D071F-B28E-46EC-AC61-22B913390211"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5e531e71b9d21d5e985251440e0d722f71299b7a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7afb5fb42d4950f33af2732b8147c552659f79b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/86c6613a69bca815f1865ed8cedfd4b9142621ab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8fcc1e6f808912977caf17366c625b95dc29ba4f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/99c50c98803425378e08a7394dc885506dc85f06","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-49961","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-06-18T11:15:23.347","lastModified":"2026-06-01T17:16:22.993","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO\n\nPrecision markers need to be propagated whenever we have an ARG_CONST_*\nstyle argument, as the verifier cannot consider imprecise scalars to be\nequivalent for the purposes of states_equal check when such arguments\nrefine the return value (in this case, set mem_size for PTR_TO_MEM). The\nresultant mem_size for the R0 is derived from the constant value, and if\nthe verifier incorrectly prunes states considering them equivalent where\nsuch arguments exist (by seeing that both registers have reg->precise as\nfalse in regsafe), we can end up with invalid programs passing the\nverifier which can do access beyond what should have been the correct\nmem_size in that explored state.\n\nTo show a concrete example of the problem:\n\n0000000000000000 :\n 0: r2 = *(u32 *)(r1 + 80)\n 1: r1 = *(u32 *)(r1 + 76)\n 2: r3 = r1\n 3: r3 += 4\n 4: if r3 > r2 goto +18 \n 5: w2 = 0\n 6: *(u32 *)(r1 + 0) = r2\n 7: r1 = *(u32 *)(r1 + 0)\n 8: r2 = 1\n 9: if w1 == 0 goto +1 \n 10: r2 = -1\n\n0000000000000058 :\n 11: r1 = 0 ll\n 13: r3 = 0\n 14: call bpf_ringbuf_reserve\n 15: if r0 == 0 goto +7 \n 16: r1 = r0\n 17: r1 += 16777215\n 18: w2 = 0\n 19: *(u8 *)(r1 + 0) = r2\n 20: r1 = r0\n 21: r2 = 0\n 22: call bpf_ringbuf_submit\n\n00000000000000b8 :\n 23: w0 = 0\n 24: exit\n\nFor the first case, the single line execution's exploration will prune\nthe search at insn 14 for the branch insn 9's second leg as it will be\nverified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will\nalways be 0 so at runtime we don't get error for being greater than\nUINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just\nsees reg->precise as false for both r2 registers in both states, hence\nconsiders them equal for purposes of states_equal.\n\nIf we propagated precise markers using the backtracking support, we\nwould use the precise marking to then ensure that old r2 (UINT_MAX) was\nwithin the new r2 (1) and this would never be true, so the verification\nwould rightfully fail.\n\nThe end result is that the out of bounds access at instruction 19 would\nbe permitted without this fix.\n\nNote that reg->precise is always set to true when user does not have\nCAP_BPF (or when subprog count is greater than 1 (i.e. use of any static\nor global functions)), hence this is only a problem when precision marks\nneed to be explicitly propagated (i.e. privileged users with CAP_BPF).\n\nA simplified test case has been included in the next patch to prevent\nfuture regressions."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Hacer mark_chain_precision para ARG_CONST_ALLOC_SIZE_OR_ZERO Los marcadores de precisión deben propagarse siempre que tengamos un argumento de estilo ARG_CONST_*, ya que el verificador no puede considerar que los escalares imprecisos sean equivalentes para los fines de la comprobación states_equal cuando dichos argumentos refinan el valor de retorno (en este caso, establecer mem_size para PTR_TO_MEM). El mem_size resultante para el R0 se deriva del valor constante, y si el verificador poda incorrectamente los estados considerándolos equivalentes donde existen dichos argumentos (al ver que ambos registros tienen reg->precise como falso en regsafe), podemos terminar con programas no válidos que pasan el verificador que pueden hacer acceso más allá de lo que debería haber sido el mem_size correcto en ese estado explorado. Para mostrar un ejemplo concreto del problema: 0000000000000000 : 0: r2 = *(u32 *)(r1 + 80) 1: r1 = *(u32 *)(r1 + 76) 2: r3 = r1 3: r3 += 4 4: si r3 > r2 goto +18 5: w2 = 0 6: *(u32 *)(r1 + 0) = r2 7: r1 = *(u32 *)(r1 + 0) 8: r2 = 1 9: si w1 == 0 goto +1 10: r2 = -1 0000000000000058 : 11: r1 = 0 ll 13: r3 = 0 14: llamar a bpf_ringbuf_reserve 15: si r0 == 0 goto +7 16: r1 = r0 17: r1 += 16777215 18: w2 = 0 19: *(u8 *)(r1 + 0) = r2 20: r1 = r0 21: r2 = 0 22: llamar a bpf_ringbuf_submit 00000000000000b8 : 23: w0 = 0 24: salir Para el primer caso, la exploración de la ejecución de una sola línea podará la búsqueda en insn 14 para la segunda rama de la rama insn 9, ya que se verificará primero utilizando r2 = -1 (UINT_MAX), mientras que como w1 en insn 9 siempre será 0, por lo que en tiempo de ejecución no obtenemos un error por ser mayor que UINT_MAX/4 de bpf_ringbuf_reserve. El verificador durante regsafe solo ve reg->precise como falso para ambos registros r2 en ambos estados, por lo tanto, los considera iguales para fines de states_equal. Si propagáramos marcadores precisos utilizando el soporte de retroceso, usaríamos el marcado preciso para asegurarnos de que el antiguo r2 (UINT_MAX) estuviera dentro del nuevo r2 (1) y esto nunca sería verdadero, por lo que la verificación fallaría legítimamente. El resultado final es que el acceso fuera de los límites en la instrucción 19 se permitiría sin esta corrección. Tenga en cuenta que reg->precise siempre se establece en verdadero cuando el usuario no tiene CAP_BPF (o cuando el recuento de subprocesos es mayor que 1 (es decir, uso de cualquier función estática o global)), por lo tanto, esto solo es un problema cuando las marcas de precisión deben propagarse explícitamente (es decir, usuarios privilegiados con CAP_BPF). Se ha incluido un caso de prueba simplificado en el próximo parche para evitar futuras regresiones."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.19.8","matchCriteriaId":"E240750A-F19E-4C50-8D2E-BC11FF9EAB4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*","matchCriteriaId":"E8BD11A3-8643-49B6-BADE-5029A0117325"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*","matchCriteriaId":"5F0AD220-F6A9-4012-8636-155F1B841FAD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*","matchCriteriaId":"A46498B3-78E1-4623-AAE1-94D29A42BE4E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2459615a8d7f44ac81f0965bc094e55ccb254717","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2fc31465c5373b5ca4edf2e5238558cb62902311","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/987b4c465ba28c662ca857be6c20fd2d96bc55f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2022-50073","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-06-18T11:15:36.173","lastModified":"2026-06-01T17:16:23.270","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null\n\nFixes a NULL pointer derefence bug triggered from tap driver.\nWhen tap_get_user calls virtio_net_hdr_to_skb the skb->dev is null\n(in tap.c skb->dev is set after the call to virtio_net_hdr_to_skb)\nvirtio_net_hdr_to_skb calls dev_parse_header_protocol which\nneeds skb->dev field to be valid.\n\nThe line that trigers the bug is in dev_parse_header_protocol\n(dev is at offset 0x10 from skb and is stored in RAX register)\n if (!dev->header_ops || !dev->header_ops->parse_protocol)\n 22e1: mov 0x10(%rbx),%rax\n 22e5:\t mov 0x230(%rax),%rax\n\nSetting skb->dev before the call in tap.c fixes the issue.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000230\nRIP: 0010:virtio_net_hdr_to_skb.constprop.0+0x335/0x410 [tap]\nCode: c0 0f 85 b7 fd ff ff eb d4 41 39 c6 77 cf 29 c6 48 89 df 44 01 f6 e8 7a 79 83 c1 48 85 c0 0f 85 d9 fd ff ff eb b7 48 8b 43 10 <48> 8b 80 30 02 00 00 48 85 c0 74 55 48 8b 40 28 48 85 c0 74 4c 48\nRSP: 0018:ffffc90005c27c38 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff888298f25300 RCX: 0000000000000010\nRDX: 0000000000000005 RSI: ffffc90005c27cb6 RDI: ffff888298f25300\nRBP: ffffc90005c27c80 R08: 00000000ffffffea R09: 00000000000007e8\nR10: ffff88858ec77458 R11: 0000000000000000 R12: 0000000000000001\nR13: 0000000000000014 R14: ffffc90005c27e08 R15: ffffc90005c27cb6\nFS: 0000000000000000(0000) GS:ffff88858ec40000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000230 CR3: 0000000281408006 CR4: 00000000003706e0\nCall Trace:\n tap_get_user+0x3f1/0x540 [tap]\n tap_sendmsg+0x56/0x362 [tap]\n ? get_tx_bufs+0xc2/0x1e0 [vhost_net]\n handle_tx_copy+0x114/0x670 [vhost_net]\n handle_tx+0xb0/0xe0 [vhost_net]\n handle_tx_kick+0x15/0x20 [vhost_net]\n vhost_worker+0x7b/0xc0 [vhost]\n ? vhost_vring_call_reset+0x40/0x40 [vhost]\n kthread+0xfa/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tap: Desreferencia de puntero nulo en dev_parse_header_protocol cuando skb->dev es nulo. Corrige un error de desreferencia de puntero nulo provocado por el controlador tap. Cuando tap_get_user llama a virtio_net_hdr_to_skb, skb->dev es nulo (en tap.c, skb->dev se establece después de la llamada a virtio_net_hdr_to_skb). virtio_net_hdr_to_skb llama a dev_parse_header_protocol, que requiere que el campo skb->dev sea válido. La línea que activa el error está en dev_parse_header_protocol (dev está en el desplazamiento 0x10 desde skb y está almacenado en el registro RAX) if (!dev->header_ops || !dev->header_ops->parse_protocol) 22e1: mov 0x10(%rbx),%rax 22e5: mov 0x230(%rax),%rax Configurar skb->dev antes de la llamada en tap.c soluciona el problema. ERROR: desreferencia de puntero NULL del núcleo, dirección: 0000000000000230 RIP: 0010:virtio_net_hdr_to_skb.constprop.0+0x335/0x410 [tap] Código: c0 0f 85 b7 fd ff ff eb d4 41 39 c6 77 cf 29 c6 48 89 df 44 01 f6 e8 7a 79 83 c1 48 85 c0 0f 85 d9 fd ff ff eb b7 48 8b 43 10 <48> 8b 80 30 02 00 00 48 85 c0 74 55 48 8b 40 28 48 85 c0 74 4c 48 RSP: 0018:ffffc90005c27c38 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888298f25300 RCX: 0000000000000010 RDX: 0000000000000005 RSI: ffffc90005c27cb6 RDI: ffff888298f25300 RBP: ffffc90005c27c80 R08: 00000000ffffffea R09: 00000000000007e8 R10: ffff88858ec77458 R11: 00000000000000000 R12: 0000000000000001 R13: 0000000000000014 R14: ffffc90005c27e08 R15: ffffc90005c27cb6 FS: 000000000000000(0000) GS:ffff88858ec40000(0000) knlGS:000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000230 CR3: 0000000281408006 CR4: 00000000003706e0 Rastreo de llamadas: tap_get_user+0x3f1/0x540 [tap] tap_sendmsg+0x56/0x362 [tap] ? get_tx_bufs+0xc2/0x1e0 [vhost_net] handle_tx_copy+0x114/0x670 [vhost_net] handle_tx+0xb0/0xe0 [vhost_net] handle_tx_kick+0x15/0x20 [vhost_net] vhost_worker+0x7b/0xc0 [vhost] ? vhost_vring_call_reset+0x40/0x40 [vhost] kthread+0xfa/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 "}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.226","versionEndExcluding":"4.15","matchCriteriaId":"C9608EF4-37A2-4904-B924-93CA34F65EBE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.181","versionEndExcluding":"4.20","matchCriteriaId":"6CD1844D-5434-4975-BB93-6CD6962BDD86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.106","versionEndExcluding":"5.5","matchCriteriaId":"65DA83B3-8CE9-4F0B-85BE-72293590844D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.24","versionEndExcluding":"5.11","matchCriteriaId":"BBCF7704-6B2C-46CC-AC9A-0CC0AB7DAA73"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11.7","versionEndExcluding":"5.12","matchCriteriaId":"FDFD4195-BBCD-4B40-801F-7EB86B6CD9C6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12.1","versionEndExcluding":"5.19.4","matchCriteriaId":"5CCE065C-FD94-4855-8B7E-61C5D8CA0736"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.12:-:*:*:*:*:*:*","matchCriteriaId":"75EB504D-4A83-4C67-9C8D-FD9C6C8EB4CD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.12:rc3:*:*:*:*:*:*","matchCriteriaId":"E5371152-7515-4908-BB7E-494805EA5DF2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.12:rc4:*:*:*:*:*:*","matchCriteriaId":"D7788E5B-D54E-45BF-9043-2C7B77842FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.12:rc5:*:*:*:*:*:*","matchCriteriaId":"A935F9F1-DA8B-49F4-BF2B-FA01A92F113E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.12:rc6:*:*:*:*:*:*","matchCriteriaId":"DF0AF673-12B7-4274-9090-411D4939CB62"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.12:rc7:*:*:*:*:*:*","matchCriteriaId":"06AE06A6-A0C3-4556-BFFA-3D6E4BAC43C8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.12:rc8:*:*:*:*:*:*","matchCriteriaId":"FCE63934-38CF-4311-AD72-624E86AF3889"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/447ba770cfe798925f4923548b367fd49f0ee5f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4f61f133f354853bc394ec7d6028adb9b02dd701","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8f90163f9e013c8fc791aab338aab44a46044cfc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dd29648fcf69339713f2d25f7014ae905dcdfc18","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-50116","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-06-18T11:15:41.257","lastModified":"2026-06-01T17:16:23.453","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix deadlock and link starvation in outgoing data path\n\nThe current implementation queues up new control and user packets as needed\nand processes this queue down to the ldisc in the same code path.\nThat means that the upper and the lower layer are hard coupled in the code.\nDue to this deadlocks can happen as seen below while transmitting data,\nespecially during ldisc congestion. Furthermore, the data channels starve\nthe control channel on high transmission load on the ldisc.\n\nIntroduce an additional control channel data queue to prevent timeouts and\nlink hangups during ldisc congestion. This is being processed before the\nuser channel data queue in gsm_data_kick(), i.e. with the highest priority.\nPut the queue to ldisc data path into a workqueue and trigger it whenever\nnew data has been put into the transmission queue. Change\ngsm_dlci_data_sweep() accordingly to fill up the transmission queue until\nTX_THRESH_HI. This solves the locking issue, keeps latency low and provides\ngood performance on high data load.\nNote that now all packets from a DLCI are removed from the internal queue\nif the associated DLCI was closed. This ensures that no data is sent by the\nintroduced write task to an already closed DLCI.\n\nBUG: spinlock recursion on CPU#0, test_v24_loop/124\n lock: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0\nCPU: 0 PID: 124 Comm: test_v24_loop Tainted: G O 5.18.0-rc2 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x34/0x44\n do_raw_spin_lock+0x76/0xa0\n _raw_spin_lock_irqsave+0x72/0x80\n uart_write_room+0x3b/0xc0\n gsm_data_kick+0x14b/0x240 [n_gsm]\n gsmld_write_wakeup+0x35/0x70 [n_gsm]\n tty_wakeup+0x53/0x60\n tty_port_default_wakeup+0x1b/0x30\n serial8250_tx_chars+0x12f/0x220\n serial8250_handle_irq.part.0+0xfe/0x150\n serial8250_default_handle_irq+0x48/0x80\n serial8250_interrupt+0x56/0xa0\n __handle_irq_event_percpu+0x78/0x1f0\n handle_irq_event+0x34/0x70\n handle_fasteoi_irq+0x90/0x1e0\n __common_interrupt+0x69/0x100\n common_interrupt+0x48/0xc0\n asm_common_interrupt+0x1e/0x40\nRIP: 0010:__do_softirq+0x83/0x34e\nCode: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d\ne2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff <49> c7 c2 40 61\n80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00\nRSP: 0018:ffffc90000003f98 EFLAGS: 00000286\nRAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7\nRBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000\n ? __do_softirq+0x73/0x34e\n irq_exit_rcu+0xb5/0x100\n common_interrupt+0xa4/0xc0\n \n \n asm_common_interrupt+0x1e/0x40\nRIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50\nCode: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff\n48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00 3d 97 33 ff\n65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44\nRSP: 0018:ffffc9000020fd08 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000\nRDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001\nRBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8\n ? _raw_spin_unlock_irqrestore+0x23/0x50\n gsmtty_write+0x65/0x80 [n_gsm]\n n_tty_write+0x33f/0x530\n ? swake_up_all+0xe0/0xe0\n file_tty_write.constprop.0+0x1b1/0x320\n ? n_tty_flush_buffer+0xb0/0xb0\n new_sync_write+0x10c/0x190\n vfs_write+0x282/0x310\n ksys_write+0x68/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f3e5e35c15c\nCode: 8b 7c 24 08 89 c5 e8 c5 ff ff ff 89 ef 89 44 24\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tty: n_gsm: corrige el bloqueo y la inanición del enlace en la ruta de datos de salida La implementación actual pone en cola nuevos paquetes de control y de usuario según sea necesario y procesa esta cola hasta el ldisc en la misma ruta de código. Eso significa que las capas superior e inferior están acopladas rígidamente en el código. Debido a esto, pueden ocurrir bloqueos como se ve a continuación mientras se transmiten datos, especialmente durante la congestión del ldisc. Además, los canales de datos privan al canal de control en una carga de transmisión alta en el ldisc. Introduzca una cola de datos de canal de control adicional para evitar tiempos de espera y cuelgues de enlace durante la congestión del ldisc. Esto se procesa antes que la cola de datos del canal de usuario en gsm_data_kick(), es decir, con la máxima prioridad. Coloque la cola a la ruta de datos del ldisc en una cola de trabajo y actívela siempre que se hayan incluido nuevos datos en la cola de transmisión. Modifique gsm_dlci_data_sweep() según corresponda para llenar la cola de transmisión hasta TX_THRESH_HI. Esto soluciona el problema de bloqueo, mantiene baja la latencia y proporciona un buen rendimiento con una carga de datos alta. Tenga en cuenta que ahora todos los paquetes de un DLCI se eliminan de la cola interna si el DLCI asociado estaba cerrado. Esto garantiza que la tarea de escritura introducida no envíe datos a un DLCI ya cerrado. ERROR: recursión de spinlock en CPU#0, test_v24_loop/124 bloqueo: serial8250_ports+0x3a8/0x7500, .magic: dead4ead, .owner: test_v24_loop/124, .owner_cpu: 0 CPU: 0 PID: 124 Comm: test_v24_loop Contaminado: GO 5.18.0-rc2 #3 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 01/04/2014 Rastreo de llamadas: dump_stack_lvl+0x34/0x44 do_raw_spin_lock+0x76/0xa0 _raw_spin_lock_irqsave+0x72/0x80 uart_write_room+0x3b/0xc0 gsm_data_kick+0x14b/0x240 [n_gsm] gsmld_write_wakeup+0x35/0x70 [n_gsm] tty_wakeup+0x53/0x60 tty_port_default_wakeup+0x1b/0x30 serial8250_tx_chars+0x12f/0x220 serial8250_handle_irq.part.0+0xfe/0x150 serial8250_default_handle_irq+0x48/0x80 serial8250_interrupt+0x56/0xa0 __handle_irq_event_percpu+0x78/0x1f0 handle_irq_event+0x34/0x70 handle_fasteoi_irq+0x90/0x1e0 __common_interrupt+0x69/0x100 common_interrupt+0x48/0xc0 asm_common_interrupt+0x1e/0x40 RIP: 0010:__do_softirq+0x83/0x34e Code: 2a 0a ff 0f b7 ed c7 44 24 10 0a 00 00 00 48 c7 c7 51 2a 64 82 e8 2d e2 d5 ff 65 66 c7 05 83 af 1e 7e 00 00 fb b8 ff ff ff ff <49> c7 c2 40 61 80 82 0f bc c5 41 89 c4 41 83 c4 01 0f 84 e6 00 00 RSP: 0018:ffffc90000003f98 EFLAGS: 00000286 RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff82642a51 RDI: ffffffff825bb5e7 RBP: 0000000000000200 R08: 00000008de3271a8 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000030 R14: 0000000000000000 R15: 0000000000000000 ? __do_softirq+0x73/0x34e irq_exit_rcu+0xb5/0x100 common_interrupt+0xa4/0xc0 asm_common_interrupt+0x1e/0x40 RIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50 Code: 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 85 28 36 ff 48 89 ef e8 cd 58 36 ff 80 e7 02 74 01 fb bf 01 00 00 00 3d 97 33 ff 65 8b 05 96 23 2b 7e 85 c0 74 03 5b 5d c3 0f 1f 44 RSP: 0018:ffffc9000020fd08 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000246 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffffffff8257fd74 RDI: 0000000000000001 RBP: ffff8880057de3a0 R08: 00000008de233000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000100 R14: 0000000000000202 R15: ffff8880057df0b8 ? _raw_spin_unlock_irqrestore+0x23/0x50 gsmtty_write+0x65/0x80 [n_gsm] n_tty_write+0x33f/0x530 ? swake_up_all+0xe0/0xe0 file_tty_write.constprop.0+0x1b1/0x320 ? n_tty_flush_buffer+0xb0/0xb0 new_sync_write+0x10c/0x190 vfs_write+0x282/0x310 ksys_write+0x68/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"5.18.18","matchCriteriaId":"D85A2140-5A58-48E8-BB38-4918B0EB5E8A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"5.19.2","matchCriteriaId":"A1A2A5A5-4598-4D7E-BA07-4660398D6C8F"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0af021678d5d30c31f5a6b631f404ead3575212a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5020173e7e7725110a8d4be1359bf1dfc4b1814d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7962a4b900099cf90e02859bb297f2c618d8d940","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c165698c9919b000bdbe73859d3bb7b33bdb9223","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-38105","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-03T09:15:23.997","lastModified":"2026-06-01T17:16:34.727","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Kill timer properly at removal\n\nThe USB-audio MIDI code initializes the timer, but in a rare case, the\ndriver might be freed without the disconnect call. This leaves the\ntimer in an active state while the assigned object is released via\nsnd_usbmidi_free(), which ends up with a kernel warning when the debug\nconfiguration is enabled, as spotted by fuzzer.\n\nFor avoiding the problem, put timer_shutdown_sync() at\nsnd_usbmidi_free(), so that the timer can be killed properly.\nWhile we're at it, replace the existing timer_delete_sync() at the\ndisconnect callback with timer_shutdown_sync(), too."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: usb-audio: Kill timer properly at removal El código MIDI USB-audio inicializa el temporizador, pero en un caso raro, el controlador podría liberarse sin la llamada de desconexión. Esto deja al temporizador en un estado activo mientras el objeto asignado se libera a través de snd_usbmidi_free(), lo que termina con una advertencia del kernel cuando se habilita la configuración de depuración, como lo detectó un fuzzer. Para evitar el problema, coloque timer_shutdown_sync() en snd_usbmidi_free(), para que el temporizador pueda ser eliminado correctamente. Mientras estamos en ello, reemplace también el timer_delete_sync() existente en la devolución de llamada de desconexión con timer_shutdown_sync()."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.14","versionEndExcluding":"6.6.111","matchCriteriaId":"0317582A-6B0D-428B-AEE4-F2F23E337ACF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.52","matchCriteriaId":"2D9B210A-8880-498F-A5CE-0C653F909220"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.3","matchCriteriaId":"0541C761-BD5E-4C1A-8432-83B375D7EB92"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/06513dd6d32c37d0364db8488cfdf3e14da238a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/647410a7da46067953a53c0d03f8680eff570959","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c611b9e55174e439dcd85a72969b43a95f3827a4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/efaf61052b8ff9ee8968912fbaf02c2847c78ede","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-38192","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-04T14:15:26.280","lastModified":"2026-06-01T17:16:34.887","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: clear the dst when changing skb protocol\n\nA not-so-careful NAT46 BPF program can crash the kernel\nif it indiscriminately flips ingress packets from v4 to v6:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n ip6_rcv_core (net/ipv6/ip6_input.c:190:20)\n ipv6_rcv (net/ipv6/ip6_input.c:306:8)\n process_backlog (net/core/dev.c:6186:4)\n napi_poll (net/core/dev.c:6906:9)\n net_rx_action (net/core/dev.c:7028:13)\n do_softirq (kernel/softirq.c:462:3)\n netif_rx (net/core/dev.c:5326:3)\n dev_loopback_xmit (net/core/dev.c:4015:2)\n ip_mc_finish_output (net/ipv4/ip_output.c:363:8)\n NF_HOOK (./include/linux/netfilter.h:314:9)\n ip_mc_output (net/ipv4/ip_output.c:400:5)\n dst_output (./include/net/dst.h:459:9)\n ip_local_out (net/ipv4/ip_output.c:130:9)\n ip_send_skb (net/ipv4/ip_output.c:1496:8)\n udp_send_skb (net/ipv4/udp.c:1040:8)\n udp_sendmsg (net/ipv4/udp.c:1328:10)\n\nThe output interface has a 4->6 program attached at ingress.\nWe try to loop the multicast skb back to the sending socket.\nIngress BPF runs as part of netif_rx(), pushes a valid v6 hdr\nand changes skb->protocol to v6. We enter ip6_rcv_core which\ntries to use skb_dst(). But the dst is still an IPv4 one left\nafter IPv4 mcast output.\n\nClear the dst in all BPF helpers which change the protocol.\nTry to preserve metadata dsts, those may carry non-routing\nmetadata."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: borrar el dst al cambiar el protocolo skb Un programa BPF NAT46 no tan cuidadoso puede hacer que el kernel se bloquee si cambia indiscriminadamente los paquetes de entrada de v4 a v6: ERROR: kernel NULL pointer dereference, address: 0000000000000000 ip6_rcv_core (net/ipv6/ip6_input.c:190:20) ipv6_rcv (net/ipv6/ip6_input.c:306:8) process_backlog (net/core/dev.c:6186:4) napi_poll (net/core/dev.c:6906:9) net_rx_action (net/core/dev.c:7028:13) do_softirq (kernel/softirq.c:462:3) netif_rx (net/core/dev.c:5326:3) dev_loopback_xmit (net/core/dev.c:4015:2) ip_mc_finish_output (net/ipv4/ip_output.c:363:8) NF_HOOK (./include/linux/netfilter.h:314:9) ip_mc_output (net/ipv4/ip_output.c:400:5) dst_output (./include/net/dst.h:459:9) ip_local_out (net/ipv4/ip_output.c:130:9) ip_send_skb (net/ipv4/ip_output.c:1496:8) udp_send_skb (net/ipv4/udp.c:1040:8) udp_sendmsg (net/ipv4/udp.c:1328:10) La interfaz de salida tiene un programa 4->6 conectado en la entrada. Intentamos devolver el skb de multidifusión al socket de envío. El BPF de entrada se ejecuta como parte de netif_rx(), envía un hdr v6 válido y cambia el protocolo skb a v6. Introducimos ip6_rcv_core, que intenta usar skb_dst(). Sin embargo, el dst sigue siendo IPv4 tras la salida de mcast IPv4. Borre el dst en todos los ayudantes de BPF que cambien el protocolo. Intente conservar los dst de metadatos, ya que pueden contener metadatos no relacionados con el enrutamiento."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.6.95","matchCriteriaId":"48B353B3-604B-4851-A2E8-6C4F134728E5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.35","matchCriteriaId":"E569FD34-0076-4428-BE17-EECCF867611C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.4","matchCriteriaId":"DFD174C5-1AA2-4671-BDDC-1A9FCC753655"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*","matchCriteriaId":"6D4894DB-CCFE-4602-B1BF-3960B2E19A01"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2a3ad42a57b43145839f2f233fb562247658a6d9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/98b1d8dc9a3170b2614f1e8c93854e75cdd83980","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a046f183d21ab5ace5a96ece4cf9873a42f003a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ba9db6f907ac02215e30128770f85fbd7db2fcf9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bfa4d86e130a09f67607482e988313430e38f6c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e9994e7b9f7bbb882d13c8191731649249150d21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-38250","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-07-09T11:15:27.193","lastModified":"2026-06-01T17:16:35.033","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix use-after-free in vhci_flush()\n\nsyzbot reported use-after-free in vhci_flush() without repro. [0]\n\nFrom the splat, a thread close()d a vhci file descriptor while\nits device was being used by iotcl() on another thread.\n\nOnce the last fd refcnt is released, vhci_release() calls\nhci_unregister_dev(), hci_free_dev(), and kfree() for struct\nvhci_data, which is set to hci_dev->dev->driver_data.\n\nThe problem is that there is no synchronisation after unlinking\nhdev from hci_dev_list in hci_unregister_dev(). There might be\nanother thread still accessing the hdev which was fetched before\nthe unlink operation.\n\nWe can use SRCU for such synchronisation.\n\nLet's run hci_dev_reset() under SRCU and wait for its completion\nin hci_unregister_dev().\n\nAnother option would be to restore hci_dev->destruct(), which was\nremoved in commit 587ae086f6e4 (\"Bluetooth: Remove unused\nhci-destruct cb\"). However, this would not be a good solution, as\nwe should not run hci_unregister_dev() while there are in-flight\nioctl() requests, which could lead to another data-race KCSAN splat.\n\nNote that other drivers seem to have the same problem, for exmaple,\nvirtbt_remove().\n\n[0]:\nBUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\nBUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\nRead of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718\n\nCPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n \n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]\n skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937\n skb_queue_purge include/linux/skbuff.h:3368 [inline]\n vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69\n hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]\n hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592\n sock_do_ioctl+0xd9/0x300 net/socket.c:1190\n sock_ioctl+0x576/0x790 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fcf5b98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929\nRDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009\nRBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528\n \n\nAllocated by task 6535:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635\n misc_open+0x2bc/0x330 drivers/char/misc.c:161\n chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414\n do_dentry_open+0xdf0/0x1970 fs/open.c:964\n vfs_open+0x3b/0x340 fs/open.c:1094\n do_open fs/namei.c:3887 [inline]\n path_openat+0x2ee5/0x3830 fs/name\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: hci_core: Se corrige el use-after-free en vhci_flush() syzbot informó use-after-free en vhci_flush() sin reproducción. [0] Desde el splat, un subproceso cierra() un descriptor de archivo vhci mientras su dispositivo estaba siendo usado por iotcl() en otro subproceso. Una vez que se libera el último fd refcnt, vhci_release() llama a hci_unregister_dev(), hci_free_dev() y kfree() para struct vhci_data, que está configurado en hci_dev->dev->driver_data. El problema es que no hay sincronización después de desvincular hdev de hci_dev_list en hci_unregister_dev(). Podría haber otro subproceso que aún acceda al hdev que se obtuvo antes de la operación de desvinculación. Podemos usar SRCU para dicha sincronización. Ejecutemos hci_dev_reset() en SRCU y esperemos a que se complete en hci_unregister_dev(). Otra opción sería restaurar hci_dev->destruct(), que se eliminó en el commit 587ae086f6e4 (\"Bluetooth: Eliminar el bloque de comandos hci-destruct no utilizado\"). Sin embargo, esta no sería una buena solución, ya que no deberíamos ejecutar hci_unregister_dev() mientras haya solicitudes ioctl() en curso, lo que podría provocar otro error de KCSAN en la ejecución de datos. Tenga en cuenta que otros controladores parecen tener el mismo problema, por ejemplo, virtbt_remove(). [0]: ERROR: KASAN: slab-use-after-free en skb_queue_empty_lockless include/linux/skbuff.h:1891 [en línea] ERROR: KASAN: slab-use-after-free en skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 Lectura de tamaño 8 en la dirección ffff88807cb8d858 por la tarea syz.1.219/6718 CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 No contaminado 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full) Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Rastreo de llamadas: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 skb_queue_purge include/linux/skbuff.h:3368 [inline] vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69 hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline] hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592 sock_do_ioctl+0xd9/0x300 net/socket.c:1190 sock_ioctl+0x576/0x790 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcf5b98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929 RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009 RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528 Allocated by task 6535: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635 misc_open+0x2bc/0x330 drivers/char/misc.c:161 chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414 do_dentry_open+0xdf0/0x1970 fs/open.c:964 vfs_open+0x3b/0x340 fs/open.c:1094 ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"6.6.97","matchCriteriaId":"B7D2126A-0CD0-4115-A75E-37D8FA8907ED"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.36","matchCriteriaId":"2BD88DEC-018F-4F40-8E29-A2CA89813EBA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.5","matchCriteriaId":"0CC768E2-3BBC-4A6E-9C2F-ECB27A703C2D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*","matchCriteriaId":"6D4894DB-CCFE-4602-B1BF-3960B2E19A01"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*","matchCriteriaId":"09709862-E348-4378-8632-5A7813EDDC86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*","matchCriteriaId":"415BF58A-8197-43F5-B3D7-D1D63057A26E"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0e5c144c557df910ab64d9c25d06399a9a735e65","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1d6123102e9fbedc8d25bf4731da6d513173e49e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/90dee0a0ff84fac8accd5be98412b3819f667149","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bc0819a25e04cd68ef3568cfa51b63118fea39a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c56b177efce8b62798e4d96bdb9867106cb7c4a0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ce23b73f0f27e2dbeb81734a79db710f05aa33c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-38584","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-19T17:15:35.723","lastModified":"2026-06-01T17:16:35.347","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix pd UAF once and for all\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit. A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly. If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue->serial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue->serial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: padata: Arregla pd UAF de una vez por todas Hay una condición de ejecución/UAF en padata_reorder que se remonta a la confirmación inicial. Se toma un recuento de referencias al inicio del proceso en padata_do_parallel y se libera al final en padata_serial_worker. Este recuento de referencias es (y solo es) necesario para que padata_replace funcione correctamente. Si nunca se llama a padata_replace, no hay problema. En la función padata_reorder que sirve como núcleo de padata, tan pronto como padata se agrega a queue->serial.list y se libera el bloqueo de giro asociado, ese padata puede procesarse y el recuento de referencias en pd desaparecería. Arregla esto obteniendo el siguiente padata antes de que se libere el bloqueo squeue->serial. Para que esto sea posible, simplifica padata_reorder llamándolo solo una vez que llega el siguiente padata."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.15.10","matchCriteriaId":"70708DCC-6F9D-4EFE-AF47-0CA615284AD2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.16.1","matchCriteriaId":"58182352-D7DF-4CC9-841E-03C1D852C3FB"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/609e59193fc6d9dd323f1c6ae1fdd721f1c79680","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/73f132e60857038416540c3599b1de6033d7575a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a11a12a9880ab37342b73c93cfe1a3ada02ff0db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a2048e475e22b13dc3e53d485b7e6e11464ed9a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f231d5d001ec75f5886c02d496a4c79edc383d45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-38626","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-22T16:15:36.193","lastModified":"2026-06-01T17:16:35.500","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode\n\nw/ \"mode=lfs\" mount option, generic/299 will cause system panic as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2835!\nCall Trace:\n \n f2fs_allocate_data_block+0x6f4/0xc50\n f2fs_map_blocks+0x970/0x1550\n f2fs_iomap_begin+0xb2/0x1e0\n iomap_iter+0x1d6/0x430\n __iomap_dio_rw+0x208/0x9a0\n f2fs_file_write_iter+0x6b3/0xfa0\n aio_write+0x15d/0x2e0\n io_submit_one+0x55e/0xab0\n __x64_sys_io_submit+0xa5/0x230\n do_syscall_64+0x84/0x2f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0010:new_curseg+0x70f/0x720\n\nThe root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may\ntrigger foreground gc only if it allocates any physical block, it will be\na little bit later when there is multiple threads writing data w/\naio/dio/bufio method in parallel, since we always use OPU in lfs mode, so\nf2fs_map_blocks() does block allocations aggressively.\n\nIn order to fix this issue, let's give a chance to trigger foreground\ngc in prior to block allocation in f2fs_map_blocks()."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: corrección para activar el gc de primer plano durante f2fs_map_blocks() en modo lfs con la opción de montaje \"mode=lfs\", generic/299 provocará pánico en el sistema como se muestra a continuación: ------------[ cortar aquí ]------------ ¡ERROR del kernel en fs/f2fs/segment.c:2835! Rastreo de llamadas: f2fs_allocate_data_block+0x6f4/0xc50 f2fs_map_blocks+0x970/0x1550 f2fs_iomap_begin+0xb2/0x1e0 iomap_iter+0x1d6/0x430 __iomap_dio_rw+0x208/0x9a0 f2fs_file_write_iter+0x6b3/0xfa0 aio_write+0x15d/0x2e0 io_submit_one+0x55e/0xab0 __x64_sys_io_submit+0xa5/0x230 do_syscall_64+0x84/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0010:new_curseg+0x70f/0x720 La causa principal de la falta de espacio es que, en f2fs_map_blocks(), f2fs puede activar el recolector de basura en primer plano solo si asigna algún bloque físico. Esto ocurrirá un poco más tarde, cuando varios subprocesos escriban datos con el método aio/dio/bufio en paralelo. Dado que siempre usamos OPU en modo lfs, f2fs_map_blocks() realiza asignaciones de bloques de forma agresiva. Para solucionar este problema, permitamos que el recolector de basura en primer plano se active antes de la asignación de bloques en f2fs_map_blocks()."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.6.102","matchCriteriaId":"DA9CAA58-80C7-48D4-A774-66C1C7B0CA0A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.42","matchCriteriaId":"EA7AA5E6-4376-4A85-A021-6ACC5FF801C3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.10","matchCriteriaId":"5890C690-B295-40C2-9121-FF5F987E5142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.16.1","matchCriteriaId":"58182352-D7DF-4CC9-841E-03C1D852C3FB"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1005a3ca28e90c7a64fa43023f866b960a60f791","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/385e64a0744584397b4b52b27c96703516f39968","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/82765ce5c7a56f9309ee45328e763610eaf11253","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c737047f4665232d1e26b3620bc62df334545451","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d2f280f43a2a9d918fd23169ff3a6f3b65c7cec5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f289690f50a01c3e085d87853392d5b7436a4cee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-38627","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-22T16:15:36.337","lastModified":"2026-06-01T17:16:35.667","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic\n\nThe decompress_io_ctx may be released asynchronously after\nI/O completion. If this file is deleted immediately after read,\nand the kworker of processing post_read_wq has not been executed yet\ndue to high workloads, It is possible that the inode(f2fs_inode_info)\nis evicted and freed before it is used f2fs_free_dic.\n\n The UAF case as below:\n Thread A Thread B\n - f2fs_decompress_end_io\n - f2fs_put_dic\n - queue_work\n add free_dic work to post_read_wq\n - do_unlink\n - iput\n - evict\n - call_rcu\n This file is deleted after read.\n\n Thread C kworker to process post_read_wq\n - rcu_do_batch\n - f2fs_free_inode\n - kmem_cache_free\n inode is freed by rcu\n - process_scheduled_works\n - f2fs_late_free_dic\n - f2fs_free_dic\n - f2fs_release_decomp_mem\n read (dic->inode)->i_compress_algorithm\n\nThis patch store compress_algorithm and sbi in dic to avoid inode UAF.\n\nIn addition, the previous solution is deprecated in [1] may cause system hang.\n[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: compress: fix UAF de f2fs_inode_info en f2fs_free_dic El decompress_io_ctx puede liberarse de forma asíncrona tras la finalización de la E/S. Si este archivo se elimina inmediatamente después de la lectura, y el kworker del procesamiento de post_read_wq aún no se ha ejecutado debido a las altas cargas de trabajo, es posible que el inodo (f2fs_inode_info) se desaloje y se libere antes de que se use f2fs_free_dic. El caso de UAF como se muestra a continuación: Hilo A Hilo B - f2fs_decompress_end_io - f2fs_put_dic - queue_work añadir trabajo free_dic a post_read_wq - do_unlink - iput - evict - call_rcu Este archivo se elimina tras la lectura. Hilo C kworker para procesar post_read_wq - rcu_do_batch - f2fs_free_inode - kmem_cache_free inodo liberado por rcu - process_scheduled_works - f2fs_late_free_dic - f2fs_free_dic - f2fs_release_decomp_mem lectura (dic->inode)->i_compress_algorithm). Este parche almacena compress_algorithm y sbi en dic para evitar el UAF del inodo. Además, la solución anterior está obsoleta en [1] y puede causar un bloqueo del sistema. [1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.16.1","matchCriteriaId":"3AF1532A-8F0C-4D73-8D9F-3580F2A8F834"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5d604d40cd3232b09cb339941ef958e49283ed0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/74cbeeca4f16823ba58c882e1d8b836c0e39c93d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cc81768212cdc509e5a986274db7bc24d18cde19","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-38659","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-22T16:15:41.053","lastModified":"2026-06-01T17:16:35.787","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: No more self recovery\n\nWhen a node withdraws and it turns out that it is the only node that has\nthe filesystem mounted, gfs2 currently tries to replay the local journal\nto bring the filesystem back into a consistent state. Not only is that\na very bad idea, it has also never worked because gfs2_recover_func()\nwill refuse to do anything during a withdraw.\n\nHowever, before even getting to this point, gfs2_recover_func()\ndereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before\ncommit 04133b607a78 (\"gfs2: Prevent double iput for journal on error\")\nand is a NULL pointer dereference since then.\n\nSimply get rid of self recovery to fix that."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gfs2: No más autorrecuperación. Cuando un nodo se retira y resulta ser el único que tiene montado el sistema de archivos, gfs2 intenta reproducir el diario local para restablecer la consistencia del sistema de archivos. Esto no solo es una pésima idea, sino que nunca ha funcionado, ya que gfs2_recover_func() se niega a hacer nada durante una retirada. Sin embargo, incluso antes de llegar a este punto, gfs2_recover_func() desreferencia sdp->sd_jdesc->jd_inode. Esto era un use-after-free antes del commit 04133b607a78 (\"gfs2: Evitar doble entrada para el diario en caso de error\") y, desde entonces, es una desreferencia de puntero nulo. Simplemente elimine la autorrecuperación para solucionarlo."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.6.102","matchCriteriaId":"15CE236D-FDAD-4D13-A4F9-81000110F6C5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.42","matchCriteriaId":"EA7AA5E6-4376-4A85-A021-6ACC5FF801C3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.10","matchCriteriaId":"5890C690-B295-40C2-9121-FF5F987E5142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.16.1","matchCriteriaId":"58182352-D7DF-4CC9-841E-03C1D852C3FB"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1a91ba12abef628b43cada87478328274d988e88","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6784367b2f3cd7b89103de35764f37f152590dbd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/69cf5699a402ee7ae1be53954dc2ae652c0a053c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6ebe17b359bead383581f729e43f591c1c36e159","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/97c94c7dbddc34d353c83b541b3decabf98d04af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/deb016c1669002e48c431d6fd32ea1c20ef41756","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f5426ffbec971a8f7346a57392d3a901bdee5a9b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-38710","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-09-04T16:15:40.137","lastModified":"2026-06-01T17:16:35.937","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Validate i_depth for exhash directories\n\nA fuzzer test introduced corruption that ends up with a depth of 0 in\ndir_e_read(), causing an undefined shift by 32 at:\n\n index = hash >> (32 - dip->i_depth);\n\nAs calculated in an open-coded way in dir_make_exhash(), the minimum\ndepth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is\ninvalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time.\n\nSo we can avoid the undefined behaviour by checking for depth values\nlower than the minimum in gfs2_dinode_in(). Values greater than the\nmaximum are already being checked for there.\n\nAlso switch the calculation in dir_make_exhash() to use ilog2() to\nclarify how the depth is calculated.\n\nTested with the syzkaller repro.c and xfstests '-g quick'."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.43","matchCriteriaId":"1936DB45-ECC5-4A1A-A924-0D4E14DFE578"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.11","matchCriteriaId":"BC242347-F722-43AE-B910-BE0B22386977"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.16.2","matchCriteriaId":"BD7C087D-2415-4521-B624-30003352F899"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/076e992752e4b24178918f748d75597c80a408d2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/112bb60cd0e254a369e95aa9941a694ffeca089f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/366183911b153e9b8cf758e1414e1154d7569337","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/53a0249d68a210c16e961b83adfa82f94ee0a53d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/557c024ca7250bb65ae60f16c02074106c2f197b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9680c58675b82348ab84d387e4fa727f7587e1a0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b5f46951e62377b6e406fadc18bc3c5bdf1632a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cddea0c721106ea480371412d8de21705eb27376","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2023-53292","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-09-16T08:15:38.457","lastModified":"2026-06-01T17:16:24.907","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none\n\nAfter grabbing q->sysfs_lock, q->elevator may become NULL because of\nelevator switch.\n\nFix the NULL dereference on q->elevator by checking it with lock."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.4.7","matchCriteriaId":"565551D3-65F9-4062-91B4-52D139D5ACAD"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/245165658e1c9f95c0fecfe02b9b1ebd30a1198a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3e977386521b71471e66ec2ba82efdfcc456adf2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/988ddb77218d3975dd13dee7bb0e1fae098a9fdb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2023-53421","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-09-18T16:15:45.897","lastModified":"2026-06-01T17:16:25.097","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()\n\nWhen blkg_alloc() is called to allocate a blkcg_gq structure\nwith the associated blkg_iostat_set's, there are 2 fields within\nblkg_iostat_set that requires proper initialization - blkg & sync.\nThe former field was introduced by commit 3b8cc6298724 (\"blk-cgroup:\nOptimize blkcg_rstat_flush()\") while the later one was introduced by\ncommit f73316482977 (\"blk-cgroup: reimplement basic IO stats using\ncgroup rstat\").\n\nUnfortunately those fields in the blkg_iostat_set's are not properly\nre-initialized when they are cleared in v1's blkcg_reset_stats(). This\ncan lead to a kernel panic due to NULL pointer access of the blkg\npointer. The missing initialization of sync is less problematic and\ncan be a problem in a debug kernel due to missing lockdep initialization.\n\nFix these problems by re-initializing them after memory clearing."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"6.3.13","matchCriteriaId":"9822986C-54A4-4AA9-B875-6C1B9A28DE75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.4.4","matchCriteriaId":"6AB81046-CB69-4115-924C-963B37C41385"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0561aa6033dd181594116d705c41fc16e97161a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3d2af77e31ade05ff7ccc3658c3635ec1bea0979","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/58c135513562698f222a58ba07dbdfcfb268aa0d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/892faa76be894d324bf48b12a55c7af7be2bad83","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/abbce7f82613ea5eeefd0fc3c1c8e449b9cef2a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b0d26283af612b9e0cc3188b0b88ad7fdea447e8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-50472","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-04T16:15:43.673","lastModified":"2026-06-01T17:16:23.630","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mad: Don't call to function that might sleep while in atomic context\n\nTracepoints are not allowed to sleep, as such the following splat is\ngenerated due to call to ib_query_pkey() in atomic context.\n\nWARNING: CPU: 0 PID: 1888000 at kernel/trace/ring_buffer.c:2492 rb_commit+0xc1/0x220\nCPU: 0 PID: 1888000 Comm: kworker/u9:0 Kdump: loaded Tainted: G OE --------- - - 4.18.0-305.3.1.el8.x86_64 #1\n Hardware name: Red Hat KVM, BIOS 1.13.0-2.module_el8.3.0+555+a55c8938 04/01/2014\n Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]\n RIP: 0010:rb_commit+0xc1/0x220\n RSP: 0000:ffffa8ac80f9bca0 EFLAGS: 00010202\n RAX: ffff8951c7c01300 RBX: ffff8951c7c14a00 RCX: 0000000000000246\n RDX: ffff8951c707c000 RSI: ffff8951c707c57c RDI: ffff8951c7c14a00\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff8951c7c01300 R11: 0000000000000001 R12: 0000000000000246\n R13: 0000000000000000 R14: ffffffff964c70c0 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8951fbc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f20e8f39010 CR3: 000000002ca10005 CR4: 0000000000170ef0\n Call Trace:\n ring_buffer_unlock_commit+0x1d/0xa0\n trace_buffer_unlock_commit_regs+0x3b/0x1b0\n trace_event_buffer_commit+0x67/0x1d0\n trace_event_raw_event_ib_mad_recv_done_handler+0x11c/0x160 [ib_core]\n ib_mad_recv_done+0x48b/0xc10 [ib_core]\n ? trace_event_raw_event_cq_poll+0x6f/0xb0 [ib_core]\n __ib_process_cq+0x91/0x1c0 [ib_core]\n ib_cq_poll_work+0x26/0x80 [ib_core]\n process_one_work+0x1a7/0x360\n ? create_worker+0x1a0/0x1a0\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x35/0x40\n ---[ end trace 78ba8509d3830a16 ]---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.15.86","matchCriteriaId":"C2B5F12C-9CEF-4D20-8485-99A8F3C03995"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.0.16","matchCriteriaId":"C720A569-3D93-4D77-95F6-E2B3A3267D9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.1.2","matchCriteriaId":"77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/47e31b86edff36f2d26cbc88ce695d98ff804178","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5c20311d76cbaeb7ed2ecf9c8b8322f8fc4a7ae3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cea70a572c0cb9728d728cfebe7d5bd485e97513","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d45e6ccb8e98d8339631f32984d345a663e74ce2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fa8a2f3be78e4585996bcf4c15e4504441a4c7a0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-50493","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-04T16:15:46.300","lastModified":"2026-06-01T17:16:23.810","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash when I/O abort times out\n\nWhile performing CPU hotplug, a crash with the following stack was seen:\n\nCall Trace:\n qla24xx_process_response_queue+0x42a/0x970 [qla2xxx]\n qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx]\n qla_nvme_post_cmd+0x166/0x240 [qla2xxx]\n nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc]\n blk_mq_dispatch_rq_list+0x17b/0x610\n __blk_mq_sched_dispatch_requests+0xb0/0x140\n blk_mq_sched_dispatch_requests+0x30/0x60\n __blk_mq_run_hw_queue+0x35/0x90\n __blk_mq_delay_run_hw_queue+0x161/0x180\n blk_execute_rq+0xbe/0x160\n __nvme_submit_sync_cmd+0x16f/0x220 [nvme_core]\n nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics]\n nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc]\n nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc]\n process_one_work+0x1e8/0x3c0\n\nOn abort timeout, completion was called without checking if the I/O was\nalready completed.\n\nVerify that I/O and abort request are indeed outstanding before attempting\ncompletion."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3.17","versionEndExcluding":"5.4","matchCriteriaId":"52607F53-FDC9-4FD7-8CD9-7911AF5733F2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.4","versionEndExcluding":"5.15.86","matchCriteriaId":"FD782530-D591-4DEB-9E5C-4361F5C2FF59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.0.16","matchCriteriaId":"C720A569-3D93-4D77-95F6-E2B3A3267D9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.1.2","matchCriteriaId":"77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/05382ed9142cf8a8a3fb662224477eecc415778b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5f730e489e741c28fe6a5b3308e33c094462acb0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/68ad83188d782b2ecef2e41ac245d27e0710fe8e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cb4dff498468b62e8c520568559b3a9007e104d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d3871af13aa03fbbe7fbb812eaf140501229a72e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2023-53543","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-04T16:15:49.413","lastModified":"2026-06-01T17:16:25.303","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info->attrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa max vqp attr to avoid\nsuch bugs."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.198","versionEndExcluding":"6.1.47","matchCriteriaId":"638778C1-5F03-4F56-AE33-745E57C94BA6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.4.12","matchCriteriaId":"CF8ECF64-40AE-49AB-8315-4D83F9F56ECF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*","matchCriteriaId":"0B3E6E4D-E24E-4630-B00C-8C9901C597B0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*","matchCriteriaId":"E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*","matchCriteriaId":"F5608371-157A-4318-8A2E-4104C3467EA1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*","matchCriteriaId":"2226A776-DF8C-49E0-A030-0A7853BB018A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*","matchCriteriaId":"6F15C659-DF06-455A-9765-0E6DE920F29A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.5:rc6:*:*:*:*:*:*","matchCriteriaId":"5B1C14ED-ABC4-41D3-8D9C-D38C6A65B4DE"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/baed19c108ac8287425b93a44985bbe9a0b1af8d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ea65e8b5e6b1a34deda7564f09c90e9e80db436a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ff71709445ac033e6e250d971683110e4781c068","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2023-53545","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-04T16:15:49.637","lastModified":"2026-06-01T17:16:25.443","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: unmap and remove csa_va properly\n\nRoot PD BO should be reserved before unmap and remove\na bo_va from VM otherwise lockdep will complain.\n\nv2: check fpriv->csa_va is not NULL instead of amdgpu_mcbp (christian)\n\n[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu]\n[14616.937096] Call Trace:\n[14616.937097] \n[14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu]\n[14616.937187] drm_file_free+0x1d6/0x300 [drm]\n[14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm]\n[14616.937220] drm_release+0x5e/0x100 [drm]\n[14616.937234] __fput+0x9f/0x280\n[14616.937239] ____fput+0xe/0x20\n[14616.937241] task_work_run+0x61/0x90\n[14616.937246] exit_to_user_mode_prepare+0x215/0x220\n[14616.937251] syscall_exit_to_user_mode+0x2a/0x60\n[14616.937254] do_syscall_64+0x48/0x90\n[14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.4.12","matchCriteriaId":"627AF6EA-81E2-47AC-9270-EB299AB9D5EB"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1bc35e637a81dac5f5155e83a277c26708c4d4d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5daff15cd013422bc6d1efcfe82b586800025384","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a3a96bf843c356d1d9b2d7f6d0784b6ee28ca9d0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ae325b245208394279a1dc412c831ebd71befb0d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2023-53596","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-04T16:15:56.153","lastModified":"2026-06-01T17:16:25.567","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: base: Free devm resources when unregistering a device\n\nIn the current code, devres_release_all() only gets called if the device\nhas a bus and has been probed.\n\nThis leads to issues when using bus-less or driver-less devices where\nthe device might never get freed if a managed resource holds a reference\nto the device. This is happening in the DRM framework for example.\n\nWe should thus call devres_release_all() in the device_del() function to\nmake sure that the device-managed actions are properly executed when the\ndevice is unregistered, even if it has neither a bus nor a driver.\n\nThis is effectively the same change than commit 2f8d16a996da (\"devres:\nrelease resources on device_del()\") that got reverted by commit\na525a3ddeaca (\"driver core: free devres in device_release\") over\nmemory leaks concerns.\n\nThis patch effectively combines the two commits mentioned above to\nrelease the resources both on device_del() and device_release() and get\nthe best of both worlds."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"6.1.53","matchCriteriaId":"89E9E471-1046-448D-9B47-6061EBC5484E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.4.16","matchCriteriaId":"C3039EA3-F6CA-43EF-9F17-81A7EC6841EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.5.3","matchCriteriaId":"880C803A-BEAE-4DA0-8A59-AC023F7B4EE3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/297992e5c63528e603666e36081836204fc36ec9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3bcc4c2a096e8342c8c719e595ce15de212694dd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/699fb50d99039a50e7494de644f96c889279aca3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/83e2ec36a92432e9445e853c12becbbae353b511","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b9ef4b0aa91d2f9f5951faafdbbd47cf01799ec3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c8c426fae26086a0ca8ab6cc6da2de79810ec038","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2022-50552","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-07T16:15:41.910","lastModified":"2026-06-01T17:16:23.983","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: use quiesced elevator switch when reinitializing queues\n\nThe hctx's run_work may be racing with the elevator switch when\nreinitializing hardware queues. The queue is merely frozen in this\ncontext, but that only prevents requests from allocating and doesn't\nstop the hctx work from running. The work may get an elevator pointer\nthat's being torn down, and can result in use-after-free errors and\nkernel panics (example below). Use the quiesced elevator switch instead,\nand make the previous one static since it is now only used locally.\n\n nvme nvme0: resetting controller\n nvme nvme0: 32/0/0 default/read/poll queues\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0\n Oops: 0000 [#1] SMP PTI\n Workqueue: kblockd blk_mq_run_work_fn\n RIP: 0010:kyber_has_work+0x29/0x70\n\n...\n\n Call Trace:\n __blk_mq_do_dispatch_sched+0x83/0x2b0\n __blk_mq_sched_dispatch_requests+0x12e/0x170\n blk_mq_sched_dispatch_requests+0x30/0x60\n __blk_mq_run_hw_queue+0x2b/0x50\n process_one_work+0x1ef/0x380\n worker_thread+0x2d/0x3e0"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19","versionEndExcluding":"5.19.17","matchCriteriaId":"01CFE817-DEAE-44C8-A519-2061E88C4EB3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.0.3","matchCriteriaId":"5BCD8201-B847-4442-B894-70D430128DEF"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0f90015383cd3f1128bebfbe7a97122d97808046","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/63a681bcc32a43528ce0f690569f7f48e59c3963","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8237c01f1696bc53c470493bf1fe092a107648a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9646443f28f33ec545ae303e613c3f476fad4dc1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c478b3b2900f1834cf9eda5bfef0d5696099505d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2023-53629","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-07T16:15:45.933","lastModified":"2026-06-01T17:16:25.723","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs: dlm: fix use after free in midcomms commit\n\nWhile working on processing dlm message in softirq context I experienced\nthe following KASAN use-after-free warning:\n\n[ 151.760477] ==================================================================\n[ 151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[ 151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347\n\n[ 151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828\n[ 151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014\n[ 151.768726] Call Trace:\n[ 151.769277] \n[ 151.769748] dump_stack_lvl+0x5b/0x86\n[ 151.770556] print_report+0x180/0x4c8\n[ 151.771378] ? kasan_complete_mode_report_info+0x7c/0x1e0\n[ 151.772241] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[ 151.773069] kasan_report+0x93/0x1a0\n[ 151.773668] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[ 151.774514] __asan_load4+0x7e/0xa0\n[ 151.775089] dlm_midcomms_commit_mhandle+0x19d/0x4b0\n[ 151.775890] ? create_message.isra.29.constprop.64+0x57/0xc0\n[ 151.776770] send_common+0x19f/0x1b0\n[ 151.777342] ? remove_from_waiters+0x60/0x60\n[ 151.778017] ? lock_downgrade+0x410/0x410\n[ 151.778648] ? __this_cpu_preempt_check+0x13/0x20\n[ 151.779421] ? rcu_lockdep_current_cpu_online+0x88/0xc0\n[ 151.780292] _convert_lock+0x46/0x150\n[ 151.780893] convert_lock+0x7b/0xc0\n[ 151.781459] dlm_lock+0x3ac/0x580\n[ 151.781993] ? 0xffffffffc0540000\n[ 151.782522] ? torture_stop+0x120/0x120 [dlm_locktorture]\n[ 151.783379] ? dlm_scan_rsbs+0xa70/0xa70\n[ 151.784003] ? preempt_count_sub+0xd6/0x130\n[ 151.784661] ? is_module_address+0x47/0x70\n[ 151.785309] ? torture_stop+0x120/0x120 [dlm_locktorture]\n[ 151.786166] ? 0xffffffffc0540000\n[ 151.786693] ? lockdep_init_map_type+0xc3/0x360\n[ 151.787414] ? 0xffffffffc0540000\n[ 151.787947] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]\n[ 151.789004] ? torture_stop+0x120/0x120 [dlm_locktorture]\n[ 151.789858] ? 0xffffffffc0540000\n[ 151.790392] ? lock_torture_cleanup+0x20/0x20 [dlm_locktorture]\n[ 151.791347] ? delay_tsc+0x94/0xc0\n[ 151.791898] torture_ex_iter+0xc3/0xea [dlm_locktorture]\n[ 151.792735] ? torture_start+0x30/0x30 [dlm_locktorture]\n[ 151.793606] lock_torture+0x177/0x270 [dlm_locktorture]\n[ 151.794448] ? torture_dlm_lock_sync.isra.3+0x150/0x150 [dlm_locktorture]\n[ 151.795539] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[ 151.796476] ? do_raw_spin_lock+0x11e/0x1e0\n[ 151.797152] ? mark_held_locks+0x34/0xb0\n[ 151.797784] ? _raw_spin_unlock_irqrestore+0x30/0x70\n[ 151.798581] ? __kthread_parkme+0x79/0x110\n[ 151.799246] ? trace_preempt_on+0x2a/0xf0\n[ 151.799902] ? __kthread_parkme+0x79/0x110\n[ 151.800579] ? preempt_count_sub+0xd6/0x130\n[ 151.801271] ? __kasan_check_read+0x11/0x20\n[ 151.801963] ? __kthread_parkme+0xec/0x110\n[ 151.802630] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]\n[ 151.803569] kthread+0x192/0x1d0\n[ 151.804104] ? kthread_complete_and_exit+0x30/0x30\n[ 151.804881] ret_from_fork+0x1f/0x30\n[ 151.805480] \n\n[ 151.806111] Allocated by task 1347:\n[ 151.806681] kasan_save_stack+0x26/0x50\n[ 151.807308] kasan_set_track+0x25/0x30\n[ 151.807920] kasan_save_alloc_info+0x1e/0x30\n[ 151.808609] __kasan_slab_alloc+0x63/0x80\n[ 151.809263] kmem_cache_alloc+0x1ad/0x830\n[ 151.809916] dlm_allocate_mhandle+0x17/0x20\n[ 151.810590] dlm_midcomms_get_mhandle+0x96/0x260\n[ 151.811344] _create_message+0x95/0x180\n[ 151.811994] create_message.isra.29.constprop.64+0x57/0xc0\n[ 151.812880] send_common+0x129/0x1b0\n[ 151.813467] _convert_lock+0x46/0x150\n[ 151.814074] convert_lock+0x7b/0xc0\n[ 151.814648] dlm_lock+0x3ac/0x580\n[ 151.815199] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]\n[ 151.816258] torture_ex_iter+0xc3/0xea [dlm_locktorture]\n[ 151.817129] lock_t\n---truncated---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14","versionEndExcluding":"6.1.20","matchCriteriaId":"11DC9B79-A3D9-48E0-ACA3-BD431CD1AEE1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.2.3","matchCriteriaId":"88C67289-22AD-4CA9-B202-5F5A80E5BA4B"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/724b6bab0d75f1dc01fdfbf7fe8d4217a5cb90ba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/84d6ce2aef1d06a53f606211da68a2085dfeb50d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a2de9f9b686c71b4fa3663ae374f5f643c46a446","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a3b0e9ac3c2447008db942d51f593841d8329e99","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-39997","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-15T08:15:37.947","lastModified":"2026-06-01T17:16:36.083","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free\n\nThe previous commit 0718a78f6a9f (\"ALSA: usb-audio: Kill timer properly at\nremoval\") patched a UAF issue caused by the error timer.\n\nHowever, because the error timer kill added in this patch occurs after the\nendpoint delete, a race condition to UAF still occurs, albeit rarely.\n\nAdditionally, since kill-cleanup for urb is also missing, freed memory can\nbe accessed in interrupt context related to urb, which can cause UAF.\n\nTherefore, to prevent this, error timer and urb must be killed before\nfreeing the heap memory."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/353d8c715cc951a980728133c9dd64ca5a0a186c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/647d6b8d22be12842fde6ed0c56859ebc615f21e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9f2c0ac1423d5f267e7f1d1940780fc764b0fee3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/af600e7f5526d16146b3ae99f6ad57bfea79ca33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dc4874366cf6cf4a31d8fa4b7f0e2a5b2d7647ba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e16985513e89466a236d2a7c202783b4dd0c5a46","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e63f049c7764b615d1d50cb486745fa63372b42d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-40005","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-10-20T16:15:37.127","lastModified":"2026-06-01T17:16:36.210","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: Implement refcount to handle unbind during busy\n\ndriver support indirect read and indirect write operation with\nassumption no force device removal(unbind) operation. However\nforce device removal(removal) is still available to root superuser.\n\nUnbinding driver during operation causes kernel crash. This changes\nensure driver able to handle such operation for indirect read and\nindirect write by implementing refcount to track attached devices\nto the controller and gracefully wait and until attached devices\nremove operation completed before proceed with removal operation."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.125","matchCriteriaId":"A2F78819-3B3D-45F2-B2BC-445385A4FAE4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.16.10","matchCriteriaId":"898CB0E7-69BE-48EB-A212-89F26E47CC47"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*","matchCriteriaId":"327D22EF-390B-454C-BD31-2ED23C998A1C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*","matchCriteriaId":"C730CD9A-D969-4A8E-9522-162AAF7C0EE9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*","matchCriteriaId":"39982C4B-716E-4B2F-8196-FA301F47807D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*","matchCriteriaId":"340BEEA9-D70D-4290-B502-FBB1032353B1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/56787f4a75907ae99b5f5842b756fa68e2482f6d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/65ed52200080eafce3eead05cf22ce01238defca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7446284023e8ef694fb392348185349c773eefb3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8ce3ebbe5c718940b4e94f5c25f5720223f893f8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8df235f768cea7a5829cb02525622646eb0df5f5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b7ec8a2b094a33d0464958c2cbf75b8f229098b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-40163","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-11-12T11:15:46.517","lastModified":"2026-06-01T17:16:36.353","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Stop dl_server before CPU goes offline\n\nIBM CI tool reported kernel warning[1] when running a CPU removal\noperation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"\n\nWARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170\nNIP [c0000000002b6ed8] cpudl_set+0x58/0x170\nLR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0\nCall Trace:\n[c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable)\n[c0000000002b7cb8] dl_server_timer+0x168/0x2a0\n[c00000000034df84] __hrtimer_run_queues+0x1a4/0x390\n[c00000000034f624] hrtimer_interrupt+0x124/0x300\n[c00000000002a230] timer_interrupt+0x140/0x320\n\nGit bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")\n\nThis happens since:\n- dl_server hrtimer gets enqueued close to cpu offline, when\n kthread_park enqueues a fair task.\n- CPU goes offline and drmgr removes it from cpu_present_mask.\n- hrtimer fires and warning is hit.\n\nFix it by stopping the dl_server before CPU is marked dead.\n\n[1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/\n[2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr\n\n[sshegde: wrote the changelog and tested it]"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/ab6c0f158508bb16d483add70b73a73f95651c33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d7fd56ed5e07e053a5eea6112d61fcaded653b87","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ee6e44dfe6e50b4a5df853d933a96bdff5309e6e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-40261","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-04T16:16:20.053","lastModified":"2026-06-01T17:16:36.467","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()\n\nnvme_fc_delete_assocation() waits for pending I/O to complete before\nreturning, and an error can cause ->ioerr_work to be queued after\ncancel_work_sync() had been called. Move the call to cancel_work_sync() to\nbe after nvme_fc_delete_association() to ensure ->ioerr_work is not running\nwhen the nvme_fc_ctrl object is freed. Otherwise the following can occur:\n\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL\n[ 1135.917705] ------------[ cut here ]------------\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\n[ 1135.950969] Workqueue: 0x0 (nvme-wq)\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\n[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\n[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1136.055910] PKRU: 55555554\n[ 1136.058623] Call Trace:\n[ 1136.061074] \n[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.071898] ? move_linked_works+0x4a/0xa0\n[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.081744] ? __die_body.cold+0x8/0x12\n[ 1136.085584] ? die+0x2e/0x50\n[ 1136.088469] ? do_trap+0xca/0x110\n[ 1136.091789] ? do_error_trap+0x65/0x80\n[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.101289] ? exc_invalid_op+0x50/0x70\n[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20\n[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.120806] move_linked_works+0x4a/0xa0\n[ 1136.124733] worker_thread+0x216/0x3a0\n[ 1136.128485] ? __pfx_worker_thread+0x10/0x10\n[ 1136.132758] kthread+0xfa/0x240\n[ 1136.135904] ? __pfx_kthread+0x10/0x10\n[ 1136.139657] ret_from_fork+0x31/0x50\n[ 1136.143236] ? __pfx_kthread+0x10/0x10\n[ 1136.146988] ret_from_fork_asm+0x1a/0x30\n[ 1136.150915] "}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3f48cd7f35da07fc067cef926bb7f6f4735de37b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9610a2c162ef729a3988213a4604376e492f6f44","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a9b1315ed428239612601e9e188329e7cefa32fd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-40347","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-16T14:15:46.470","lastModified":"2026-06-01T17:16:36.640","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix the deadlock of enetc_mdio_lock\n\nAfter applying the workaround for err050089, the LS1028A platform\nexperiences RCU stalls on RT kernel. This issue is caused by the\nrecursive acquisition of the read lock enetc_mdio_lock. Here list some\nof the call stacks identified under the enetc_poll path that may lead to\na deadlock:\n\nenetc_poll\n -> enetc_lock_mdio\n -> enetc_clean_rx_ring OR napi_complete_done\n -> napi_gro_receive\n -> enetc_start_xmit\n -> enetc_lock_mdio\n -> enetc_map_tx_buffs\n -> enetc_unlock_mdio\n -> enetc_unlock_mdio\n\nAfter enetc_poll acquires the read lock, a higher-priority writer attempts\nto acquire the lock, causing preemption. The writer detects that a\nread lock is already held and is scheduled out. However, readers under\nenetc_poll cannot acquire the read lock again because a writer is already\nwaiting, leading to a thread hang.\n\nCurrently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent\nrecursive lock acquisition."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1f92f5bd057a4fad9dab6af17963cdd21e5da6ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2781ca82ce8cad263d80b617addb727e6a84c9e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/50bd33f6b3922a6b760aa30d409cae891cec8fb5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a649161526736f48bcc592e3a412e5bcd7dd9e24","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-68201","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-16T14:15:52.937","lastModified":"2026-06-01T17:16:37.810","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: remove two invalid BUG_ON()s\n\nThose can be triggered trivially by userspace."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7281d5b698d60fa46d17cd36ee8c5192fea9428d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a41bdba05899c7f455cd960ef0713acc335370dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-68239","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-16T15:15:53.063","lastModified":"2026-06-01T17:16:37.917","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_misc: restore write access before closing files opened by open_exec()\n\nbm_register_write() opens an executable file using open_exec(), which\ninternally calls do_open_execat() and denies write access on the file to\navoid modification while it is being executed.\n\nHowever, when an error occurs, bm_register_write() closes the file using\nfilp_close() directly. This does not restore the write permission, which\nmay cause subsequent write operations on the same file to fail.\n\nFix this by calling exe_file_allow_write_access() before filp_close() to\nrestore the write permission properly."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/480ac88431703f2adbb8e6b5bd73c3f3cf9f3d7f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/54274ff90488b6c0f595a6518faed3cf0bc966eb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6cce7bc7fac8471c832696720d9c8f2a976d9c54","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/90f601b497d76f40fa66795c3ecf625b6aced9fd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e785f552ab04dbca01d31f0334f4561240b04459","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fbab8c08e1a6dbaef81e22d672a7647553101d16","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-68307","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-16T16:16:10.240","lastModified":"2026-06-01T17:16:38.043","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs\n\nThe driver lacks the cleanup of failed transfers of URBs. This reduces the\nnumber of available URBs per error by 1. This leads to reduced performance\nand ultimately to a complete stop of the transmission.\n\nIf the sending of a bulk URB fails do proper cleanup:\n- increase netdev stats\n- mark the echo_sbk as free\n- free the driver's context and do accounting\n- wake the send queue"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1a588c40a422a3663a52f1c5535e8fb6b044167d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4a82072e451eacf24fc66a445e906f5095d215db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/516a0cd1c03fa266bb67dd87940a209fd4e53ce7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/87974ebd6552817492daec7866ebfa2c484fa2ac","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9c8eb33b7008178b6ce88aa7593d12063ce60ca3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f7a5560675bd85efaf16ab01a43053670ff2b000","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-68315","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-16T16:16:11.080","lastModified":"2026-06-01T17:16:38.157","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to detect potential corrupted nid in free_nid_list\n\nAs reported, on-disk footer.ino and footer.nid is the same and\nout-of-range, let's add sanity check on f2fs_alloc_nid() to detect\nany potential corruption in free_nid_list."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/88b2ddb0c4f1dc874d4598e78cc830c64315ed86","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8fc6056dcf79937c46c97fa4996cda65956437a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9337ed5e777e1c19854928cba7a8131dd00e611b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/adbcb34f03abb89e681a5907c4c3ce4bf224991d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2023-53989","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-24T11:15:51.803","lastModified":"2026-06-01T17:16:25.870","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: fix VA-range sanity check\n\nBoth create_mapping_noalloc() and update_mapping_prot() sanity-check\ntheir 'virt' parameter, but the check itself doesn't make much sense.\nThe condition used today appears to be a historical accident.\n\nThe sanity-check condition:\n\n\tif ((virt >= PAGE_END) && (virt < VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\n... can only be true for the KASAN shadow region or the module region,\nand there's no reason to exclude these specifically for creating and\nupdateing mappings.\n\nWhen arm64 support was first upstreamed in commit:\n\n c1cc1552616d0f35 (\"arm64: MMU initialisation\")\n\n... the condition was:\n\n\tif (virt < VMALLOC_START) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nAt the time, VMALLOC_START was the lowest kernel address, and this was\nchecking whether 'virt' would be translated via TTBR1.\n\nSubsequently in commit:\n\n 14c127c957c1c607 (\"arm64: mm: Flip kernel VA space\")\n\n... the condition was changed to:\n\n\tif ((virt >= VA_START) && (virt < VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nThis appear to have been a thinko. The commit moved the linear map to\nthe bottom of the kernel address space, with VMALLOC_START being at the\nhalfway point. The old condition would warn for changes to the linear\nmap below this, and at the time VA_START was the end of the linear map.\n\nSubsequently we cleaned up the naming of VA_START in commit:\n\n 77ad4ce69321abbe (\"arm64: memory: rename VA_START to PAGE_END\")\n\n... keeping the erroneous condition as:\n\n\tif ((virt >= PAGE_END) && (virt < VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nCorrect the condition to check against the start of the TTBR1 address\nspace, which is currently PAGE_OFFSET. This simplifies the logic, and\nmore clearly matches the \"outside kernel range\" message in the warning."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/32020fc2a8373d3de35ae6d029d5969a42651e7a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/621619f626cbe702ddbdc54117f3868b8ebd8129","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9d8d3df71516ec3236d8d93ff029d251377ba4b1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ab9b4008092c86dc12497af155a0901cc1156999","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b03c7fcc5ed854d0e1b27e9abf12428bfa751a37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c7a9e967cc9615a1dabc5e0e6fdbe88a172d5a5b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2023-54322","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-30T13:16:21.520","lastModified":"2026-06-01T17:16:27.177","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: set __exception_irq_entry with __irq_entry as a default\n\nfilter_irq_stacks() is supposed to cut entries which are related irq entries\nfrom its call stack.\nAnd in_irqentry_text() which is called by filter_irq_stacks()\nuses __irqentry_text_start/end symbol to find irq entries in callstack.\n\nBut it doesn't work correctly as without \"CONFIG_FUNCTION_GRAPH_TRACER\",\narm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq\nbetween __irqentry_text_start and __irqentry_text_end as we discussed in below link.\nhttps://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t\n\nThis problem can makes unintentional deep call stack entries especially\nin KASAN enabled situation as below.\n\n[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity\n[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c\n[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c\n[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c\n[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0\n[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000\n[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd\n[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040\n[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000\n[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20\n[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8\n[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800\n[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8\n[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c\n[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022\n[ 2479.386231]I[0:launcher-loader: 1719] Call trace:\n[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c\n[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70\n[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138\n[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24\n[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170\n[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20\n[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c\n[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28\n[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0\n[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80\n[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98\n[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c\n[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0\n[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300\n[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c\n[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4\n[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0\n[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300\n[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c\n[ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304\n[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160\n[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194\n[ 2479.386833]I\n---truncated---"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0bd309f22663f3ee749bea0b6d70642c31a1c0a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/47d74b54180b6b296b489b7895011c9a28979ff1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c71d6934c6ac40a97146a410e0320768c7b1bb3c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d3b219e504fc5c5a25fa7c04c8589ff34baef9a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-68823","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-13T16:16:04.660","lastModified":"2026-06-01T17:16:38.260","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix deadlock when reading partition table\n\nWhen one process(such as udev) opens ublk block device (e.g., to read\nthe partition table via bdev_open()), a deadlock[1] can occur:\n\n1. bdev_open() grabs disk->open_mutex\n2. The process issues read I/O to ublk backend to read partition table\n3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()\n runs bio->bi_end_io() callbacks\n4. If this triggers fput() on file descriptor of ublk block device, the\n work may be deferred to current task's task work (see fput() implementation)\n5. This eventually calls blkdev_release() from the same context\n6. blkdev_release() tries to grab disk->open_mutex again\n7. Deadlock: same task waiting for a mutex it already holds\n\nThe fix is to run blk_update_request() and blk_mq_end_request() with bottom\nhalves disabled. This forces blkdev_release() to run in kernel work-queue\ncontext instead of current task work context, and allows ublk server to make\nforward progress, and avoids the deadlock.\n\n[axboe: rewrite comment in ublk]"},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nublk: soluciona un interbloqueo al leer la tabla de particiones\n\nCuando un proceso (como udev) abre el dispositivo de bloques ublk (por ejemplo, para leer la tabla de particiones a través de bdev_open()), puede ocurrir un interbloqueo[1]:\n\n1. bdev_open() adquiere disk->open_mutex\n2. El proceso emite E/S de lectura al backend de ublk para leer la tabla de particiones\n3. En __ublk_complete_rq(), blk_update_request() o blk_mq_end_request() ejecuta las retrollamadas bio->bi_end_io()\n4. Si esto activa fput() en el descriptor de archivo del dispositivo de bloques ublk, el trabajo puede ser aplazado al trabajo de tarea de la tarea actual (ver la implementación de fput())\n5. Esto finalmente llama a blkdev_release() desde el mismo contexto\n6. blkdev_release() intenta adquirir disk->open_mutex de nuevo\n7. Interbloqueo: misma tarea esperando por un mutex que ya posee\n\nLa solución es ejecutar blk_update_request() y blk_mq_end_request() con las mitades inferiores deshabilitadas. Esto fuerza a blkdev_release() a ejecutarse en el contexto de la cola de trabajo del kernel en lugar del contexto de trabajo de la tarea actual, y permite al servidor ublk avanzar, y evita el interbloqueo.\n\n[axboe: reescribir comentario en ublk]"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.6.124","matchCriteriaId":"07A21134-3555-4ED3-8B0A-940F93C45530"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.70","matchCriteriaId":"F3791390-0628-4808-99EF-1ED8ABF60933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.3","matchCriteriaId":"2DC484D8-FB4F-4112-900F-AE333B6FE7A7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/27bb79b7717b2fbb111a1c13548b2786ee712dca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/64c0b7e2293757e8320f13434cd809f1c9257a62","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2025-71161","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-23T16:15:53.000","lastModified":"2026-06-01T17:16:38.587","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity: disable recursive forward error correction\n\nThere are two problems with the recursive correction:\n\n1. It may cause denial-of-service. In fec_read_bufs, there is a loop that\nhas 253 iterations. For each iteration, we may call verity_hash_for_block\nrecursively. There is a limit of 4 nested recursions - that means that\nthere may be at most 253^4 (4 billion) iterations. Red Hat QE team\nactually created an image that pushes dm-verity to this limit - and this\nimage just makes the udev-worker process get stuck in the 'D' state.\n\n2. It doesn't work. In fec_read_bufs we store data into the variable\n\"fio->bufs\", but fio bufs is shared between recursive invocations, if\n\"verity_hash_for_block\" invoked correction recursively, it would\noverwrite partially filled fio->bufs."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndm-verity: deshabilitar la corrección de errores hacia adelante recursiva\n\nHay dos problemas con la corrección recursiva:\n\n1. Puede causar una denegación de servicio. En fec_read_bufs, hay un bucle que tiene 253 iteraciones. Para cada iteración, podemos llamar a verity_hash_for_block recursivamente. Hay un límite de 4 recursiones anidadas, lo que significa que puede haber como máximo 253^4 (4 mil millones) iteraciones. El equipo de QE de Red Hat creó una imagen que lleva a dm-verity a este límite, y esta imagen simplemente hace que el proceso udev-worker se quede atascado en el estado 'D'.\n\n2. No funciona. En fec_read_bufs almacenamos datos en la variable 'fio->bufs', pero fio bufs se comparte entre invocaciones recursivas; si 'verity_hash_for_block' invocara la corrección recursivamente, sobrescribiría los fio->bufs parcialmente llenos."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-193"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.18.6","matchCriteriaId":"09F12E1C-9D38-454F-8AC2-792EBBD94320"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4220cb37406915c926c0e4a3dbab77cd9cceeb1e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/897d9006e75f46f8bd7df78faa424327ae6a4bcf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8b821ca892cfeeaf0bedc9fc72717294f67144d5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e227d2b229c7529bd98d348efc55262ccf24ab35","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-23066","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-04T17:16:17.303","lastModified":"2026-06-01T17:16:44.440","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix recvmsg() unconditional requeue\n\nIf rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at\nthe front of the recvmsg queue already has its mutex locked, it requeues\nthe call - whether or not the call is already queued. The call may be on\nthe queue because MSG_PEEK was also passed and so the call was not dequeued\nor because the I/O thread requeued it.\n\nThe unconditional requeue may then corrupt the recvmsg queue, leading to\nthings like UAFs or refcount underruns.\n\nFix this by only requeuing the call if it isn't already on the queue - and\nmoving it to the front if it is already queued. If we don't queue it, we\nhave to put the ref we obtained by dequeuing it.\n\nAlso, MSG_PEEK doesn't dequeue the call so shouldn't call\nrxrpc_notify_socket() for the call if we didn't use up all the data on the\nqueue, so fix that also."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nrxrpc: Corrección del reenqueque incondicional de recvmsg()\n\nSi rxrpc_recvmsg() falla porque se especificó MSG_DONTWAIT pero la llamada al frente de la cola de recvmsg ya tiene su mutex bloqueado, reenquequea la llamada, esté o no la llamada ya en la cola. La llamada puede estar en la cola porque también se pasó MSG_PEEK y por lo tanto la llamada no fue desencolada o porque el hilo de E/S la reenquequeó.\n\nEl reenqueque incondicional puede entonces corromper la cola de recvmsg, lo que lleva a cosas como UAFs o subdesbordamientos de refcount.\n\nSolucione esto reenquequeando la llamada solo si no está ya en la cola, y moviéndola al frente si ya está en la cola. Si no la encolamos, tenemos que liberar la referencia que obtuvimos al desencolarla.\n\nAdemás, MSG_PEEK no desencola la llamada, por lo que no debería llamar a rxrpc_notify_socket() para la llamada si no consumimos todos los datos de la cola, así que corrija eso también."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-674"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.18.8","matchCriteriaId":"A85A6630-48F5-47FB-9871-DB4D2269F664"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0464bf75590da75b8413c3e758c04647b4cdb3c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2c28769a51deb6022d7fbd499987e237a01dd63a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8fd3b5e297854a4da0f273169baf4b1b7b257b97","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/930114425065f7ace6e0c0630fab4af75e059ea8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c198628f3fca5c874d93874c233014d336e09f64","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c6cebcb4e0b3140ec2ace45c020a9049527385d1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cf969bddd6e69c5777fa89dc88402204e72f312a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-23141","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-14T16:15:54.163","lastModified":"2026-06-01T17:16:44.610","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: check for inline extents in range_is_hole_in_parent()\n\nBefore accessing the disk_bytenr field of a file extent item we need\nto check if we are dealing with an inline extent.\nThis is because for inline extents their data starts at the offset of\nthe disk_bytenr field. So accessing the disk_bytenr\nmeans we are accessing inline data or in case the inline data is less\nthan 8 bytes we can actually cause an invalid\nmemory access if this inline extent item is the first item in the leaf\nor access metadata from other items."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbtrfs: send: verificar extents en línea en range_is_hole_in_parent()\n\nAntes de acceder al campo disk_bytenr de un elemento de extent de archivo, necesitamos verificar si estamos tratando con un extent en línea.\nEsto se debe a que para los extents en línea, sus datos comienzan en el desplazamiento del campo disk_bytenr. Así que acceder al disk_bytenr significa que estamos accediendo a datos en línea o, en caso de que los datos en línea sean menores de 8 bytes, podemos realmente causar un acceso a memoria inválido si este elemento de extent en línea es el primer elemento en la hoja o acceder a metadatos de otros elementos."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.6.122","matchCriteriaId":"E7BC335C-8761-4A07-975D-299AB3719ECF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.67","matchCriteriaId":"7456F614-6AA8-4C08-8229-BA342D4AFBAD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.7","matchCriteriaId":"99FF3E05-0E7A-44E9-8E47-BF6F1F8EC436"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/08b096c1372cd69627f4f559fb47c9fb67a52b39","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/39f83f10772310ba4a77f2b5256aaf36994ef7e8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/901e581bfc44d181f7d9c3f11880dac3e89deb2e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d948055bd46a9c14d1d4217aed65c5c258c32903","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/db00636643e66898d79f2530ac9c56ebd5eca369","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23157","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-14T16:15:55.863","lastModified":"2026-06-01T17:16:44.767","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not strictly require dirty metadata threshold for metadata writepages\n\n[BUG]\nThere is an internal report that over 1000 processes are\nwaiting at the io_schedule_timeout() of balance_dirty_pages(), causing\na system hang and trigger a kernel coredump.\n\nThe kernel is v6.4 kernel based, but the root problem still applies to\nany upstream kernel before v6.18.\n\n[CAUSE]\nFrom Jan Kara for his wisdom on the dirty page balance behavior first.\n\n This cgroup dirty limit was what was actually playing the role here\n because the cgroup had only a small amount of memory and so the dirty\n limit for it was something like 16MB.\n\n Dirty throttling is responsible for enforcing that nobody can dirty\n (significantly) more dirty memory than there's dirty limit. Thus when\n a task is dirtying pages it periodically enters into balance_dirty_pages()\n and we let it sleep there to slow down the dirtying.\n\n When the system is over dirty limit already (either globally or within\n a cgroup of the running task), we will not let the task exit from\n balance_dirty_pages() until the number of dirty pages drops below the\n limit.\n\n So in this particular case, as I already mentioned, there was a cgroup\n with relatively small amount of memory and as a result with dirty limit\n set at 16MB. A task from that cgroup has dirtied about 28MB worth of\n pages in btrfs btree inode and these were practically the only dirty\n pages in that cgroup.\n\nSo that means the only way to reduce the dirty pages of that cgroup is\nto writeback the dirty pages of btrfs btree inode, and only after that\nthose processes can exit balance_dirty_pages().\n\nNow back to the btrfs part, btree_writepages() is responsible for\nwriting back dirty btree inode pages.\n\nThe problem here is, there is a btrfs internal threshold that if the\nbtree inode's dirty bytes are below the 32M threshold, it will not\ndo any writeback.\n\nThis behavior is to batch as much metadata as possible so we won't write\nback those tree blocks and then later re-COW them again for another\nmodification.\n\nThis internal 32MiB is higher than the existing dirty page size (28MiB),\nmeaning no writeback will happen, causing a deadlock between btrfs and\ncgroup:\n\n- Btrfs doesn't want to write back btree inode until more dirty pages\n\n- Cgroup/MM doesn't want more dirty pages for btrfs btree inode\n Thus any process touching that btree inode is put into sleep until\n the number of dirty pages is reduced.\n\nThanks Jan Kara a lot for the analysis of the root cause.\n\n[ENHANCEMENT]\nSince kernel commit b55102826d7d (\"btrfs: set AS_KERNEL_FILE on the\nbtree_inode\"), btrfs btree inode pages will only be charged to the root\ncgroup which should have a much larger limit than btrfs' 32MiB\nthreshold.\nSo it should not affect newer kernels.\n\nBut for all current LTS kernels, they are all affected by this problem,\nand backporting the whole AS_KERNEL_FILE may not be a good idea.\n\nEven for newer kernels I still think it's a good idea to get\nrid of the internal threshold at btree_writepages(), since for most cases\ncgroup/MM has a better view of full system memory usage than btrfs' fixed\nthreshold.\n\nFor internal callers using btrfs_btree_balance_dirty() since that\nfunction is already doing internal threshold check, we don't need to\nbother them.\n\nBut for external callers of btree_writepages(), just respect their\nrequests and write back whatever they want, ignoring the internal\nbtrfs threshold to avoid such deadlock on btree inode dirty page\nbalancing."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: btrfs: no requerir estrictamente el umbral de metadatos sucios para la escritura de páginas de metadatos [ERROR] Existe un informe interno de que más de 1000 procesos están esperando en el io_schedule_timeout() de balance_dirty_pages(), causando un cuelgue del sistema y desencadenando un volcado de memoria del kernel. El kernel está basado en el kernel v6.4, pero el problema raíz todavía se aplica a cualquier kernel upstream anterior a la v6.18. [CAUSA] De Jan Kara por su sabiduría sobre el comportamiento de balanceo de páginas sucias primero. Este límite de suciedad del cgroup era lo que realmente estaba desempeñando el papel aquí porque el cgroup tenía solo una pequeña cantidad de memoria y por lo tanto el límite de suciedad para él era de aproximadamente 16MB. La limitación de suciedad es responsable de asegurar que nadie pueda ensuciar (significativamente) más memoria sucia de lo que hay de límite de suciedad. Así, cuando una tarea está ensuciando páginas, entra periódicamente en balance_dirty_pages() y la dejamos dormir allí para ralentizar el ensuciamiento. Cuando el sistema ya está por encima del límite de suciedad (ya sea globalmente o dentro de un cgroup de la tarea en ejecución), no permitiremos que la tarea salga de balance_dirty_pages() hasta que el número de páginas sucias caiga por debajo del límite. Así que en este caso particular, como ya mencioné, había un cgroup con una cantidad de memoria relativamente pequeña y como resultado con un límite de suciedad establecido en 16MB. Una tarea de ese cgroup ha ensuciado páginas por un valor de aproximadamente 28MB en el inodo btree de btrfs y estas eran prácticamente las únicas páginas sucias en ese cgroup. Así que eso significa que la única forma de reducir las páginas sucias de ese cgroup es realizar el writeback de las páginas sucias del inodo btree de btrfs, y solo después de eso esos procesos pueden salir de balance_dirty_pages(). Ahora volviendo a la parte de btrfs, btree_writepages() es responsable de realizar el writeback de las páginas sucias del inodo btree. El problema aquí es que hay un umbral interno de btrfs que si los bytes sucios del inodo btree están por debajo del umbral de 32M, no realizará ningún writeback. Este comportamiento es para agrupar la mayor cantidad posible de metadatos para que no escribamos de vuelta esos bloques de árbol y luego los volvamos a copiar en escritura (re-COW) para otra modificación. Estos 32MiB internos son más altos que el tamaño de página sucia existente (28MiB), lo que significa que no se realizará ningún writeback, causando un interbloqueo entre btrfs y cgroup: - Btrfs no quiere realizar el writeback del inodo btree hasta que haya más páginas sucias - Cgroup/MM no quiere más páginas sucias para el inodo btree de btrfs Así, cualquier proceso que toque ese inodo btree es puesto a dormir hasta que el número de páginas sucias se reduzca. Muchas gracias a Jan Kara por el análisis de la causa raíz. [MEJORA] Desde el commit del kernel b55102826d7d ('btrfs: establecer AS_KERNEL_FILE en el btree_inode'), las páginas del inodo btree de btrfs solo se cargarán al cgroup raíz, el cual debería tener un límite mucho mayor que el umbral de 32MiB de btrfs. Así que no debería afectar a kernels más nuevos. Pero para todos los kernels LTS actuales, todos están afectados por este problema, y realizar un backport de todo el AS_KERNEL_FILE puede no ser una buena idea. Incluso para kernels más nuevos, sigo pensando que es una buena idea eliminar el umbral interno en btree_writepages(), ya que en la mayoría de los casos cgroup/MM tiene una mejor visión del uso de la memoria de todo el sistema que el umbral fijo de btrfs. Para los llamadores internos que usan btrfs_btree_balance_dirty(), ya que esa función ya está realizando una comprobación de umbral interna, ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.18.9","matchCriteriaId":"A25D17E8-22B0-4A6C-B1FD-1EA80C78268F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*","matchCriteriaId":"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0c3666ec188640c20e254011e7adf4464c32ee58","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4357e02cafabe01c2d737ceb4c4c6382fc2ee10a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4e159150a9a56d66d247f4b5510bed46fe58aa1c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/629666d20c7dcd740e193ec0631fdff035b1f7d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6a8b6242eaa1dd7a0de2d6de6420d10ffe68db90","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bb9be3f713652e330df00f3724c18c7a5469e7ac","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-71221","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-14T17:15:54.450","lastModified":"2026-06-01T17:16:38.730","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()\n\nAdd proper locking in mmp_pdma_residue() to prevent use-after-free when\naccessing descriptor list and descriptor contents.\n\nThe race occurs when multiple threads call tx_status() while the tasklet\non another CPU is freeing completed descriptors:\n\nCPU 0 CPU 1\n----- -----\nmmp_pdma_tx_status()\nmmp_pdma_residue()\n -> NO LOCK held\n list_for_each_entry(sw, ..)\n DMA interrupt\n dma_do_tasklet()\n -> spin_lock(&desc_lock)\n list_move(sw->node, ...)\n spin_unlock(&desc_lock)\n | dma_pool_free(sw) <- FREED!\n -> access sw->desc <- UAF!\n\nThis issue can be reproduced when running dmatest on the same channel with\nmultiple threads (threads_per_chan > 1).\n\nFix by protecting the chain_running list iteration and descriptor access\nwith the chan->desc_lock spinlock."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndmaengine: mmp_pdma: Corrección de condición de carrera en mmp_pdma_residue()\n\nAñadir bloqueo adecuado en mmp_pdma_residue() para prevenir uso después de liberación al acceder a la lista de descriptores y al contenido del descriptor.\n\nLa condición de carrera ocurre cuando múltiples hilos llaman a tx_status() mientras el tasklet en otra CPU está liberando descriptores completados:\n\nCPU 0 CPU 1\n----- -----\nmmp_pdma_tx_status()\nmmp_pdma_residue()\n -> SIN BLOQUEO mantenido\n list_for_each_entry(sw, ..)\n Interrupción DMA\n dma_do_tasklet()\n -> spin_lock(&desc_lock)\n list_move(sw->node, ...)\n spin_unlock(&desc_lock)\n | dma_pool_free(sw) <- ¡LIBERADO!\n -> acceso a sw->desc <- ¡UAF!\n\nEste problema puede ser reproducido al ejecutar dmatest en el mismo canal con múltiples hilos (hilos_por_canal > 1).\n\nSolución protegiendo la iteración de la lista chain_running y el acceso al descriptor con el spinlock chan->desc_lock."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.18.10","matchCriteriaId":"D20A40DD-5043-4C92-9FB6-C88CA3BBEECE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3f0e0e2d9e752570041e95fd04635e2580097819","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9f665b3c3d9a168410251f27a5d019b7bf93185c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a143545855bc2c6e1330f6f57ae375ac44af00a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dfb5e05227745de43b7fd589721817a4337c970d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/eba0c75670c022cb1f948600db972524bcfe8166","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fc023b8fab057f0c910856ff36d3e12a30b7af4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-23204","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-14T17:15:58.297","lastModified":"2026-06-01T17:16:44.937","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/sched: cls_u32: usar skb_header_pointer_careful()\n\nskb_header_pointer() no valida completamente los valores negativos de @offset.\n\nUsar skb_header_pointer_careful() en su lugar.\n\nGangMin Kim proporcionó un informe y una reproducción engañando a u32_classify():\n\nBUG: KASAN: slab-out-of-bounds en u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35.1","versionEndExcluding":"6.6.124","matchCriteriaId":"CDD3DE1F-BBB8-495C-81E8-5D36799A6116"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.70","matchCriteriaId":"F3791390-0628-4808-99EF-1ED8ABF60933"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.10","matchCriteriaId":"7156C23F-009E-4D05-838C-A2DA417B5B8D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.35:-:*:*:*:*:*:*","matchCriteriaId":"11B11B98-42CE-41C8-A40E-FAA230FD2A76"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.35:rc2:*:*:*:*:*:*","matchCriteriaId":"EA4BC3D2-70FF-4EED-9DC8-B378F88F4D36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.35:rc3:*:*:*:*:*:*","matchCriteriaId":"A7ACC123-06D8-4A3F-8730-AA7FF6EFBD35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.35:rc4:*:*:*:*:*:*","matchCriteriaId":"3F6891F7-2B07-4A96-A0D6-AC528B7E0DD8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.35:rc5:*:*:*:*:*:*","matchCriteriaId":"657BCE5D-DC8B-4BE2-AED8-BC52C738F999"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.35:rc6:*:*:*:*:*:*","matchCriteriaId":"160E9402-241A-44AE-A92A-9629CA656F38"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*","matchCriteriaId":"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*","matchCriteriaId":"EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/29681ed51e737be14d18ecd1c304c57002e4b72c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-4324","sourceIdentifier":"secalert@redhat.com","published":"2026-03-17T14:16:19.777","lastModified":"2026-06-01T19:16:54.323","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database."},{"lang":"es","value":"Se encontró un defecto en el plugin Katello para Red Hat Satellite. Esta vulnerabilidad, causada por un saneamiento inadecuado de la entrada proporcionada por el usuario, permite a un atacante remoto inyectar comandos SQL arbitrarios en el parámetro sort_by del endpoint de la API /api/hosts/bootc_images. Esto puede conducir a una Denegación de Servicio (DoS) al desencadenar errores en la base de datos, y potencialmente habilitar la inyección SQL ciega basada en booleanos, lo que podría permitir a un atacante extraer información sensible de la base de datos."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:22326","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:5968","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:5970","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-4324","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448349","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-23255","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-18T18:16:23.687","lastModified":"2026-06-01T17:16:45.110","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add proper RCU protection to /proc/net/ptype\n\nYin Fengwei reported an RCU stall in ptype_seq_show() and provided\na patch.\n\nReal issue is that ptype_seq_next() and ptype_seq_show() violate\nRCU rules.\n\nptype_seq_show() runs under rcu_read_lock(), and reads pt->dev\nto get device name without any barrier.\n\nAt the same time, concurrent writers can remove a packet_type structure\n(which is correctly freed after an RCU grace period) and clear pt->dev\nwithout an RCU grace period.\n\nDefine ptype_iter_state to carry a dev pointer along seq_net_private:\n\nstruct ptype_iter_state {\n\tstruct seq_net_private\tp;\n\tstruct net_device\t*dev; // added in this patch\n};\n\nWe need to record the device pointer in ptype_get_idx() and\nptype_seq_next() so that ptype_seq_show() is safe against\nconcurrent pt->dev changes.\n\nWe also need to add full RCU protection in ptype_seq_next().\n(Missing READ_ONCE() when reading list.next values)\n\nMany thanks to Dong Chenchen for providing a repro."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: añadir protección RCU adecuada a /proc/net/ptype\n\nYin Fengwei informó de un bloqueo RCU en ptype_seq_show() y proporcionó un parche.\n\nEl problema real es que ptype_seq_next() y ptype_seq_show() violan las reglas RCU.\n\nptype_seq_show() se ejecuta bajo rcu_read_lock(), y lee pt->dev para obtener el nombre del dispositivo sin ninguna barrera.\n\nAl mismo tiempo, los escritores concurrentes pueden eliminar una estructura packet_type (que se libera correctamente después de un período de gracia RCU) y borrar pt->dev sin un período de gracia RCU.\n\nDefinir ptype_iter_state para llevar un puntero dev junto con seq_net_private:\n\nstruct ptype_iter_state {\n\tstruct seq_net_private\tp;\n\tstruct net_device\t*dev; // añadido en este parche\n};\n\nNecesitamos registrar el puntero del dispositivo en ptype_get_idx() y ptype_seq_next() para que ptype_seq_show() esté a salvo de cambios concurrentes en pt->dev.\n\nTambién necesitamos añadir protección RCU completa en ptype_seq_next().\n(Falta READ_ONCE() al leer los valores de list.next)\n\nMuchas gracias a Dong Chenchen por proporcionar una reproducción."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12.1","versionEndExcluding":"6.6.136","matchCriteriaId":"E2D9D9DF-0F25-43D5-9C6A-4C891E3A29FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.80","matchCriteriaId":"97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.10","matchCriteriaId":"7156C23F-009E-4D05-838C-A2DA417B5B8D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*","matchCriteriaId":"6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"4F76C298-81DC-43E4-8FC9-DC005A2116EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"0AB349B2-3F78-4197-882B-90ADB3BF645A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"6AC88830-A9BC-4607-B572-A4B502FC9FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"476CB3A5-D022-4F13-AAEF-CB6A5785516A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*","matchCriteriaId":"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*","matchCriteriaId":"EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/002a73470b56848e4c81efeaaedd471e92d66d8d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/589a530ae44d0c80f523fcfd1a15af8087f27d35","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dcefd3f0b9ed8288654c75254bdcee8e1085e861","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e974a10a52618f7f57a4bce173a0ed96acd4e5dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f613e8b4afea0cd17c7168e8b00e25bc8d33175d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23327","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-25T11:16:29.837","lastModified":"2026-06-01T17:16:45.257","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()\n\ncxl_payload_from_user_allowed() casts and dereferences the input\npayload without first verifying its size. When a raw mailbox command\nis sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,\nwhich expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,\ntriggering a KASAN splat:\n\nBUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683\nRead of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258\n\nCPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x650 mm/kasan/report.c:482\n kasan_report+0xce/0x100 mm/kasan/report.c:595\n memcmp+0x176/0x1d0 lib/string.c:683\n uuid_equal include/linux/uuid.h:73 [inline]\n cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]\n cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]\n cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]\n cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643\n __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]\n cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdaf331ba79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79\nRDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003\nRBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768\n \n\nAdd 'in_size' parameter to cxl_payload_from_user_allowed() and validate\nthe payload is large enough."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncxl/mbox: validar el tamaño de la carga útil antes de acceder a los contenidos en cxl_payload_from_user_allowed()\n\ncxl_payload_from_user_allowed() convierte y desreferencia la carga útil de entrada sin verificar primero su tamaño. Cuando se envía un comando de buzón sin procesar con una carga útil de tamaño insuficiente (es decir: 1 byte para CXL_MBOX_OP_CLEAR_LOG, que espera un UUID de 16 bytes), uuid_equal() lee más allá del búfer asignado, lo que activa un KASAN splat:\n\nBUG: KASAN: slab-out-of-bounds en memcmp+0x176/0x1d0 lib/string.c:683\nLectura de tamaño 8 en la dirección ffff88810130f5c0 por la tarea syz.1.62/2258\n\nCPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 No contaminado 6.19.0-dirty #3 PREEMPT(voluntary)\nNombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\nTraza de llamadas:\n \n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x650 mm/kasan/report.c:482\n kasan_report+0xce/0x100 mm/kasan/report.c:595\n memcmp+0x176/0x1d0 lib/string.c:683\n uuid_equal include/linux/uuid.h:73 [inline]\n cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]\n cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]\n cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]\n cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643\n __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]\n cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdaf331ba79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79\nRDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003\nRBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768\n \n\nAñadir el parámetro 'in_size' a cxl_payload_from_user_allowed() y validar que la carga útil sea lo suficientemente grande."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19.1","versionEndExcluding":"6.19.7","matchCriteriaId":"74C0D01A-385D-4859-8FCC-93ACC7B4B847"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19:-:*:*:*:*:*:*","matchCriteriaId":"9D759CCF-9E1B-41B2-81AA-CB580C5F3EEC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/60b5d1f68338aff2c5af0113f04aefa7169c50c2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dc184ac2f0ba77ae19725ee06ad3ab36bb9d1f61","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-23371","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-25T11:16:36.637","lastModified":"2026-06-01T17:16:45.403","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting\n\nRunning stress-ng --schedpolicy 0 on an RT kernel on a big machine\nmight lead to the following WARNINGs (edited).\n\n sched: DL de-boosted task PID 22725: REPLENISH flag missing\n\n WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8\n ... (running_bw underflow)\n Call trace:\n dequeue_task_dl+0x15c/0x1f8 (P)\n dequeue_task+0x80/0x168\n deactivate_task+0x24/0x50\n push_dl_task+0x264/0x2e0\n dl_task_timer+0x1b0/0x228\n __hrtimer_run_queues+0x188/0x378\n hrtimer_interrupt+0xfc/0x260\n ...\n\nThe problem is that when a SCHED_DEADLINE task (lock holder) is\nchanged to a lower priority class via sched_setscheduler(), it may\nfail to properly inherit the parameters of potential DEADLINE donors\nif it didn't already inherit them in the past (shorter deadline than\ndonor's at that time). This might lead to bandwidth accounting\ncorruption, as enqueue_task_dl() won't recognize the lock holder as\nboosted.\n\nThe scenario occurs when:\n1. A DEADLINE task (donor) blocks on a PI mutex held by another\n DEADLINE task (holder), but the holder doesn't inherit parameters\n (e.g., it already has a shorter deadline)\n2. sched_setscheduler() changes the holder from DEADLINE to a lower\n class while still holding the mutex\n3. The holder should now inherit DEADLINE parameters from the donor\n and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen\n\nFix the issue by introducing __setscheduler_dl_pi(), which detects when\na DEADLINE (proper or boosted) task gets setscheduled to a lower\npriority class. In case, the function makes the task inherit DEADLINE\nparameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to\nensure proper bandwidth accounting during the next enqueue operation."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nsched/deadline: Solucionar la falta de ENQUEUE_REPLENISH durante la des-potenciación PI\n\nEjecutar stress-ng --schedpolicy 0 en un kernel RT en una máquina grande podría llevar a las siguientes ADVERTENCIAS (editado).\n\n sched: Tarea DL des-potenciada PID 22725: Falta la bandera REPLENISH\n\n ADVERTENCIA: CPU: 93 PID: 0 en kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8\n ... (desbordamiento negativo de running_bw)\n Traza de llamada:\n dequeue_task_dl+0x15c/0x1f8 (P)\n dequeue_task+0x80/0x168\n deactivate_task+0x24/0x50\n push_dl_task+0x264/0x2e0\n dl_task_timer+0x1b0/0x228\n __hrtimer_run_queues+0x188/0x378\n hrtimer_interrupt+0xfc/0x260\n ...\n\nEl problema es que cuando una tarea SCHED_DEADLINE (poseedor del bloqueo) se cambia a una clase de prioridad inferior a través de sched_setscheduler(), puede no heredar correctamente los parámetros de los posibles donantes DEADLINE si no los heredó ya en el pasado (plazo más corto que el del donante en ese momento). Esto podría llevar a la corrupción de la contabilidad del ancho de banda, ya que enqueue_task_dl() no reconocerá al poseedor del bloqueo como potenciado.\n\nEl escenario ocurre cuando:\n1. Una tarea DEADLINE (donante) se bloquea en un mutex PI mantenido por otra tarea DEADLINE (poseedor), pero el poseedor no hereda los parámetros (por ejemplo, ya tiene un plazo más corto)\n2. sched_setscheduler() cambia el poseedor de DEADLINE a una clase inferior mientras aún mantiene el mutex\n3. El poseedor debería ahora heredar los parámetros DEADLINE del donante y ser encolado con ENQUEUE_REPLENISH, pero esto no sucede\n\nSolucionar el problema introduciendo __setscheduler_dl_pi(), que detecta cuando una tarea DEADLINE (propia o potenciada) se programa a una clase de prioridad inferior. En ese caso, la función hace que la tarea herede los parámetros DEADLINE del donante (pi_se) y establece la bandera ENQUEUE_REPLENISH para asegurar una contabilidad adecuada del ancho de banda durante la siguiente operación de encolado."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.257","versionEndExcluding":"4.20","matchCriteriaId":"CC49E974-39F0-4EAB-AA56-2136CE9885A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.212","versionEndExcluding":"5.5","matchCriteriaId":"1FF42D15-4929-4BA3-A853-6ED272405AD4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.1","versionEndExcluding":"6.19.7","matchCriteriaId":"59C083CB-F10A-4E24-A914-13201863DFA3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.10:-:*:*:*:*:*:*","matchCriteriaId":"B29EBB93-107F-4ED6-8DE3-C2732BC659C3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0638bf16b7a73a2fe63624bd0d16d9fd904805c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ba1c22924ddcc280672a2a06a9ca99ee3a1b92c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d658686a1331db3bb108ca079d76deb3208ed949","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23389","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-25T11:16:39.440","lastModified":"2026-06-01T17:16:45.543","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix memory leak in ice_set_ringparam()\n\nIn ice_set_ringparam, tx_rings and xdp_rings are allocated before\nrx_rings. If the allocation of rx_rings fails, the code jumps to\nthe done label leaking both tx_rings and xdp_rings. Furthermore, if\nthe setup of an individual Rx ring fails during the loop, the code jumps\nto the free_tx label which releases tx_rings but leaks xdp_rings.\n\nFix this by introducing a free_xdp label and updating the error paths to\nensure both xdp_rings and tx_rings are properly freed if rx_rings\nallocation or setup fails.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nice: Corrección de fuga de memoria en ice_set_ringparam()\n\nEn ice_set_ringparam, tx_rings y xdp_rings se asignan antes de rx_rings. Si la asignación de rx_rings falla, el código salta a la etiqueta done provocando una fuga tanto de tx_rings como de xdp_rings. Además, si la configuración de un anillo Rx individual falla durante el bucle, el código salta a la etiqueta free_tx, que libera tx_rings pero provoca una fuga de xdp_rings.\n\nEsto se corrige introduciendo una etiqueta free_xdp y actualizando las rutas de error para asegurar que tanto xdp_rings como tx_rings se liberen correctamente si la asignación o configuración de rx_rings falla.\n\nProbado solo en compilación. Problema encontrado utilizando una herramienta prototipo de análisis estático y revisión de código."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17.1","versionEndExcluding":"6.12.81","matchCriteriaId":"AB00FA77-1A3D-4E2C-99B3-4BC4E748DDFF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.22","matchCriteriaId":"C9DF8BCE-36D3-475D-9D21-19E4F02F9029"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.7","matchCriteriaId":"69245D10-0B71-485E-80C3-A64F077004D3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.17:-:*:*:*:*:*:*","matchCriteriaId":"3F438846-FE97-43DC-A655-B5EF8DED552E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/44ba32a892b72de3faa04b8cfb1f2f1418fdd580","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/63dc317dfcd3faffd082c2bf3080f9ad070273da","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b23282218eca27b710111460b4964c8a456c6c44","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bddf04e3822e4fa38691433dd0750420d49a0dd6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e0c211a0c26159058303712d6b4fbd1c88835e6d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fe868b499d16f55bbeea89992edb98043c9de416","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23394","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-25T11:16:40.190","lastModified":"2026-06-01T17:16:45.680","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Give up GC if MSG_PEEK intervened.\n\nIgor Ushakov reported that GC purged the receive queue of\nan alive socket due to a race with MSG_PEEK with a nice repro.\n\nThis is the exact same issue previously fixed by commit\ncbcf01128d0a (\"af_unix: fix garbage collect vs MSG_PEEK\").\n\nAfter GC was replaced with the current algorithm, the cited\ncommit removed the locking dance in unix_peek_fds() and\nreintroduced the same issue.\n\nThe problem is that MSG_PEEK bumps a file refcount without\ninteracting with GC.\n\nConsider an SCC containing sk-A and sk-B, where sk-A is\nclose()d but can be recv()ed via sk-B.\n\nThe bad thing happens if sk-A is recv()ed with MSG_PEEK from\nsk-B and sk-B is close()d while GC is checking unix_vertex_dead()\nfor sk-A and sk-B.\n\n GC thread User thread\n --------- -----------\n unix_vertex_dead(sk-A)\n -> true <------.\n \\\n `------ recv(sk-B, MSG_PEEK)\n invalidate !! -> sk-A's file refcount : 1 -> 2\n\n close(sk-B)\n -> sk-B's file refcount : 2 -> 1\n unix_vertex_dead(sk-B)\n -> true\n\nInitially, sk-A's file refcount is 1 by the inflight fd in sk-B\nrecvq. GC thinks sk-A is dead because the file refcount is the\nsame as the number of its inflight fds.\n\nHowever, sk-A's file refcount is bumped silently by MSG_PEEK,\nwhich invalidates the previous evaluation.\n\nAt this moment, sk-B's file refcount is 2; one by the open fd,\nand one by the inflight fd in sk-A. The subsequent close()\nreleases one refcount by the former.\n\nFinally, GC incorrectly concludes that both sk-A and sk-B are dead.\n\nOne option is to restore the locking dance in unix_peek_fds(),\nbut we can resolve this more elegantly thanks to the new algorithm.\n\nThe point is that the issue does not occur without the subsequent\nclose() and we actually do not need to synchronise MSG_PEEK with\nthe dead SCC detection.\n\nWhen the issue occurs, close() and GC touch the same file refcount.\nIf GC sees the refcount being decremented by close(), it can just\ngive up garbage-collecting the SCC.\n\nTherefore, we only need to signal the race during MSG_PEEK with\na proper memory barrier to make it visible to the GC.\n\nLet's use seqcount_t to notify GC when MSG_PEEK occurs and let\nit defer the SCC to the next run.\n\nThis way no locking is needed on the MSG_PEEK side, and we can\navoid imposing a penalty on every MSG_PEEK unnecessarily.\n\nNote that we can retry within unix_scc_dead() if MSG_PEEK is\ndetected, but we do not do so to avoid hung task splat from\nabusive MSG_PEEK calls."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\naf_unix: Abandonar la recolección de basura (GC) si MSG_PEEK intervino.\n\nIgor Ushakov informó que la recolección de basura (GC) purgó la cola de recepción de un socket activo debido a una condición de carrera con MSG_PEEK con una buena reproducción.\n\nEste es exactamente el mismo problema previamente solucionado por el commit cbcf01128d0a ('af_unix: corregir recolección de basura vs MSG_PEEK').\n\nDespués de que la recolección de basura (GC) fue reemplazada por el algoritmo actual, el commit citado eliminó la 'danza de bloqueo' en unix_peek_fds() y reintrodujo el mismo problema.\n\nEl problema es que MSG_PEEK incrementa un contador de referencias de archivo sin interactuar con la recolección de basura (GC).\n\nConsidere un SCC que contiene sk-A y sk-B, donde sk-A está close()d (cerrado) pero puede ser recv()ed (recibido) a través de sk-B.\n\nLo malo sucede si sk-A es recv()ed (recibido) con MSG_PEEK desde sk-B y sk-B está close()d (cerrado) mientras la recolección de basura (GC) está verificando unix_vertex_dead() para sk-A y sk-B.\n\n Hilo de GC Hilo de usuario\n --------- -----------\n unix_vertex_dead(sk-A)\n -> true <------.\n \\\n `------ recv(sk-B, MSG_PEEK)\n ¡¡invalidar!! -> contador de referencias de archivo de sk-A : 1 -> 2\n\n close(sk-B)\n -> contador de referencias de archivo de sk-B : 2 -> 1\n unix_vertex_dead(sk-B)\n -> true\n\nInicialmente, el contador de referencias de archivo de sk-A es 1 por el descriptor de archivo en tránsito en la cola de recepción de sk-B. La recolección de basura (GC) piensa que sk-A está muerto porque el contador de referencias de archivo es el mismo que el número de sus descriptores de archivo en tránsito.\n\nSin embargo, el contador de referencias de archivo de sk-A es incrementado silenciosamente por MSG_PEEK, lo que invalida la evaluación anterior.\n\nEn este momento, el contador de referencias de archivo de sk-B es 2; uno por el descriptor de archivo abierto, y uno por el descriptor de archivo en tránsito en sk-A. El close() (cierre) subsiguiente libera un contador de referencias por el primero.\n\nFinalmente, la recolección de basura (GC) concluye incorrectamente que tanto sk-A como sk-B están muertos.\n\nUna opción es restaurar la 'danza de bloqueo' en unix_peek_fds(), pero podemos resolver esto de manera más elegante gracias al nuevo algoritmo.\n\nEl punto es que el problema no ocurre sin el close() (cierre) subsiguiente y en realidad no necesitamos sincronizar MSG_PEEK con la detección de SCC muertos.\n\nCuando ocurre el problema, close() (el cierre) y la recolección de basura (GC) tocan el mismo contador de referencias de archivo. Si la recolección de basura (GC) ve que el contador de referencias es decrementado por close() (el cierre), puede simplemente abandonar la recolección de basura del SCC.\n\nPor lo tanto, solo necesitamos señalar la condición de carrera durante MSG_PEEK con una barrera de memoria adecuada para hacerla visible a la recolección de basura (GC).\n\nUsemos seqcount_t para notificar a la recolección de basura (GC) cuando ocurre MSG_PEEK y permitirle aplazar el SCC a la siguiente ejecución.\n\nDe esta manera, no se necesita bloqueo en el lado de MSG_PEEK, y podemos evitar imponer una penalización a cada MSG_PEEK innecesariamente.\n\nTenga en cuenta que podemos reintentar dentro de unix_scc_dead() si se detecta MSG_PEEK, pero no lo hacemos para evitar la 'salpicadura' de tareas colgadas por llamadas abusivas a MSG_PEEK."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.141","versionEndExcluding":"6.2","matchCriteriaId":"B0A3421E-59FE-4E16-9DC6-4CAF59C361C7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.93","versionEndExcluding":"6.7","matchCriteriaId":"4CAF81AF-E0B7-4112-B091-4DE2CB164414"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10.1","versionEndExcluding":"6.18.23","matchCriteriaId":"7109F074-E2CB-44FB-A4DB-E45B24EF0E17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.10","matchCriteriaId":"96D34333-38BE-4414-9E79-6EB764329581"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.10:-:*:*:*:*:*:*","matchCriteriaId":"9EA80796-744E-45F5-8632-2AB4F7889FCD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3106f326f67c03dd9da4ca64663d11e40138cf40","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/37dd7ab332396eb8dd80b2dc7ea4b61abf767436","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/72cf49ad50c16270b52bc512d9c2df5743922968","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e3dd56fb5683ba80bf8d7a2f9aa21cfa53f05202","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e5b31d988a41549037b8d8721a3c3cae893d8670","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23399","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-28T08:15:56.720","lastModified":"2026-06-01T17:16:45.830","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnf_tables: nft_dynset: fix possible stateful expression memleak in error path\n\nIf cloning the second stateful expression in the element via GFP_ATOMIC\nfails, then the first stateful expression remains in place without being\nreleased.\n\n unreferenced object (percpu) 0x607b97e9cab8 (size 16):\n comm \"softirq\", pid 0, jiffies 4294931867\n hex dump (first 16 bytes on cpu 3):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n backtrace (crc 0):\n pcpu_alloc_noprof+0x453/0xd80\n nft_counter_clone+0x9c/0x190 [nf_tables]\n nft_expr_clone+0x8f/0x1b0 [nf_tables]\n nft_dynset_new+0x2cb/0x5f0 [nf_tables]\n nft_rhash_update+0x236/0x11c0 [nf_tables]\n nft_dynset_eval+0x11f/0x670 [nf_tables]\n nft_do_chain+0x253/0x1700 [nf_tables]\n nft_do_chain_ipv4+0x18d/0x270 [nf_tables]\n nf_hook_slow+0xaa/0x1e0\n ip_local_deliver+0x209/0x330"},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnf_tables: nft_dynset: corregir posible fuga de memoria de expresión con estado en la ruta de error\n\nSi la clonación de la segunda expresión con estado en el elemento a través de GFP_ATOMIC falla, entonces la primera expresión con estado permanece en su lugar sin ser liberada.\n\n objeto sin referencia (por CPU) 0x607b97e9cab8 (tamaño 16):\n comm 'softirq', pid 0, jiffies 4294931867\n volcado hexadecimal (primeros 16 bytes en la CPU 3):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n rastreo de pila (crc 0):\n pcpu_alloc_noprof+0x453/0xd80\n nft_counter_clone+0x9c/0x190 [nf_tables]\n nft_expr_clone+0x8f/0x1b0 [nf_tables]\n nft_dynset_new+0x2cb/0x5f0 [nf_tables]\n nft_rhash_update+0x236/0x11c0 [nf_tables]\n nft_dynset_eval+0x11f/0x670 [nf_tables]\n nft_do_chain+0x253/0x1700 [nf_tables]\n nft_do_chain_ipv4+0x18d/0x270 [nf_tables]\n nf_hook_slow+0xaa/0x1e0\n ip_local_deliver+0x209/0x330"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11.1","versionEndExcluding":"6.12.78","matchCriteriaId":"0618528B-8039-4E87-8695-397AE7D4B4E5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.20","matchCriteriaId":"E5571059-6552-48E7-9BEF-3E358C387171"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.10","matchCriteriaId":"96D34333-38BE-4414-9E79-6EB764329581"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.11:-:*:*:*:*:*:*","matchCriteriaId":"7AD3510E-E8FA-47F3-9AD5-D8EA4A2719D1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0548a13b5a145b16e4da0628b5936baf35f51b43","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/31641c682db73353e4647e40735c7f2a75ff58ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4357dbb1d9c35ca0b4443d71c98a48e6666f7689","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c88a9fd26cee365bec932196f76175772a941cca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d1354873cbe3b344899c4311ac05897fd83e3f21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e6661add2d9c6913e1dad97336595e23a2bed195","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/eb7bf413e59945df03d4567b73ce464eebe2f4ea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-5119","sourceIdentifier":"secalert@redhat.com","published":"2026-03-30T07:15:58.350","lastModified":"2026-06-01T19:16:54.580","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation."},{"lang":"es","value":"Se encontró una vulnerabilidad en libsoup. Al establecer túneles HTTPS a través de un proxy HTTP configurado, las cookies de sesión sensibles se transmiten en texto claro dentro de la solicitud HTTP CONNECT inicial. Un atacante posicionado en la red o un proxy HTTP malicioso puede interceptar estas cookies, lo que podría conducir al secuestro potencial de la sesión o a la suplantación de identidad del usuario."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-319"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gnome:libsoup:-:*:*:*:*:*:*:*","matchCriteriaId":"C5BAC4F4-3ACD-4F4D-920C-F920FD2C5472"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13978","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:14087","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:15968","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:17482","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:19143","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:19356","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:21686","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:22316","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:22317","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:22323","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-5119","source":"secalert@redhat.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452932","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]},{"url":"https://gitlab.gnome.org/GNOME/libsoup/-/issues/502","source":"secalert@redhat.com","tags":["Exploit","Issue Tracking"]}]}},{"cve":{"id":"CVE-2026-34070","sourceIdentifier":"security-advisories@github.com","published":"2026-03-31T03:15:58.947","lastModified":"2026-06-01T16:23:18.117","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."},{"lang":"es","value":"LangChain es un framework para construir agentes y aplicaciones impulsadas por LLM. Antes de la versión 1.2.22, múltiples funciones en langchain_core.prompts.loading leían archivos de rutas incrustadas en diccionarios de configuración deserializados sin validar contra salto de directorio o inyección de ruta absoluta. Cuando una aplicación pasa configuraciones de prompt influenciadas por el usuario a load_prompt() o load_prompt_from_config(), un atacante puede leer archivos arbitrarios en el sistema de archivos del host, restringido solo por verificaciones de extensión de archivo (.txt para plantillas, .json/.yaml para ejemplos). Este problema ha sido parcheado en la versión 1.2.22."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*","versionEndExcluding":"1.2.22","matchCriteriaId":"2ABD029B-592B-4C63-A280-09F190C3587A"}]}]}],"references":[{"url":"https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-25835","sourceIdentifier":"cve@mitre.org","published":"2026-04-01T19:16:28.663","lastModified":"2026-06-01T17:05:36.843","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG)."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.5,"impactScore":5.2}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-335"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*","versionStartIncluding":"2.18.0","versionEndExcluding":"3.6.6","matchCriteriaId":"F718023A-E632-45A1-8C51-781C969DA96D"},{"vulnerable":true,"criteria":"cpe:2.3:a:arm:mbed_tls:4.0.0:*:*:*:*:*:*:*","matchCriteriaId":"8EF688FA-732F-4EAF-BAC6-AC3CDAF19588"},{"vulnerable":true,"criteria":"cpe:2.3:a:linaro:tf-psa-crypto:*:*:*:*:*:*:*:*","versionEndExcluding":"1.1.0","matchCriteriaId":"7D0F0906-16E8-4BB0-AE3C-9E703702BA08"}]}]}],"references":[{"url":"https://mbed-tls.readthedocs.io/en/latest/security-advisories/","source":"cve@mitre.org","tags":["Vendor Advisory"]},{"url":"https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-rng-cloning/","source":"cve@mitre.org","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-23442","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-03T16:16:28.423","lastModified":"2026-06-01T17:16:45.967","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: add NULL checks for idev in SRv6 paths\n\n__in6_dev_get() can return NULL when the device has no IPv6 configuration\n(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).\n\nAdd NULL checks for idev returned by __in6_dev_get() in both\nseg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL\npointer dereferences."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10.1","versionEndExcluding":"6.12.83","matchCriteriaId":"C9FB8914-AA64-42C8-B1C5-31091B1EAA92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.19.10","matchCriteriaId":"74050944-3704-4081-A5DA-C5DAB1E275E6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.10:-:*:*:*:*:*:*","matchCriteriaId":"C201E405-86F2-4F96-984A-00A865219C86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0348fa0ada37cef7c6b5ab2a428bb2c6aee784e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/06413793526251870e20402c39930804f14d59c0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/50352fc103928e10e8729abc79a0d05abef26c4d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/83d705d35e583cb1b1eacf196dfe7b77d442018e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a25853c9feea7bbf31d157ff6e004d2d3b4f7f13","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bc9843c39f9932a8b36efd1d362ea00bb88e4e78","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c5cedee5d97382176573bbe21e1724e737a5eb64","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d1bd8b9edc6752d10f84d28ff64f842401ce336d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-23444","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-03T16:16:28.810","lastModified":"2026-06-01T17:16:46.110","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure\n\nieee80211_tx_prepare_skb() has three error paths, but only two of them\nfree the skb. The first error path (ieee80211_tx_prepare() returning\nTX_DROP) does not free it, while invoke_tx_handlers() failure and the\nfragmentation check both do.\n\nAdd kfree_skb() to the first error path so all three are consistent,\nand remove the now-redundant frees in callers (ath9k, mt76,\nmac80211_hwsim) to avoid double-free.\n\nDocument the skb ownership guarantee in the function's kdoc."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13.1","versionEndExcluding":"6.18.20","matchCriteriaId":"FF3A2276-F204-45D0-888F-78B1900D361C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.10","matchCriteriaId":"96D34333-38BE-4414-9E79-6EB764329581"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.13:-:*:*:*:*:*:*","matchCriteriaId":"0F72A71E-B6B2-40F2-A21D-BF7CE1514976"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3b4d27acafaeab478fd24f79ad6e593a892828b9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5ef8ca1c164786da24169af155c1ca1ff1353cf8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/905ef207d5ed99ca64adfe39fba9ac46e434327a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9a779d1f480e83720b5384adf165604e7ee226bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f77b51bcee7be2bb686b5f7a2d4a1921e4bdb9f4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-23468","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-03T16:16:34.330","lastModified":"2026-06-01T17:16:46.267","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Limit BO list entry count to prevent resource exhaustion\n\nUserspace can pass an arbitrary number of BO list entries via the\nbo_number field. Although the previous multiplication overflow check\nprevents out-of-bounds allocation, a large number of entries could still\ncause excessive memory allocation (up to potentially gigabytes) and\nunnecessarily long list processing times.\n\nIntroduce a hard limit of 128k entries per BO list, which is more than\nsufficient for any realistic use case (e.g., a single list containing all\nbuffers in a large scene). This prevents memory exhaustion attacks and\nensures predictable performance.\n\nReturn -EINVAL if the requested entry count exceeds the limit\n\n(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.6.140","matchCriteriaId":"51C70DBB-3DC0-42D5-8319-BBAA828267C9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.86","matchCriteriaId":"55DA1C62-9991-451E-B8A8-E0004E00F789"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.20","matchCriteriaId":"E5571059-6552-48E7-9BEF-3E358C387171"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.10","matchCriteriaId":"96D34333-38BE-4414-9E79-6EB764329581"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2723e6851309531ce61aed74e93a0cd268cc862a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5ce4a38e6c2488949e373d5066303f9c128db614","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6270b1a5dab94665d7adce3dc78bc9066ed28bdd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c833d6c7199c5b5fca9ec95593acd539ec9c171c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e620378aab78d415bd8a15a2f91c145906520288","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-23469","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-03T16:16:34.463","lastModified":"2026-06-01T17:16:46.410","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/imagination: Synchronize interrupts before suspending the GPU\n\nThe runtime PM suspend callback doesn't know whether the IRQ handler is\nin progress on a different CPU core and doesn't wait for it to finish.\n\nDepending on timing, the IRQ handler could be running while the GPU is\nsuspended, leading to kernel crashes when trying to access GPU\nregisters. See example signature below.\n\nIn a power off sequence initiated by the runtime PM suspend callback,\nwait for any IRQ handlers in progress on other CPU cores to finish, by\ncalling synchronize_irq().\n\nAt the same time, remove the runtime PM resume/put calls in the threaded\nIRQ handler. On top of not being the right approach to begin with, and\nbeing at the wrong place as they should have wrapped all GPU register\naccesses, the driver would hit a deadlock between synchronize_irq()\nbeing called from a runtime PM suspend callback, holding the device\npower lock, and the resume callback requiring the same.\n\nExample crash signature on a TI AM68 SK platform:\n\n [ 337.241218] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError\n [ 337.241239] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G M 6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT\n [ 337.241246] Tainted: [M]=MACHINE_CHECK\n [ 337.241249] Hardware name: Texas Instruments AM68 SK (DT)\n [ 337.241252] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [ 337.241256] pc : pvr_riscv_irq_pending+0xc/0x24\n [ 337.241277] lr : pvr_device_irq_thread_handler+0x64/0x310\n [ 337.241282] sp : ffff800085b0bd30\n [ 337.241284] x29: ffff800085b0bd50 x28: ffff0008070d9eab x27: ffff800083a5ce10\n [ 337.241291] x26: ffff000806e48f80 x25: ffff0008070d9eac x24: 0000000000000000\n [ 337.241296] x23: ffff0008068e9bf0 x22: ffff0008068e9bd0 x21: ffff800085b0bd30\n [ 337.241301] x20: ffff0008070d9e00 x19: ffff0008068e9000 x18: 0000000000000001\n [ 337.241305] x17: 637365645f656c70 x16: 0000000000000000 x15: ffff000b7df9ff40\n [ 337.241310] x14: 0000a585fe3c0d0e x13: 000000999704f060 x12: 000000000002771a\n [ 337.241314] x11: 00000000000000c0 x10: 0000000000000af0 x9 : ffff800085b0bd00\n [ 337.241318] x8 : ffff0008071175d0 x7 : 000000000000b955 x6 : 0000000000000003\n [ 337.241323] x5 : 0000000000000000 x4 : 0000000000000002 x3 : 0000000000000000\n [ 337.241327] x2 : ffff800080e39d20 x1 : ffff800080e3fc48 x0 : 0000000000000000\n [ 337.241333] Kernel panic - not syncing: Asynchronous SError Interrupt\n [ 337.241337] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G M 6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT\n [ 337.241342] Tainted: [M]=MACHINE_CHECK\n [ 337.241343] Hardware name: Texas Instruments AM68 SK (DT)\n [ 337.241345] Call trace:\n [ 337.241348] show_stack+0x18/0x24 (C)\n [ 337.241357] dump_stack_lvl+0x60/0x80\n [ 337.241364] dump_stack+0x18/0x24\n [ 337.241368] vpanic+0x124/0x2ec\n [ 337.241373] abort+0x0/0x4\n [ 337.241377] add_taint+0x0/0xbc\n [ 337.241384] arm64_serror_panic+0x70/0x80\n [ 337.241389] do_serror+0x3c/0x74\n [ 337.241392] el1h_64_error_handler+0x30/0x48\n [ 337.241400] el1h_64_error+0x6c/0x70\n [ 337.241404] pvr_riscv_irq_pending+0xc/0x24 (P)\n [ 337.241410] irq_thread_fn+0x2c/0xb0\n [ 337.241416] irq_thread+0x170/0x334\n [ 337.241421] kthread+0x12c/0x210\n [ 337.241428] ret_from_fork+0x10/0x20\n [ 337.241434] SMP: stopping secondary CPUs\n [ 337.241451] Kernel Offset: disabled\n [ 337.241453] CPU features: 0x040000,02002800,20002001,0400421b\n [ 337.241456] Memory Limit: none\n [ 337.457921] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.18.20","matchCriteriaId":"9DFE02DA-6582-471D-A45D-00B18C91CAA2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.10","matchCriteriaId":"96D34333-38BE-4414-9E79-6EB764329581"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2d7f05cddf4c268cc36256a2476946041dbdd36d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/50257450196e4bba11c562117847ea409660a7de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/772f3653eef50ea7cf721b05d8e275f93bc460f3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8e0c15e426a056b9fb604cf87a1dfdec4d61e407","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31407","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-06T08:16:38.623","lastModified":"2026-06-01T17:16:46.550","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: add missing netlink policy validations\n\nHyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n\nThese attributes are used by the kernel without any validation.\nExtend the netlink policies accordingly.\n\nQuoting the reporter:\n nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n value directly to ct->proto.sctp.state without checking that it is\n within the valid range. [..]\n\n and: ... with exp->dir = 100, the access at\n ct->master->tuplehash[100] reads 5600 bytes past the start of a\n 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n UBSAN."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27","versionEndExcluding":"6.6.136","matchCriteriaId":"B3457033-D01A-43C8-836D-8E21A577B7A5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.10","matchCriteriaId":"96D34333-38BE-4414-9E79-6EB764329581"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/67c53c1978cef3c504237275e39c857e2f6af56e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/78bba9f73942aa7dca47d817d8cec0fb9b443b70","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9174d28f3f15d8c4962f5980c0be167633880443","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/be88a337bf07afb1ee173f1099294d1b7ab3fefe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c5e918390002edf0cff80a0e7ce1f86f16a9507c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e7b5766693477c52424cc6c79dd30a7a9c7db52c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31409","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-06T08:16:38.943","lastModified":"2026-06-01T17:16:46.707","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset conn->binding on failed binding request\n\nWhen a multichannel SMB2_SESSION_SETUP request with\nSMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true\nbut never clears it on the error path. This leaves the connection in\na binding state where all subsequent ksmbd_session_lookup_all() calls\nfall back to the global sessions table. This fix it by clearing\nconn->binding = false in the error path."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.1.167","matchCriteriaId":"54D2788B-5D8B-4E8C-A8AD-0650F3F1B069"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.130","matchCriteriaId":"C57BB918-DF28-46B3-94F7-144176841267"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.78","matchCriteriaId":"28D591F5-B196-4CC9-905C-DC80F116E7A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.20","matchCriteriaId":"E5571059-6552-48E7-9BEF-3E358C387171"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.10","matchCriteriaId":"96D34333-38BE-4414-9E79-6EB764329581"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7e8b270813079c785696bce8802a3f920665c88c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31420","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-13T14:16:11.617","lastModified":"2026-06-01T17:16:46.843","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mrp: reject zero test interval to avoid OOM panic\n\nbr_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied\ninterval value from netlink without validation. When interval is 0,\nusecs_to_jiffies(0) yields 0, causing the delayed work\n(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule\nitself with zero delay. This creates a tight loop on system_percpu_wq\nthat allocates and transmits MRP test frames at maximum rate, exhausting\nall system memory and causing a kernel panic via OOM deadlock.\n\nThe same zero-interval issue applies to br_mrp_start_in_test_parse()\nfor interconnect test frames.\n\nUse NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both\nIFLA_BRIDGE_MRP_START_TEST_INTERVAL and\nIFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the\nnetlink attribute parsing layer before the value ever reaches the\nworkqueue scheduling code. This is consistent with how other bridge\nsubsystems (br_fdb, br_mst) enforce range constraints on netlink\nattributes."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"6.19.12","matchCriteriaId":"B469E475-132D-4946-9735-CFEFE1A51CA7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/630a15a31c2034b5b697f4aabc769b9d80d82446","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c9bc352f716d1bebfe43354bce539ec2d0223b30","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e8ec80430bfa520e7352155d6ac632e527cba7aa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fa6e24963342de4370e3a3c9af41e38277b74cf3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-32152","sourceIdentifier":"secure@microsoft.com","published":"2026-04-14T18:17:15.710","lastModified":"2026-06-01T16:26:06.770","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.6936","matchCriteriaId":"B33CE091-B873-4C30-BA05-54A8C1839212"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.6936","matchCriteriaId":"E3AF28F3-D486-4B88-9E0E-371241024174"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8246","matchCriteriaId":"94EB36C7-1FF2-4B44-AD91-F3540F09393E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8246","matchCriteriaId":"14B23C3F-C8AC-491A-BCA5-EB6982C8F9E9"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8246","matchCriteriaId":"361B5DAB-8D1F-45D7-A33C-F49EBA56B5F8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8246","matchCriteriaId":"ADC6CE99-AB5D-4DD5-82A9-892366C4B2FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.1836","matchCriteriaId":"690E74A8-E72C-47B6-96EB-37C48D69A635"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.1836","matchCriteriaId":"13A01FA1-08DC-4E33-9FFC-AB4BCD9634CA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5020","matchCriteriaId":"DC6837B7-5DFD-4AF7-B436-3C6FEF48BA60"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2274","matchCriteriaId":"55A1F3AB-5299-4495-9A73-FDA23C6FD88D"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32690","matchCriteriaId":"ADF41A14-B9DA-4788-82A8-74DCDCD090E1"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32152","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-32154","sourceIdentifier":"secure@microsoft.com","published":"2026-04-14T18:17:16.163","lastModified":"2026-06-01T16:25:38.757","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.6936","matchCriteriaId":"B33CE091-B873-4C30-BA05-54A8C1839212"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.6936","matchCriteriaId":"E3AF28F3-D486-4B88-9E0E-371241024174"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8246","matchCriteriaId":"94EB36C7-1FF2-4B44-AD91-F3540F09393E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8246","matchCriteriaId":"14B23C3F-C8AC-491A-BCA5-EB6982C8F9E9"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8246","matchCriteriaId":"361B5DAB-8D1F-45D7-A33C-F49EBA56B5F8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8246","matchCriteriaId":"ADC6CE99-AB5D-4DD5-82A9-892366C4B2FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.1836","matchCriteriaId":"690E74A8-E72C-47B6-96EB-37C48D69A635"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.1836","matchCriteriaId":"13A01FA1-08DC-4E33-9FFC-AB4BCD9634CA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5020","matchCriteriaId":"DC6837B7-5DFD-4AF7-B436-3C6FEF48BA60"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2274","matchCriteriaId":"55A1F3AB-5299-4495-9A73-FDA23C6FD88D"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32690","matchCriteriaId":"ADF41A14-B9DA-4788-82A8-74DCDCD090E1"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32154","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-31449","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:38.933","lastModified":"2026-06-01T17:16:47.013","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: validate p_idx bounds in ext4_ext_correct_indexes\n\next4_ext_correct_indexes() walks up the extent tree correcting\nindex entries when the first extent in a leaf is modified. Before\naccessing path[k].p_idx->ei_block, there is no validation that\np_idx falls within the valid range of index entries for that\nlevel.\n\nIf the on-disk extent header contains a corrupted or crafted\neh_entries value, p_idx can point past the end of the allocated\nbuffer, causing a slab-out-of-bounds read.\n\nFix this by validating path[k].p_idx against EXT_LAST_INDEX() at\nboth access sites: before the while loop and inside it. Return\n-EFSCORRUPTED if the index pointer is out of range, consistent\nwith how other bounds violations are handled in the ext4 extent\ntree code."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.19.1","versionEndExcluding":"6.12.80","matchCriteriaId":"6126AEF2-0176-48D1-96AD-72781F726931"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:*","matchCriteriaId":"9E2DBD4C-9DD9-4DD3-87CB-A0070A789CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"8D97ED16-D6B7-4445-889C-4D6DE2EDC49A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"B2C2D5D4-9A4B-4CDF-8D71-D22EB5E97D5A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"DFFB2843-A867-48EC-97D7-B106C7BBAED0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"3CD3FE23-1A10-47E6-AD7E-D67F1BE3C5E2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"9F39FC76-7D77-4064-94D3-A16C436FA8D1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01bf1e0b997d82c0e353b51ed74ef99698043c33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/10242e640b36b91ad03d25f3dc77854bbdff8358","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/407c944f217c17d4343148011acafebc604d55e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4d08401aa13f1531216f1a7ae281ca4806e90a5c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/93f2e975ed658ce09db4d4c2877ca2c06540df83","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31476","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:44.337","lastModified":"2026-06-01T17:16:47.180","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: do not expire session on binding failure\n\nWhen a multichannel session binding request fails (e.g. wrong password),\nthe error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.\nHowever, during binding, sess points to the target session looked up via\nksmbd_session_lookup_slowpath() -- which belongs to another connection's\nuser. This allows a remote attacker to invalidate any active session by\nsimply sending a binding request with a wrong password (DoS).\n\nFix this by skipping session expiration when the failed request was\na binding attempt, since the session does not belong to the current\nconnection. The reference taken by ksmbd_session_lookup_slowpath() is\nstill correctly released via ksmbd_user_session_put()."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.1","versionEndExcluding":"6.1.168","matchCriteriaId":"9CCD781C-B6A2-442F-817F-8C51A38AFB71"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.131","matchCriteriaId":"CE6ED4D4-0046-4573-BFA9-D64143B6A89F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.80","matchCriteriaId":"97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*","matchCriteriaId":"40D9C0D1-0F32-4A2B-9840-1072F5497540"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1d1888b4a7aec518b707f6eca0bf08992c0e8da3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4642ea35c03cf3d3558c009df4757cdb7af3f82d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6fafc4c4238e538969f1375f9ecdc6587c53f1cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9bbb19d21ded7d78645506f20d8c44895e3d0fb9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a897064a457056acb976e20e3007cdf553de340f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e0e5edc81b241c70355217de7e120c97c3429deb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f5300690c23c5ac860499bb37dbc09cf43fd62e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31486","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:46.160","lastModified":"2026-06-01T17:16:47.347","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus/core) Protect regulator operations with mutex\n\nThe regulator operations pmbus_regulator_get_voltage(),\npmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()\naccess PMBus registers and shared data but were not protected by\nthe update_lock mutex. This could lead to race conditions.\n\nHowever, adding mutex protection directly to these functions causes\na deadlock because pmbus_regulator_notify() (which calls\nregulator_notifier_call_chain()) is often called with the mutex\nalready held (e.g., from pmbus_fault_handler()). If a regulator\ncallback then calls one of the now-protected voltage functions,\nit will attempt to acquire the same mutex.\n\nRework pmbus_regulator_notify() to utilize a worker function to\nsend notifications outside of the mutex protection. Events are\nstored as atomics in a per-page bitmask and processed by the worker.\n\nInitialize the worker and its associated data during regulator\nregistration, and ensure it is cancelled on device removal using\ndevm_add_action_or_reset().\n\nWhile at it, remove the unnecessary include of linux/of.h."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19.1","versionEndExcluding":"6.18.21","matchCriteriaId":"689AD2FA-326D-4E6F-8192-689D60EEA86F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.19:-:*:*:*:*:*:*","matchCriteriaId":"8C54596F-5461-44C4-91FB-7453BE905748"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2c77ae315f3ce9d2c8e1609be74c9358c1fe4e07","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4e9d723d9f198b86f6882a84c501ba1f39e8d055","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/754bd2b4a084b90b5e7b630e1f423061a9b9b761","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/acf04e2863132f6d9222f71f3a76fb9782cbe061","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31488","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:46.453","lastModified":"2026-06-01T17:16:47.477","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not skip unrelated mode changes in DSC validation\n\nStarting with commit 17ce8a6907f7 (\"drm/amd/display: Add dsc pre-validation in\natomic check\"), amdgpu resets the CRTC state mode_changed flag to false when\nrecomputing the DSC configuration results in no timing change for a particular\nstream.\n\nHowever, this is incorrect in scenarios where a change in MST/DSC configuration\nhappens in the same KMS commit as another (unrelated) mode change. For example,\nthe integrated panel of a laptop may be configured differently (e.g., HDR\nenabled/disabled) depending on whether external screens are attached. In this\ncase, plugging in external DP-MST screens may result in the mode_changed flag\nbeing dropped incorrectly for the integrated panel if its DSC configuration\ndid not change during precomputation in pre_validate_dsc().\n\nAt this point, however, dm_update_crtc_state() has already created new streams\nfor CRTCs with DSC-independent mode changes. In turn,\namdgpu_dm_commit_streams() will never release the old stream, resulting in a\nmemory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to\nthe new stream either, which manifests as a use-after-free when the stream gets\ndisabled later on:\n\nBUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]\nWrite of size 4 at addr ffff88813d836524 by task kworker/9:9/29977\n\nWorkqueue: events drm_mode_rmfb_work_fn\nCall Trace:\n \n dump_stack_lvl+0x6e/0xa0\n print_address_description.constprop.0+0x88/0x320\n ? dc_stream_release+0x25/0x90 [amdgpu]\n print_report+0xfc/0x1ff\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __virt_addr_valid+0x225/0x4e0\n ? dc_stream_release+0x25/0x90 [amdgpu]\n kasan_report+0xe1/0x180\n ? dc_stream_release+0x25/0x90 [amdgpu]\n kasan_check_range+0x125/0x200\n dc_stream_release+0x25/0x90 [amdgpu]\n dc_state_destruct+0x14d/0x5c0 [amdgpu]\n dc_state_release.part.0+0x4e/0x130 [amdgpu]\n dm_atomic_destroy_state+0x3f/0x70 [amdgpu]\n drm_atomic_state_default_clear+0x8ee/0xf30\n ? drm_mode_object_put.part.0+0xb1/0x130\n __drm_atomic_state_free+0x15c/0x2d0\n atomic_remove_fb+0x67e/0x980\n\nSince there is no reliable way of figuring out whether a CRTC has unrelated\nmode changes pending at the time of DSC validation, remember the value of the\nmode_changed flag from before the point where a CRTC was marked as potentially\naffected by a change in DSC configuration. Reset the mode_changed flag to this\nearlier value instead in pre_validate_dsc().\n\n(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.1","versionEndExcluding":"6.12.80","matchCriteriaId":"67222101-CC02-4250-A6E8-A98BDD29DB6F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*","matchCriteriaId":"0384FA0A-DE99-48D7-84E3-46ED0C3B5E03"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/10862e344b4d6434642a48c87d765813fc0b0ba7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/111208b5b7ebcdadb3f922cc52d8425f0fa91b33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/21159d8b335a6b9f44cbb506733013a902ae2da4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8a5edc97fd9c6415ff2eff872748439a97e3c3d8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/aed3d041ab061ec8a64f50a3edda0f4db7280025","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/da1d0ed31e9802fd99384f43cc63678a5a11cb41","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31489","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:46.603","lastModified":"2026-06-01T17:16:47.623","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: meson-spicc: Fix double-put in remove path\n\nmeson_spicc_probe() registers the controller with\ndevm_spi_register_controller(), so teardown already drops the\ncontroller reference via devm cleanup.\n\nCalling spi_controller_put() again in meson_spicc_remove()\ncauses a double-put."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.244","versionEndExcluding":"4.15","matchCriteriaId":"0BB634A6-F36F-476C-94DA-84A3ABF7A170"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.203","versionEndExcluding":"4.20","matchCriteriaId":"701FECB5-CEA6-4D3E-868E-F70A777945E0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.140","versionEndExcluding":"5.5","matchCriteriaId":"75CD851C-0372-41B3-9A47-AC6DD48C6AB3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.58","versionEndExcluding":"5.11","matchCriteriaId":"A4D3DC93-FB8F-4C90-807D-BD2092747B75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13.10","versionEndExcluding":"5.14","matchCriteriaId":"C09DC193-F9A8-4983-B677-7CE60D711D40"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14.1","versionEndExcluding":"6.12.80","matchCriteriaId":"1077EA71-D36D-44EB-AEF6-7978036231E8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*","matchCriteriaId":"6A05198E-F8FA-4517-8D0E-8C95066AED38"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0d645c6d13fa0597935d3d16b09a7ba5d24ed284","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/40ad0334c17b23d8b66b1082ad1478a6202e90e2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/63542bb402b7013171c9f621c28b609eda4dbf1f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7434c64ddae88a02e7fb478bc256cc100d48d3e3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9b812ceb75a6260c17c91db4b9e74ead8cfa06f5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d61bcec3aec6f0244a9b963e0c76c00f771d49b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/da06a104f0486355073ff0d1bcb1fcbebb7080d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31500","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:48.427","lastModified":"2026-06-01T17:16:47.770","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock\n\nbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET\nand Intel exception-info retrieval) without holding\nhci_req_sync_lock(). This lets it race against\nhci_dev_do_close() -> btintel_shutdown_combined(), which also runs\n__hci_cmd_sync() under the same lock. When both paths manipulate\nhdev->req_status/req_rsp concurrently, the close path may free the\nresponse skb first, and the still-running hw_error path hits a\nslab-use-after-free in kfree_skb().\n\nWrap the whole recovery sequence in hci_req_sync_lock/unlock so it\nis serialized with every other synchronous HCI command issuer.\n\nBelow is the data race report and the kasan report:\n\n BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined\n\n read of hdev->req_rsp at net/bluetooth/hci_sync.c:199\n by task kworker/u17:1/83:\n __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254\n hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030\n\n write/free by task ioctl/22580:\n btintel_shutdown_combined+0xd0/0x360\n drivers/bluetooth/btintel.c:3648\n hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246\n hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526\n\n BUG: KASAN: slab-use-after-free in\n sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202\n Read of size 4 at addr ffff888144a738dc\n by task kworker/u17:1/83:\n __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3.1","versionEndExcluding":"6.6.131","matchCriteriaId":"13A272C2-FFCB-4269-8944-00DFA555EB6F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.80","matchCriteriaId":"97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.3:-:*:*:*:*:*:*","matchCriteriaId":"5419A247-F671-44D6-9848-35264FDCD816"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5f84e845648dfa86e42de5487f1a774b42f0444d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/66696648af477dc87859e5e4b607112f5f29d010","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7e041d0aad1d4d43d921ace052e04f4e2cacaed3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/94d8e6fe5d0818e9300e514e095a200bd5ff93ae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f7d84737663ad4a120d2d8ef1561a4df91282c2e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31527","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-22T14:16:52.903","lastModified":"2026-06-01T17:16:47.920","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: platform: use generic driver_override infrastructure\n\nWhen a driver is probed through __driver_attach(), the bus' match()\ncallback is called without the device lock held, thus accessing the\ndriver_override field without a lock, which can cause a UAF.\n\nFix this by using the driver-core driver_override infrastructure taking\ncare of proper locking internally.\n\nNote that calling match() from __driver_attach() without the device lock\nheld is intentional. [1]"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.12.80","matchCriteriaId":"564BF73E-2070-41D2-8204-794C46879E01"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2b38efc05bf7a8568ec74bfffea0f5cfa62bc01d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/492349e5e4a369a8b62781100a3ade470bf1ce6b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7c02a9bd7d14a89065fcf672b86d8e1d1a41d3b1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9a6086d2a828dd2ff74cf9abcae456670febd71f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/edee7ee5a14c3b33f6d54641f5af5c5e9180992d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31532","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-23T12:17:01.927","lastModified":"2026-06-01T17:16:48.050","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: raw: fix ro->uniq use-after-free in raw_rcv()\n\nraw_release() unregisters raw CAN receive filters via can_rx_unregister(),\nbut receiver deletion is deferred with call_rcu(). This leaves a window\nwhere raw_rcv() may still be running in an RCU read-side critical section\nafter raw_release() frees ro->uniq, leading to a use-after-free of the\npercpu uniq storage.\n\nMove free_percpu(ro->uniq) out of raw_release() and into a raw-specific\nsocket destructor. can_rx_unregister() takes an extra reference to the\nsocket and only drops it from the RCU callback, so freeing uniq from\nsk_destruct ensures the percpu area is not released until the relevant\ncallbacks have drained.\n\n[mkl: applied manually]"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndIncluding":"6.6.136","matchCriteriaId":"8685D118-4F50-41C7-BC57-C25C32A44EB6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.18.24","matchCriteriaId":"4C4EAA6A-7949-4B29-BD69-5BB05C4D1A6B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3f43f12fde34737fba091b7e3ab391e14ddbb0be","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/64c8553decf5a5f2417bd54761ea0a832c56c4ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31560","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:30.403","lastModified":"2026-06-01T17:16:48.210","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-dw-dma: fix print error log when wait finish transaction\n\nIf an error occurs, the device may not have a current message. In this\ncase, the system will crash.\n\nIn this case, it's better to use dev from the struct ctlr (struct spi_controller*)."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8.1","versionEndExcluding":"6.19.11","matchCriteriaId":"CE5C168D-744C-4BAC-8555-6A27E3391430"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.8:-:*:*:*:*:*:*","matchCriteriaId":"0E2DC66F-4A95-475F-B8B6-191DEC1E7EF6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/184f5aaf72f1f1c73e66bae0b8d28e81c2f2a72f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3b46d61890632c8f8b117147b6923bff4b42ccb7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/aae4a47073b12c23eb1d2c5401bda442fbe27bd1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b8188ff3cfaa5621212b08473488cdbe41f86531","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31576","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:32.230","lastModified":"2026-06-01T17:16:48.337","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: hackrf: fix to not free memory after the device is registered in hackrf_probe()\n\nIn hackrf driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nhackrf_probe()\n kzalloc(); // alloc hackrf_dev\n ....\n v4l2_device_register();\n ....\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open hackrf fd\n\t\t\t\t\t\t....\n v4l2_device_unregister();\n ....\n kfree(); // free hackrf_dev\n ....\n\t\t\t\t\t\tsys_ioctl(fd, ...);\n\t\t\t\t\t\t v4l2_ioctl();\n\t\t\t\t\t\t video_is_registered() // UAF!!\n\t\t\t\t\t\t....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t v4l2_release() // UAF!!\n\t\t\t\t\t\t hackrf_video_release()\n\t\t\t\t\t\t kfree(); // DFB!!\n```\n\nWhen a V4L2 or video device is unregistered, the device node is removed so\nnew open() calls are blocked.\n\nHowever, file descriptors that are already open-and any in-flight I/O-do\nnot terminate immediately; they remain valid until the last reference is\ndropped and the driver's release() is invoked.\n\nTherefore, freeing device memory on the error path after hackrf_probe()\nhas registered dev it will lead to a race to use-after-free vuln, since\nthose already-open handles haven't been released yet.\n\nAnd since release() free memory too, race to use-after-free and\ndouble-free vuln occur.\n\nTo prevent this, if device is registered from probe(), it should be\nmodified to free memory only through release() rather than calling\nkfree() directly."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.136","matchCriteriaId":"14109CEF-714B-4029-A318-97AA58A01833"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07e9e674b6146b1f6fc41b1f54b8968bf2802824","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/131ec9046e1c8af101aebdaec4e8095e05f3312b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2145c71a8044362e82e9923f001ba2aeb771b848","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3b7da2b4d0fe014eff181ed37e3bf832eb8ed258","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/45cbaf5c7cdc5386d86377f0daf94a17a007fed0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/67fd62e3efdc9dce01f76d95a745212f4feb38e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/87b9685cca91ed715c39ba544715832d26a7f4b4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/98a0a81ce78020c2522e0046f49d200de9778cb9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fcd1d70792a35c8a97414fe429f48311e41269c2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31577","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:32.347","lastModified":"2026-06-01T17:16:48.493","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map\n\nThe DAT inode's btree node cache (i_assoc_inode) is initialized lazily\nduring btree operations. However, nilfs_mdt_save_to_shadow_map()\nassumes i_assoc_inode is already initialized when copying dirty pages\nto the shadow map during GC.\n\nIf NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before\nany btree operation has occurred on the DAT inode, i_assoc_inode is\nNULL leading to a general protection fault.\n\nFix this by calling nilfs_attach_btree_node_cache() on the DAT inode\nin nilfs_dat_read() at mount time, ensuring i_assoc_inode is always\ninitialized before any GC operation can use it."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.136","matchCriteriaId":"14109CEF-714B-4029-A318-97AA58A01833"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/41de342278ae025c99cc8d33648773f05e306cf1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/449ec5fc99f45974525ba9eea16b6670c45cd363","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4a4e0328edd9e9755843787d28f16dd4165f8b48","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6637bbcfb59df5b732a79e5ab1a74886a0b93d59","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7318e3549518ce8f14776a489d86488d80d7e2c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7902b1df1520a0880bcda7a3704cfacd17905a83","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/837c7a59fb58f81b0db33848357f6a5d0d1250ad","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/97fb7afec404912d967a7d4715f37742666b3084","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c36e206f302f1ddefed92d09ecbba070e1ae079e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31578","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:32.480","lastModified":"2026-06-01T17:16:48.683","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: as102: fix to not free memory after the device is registered in as102_usb_probe()\n\nIn as102_usb driver, the following race condition occurs:\n```\n\t\tCPU0\t\t\t\t\t\tCPU1\nas102_usb_probe()\n kzalloc(); // alloc as102_dev_t\n ....\n usb_register_dev();\n\t\t\t\t\t\tfd = sys_open(\"/path/to/dev\"); // open as102 fd\n\t\t\t\t\t\t....\n usb_deregister_dev();\n ....\n kfree(); // free as102_dev_t\n ....\n\t\t\t\t\t\tsys_close(fd);\n\t\t\t\t\t\t as102_release() // UAF!!\n\t\t\t\t\t\t as102_usb_release()\n\t\t\t\t\t\t kfree(); // DFB!!\n```\n\nWhen a USB character device registered with usb_register_dev() is later\nunregistered (via usb_deregister_dev() or disconnect), the device node is\nremoved so new open() calls fail. However, file descriptors that are\nalready open do not go away immediately: they remain valid until the last\nreference is dropped and the driver's .release() is invoked.\n\nIn as102, as102_usb_probe() calls usb_register_dev() and then, on an\nerror path, does usb_deregister_dev() and frees as102_dev_t right away.\nIf userspace raced a successful open() before the deregistration, that\nopen FD will later hit as102_release() --> as102_usb_release() and access\nor free as102_dev_t again, occur a race to use-after-free and\ndouble-free vuln.\n\nThe fix is to never kfree(as102_dev_t) directly once usb_register_dev()\nhas succeeded. After deregistration, defer freeing memory to .release().\n\nIn other words, let release() perform the last kfree when the final open\nFD is closed."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.136","matchCriteriaId":"14109CEF-714B-4029-A318-97AA58A01833"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07ceb444c8f627cf863864d4274b5a77769725ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/09e9206008b887aa553733bd915d73131071a086","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0d36653a3a821e5a974798adb347b3ea09332914","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/25d500cf391e384356a612b85cf60b353ad3cd0c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2eeae47a438694408189138048a786be99954032","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/582fbecb3756330006fe1950762412a68c2cacd2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7e5aedf6059cba2a669d86caeaf5a51f33ec85a1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cb8092038e95dc1113a68e63762de40fff61ba71","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31580","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:32.683","lastModified":"2026-06-01T17:16:48.830","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix cached_dev.sb_bio use-after-free and crash\n\nIn our production environment, we have received multiple crash reports\nregarding libceph, which have caught our attention:\n\n```\n[6888366.280350] Call Trace:\n[6888366.280452] blk_update_request+0x14e/0x370\n[6888366.280561] blk_mq_end_request+0x1a/0x130\n[6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd]\n[6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd]\n[6888366.280903] __complete_request+0x22/0x70 [libceph]\n[6888366.281032] osd_dispatch+0x15e/0xb40 [libceph]\n[6888366.281164] ? inet_recvmsg+0x5b/0xd0\n[6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]\n[6888366.281405] ceph_con_process_message+0x79/0x140 [libceph]\n[6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph]\n[6888366.281661] ceph_con_workfn+0x329/0x680 [libceph]\n```\n\nAfter analyzing the coredump file, we found that the address of\ndc->sb_bio has been freed. We know that cached_dev is only freed when it\nis stopped.\n\nSince sb_bio is a part of struct cached_dev, rather than an alloc every\ntime. If the device is stopped while writing to the superblock, the\nreleased address will be accessed at endio.\n\nThis patch hopes to wait for sb_write to complete in cached_dev_free.\n\nIt should be noted that we analyzed the cause of the problem, then tell\nall details to the QWEN and adopted the modifications it made."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.136","matchCriteriaId":"14109CEF-714B-4029-A318-97AA58A01833"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.83","matchCriteriaId":"A8BAD957-8E20-401C-A129-DFF3655CA0B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/81f44ed8c3f54abb7561ece774ea4cca5070b2f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9467d360be70e6ee55b0c1cd2a1f1424f57b5b85","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f50e7c325ab1207fe941555bcff659f6d7050572","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31581","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:32.797","lastModified":"2026-06-01T17:16:48.970","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: 6fire: fix use-after-free on disconnect\n\nIn usb6fire_chip_abort(), the chip struct is allocated as the card's\nprivate data (via snd_card_new with sizeof(struct sfire_chip)). When\nsnd_card_free_when_closed() is called and no file handles are open, the\ncard and embedded chip are freed synchronously. The subsequent\nchip->card = NULL write then hits freed slab memory.\n\nCall trace:\n usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]\n usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182\n usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458\n ...\n hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953\n\nFix by moving the card lifecycle out of usb6fire_chip_abort() and into\nusb6fire_chip_disconnect(). The card pointer is saved in a local\nbefore any teardown, snd_card_disconnect() is called first to prevent\nnew opens, URBs are aborted while chip is still valid, and\nsnd_card_free_when_closed() is called last so chip is never accessed\nafter the card may be freed."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.136","matchCriteriaId":"14109CEF-714B-4029-A318-97AA58A01833"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.83","matchCriteriaId":"A8BAD957-8E20-401C-A129-DFF3655CA0B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ba88461f7653636c48321ca993006a74724c2f41","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e247a0e01d15ed420f77ec5e2335721bf430a5b3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e719232f4552e29de8027a83918ea94434be87af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31583","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:33.017","lastModified":"2026-06-01T17:16:49.117","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: em28xx: fix use-after-free in em28xx_v4l2_open()\n\nem28xx_v4l2_open() reads dev->v4l2 without holding dev->lock,\ncreating a race with em28xx_v4l2_init()'s error path and\nem28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct\nand set dev->v4l2 to NULL under dev->lock.\n\nThis race leads to two issues:\n - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler,\n since the video_device is embedded in the freed em28xx_v4l2 struct.\n - NULL pointer dereference in em28xx_resolution_set() when accessing\n v4l2->norm, since dev->v4l2 has been set to NULL.\n\nFix this by moving the mutex_lock() before the dev->v4l2 read and\nadding a NULL check for dev->v4l2 under the lock."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.136","matchCriteriaId":"14109CEF-714B-4029-A318-97AA58A01833"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.83","matchCriteriaId":"A8BAD957-8E20-401C-A129-DFF3655CA0B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2cbf81f76842e46bdf25823c70e1db4044a65678","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/38a327221f7f765e7d853b7bafe47e342441ec85","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3c0283a59e36e3707c4a81f4952e362d31f876b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5fb2940327722b4684d2f964b54c1c90aa277324","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6b9e66437cc6123ddedac141e1b8b6fcf57d2972","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/871b8ea8ef39a6c253594649f4339378fad3d0dd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a66485a934c7187ae8e36517d40615fa2e961cff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b5d141ea15f173f15b9f0a72965902f3428c0d92","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dd2b888e08d3b3d6aacd65d76cd44fac11da750f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31585","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:33.267","lastModified":"2026-06-01T17:16:49.253","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix nfeeds state corruption on start_streaming failure\n\nsyzbot reported a memory leak in vidtv_psi_service_desc_init [1].\n\nWhen vidtv_start_streaming() fails inside vidtv_start_feed(), the\nnfeeds counter is left incremented even though no feed was actually\nstarted. This corrupts the driver state: subsequent start_feed calls\nsee nfeeds > 1 and skip starting the mux, while stop_feed calls\neventually try to stop a non-existent stream.\n\nThis state corruption can also lead to memory leaks, since the mux\nand channel resources may be partially allocated during a failed\nstart_streaming but never cleaned up, as the stop path finds\ndvb->streaming == false and returns early.\n\nFix by decrementing nfeeds back when start_streaming fails, keeping\nthe counter in sync with the actual number of active feeds.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888145b50820 (size 32):\n comm \"syz.0.17\", pid 6068, jiffies 4294944486\n backtrace (crc 90a0c7d4):\n vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288\n vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83\n vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524\n vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"6.6.136","matchCriteriaId":"0F98EDB3-BDF6-4821-9197-1BA4A2E056E2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/60f768d46df561e06d92ffcacc00909f37a0f23d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/80900b5424f3454256153ce386388df43b324f63","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f8cccb427e65d725fc0ba05e8900b4676eda268e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31586","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:33.393","lastModified":"2026-06-01T17:16:49.400","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: blk-cgroup: fix use-after-free in cgwb_release_workfn()\n\ncgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses\nwb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last\nreference, the blkcg can be freed asynchronously (css_free_rwork_fn ->\nblkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the\npointer to access blkcg->online_pin, resulting in a use-after-free:\n\n BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531\n Workqueue: cgwb_release cgwb_release_workfn\n Call Trace:\n \n blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367)\n cgwb_release_workfn (mm/backing-dev.c:629)\n process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385)\n\n Freed by task 1016:\n kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561)\n css_free_rwork_fn (kernel/cgroup/cgroup.c:5542)\n process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385)\n\n** Stack based on commit 66672af7a095 (\"Add linux-next specific files\nfor 20260410\")\n\nI am seeing this crash sporadically in Meta fleet across multiple kernel\nversions. A full reproducer is available at:\nhttps://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh\n\n(The race window is narrow. To make it easily reproducible, inject a\nmsleep(100) between css_put() and blkcg_unpin_online() in\ncgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the\nreproducer triggers the splat reliably in less than a second.)\n\nFix this by moving blkcg_unpin_online() before css_put(), so the\ncgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online()\naccesses it."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19","versionEndExcluding":"6.6.136","matchCriteriaId":"C65C5FE4-6002-4BBA-98A9-87D1F99A643F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/115a5266749dcde7fe4127e8623d19c752088f69","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1bd36e93b542d9dd020190c6607c6a3663405195","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/23acef4156c260e8598397a1a2e8b3a23e919893","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/50879a3c1faf06e661090015d59e2127255cff27","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/67cb119d32f35e32acd0393bbeb318b2bb1fdafe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/740ba1ebb223f137ff088ab74d533a13f9167bd8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8f5857be99f1ed1fa80991c72449541f634626ee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dfc8292a1d6782c76b626315605e0585a5a18447","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ea3af09eb87d8f8708c66747fcf1a2762902e839","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31587","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:33.597","lastModified":"2026-06-01T17:16:49.560","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm: move component registration to unmanaged version\n\nq6apm component registers dais dynamically from ASoC toplology, which\nare allocated using device managed version apis. Allocating both\ncomponent and dynamic dais using managed version could lead to incorrect\nfree ordering, dai will be freed while component still holding references\nto it.\n\nFix this issue by moving component to unmanged version so\nthat the dai pointers are only freeded after the component is removed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nRead of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426\nTainted: [W]=WARN\nHardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024\nWorkqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\nCall trace:\n show_stack+0x28/0x7c (C)\n dump_stack_lvl+0x60/0x80\n print_report+0x160/0x4b4\n kasan_report+0xac/0xfc\n __asan_report_load8_noabort+0x20/0x34\n snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\n snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]\n devm_component_release+0x30/0x5c [snd_soc_core]\n devres_release_all+0x13c/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nAllocated by task 77:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n kasan_save_alloc_info+0x44/0x58\n __kasan_kmalloc+0xbc/0xdc\n __kmalloc_node_track_caller_noprof+0x1f4/0x620\n devm_kmalloc+0x7c/0x1c8\n snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]\n soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]\n snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]\n audioreach_tplg_init+0x124/0x1fc [snd_q6apm]\n q6apm_audio_probe+0x10/0x1c [snd_q6apm]\n snd_soc_component_probe+0x5c/0x118 [snd_soc_core]\n soc_probe_component+0x44c/0xaf0 [snd_soc_core]\n snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]\n snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]\n devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]\n x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]\n platform_probe+0xc0/0x188\n really_probe+0x188/0x804\n __driver_probe_device+0x158/0x358\n driver_probe_device+0x60/0x190\n __device_attach_driver+0x16c/0x2a8\n bus_for_each_drv+0x100/0x194\n __device_attach+0x174/0x380\n device_initial_probe+0x14/0x20\n bus_probe_device+0x124/0x154\n deferred_probe_work_func+0x140/0x220\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nFreed by task 3426:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n __kasan_save_free_info+0x4c/0x80\n __kasan_slab_free+0x78/0xa0\n kfree+0x100/0x4a4\n devres_release_all+0x144/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.6.136","matchCriteriaId":"8489BED4-A890-4712-813B-8F62B04F503D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/110769a9aa51135ac7ce479a47dfb41924f37664","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/30383b7780ffa140bc124de5b66cae7c84133dbb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6ec1235fc941dac6c011b30ee01d9220ff87e0cd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/887632163b546a8944b46ef465f1d74e838b727a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a561a55b79a9c55f0443377f2d4dcf6149d057af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f7b790531cdad3b2075ab937aa06d7b802403be4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31588","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:33.733","lastModified":"2026-06-01T17:16:49.717","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Use scratch field in MMIO fragment to hold small write values\n\nWhen exiting to userspace to service an emulated MMIO write, copy the\nto-be-written value to a scratch field in the MMIO fragment if the size\nof the data payload is 8 bytes or less, i.e. can fit in a single chunk,\ninstead of pointing the fragment directly at the source value.\n\nThis fixes a class of use-after-free bugs that occur when the emulator\ninitiates a write using an on-stack, local variable as the source, the\nwrite splits a page boundary, *and* both pages are MMIO pages. Because\nKVM's ABI only allows for physically contiguous MMIO requests, accesses\nthat split MMIO pages are separated into two fragments, and are sent to\nuserspace one at a time. When KVM attempts to complete userspace MMIO in\nresponse to KVM_RUN after the first fragment, KVM will detect the second\nfragment and generate a second userspace exit, and reference the on-stack\nvariable.\n\nThe issue is most visible if the second KVM_RUN is performed by a separate\ntask, in which case the stack of the initiating task can show up as truly\nfreed data.\n\n ==================================================================\n BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420\n Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984\n\n CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace:\n dump_stack+0xbe/0xfd\n print_address_description.constprop.0+0x19/0x170\n __kasan_report.cold+0x6c/0x84\n kasan_report+0x3a/0x50\n check_memory_region+0xfd/0x1f0\n memcpy+0x20/0x60\n complete_emulated_mmio+0x305/0x420\n kvm_arch_vcpu_ioctl_run+0x63f/0x6d0\n kvm_vcpu_ioctl+0x413/0xb20\n __se_sys_ioctl+0x111/0x160\n do_syscall_64+0x30/0x40\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n RIP: 0033:0x42477d\n Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d\n RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005\n RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c\n R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720\n\n The buggy address belongs to the page:\n page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37\n flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\n raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n >ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ^\n ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ==================================================================\n\nThe bug can also be reproduced with a targeted KVM-Unit-Test by hacking\nKVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by\noverwrite the data value with garbage.\n\nLimit the use of the scratch fields to 8-byte or smaller accesses, and to\njust writes, as larger accesses and reads are not affected thanks to\nimplementation details in the emulator, but add a sanity check to ensure\nthose details don't change in the future. Specifically, KVM never uses\non-stack variables for accesses larger that 8 bytes, e.g. uses an operand\nin the emulator context, and *al\n---truncated---"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.0,"impactScore":6.0}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"6.6.136","matchCriteriaId":"5EC33E99-3133-4E9B-AAE4-A37179621C1E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/019d0bd32b9a4646ba35d904907452039e2db700","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0b16e69d17d8c35c5c9d5918bf596c75a44655d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/22d2ff69d487a32a8b88f9c970120fc2daa08a77","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2b83d91e9ae92fe1258d7040a32430bbb3bb7d6e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3a7b6d75c8f85b09dea893f64a85a356bcf6c3fe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4569c66dd9e94a22cd0796b6514a8b25ffff16a1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/52570e73d48f1c73836d37e594667117b4c2a5a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b5a02d37eb0739f462fa12df449ab9b3480c783b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dc6a6c3db3a4eca7e747cfc46e22c08d016c68f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31590","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:36.170","lastModified":"2026-06-01T17:16:49.893","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION\n\nDrop the WARN in sev_pin_memory() on npages overflowing an int, as the\nWARN is comically trivially to trigger from userspace, e.g. by doing:\n\n struct kvm_enc_region range = {\n .addr = 0,\n .size = -1ul,\n };\n\n __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);\n\nNote, the checks in sev_mem_enc_register_region() that presumably exist to\nverify the incoming address+size are completely worthless, as both \"addr\"\nand \"size\" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater\nthan ULONG_MAX. That wart will be cleaned up in the near future.\n\n\tif (range->addr > ULONG_MAX || range->size > ULONG_MAX)\n\t\treturn -EINVAL;\n\nOpportunistically add a comment to explain why the code calculates the\nnumber of pages the \"hard\" way, e.g. instead of just shifting @ulen."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.136","matchCriteriaId":"5F07F4AC-C44A-486A-9422-D8975351BA25"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1cba4dcd795daf6d257122779fb6a349edf03914","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/28cc13ca20431b127d42d84ba10898d03e2c8267","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6a8e3c82122737529b25ef2a048fbcc569d8c055","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8acffeef5ef720c35e513e322ab08e32683f32f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a703933bcfa5cc76ca10e2048464600e74136099","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ab423e5892826202a660b5ac85d1125b0e8301a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/abcd43ff579abd0a654bb4636086e78819dd5f4c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b670833749ffd8681361db2bb047c6f2e3075f3a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c29ff288a2d97a6f4640a498a367cf0eb91312eb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31594","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:37.087","lastModified":"2026-06-01T17:16:50.037","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown\n\nepf_ntb_epc_destroy() duplicates the teardown that the caller is\nsupposed to perform later. This leads to an oops when .allow_link fails\nor when .drop_link is performed. The following is an example oops of the\nformer case:\n\n Unable to handle kernel paging request at virtual address dead000000000108\n [...]\n [dead000000000108] address between user and kernel address ranges\n Internal error: Oops: 0000000096000044 [#1] SMP\n [...]\n Call trace:\n pci_epc_remove_epf+0x78/0xe0 (P)\n pci_primary_epc_epf_link+0x88/0xa8\n configfs_symlink+0x1f4/0x5a0\n vfs_symlink+0x134/0x1d8\n do_symlinkat+0x88/0x138\n __arm64_sys_symlinkat+0x74/0xe0\n [...]\n\nRemove the helper, and drop pci_epc_put(). EPC device refcounting is\ntied to the configfs EPC group lifetime, and pci_epc_put() in the\n.drop_link path is sufficient."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.6.136","matchCriteriaId":"32F2F3AC-7267-4B2D-B7B6-883A16558607"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0da63230d3ec1ec5fcc443a2314233e95bfece54","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/305a0674bc552bfcc3231e23fb91cf4f62aec168","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/478e776101592eb63298714e96823ef78a3295ec","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/73bf218de28d039126dc64281d2b47dd3c46a0a3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a7a3cab4d33fd8a8aed864c447d0d7c99e85404e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b261027a1a235d8925e332363f23135a0eff2b35","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cec9ead73ab154a7953f6ab8dd5127e0d6bbf95a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e238ab12556b00f3b4d8b870b32ba1e4f4d4ebc2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31595","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:37.237","lastModified":"2026-06-01T17:16:50.170","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup\n\nDisable the delayed work before clearing BAR mappings and doorbells to\navoid running the handler after resources have been torn down.\n\n Unable to handle kernel paging request at virtual address ffff800083f46004\n [...]\n Internal error: Oops: 0000000096000007 [#1] SMP\n [...]\n Call trace:\n epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)\n process_one_work+0x154/0x3b0\n worker_thread+0x2c8/0x400\n kthread+0x148/0x210\n ret_from_fork+0x10/0x20"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.6.136","matchCriteriaId":"32F2F3AC-7267-4B2D-B7B6-883A16558607"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5999067140c67530a6cb6f41a8471596e60452cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6773cc24c004930903a57761132c1e7728907f8f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9921cce25bfe4021f6e55ca995351eb967165297","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b2eb405bbced3a6e772545e1b74dbde37cee1f8f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ceb73484e7204f661f770069ecdf35f6e941879c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d799984233a50abd2667a7d17a9a710a3f10ebe2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fbb6c353fa2fb5f5f990eda034a1074b0356127e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31596","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:37.340","lastModified":"2026-06-01T17:16:50.290","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: handle invalid dinode in ocfs2_group_extend\n\n[BUG]\nkernel BUG at fs/ocfs2/resize.c:308!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nRIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308\nCode: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe\nCall Trace:\n ...\n ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583\n x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n\n[CAUSE]\nocfs2_group_extend() assumes that the global bitmap inode block\nreturned from ocfs2_inode_lock() has already been validated and\nBUG_ONs when the signature is not a dinode. That assumption is too\nstrong for crafted filesystems because the JBD2-managed buffer path\ncan bypass structural validation and return an invalid dinode to the\nresize ioctl.\n\n[FIX]\nValidate the dinode explicitly in ocfs2_group_extend(). If the global\nbitmap buffer does not contain a valid dinode, report filesystem\ncorruption with ocfs2_error() and fail the resize operation instead of\ncrashing the kernel."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.6.136","matchCriteriaId":"61A18ECC-DBBE-4804-B80E-C799CC05CD13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/10fb72c47aac446f12a4ccd962c7daa60cc890a1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/41c6e9bc3a09539deab43957a3211d902a4818f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6575f9fbf084502b7118a628425bf7866666498d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7eafcf507fbd68f3276c00f6c02ef155ad69f79b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/911b557dd7817460881fd51a03069b539c674d0e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b328d8e7c437d0f026ba2c13788af6eae77700f1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e384a850a3370d89a7a446cdeccd964bfba2a302","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fabfa6b81bd386154d7e59f8cd8f760f9e68b48c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31597","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:37.457","lastModified":"2026-06-01T17:16:50.440","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY\n\nfilemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY,\nas documented in mm/filemap.c:\n\n \"If our return value has VM_FAULT_RETRY set, it's because the mmap_lock\n may be dropped before doing I/O or by lock_folio_maybe_drop_mmap().\"\n\nWhen this happens, a concurrent munmap() can call remove_vma() and free\nthe vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then\nbecomes a dangling pointer, and the subsequent trace_ocfs2_fault() call\ndereferences it -- a use-after-free.\n\nFix this by saving ip_blkno as a plain integer before calling\nfilemap_fault(), and removing vma from the trace event. Since\nip_blkno is copied by value before the lock can be dropped, it\nremains valid regardless of what happens to the vma or inode\nafterward."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.6.136","matchCriteriaId":"860F82EF-76BF-492E-B7CE-559EC99F9C95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/35c2c05261d6f6d84aaa1355afa201d507943e76","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/36539c4d536f851a3b346a6ebb27b51bc3d77a94","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3f5e74b5db9353b01ed50f4de84e75b755f8fbc2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4cf2768a0291a0cdd0dae801ea0eafa3878a349d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6f072daefcab1d84ce37c073645615f63be91006","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/76a602fdbb78dd05b2da06f74a988cebc97e82d0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7de554cabf160e331e4442e2a9ad874ca9875921","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/925bf22c1b823e231b1baea761fe8a1512e442f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d45ff441b416d4aa1af72b1db23d959601c04da2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31598","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:37.560","lastModified":"2026-06-01T17:16:50.580","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix possible deadlock between unlink and dio_end_io_write\n\nocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem,\nwhile in ocfs2_dio_end_io_write, it acquires these locks in reverse order.\nThis creates an ABBA lock ordering violation on lock classes\nocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and\nocfs2_file_ip_alloc_sem_key.\n\nLock Chain #0 (orphan dir inode_lock -> ip_alloc_sem):\nocfs2_unlink\n ocfs2_prepare_orphan_dir\n ocfs2_lookup_lock_orphan_dir\n inode_lock(orphan_dir_inode) <- lock A\n __ocfs2_prepare_orphan_dir\n ocfs2_prepare_dir_for_insert\n ocfs2_extend_dir\n\t ocfs2_expand_inline_dir\n\t down_write(&oi->ip_alloc_sem) <- Lock B\n\nLock Chain #1 (ip_alloc_sem -> orphan dir inode_lock):\nocfs2_dio_end_io_write\n down_write(&oi->ip_alloc_sem) <- Lock B\n ocfs2_del_inode_from_orphan()\n inode_lock(orphan_dir_inode) <- Lock A\n\nDeadlock Scenario:\n CPU0 (unlink) CPU1 (dio_end_io_write)\n ------ ------\n inode_lock(orphan_dir_inode)\n down_write(ip_alloc_sem)\n down_write(ip_alloc_sem)\n inode_lock(orphan_dir_inode)\n\nSince ip_alloc_sem is to protect allocation changes, which is unrelated\nwith operations in ocfs2_del_inode_from_orphan. So move\nocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.6.136","matchCriteriaId":"7A6CE177-C7BA-4E34-9D61-035565B5FFF5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/297d8d7bb6a2bf133d3a3636edbdf94101cbd719","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2b884d52273c60c298bd570163e8053657bbaff6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/32630dee18c6bb2175c8a865a474749492eaf19c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4b80b5a838a32437f2cae0662578bac216a2c51a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/93f35419eb84d58820040642cb6e7528fe4aba7a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b02da26a992db0c0e2559acbda0fc48d4a2fd337","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bc0fb5c7d54c78be43a536df0e20dee32adb27d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e049f7a9bd80b7319590789ea5e1c523d6339d91","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f9fb1a7b635849322e1d7b7b6b26389778ec8e82","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31599","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:38.777","lastModified":"2026-06-01T17:16:50.727","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections\n\nsyzbot reported a general protection fault in vidtv_psi_desc_assign [1].\n\nvidtv_psi_pmt_stream_init() can return NULL on memory allocation\nfailure, but vidtv_channel_pmt_match_sections() does not check for\nthis. When tail is NULL, the subsequent call to\nvidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL\npointer offset, causing a general protection fault.\n\nAdd a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean\nup the already-allocated stream chain and return.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629\nCall Trace:\n \n vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]\n vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479\n vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"6.6.136","matchCriteriaId":"0F98EDB3-BDF6-4821-9197-1BA4A2E056E2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07c1e474cf9acf777f09d14a8f8dfcef5b84e46f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2dff11fb5098ae453651f8f77e94ad499c078022","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/54e18a23e62e81b8335cec3e8e9c5cb33fd88665","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5c986b77200b5ea754ba6636deacc7e0942fec9b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/93d9e747a9e8a5ca9e3c5e37dcff76b40399139f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b7efb4c94797c504a1c678edb48c2aa311d3309f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b832cfd516b8504e95884622cee60bf9a39b7945","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e589de36da106ef739ba98f66f5a5c2023370706","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f8e1fc918a9fe67103bcda01d20d745f264d00a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31602","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:39.263","lastModified":"2026-06-01T17:16:50.867","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Limit PTP to a single page\n\nCommit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256\nplayback streams, but the additional pages are not used by the card\ncorrectly. The CT20K2 hardware already has multiple VMEM_PTPAL\nregisters, but using them separately would require refactoring the\nentire virtual memory allocation logic.\n\nct_vm_map() always uses PTEs in vm->ptp[0].area regardless of\nCT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When\naggregate memory allocations exceed this limit, ct_vm_map() tries to\naccess beyond the allocated space and causes a page fault:\n\n BUG: unable to handle page fault for address: ffffd4ae8a10a000\n Oops: Oops: 0002 [#1] SMP PTI\n RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]\n Call Trace:\n atc_pcm_playback_prepare+0x225/0x3b0\n ct_pcm_playback_prepare+0x38/0x60\n snd_pcm_do_prepare+0x2f/0x50\n snd_pcm_action_single+0x36/0x90\n snd_pcm_action_nonatomic+0xbf/0xd0\n snd_pcm_ioctl+0x28/0x40\n __x64_sys_ioctl+0x97/0xe0\n do_syscall_64+0x81/0x610\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRevert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count\nremain unchanged."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.6.136","matchCriteriaId":"6F4D7A8C-6CA6-44EE-B516-3E57BDDB63C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2b4331c08c0b385598b4d8ccd71e93ab3f4b2578","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/365c36e1a126c6aa1aecedd3a351bcabc66f0c29","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/452894005b4abe141b11fe01e7bfe152e6d3860f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ad9011a795407093dcf507f6e5da1828987b4b47","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b7f5ecd13cce8c2f8fa5a84c9aab65997142577e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c5908160e17cb56e1f61fbaee08adc21083f4933","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/de8016fb0904d68ac886e375069535996baa42ee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e9418da50d9e5c496c22fe392e4ad74c038a94eb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31603","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:39.453","lastModified":"2026-06-01T17:16:51.030","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: sm750fb: fix division by zero in ps_to_hz()\n\nps_to_hz() is called from hw_sm750_crtc_set_mode() without validating\nthat pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO\ncauses a division by zero.\n\nFix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent\nwith other framebuffer drivers."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-369"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"6.6.136","matchCriteriaId":"82B577FA-0D16-462A-8DB4-F6416AE147D0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/124a43550db8a74eef080cd4573a4904efe67029","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1412ba36597a82e928f20047f41d6c6582dafe8a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2f640c6043aeab31a2f607d7605271860c3b11df","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3300b049693138852a4c6738b5f1194a1ee91ddd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6144895a4335a2491c282931f1f2fa610b86339f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/75a1621e4f91310673c9acbcbb25c2a7ff821cd3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/779412e0e391fd4a0d12e1d1adaa7bf043de62d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b285a8f3bbb821a93eb37c2740a68ca1d7112a59","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/daf6733bd7c4c5015b431739ac29b0e29021096b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31605","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:39.730","lastModified":"2026-06-01T17:16:51.190","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO\n\nMuch like commit 19f953e74356 (\"fbdev: fb_pm2fb: Avoid potential divide\nby zero error\"), we also need to prevent that same crash from happening\nin the udlfb driver as it uses pixclock directly when dividing, which\nwill crash."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-369"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.6.136","matchCriteriaId":"BC733B39-C7FC-46A8-9E89-D10969EC8C99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/03797cdee38ef19c87785622d423aabaafb71c5f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6de048d78f3029744778b7a2891745f3ca7c209a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/828ce54b27de93bd9c67991bca5a2c76c76742de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9981de9fb5ae0d3d6bc5ff5ca63350c2a3cdc564","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a31e4518bec70333a0a98f2946a12b53b45fe5b9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/afaaaa38579f1252bb42b145f6e88a955c4f73f3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cccbf9b7fdab48ce4feb69c24f7f928aa8e4e8b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cce24f70090e0decb597b88bc52e8ef8efed6105","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fd50ab7dd4ee5bbb4aebffa76ae18484b03a8ea5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31607","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:39.940","lastModified":"2026-06-01T17:16:51.363","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb->number_of_packets from the network PDU. This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb->iso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n The buggy address is located 0 bytes to the right of\n allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input\"). The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo's series (\"usb: usbip: fix integer overflow in\nusbip_recv_iso()\", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu->number_of_packets against\nurb->number_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.6.136","matchCriteriaId":"860F82EF-76BF-492E-B7CE-559EC99F9C95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31611","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:40.360","lastModified":"2026-06-01T17:16:51.560","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: require 3 sub-authorities before reading sub_auth[2]\n\nparse_dacl() compares each ACE SID against sid_unix_NFS_mode and on\nmatch reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is\nthe prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares\nonly min(num_subauth, 2) sub-authorities so a client SID with\nnum_subauth = 2 and sub_auth = {88, 3} will match.\n\nIf num_subauth = 2 and the ACE is placed at the very end of the security\ndescriptor, sub_auth[2] will be 4 bytes past end_of_acl. The\nout-of-band bytes will then be masked to the low 9 bits and applied as\nthe file's POSIX mode, probably not something that is good to have\nhappen.\n\nFix this up by forcing the SID to actually carry a third sub-authority\nbefore reading it at all."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.7}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.136","matchCriteriaId":"B1ABA9F0-A5C4-4CBE-92EC-33CA7D4F7634"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/08f9e6d899b5c834bbcc239eae1bed58d9b15d2c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/46bbcd3ebfb3549c8da1838fc4493e79bd3241e7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/53370cf9090777774e07fd9a8ebce67c6cc333ab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9401f86a224f37b50e6a3ccf1d46a70d5ef8af0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b5b5d5936a50497fb151c0b122899a6894721c2b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cf2148b880fb7c0fcd727202dbc4fd5d6998b9c2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d2454f4a002d08560a60f214f392e6491cf11560","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31612","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:40.460","lastModified":"2026-06-01T17:16:51.730","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate EaNameLength in smb2_get_ea()\n\nsmb2_get_ea() reads ea_req->EaNameLength from the client request and\npasses it directly to strncmp() as the comparison length without\nverifying that the length of the name really is the size of the input\nbuffer received.\n\nFix this up by properly checking the size of the name based on the value\nreceived and the overall size of the request, to prevent a later\nstrncmp() call to use the length as a \"trusted\" size of the buffer.\nWithout this check, uninitialized heap values might be slowly leaked to\nthe client."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.136","matchCriteriaId":"B1ABA9F0-A5C4-4CBE-92EC-33CA7D4F7634"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/243b206bcb5a7137e8bddd57b2eec81e1ebd3859","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3363a770b193f555f29d76ddf4ced3305c0ccf6d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4b73376feecb3b61172fe5b4ff42bbbb8531669d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/551dfb15b182abad4600eaf7b37e6eb7000d5b1b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/66751841212c2cc196577453c37f7774ff363f02","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/859f11e1bc81a4d32bb3ceeae54bcd296ac675d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dfc6878d14acafffbe670bf2576620757a10a3d8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31613","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:40.560","lastModified":"2026-06-01T17:16:51.990","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB reads parsing symlink error response\n\nWhen a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()\nreturns success without any length validation, leaving the symlink\nparsers as the only defense against an untrusted server.\n\nsymlink_data() walks SMB 3.1.1 error contexts with the loop test \"p <\nend\", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset\n0. When the server-controlled ErrorDataLength advances p to within 1-7\nbytes of end, the next iteration will read past it. When the matching\ncontext is found, sym->SymLinkErrorTag is read at offset 4 from\np->ErrorContextData with no check that the symlink header itself fits.\n\nsmb2_parse_symlink_response() then bounds-checks the substitute name\nusing SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from\niov_base. That value is computed as sizeof(smb2_err_rsp) +\nsizeof(smb2_symlink_err_rsp), which is correct only when\nErrorContextCount == 0.\n\nWith at least one error context the symlink data sits 8 bytes deeper,\nand each skipped non-matching context shifts it further by 8 +\nALIGN(ErrorDataLength, 8). The check is too short, allowing the\nsubstitute name read to run past iov_len. The out-of-bound heap bytes\nare UTF-16-decoded into the symlink target and returned to userspace via\nreadlink(2).\n\nFix this all up by making the loops test require the full context header\nto fit, rejecting sym if its header runs past end, and bound the\nsubstitute name against the actual position of sym->PathBuffer rather\nthan a fixed offset.\n\nBecause sub_offs and sub_len are 16bits, the pointer math will not\noverflow here with the new greater-than."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.18.24","matchCriteriaId":"F141EC61-6476-4983-A772-21DE7575B28E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/043834e72337ee7b4e9685859888623ba1504ac7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/20ac98f0eb6047edb73c9a27af782bdde08b3757","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3df690bba28edec865cf7190be10708ad0ddd67e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/781902e069f4ecb6c3b83502f181972c1446110a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a66ef2e7ed837325c5600f8617d5ee0a0a149fdd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d65a64755a3df68a2fd19d2a81395e9f723aca23","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e0dd90d14cbbf318157ea8e3fb62ee68a28655ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31615","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:40.767","lastModified":"2026-06-01T17:16:52.250","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: renesas_usb3: validate endpoint index in standard request handlers\n\nThe GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint\nnumber from the host-supplied wIndex without any sort of validation.\nFix this up by validating the number of endpoints actually match up with\nthe number the device has before attempting to dereference a pointer\nbased on this math.\n\nThis is just like what was done in commit ee0d382feb44 (\"usb: gadget:\naspeed_udc: validate endpoint index for ast udc\") for the aspeed driver."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.6.136","matchCriteriaId":"FCEFD340-4D12-4082-8086-2A113C4D3AAD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.83","matchCriteriaId":"A8BAD957-8E20-401C-A129-DFF3655CA0B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1b2bfedccc4fb8c9572e1ea464f905424c91de2a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/360aa6e71870a175a6d86af905be2ca171639eb3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/37f430b2240655e6b0199a92aa1057e4d621be51","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/44216e3dd4455b798899b50eedb0ec3831dff8e0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7caaf76207f50c77abfd788380e19b2c23a94415","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/adb8014599fdf0818d3d93f1f74e06cd0bdec08d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c4e5ae6db2328d2d9ed55d3005a36c13faab0752","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e3d42598f2995cdc07b7779874e7c5f8a1b773db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f880aac8a57ebd92abfa685d45424b2998ac1059","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31616","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:40.870","lastModified":"2026-06-01T17:16:52.453","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()\n\nA broken/bored/mean USB host can overflow the skb_shared_info->frags[]\narray on a Linux gadget exposing a Phonet function by sending an\nunbounded sequence of full-page OUT transfers.\n\npn_rx_complete() finalizes the skb only when req->actual < req->length,\nwhere req->length is set to PAGE_SIZE by the gadget. If the host always\nsends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be\nreset and each completion will add another fragment via\nskb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17),\nsubsequent frag stores overwrite memory adjacent to the shinfo on the\nheap.\n\nDrop the skb and account a length error when the frag limit is reached,\nmatching the fix applied in t7xx by commit f0813bcd2d9d (\"net: wwan:\nt7xx: fix potential skb->frags overflow in RX path\")."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"6.6.136","matchCriteriaId":"B5320F96-8216-44DE-B8AC-7694F1E2D98E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3d7f7e0c842242878c24b2facff8d6eda23ee1e9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7424f0287da73d3d8c5fa5e9d25d26fce762708e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b5ec49fa198bd08967a3102bd41f53ccadce72c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31617","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:40.973","lastModified":"2026-06-01T17:16:52.620","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()\n\nThe block_len read from the host-supplied NTB header is checked against\nntb_max but has no lower bound. When block_len is smaller than\nopts->ndp_size, the bounds check of:\n\tndp_index > (block_len - opts->ndp_size)\nwill underflow producing a huge unsigned value that ndp_index can never\nexceed, defeating the check entirely.\n\nThe same underflow occurs in the datagram index checks against block_len\n- opts->dpe_size. With those checks neutered, a malicious USB host can\nchoose ndp_index and datagram offsets that point past the actual\ntransfer, and the skb_put_data() copies adjacent kernel memory into the\nnetwork skb.\n\nFix this by rejecting block lengths that cannot hold at least the NTB\nheader plus one NDP. This will make block_len - opts->ndp_size and\nblock_len - opts->dpe_size both well-defined.\n\nCommit 8d2b1a1ec9f5 (\"CDC-NCM: avoid overflow in sanity checking\") fixed\na related class of issues on the host side of NCM."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.136","matchCriteriaId":"5F07F4AC-C44A-486A-9422-D8975351BA25"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.83","matchCriteriaId":"A8BAD957-8E20-401C-A129-DFF3655CA0B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/068a7f2749fff6462a0a908ec415b885fe430f50","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1425655c2870054c3ab4712e2b6dbdd331597ada","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8b3b7bd3c02f98634baaf36c7fc7ac915f6517ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31618","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:41.080","lastModified":"2026-06-01T17:16:52.780","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO\n\nMuch like commit 19f953e74356 (\"fbdev: fb_pm2fb: Avoid potential divide\nby zero error\"), we also need to prevent that same crash from happening\nin the udlfb driver as it uses pixclock directly when dividing, which\nwill crash."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-369"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12.1","versionEndExcluding":"6.6.136","matchCriteriaId":"E2D9D9DF-0F25-43D5-9C6A-4C891E3A29FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*","matchCriteriaId":"6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"4F76C298-81DC-43E4-8FC9-DC005A2116EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"0AB349B2-3F78-4197-882B-90ADB3BF645A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"6AC88830-A9BC-4607-B572-A4B502FC9FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"476CB3A5-D022-4F13-AAEF-CB6A5785516A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2f207e46c62688bb7eb4e3feaf9a0d94020fb0c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/53cb4e79a07124d2ebe502983c29800104080b47","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/59bde9e0930efef1286768cb65fc78d5e5267f93","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/63dfb0b4741f46d65b667c4275132b3d1966acc8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6567d3e1aaadfebf44ce7dc9ea2630323cd4c736","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6c05191598eca87a87329b3f6e4a0825775f09cf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/859a239d58a812b61267d9944b701affe6a6244e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8f98b81fe011e1879e6a7b1247e69e06a5e17af2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fc386daa6846551a88d338ba9864fc2812cd9030","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31619","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:41.180","lastModified":"2026-06-01T17:16:52.943","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: fireworks: bound device-supplied status before string array lookup\n\nThe status field in an EFW response is a 32-bit value supplied by the\nfirewire device. efr_status_names[] has 17 entries so a status value\noutside that range goes off into the weeds when looking at the %s value.\n\nEven worse, the status could return EFR_STATUS_INCOMPLETE which is\n0x80000000, and is obviously not in that array of potential strings.\n\nFix this up by properly bounding the index against the array size and\nprinting \"unknown\" if it's not recognized."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16","versionEndExcluding":"6.6.136","matchCriteriaId":"7482AD77-8977-4A6A-96C0-1B7E86AC25E9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07704bbf36f57e4379e4cadf96410dab14621e3b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/183aa0de0f680496b9feb85c9d182681ad4600dd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/327f8e730e3c65ec97df9d3b07de66aeb3dc932d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/62fcb273fbee5b2a0e7ed41cc914c8d7d1a5d285","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/67cfd14074cdafab5de3f7cfc0952c1a9b653e5d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/682d8accf0d83a871e8c327b95c81f53902c922b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cc624b3d2be13297100539b64ad950695188e046","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e103f98f6615ed2934e9cf340654f0cad9eb8a8a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f856f4b6efd51be7950e4b84c06cd961961ca41c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31622","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:41.487","lastModified":"2026-06-01T17:16:53.070","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: digital: Bounds check NFC-A cascade depth in SDD response handler\n\nThe NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3\nor 4 bytes to target->nfcid1 on each round, but the number of cascade\nrounds is controlled entirely by the peer device. The peer sets the\ncascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the\ncascade-incomplete bit in the SEL_RES (deciding whether another round\nfollows).\n\nISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is\nsized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver\nactually enforces this. This means a malicious peer can keep the\ncascade running, writing past the heap-allocated nfc_target with each\nround.\n\nFix this by rejecting the response when the accumulated UID would exceed\nthe buffer.\n\nCommit e329e71013c9 (\"NFC: nci: Bounds check struct nfc_target arrays\")\nfixed similar missing checks against the same field on the NCI path."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-120"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.6.136","matchCriteriaId":"6E4B7C62-D2BF-4255-BC77-4D30A01DC46D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1bec5698b55aa2be5c3b983dba657c01d0fd3dbc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/20663102c14566e900e1d2f679e30b7f1694f387","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2819f34e08bdffb6f06a51c67948ec5737fb166a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8d9d9bf3565271ca7ab9c716a94e87296177e7ba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9ba6bb09e00b922d902f684f575779e5433fe6e3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cc024a3de265ef6c58957f4990eccb9f806208cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f83b399aa05a0712e3b1569a30d3d90b3533d2ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31623","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:41.587","lastModified":"2026-06-01T17:16:53.213","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()\n\nA malicious USB device claiming to be a CDC Phonet modem can overflow\nthe skb_shared_info->frags[] array by sending an unbounded sequence of\nfull-page bulk transfers.\n\nDrop the skb and increment the length error when the frag limit is\nreached. This matches the same fix that commit f0813bcd2d9d (\"net:\nwwan: t7xx: fix potential skb->frags overflow in RX path\") did for the\nt7xx driver."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-120"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"6.6.136","matchCriteriaId":"F537DD4C-1540-41DE-85CB-6B14F7030A5F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0c5c65a17db729fc63ab656bdaaf0e675a9dbeac","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/600dc40554dc5ad1e6f3af51f700228033f43ea7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6053620fdbcd89fa7e755644efdaab78e0daaae7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6807ff49bf796b3823b1e29f97b69316a40a9a94","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9989938d13cc5ba8447eeed5a61acfcf61bc6801","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a23b1b1aaf41e174181d5853a70e65d4d01e648c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c183d5775129a0a7495bd61a6e57ec230dcf01e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d4e1946bea8d6441835eb3fd09b19237ba366a6f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ebf75c6301c4972a87542ebf2d994c6391eb5d46","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31624","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:41.697","lastModified":"2026-06-01T17:16:53.350","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field's report_size, a value that\ncomes directly from a HID device. The HID parser bounds report_size\nonly to <= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 (\"HID: core: fix shift-out-of-bounds in\nhid_report_raw_event\") added the same n > 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn't figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like snto32()\ndoes."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.20.1","versionEndExcluding":"6.6.136","matchCriteriaId":"098695E6-95CE-401B-AC16-CEBD793B4DF1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.20:-:*:*:*:*:*:*","matchCriteriaId":"5AE1560A-DECA-4BC6-87F6-F3F9ED544840"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0ab048dbdb1daacf17d52e9252297eb6e1298e49","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/76ad02854a30c394e0c076e6e6bed0a388573a94","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/eb415ddaf25e09ddb8fe5736a70c9de2e6462534","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31625","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:41.807","lastModified":"2026-06-01T17:16:53.490","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: alps: fix NULL pointer dereference in alps_raw_event()\n\nCommit ecfa6f34492c (\"HID: Add HID_CLAIMED_INPUT guards in raw_event\ncallbacks missing them\") attempted to fix up the HID drivers that had\nmissed the previous fix that was done in 2ff5baa9b527 (\"HID: appleir:\nFix potential NULL dereference at raw event handle\"), but the alps\ndriver was missed.\n\nFix this up by properly checking in the hid-alps driver that it had been\nclaimed correctly before attempting to process the raw event."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15","versionEndExcluding":"6.6.136","matchCriteriaId":"73306563-4D86-4EFC-8B84-FAF53D5FB6A5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0091dfa542a362c178a7e9393097138a57d327d1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1badfc4319224820d5d890f8eab6aa52e4e83339","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4b618248d2307a219d9431a730cfe1156c8e3386","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/56850666bb5dcf7a13d76c5d02864813e17ee537","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/72516a8d7fe247fd895424bab87952f105a0c255","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8eed7bce7a4c41ab28ee4891103623a12fd41611","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c8cc765253ad89ccc106a7bdeb5aeac6cf963078","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cc411e4823d8bfa23327d9989a0fa4e0ce76aebe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ee2cb3ddfdca949dbc0c3f796ed5a439f0efc9f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31626","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:41.907","lastModified":"2026-06-01T17:16:53.620","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()\n\nInitialize le_tmp64 to zero in rtw_BIP_verify() to prevent using\nuninitialized data.\n\nSmatch warns that only 6 bytes are copied to this 8-byte (u64)\nvariable, leaving the last two bytes uninitialized:\n\ndrivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()\nwarn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)\n\nInitializing the variable at the start of the function fixes this\nwarning and ensures predictable behavior."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-908"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"6.6.136","matchCriteriaId":"022BB187-782F-49F9-A3AE-9DCC0B6012CE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/51532c7c1d357145f4ac561648499f7a6847f739","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6792624d933146e2757b07092e93ad915cb58930","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8c964b82a4e97ec7f25e17b803ee196009b38a57","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9e911eead187240193516edf55a0e1ab3425aa5b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b487a7754d874230299d5a9c2710ec4df8b2ed8a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c2026c6b603ebec52f55015496703fe79077accf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c65ee4d3be5df395e48afbcd0946dd5fce4338a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d5b8f5f8d6fc09a8af5ed139c688660f578ed732","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ef74ce5f0bc0e53ce702d8a794f3957884a26efc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31627","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:42.003","lastModified":"2026-06-01T17:16:53.753","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: s3c24xx: check the size of the SMBUS message before using it\n\nThe first byte of an i2c SMBUS message is the size, and it should be\nverified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX\nbefore processing it.\n\nThis is the same logic that was added in commit a6e04f05ce0b (\"i2c:\ntegra: check msg length in SMBUS block read\") to the i2c tegra driver."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.1","versionEndExcluding":"6.6.136","matchCriteriaId":"FB898C76-28CD-416F-9777-F00444862F17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.10:-:*:*:*:*:*:*","matchCriteriaId":"82D28405-E1F2-43CF-AA38-B228805AFFF9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2d262da4bca6fab96e2e709feb95b31b0a9a03a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/377fae22a137b6b89f3f32399a58c52cf2325416","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/71b3c316b22c555d2769126a92b1244b15a9750d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8f756a5964396da0fc9e0db33253a5b85dbbcbb6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c0128c7157d639a931353ea344fb44aad6d6e17a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d87d5620125a03b1eadbd5df39748215d3db7ddb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fa00738ab30b07db1a43b9c85fc56b8cc3b7d197","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fd1650da24ed54c716aa9b69e9bbd8a662e492da","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31629","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:42.217","lastModified":"2026-06-01T17:16:53.893","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: add missing return after LLCP_CLOSED checks\n\nIn nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket\nstate is LLCP_CLOSED, the code correctly calls release_sock() and\nnfc_llcp_sock_put() but fails to return. Execution falls through to\nthe remainder of the function, which calls release_sock() and\nnfc_llcp_sock_put() again. This results in a double release_sock()\nand a refcount underflow via double nfc_llcp_sock_put(), leading to\na use-after-free.\n\nAdd the missing return statements after the LLCP_CLOSED branches\nin both functions to prevent the fall-through."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.6.136","matchCriteriaId":"FAB12062-558C-4570-A908-D71195858ADA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2b5dd4632966c39da6ba74dbc8689b309065e82c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/665315df9c3486cb213fc44d83cc8bcd47fe0d26","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b2a23529593d011fb433a3d711fc597ed6a6bd2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31630","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:42.323","lastModified":"2026-06-01T17:16:54.030","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: proc: size address buffers for %pISpc output\n\nThe AF_RXRPC procfs helpers format local and remote socket addresses into\nfixed 50-byte stack buffers with \"%pISpc\".\n\nThat is too small for the longest current-tree IPv6-with-port form the\nformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a\ndotted-quad tail not only for v4mapped addresses, but also for ISATAP\naddresses via ipv6_addr_is_isatap().\n\nAs a result, a case such as\n\n [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535\n\nis possible with the current formatter. That is 50 visible characters, so\n51 bytes including the trailing NUL, which does not fit in the existing\nchar[50] buffers used by net/rxrpc/proc.c.\n\nSize the buffers from the formatter's maximum textual form and switch the\ncall sites to scnprintf().\n\nChanges since v1:\n- correct the changelog to cite the actual maximum current-tree case\n explicitly\n- frame the proof around the ISATAP formatting path instead of the earlier\n mapped-v4 example"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.1","versionEndExcluding":"6.18.23","matchCriteriaId":"59855615-6720-4D3F-83EB-B5CCFD90FBD3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.13","matchCriteriaId":"1490EF9B-9080-481C-8D22-1306AAE664E4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.9:-:*:*:*:*:*:*","matchCriteriaId":"592761F7-6672-484E-8490-1187F4CDD13E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/10ebed83f9f6414af4e85bc85ffaeda7effdd874","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/235b2115de892eab2e107a42efa7a4347baaa80b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/386c86412608d3449006a318a662cbcd6ca1f668","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/625af53a1564e31bb2df9adc3739df46137f46c1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a44ce6aa2efb61fe44f2cfab72bb01544bbca272","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/db297c78ce537c9ac96f0eda9b25ad72c8caefa9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31634","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:42.707","lastModified":"2026-06-01T17:16:54.157","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix reference count leak in rxrpc_server_keyring()\n\nThis patch fixes a reference count leak in rxrpc_server_keyring()\nby checking if rx->securities is already set."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22.1","versionEndExcluding":"5.15.203","matchCriteriaId":"3CA3003D-15D3-4188-ADEA-9A0A4C5759FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.169","matchCriteriaId":"DBEC0E5D-641C-4E98-A6D9-5799B10CE451"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.135","matchCriteriaId":"15C1A1B2-14EE-494C-AF3E-D5A7BA640B39"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.82","matchCriteriaId":"02904CAE-71D2-45B3-9EC3-F6A9D18B6307"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.23","matchCriteriaId":"E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.13","matchCriteriaId":"1490EF9B-9080-481C-8D22-1306AAE664E4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*","matchCriteriaId":"7F7D6C66-3384-4ACC-9D08-C5A26B4FD004"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/12de9e0e0b0b7058be7dfb8a5927eb565bc25780","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/139c750bf06649097d98b0bc41e2a678b4627e27","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/45d9584e51bdd61faf1900f82666d4ea6a85da72","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8ee931c3cd97f1c42b4fbf057f04b9dae45dfb7a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9ce36d28f67c2a477a7e2f03480de3f6783fb363","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c6d9ea26cf8756ad6f162578e94a5f82f6fae3c2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f125846ee79fcae537a964ce66494e96fa54a6de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fc76d0bd00850b7372f0a4a319c0c60f80487632","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31637","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:43.020","lastModified":"2026-06-01T17:16:54.283","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: reject undecryptable rxkad response tickets\n\nrxkad_decrypt_ticket() decrypts the RXKAD response ticket and then\nparses the buffer as plaintext without checking whether\ncrypto_skcipher_decrypt() succeeded.\n\nA malformed RESPONSE can therefore use a non-block-aligned ticket\nlength, make the decrypt operation fail, and still drive the ticket\nparser with attacker-controlled bytes.\n\nCheck the decrypt result and abort the connection with RXKADBADTICKET\nwhen ticket decryption fails."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22.1","versionEndExcluding":"6.6.135","matchCriteriaId":"CF3437DE-9B4D-4F70-8EDD-552E0695376B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.82","matchCriteriaId":"02904CAE-71D2-45B3-9EC3-F6A9D18B6307"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.23","matchCriteriaId":"E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.13","matchCriteriaId":"1490EF9B-9080-481C-8D22-1306AAE664E4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*","matchCriteriaId":"7F7D6C66-3384-4ACC-9D08-C5A26B4FD004"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/22f6258e7b31dba9bf88dce4e3ee7f0f20072e60","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/252157d939d179b5d767cb860ff8fa7f8723b67a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/47073aab8a3a5a7b41c9bd37d2a3dcbeeccd6c8a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/58fcd1b156152613ba00a064a129fb69507ddd7d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a149dcae23309df9de1c3b6b5d468610ef5ab7de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a75b3b361dd481d942c5f259a82d59718a41092c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b3a808cd0790b5075aaa2bc3588edf02cd71d352","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fe4447cd95623b1cfacc15f280aab73a6d7340b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31642","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:43.567","lastModified":"2026-06-01T17:16:54.427","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix call removal to use RCU safe deletion\n\nFix rxrpc call removal from the rxnet->calls list to use list_del_rcu()\nrather than list_del_init() to prevent stuffing up reading\n/proc/net/rxrpc/calls from potentially getting into an infinite loop.\n\nThis, however, means that list_empty() no longer works on an entry that's\nbeen deleted from the list, making it harder to detect prior deletion. Fix\nthis by:\n\nFirstly, make rxrpc_destroy_all_calls() only dump the first ten calls that\nare unexpectedly still on the list. Limiting the number of steps means\nthere's no need to call cond_resched() or to remove calls from the list\nhere, thereby eliminating the need for rxrpc_put_call() to check for that.\n\nrxrpc_put_call() can then be fixed to unconditionally delete the call from\nthe list as it is the only place that the deletion occurs."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-835"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13.1","versionEndExcluding":"6.6.135","matchCriteriaId":"36F24990-3D13-46FD-890A-DD2DC4FCEF1C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.82","matchCriteriaId":"02904CAE-71D2-45B3-9EC3-F6A9D18B6307"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.23","matchCriteriaId":"E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.13","matchCriteriaId":"1490EF9B-9080-481C-8D22-1306AAE664E4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.13:-:*:*:*:*:*:*","matchCriteriaId":"40253A59-8422-42B7-B45F-FF9C4A824F3E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/146d4ab94cf129ee06cd467cb5c71368a6b5bad6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/280efb85e9759881a9d31d0874baa04583cb6c09","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3be718f659683ad89fad6f1eb66bee99727cae64","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3e47a38e584b905359fe0ce5be5165d1e8592a90","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/93fc15be44a35b8e3c58d0238ac0d9b7c53465ff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ac5f54691be06a32246179d41be2d73598036deb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b15b1ce96777b88989a6a4de8d01efbcd81ad2d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c63abf25203b50243fe228090526f9dbf37727bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31656","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:45.097","lastModified":"2026-06-01T17:16:54.583","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat\n\nA use-after-free / refcount underflow is possible when the heartbeat\nworker and intel_engine_park_heartbeat() race to release the same\nengine->heartbeat.systole request.\n\nThe heartbeat worker reads engine->heartbeat.systole and calls\ni915_request_put() on it when the request is complete, but clears\nthe pointer in a separate, non-atomic step. Concurrently, a request\nretirement on another CPU can drop the engine wakeref to zero, triggering\n__engine_park() -> intel_engine_park_heartbeat(). If the heartbeat\ntimer is pending at that point, cancel_delayed_work() returns true and\nintel_engine_park_heartbeat() reads the stale non-NULL systole pointer\nand calls i915_request_put() on it again, causing a refcount underflow:\n\n```\n<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]\n<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n...\n<4> [487.222707] Call Trace:\n<4> [487.222711] \n<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]\n<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]\n<4> [487.223566] __engine_park+0xb9/0x650 [i915]\n<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]\n<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]\n<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]\n<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915]\n<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]\n<4> [487.226178] i915_request_retire+0x1c/0x40 [i915]\n<4> [487.226625] engine_retire+0x122/0x180 [i915]\n<4> [487.227037] process_one_work+0x239/0x760\n<4> [487.227060] worker_thread+0x200/0x3f0\n<4> [487.227068] ? __pfx_worker_thread+0x10/0x10\n<4> [487.227075] kthread+0x10d/0x150\n<4> [487.227083] ? __pfx_kthread+0x10/0x10\n<4> [487.227092] ret_from_fork+0x3d4/0x480\n<4> [487.227099] ? __pfx_kthread+0x10/0x10\n<4> [487.227107] ret_from_fork_asm+0x1a/0x30\n<4> [487.227141] \n```\n\nFix this by replacing the non-atomic pointer read + separate clear with\nxchg() in both racing paths. xchg() is a single indivisible hardware\ninstruction that atomically reads the old pointer and writes NULL. This\nguarantees only one of the two concurrent callers obtains the non-NULL\npointer and performs the put, the other gets NULL and skips it.\n\n(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-191"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5.1","versionEndExcluding":"5.15.203","matchCriteriaId":"6A1B622D-B57C-432F-A03B-40A25B6C1E06"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.169","matchCriteriaId":"DBEC0E5D-641C-4E98-A6D9-5799B10CE451"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.135","matchCriteriaId":"15C1A1B2-14EE-494C-AF3E-D5A7BA640B39"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.82","matchCriteriaId":"02904CAE-71D2-45B3-9EC3-F6A9D18B6307"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.23","matchCriteriaId":"E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.13","matchCriteriaId":"1490EF9B-9080-481C-8D22-1306AAE664E4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*","matchCriteriaId":"EE98F46A-F7D9-4609-B6A0-882E7F0D378C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2af8b200cae3fdd0e917ecc2753b28bb40c876c1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/455d98ed527fc94eed90406f90ab2391464ca657","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4c71fd099513bfa8acab529b626e1f0097b76061","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/70d3e622b10092fc483e28e57b4e8c49d9cc7f68","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/82034799c6c14b3104668878c3f3e5786f777126","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8ce44d28a84fd5e053a88b04872a89d95c0779d4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a00e92bf6583d019a4fb2c2df7007e6c9b269ce7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ca3f48c3567dd49efdc55b80029ae74659c682ee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31657","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:45.227","lastModified":"2026-06-01T17:16:54.750","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: hold claim backbone gateways by reference\n\nbatadv_bla_add_claim() can replace claim->backbone_gw and drop the old\ngateway's last reference while readers still follow the pointer.\n\nThe netlink claim dump path dereferences claim->backbone_gw->orig and\ntakes claim->backbone_gw->crc_lock without pinning the underlying\nbackbone gateway. batadv_bla_check_claim() still has the same naked\npointer access pattern.\n\nReuse batadv_bla_claim_get_backbone_gw() in both readers so they operate\non a stable gateway reference until the read-side work is complete.\nThis keeps the dump and claim-check paths aligned with the lifetime\nrules introduced for the other BLA claim readers."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5.1","versionEndExcluding":"6.1.169","matchCriteriaId":"17B3C5B3-0F63-4D6D-A3AA-C6184C350124"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.135","matchCriteriaId":"15C1A1B2-14EE-494C-AF3E-D5A7BA640B39"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.82","matchCriteriaId":"02904CAE-71D2-45B3-9EC3-F6A9D18B6307"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.23","matchCriteriaId":"E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.13","matchCriteriaId":"1490EF9B-9080-481C-8D22-1306AAE664E4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.5:-:*:*:*:*:*:*","matchCriteriaId":"71555F5B-DEB2-417A-8E33-90276DD2EFB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1f2dc36c297d27733f1b380ea644cf15a361bd7b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2f55b58b5a0bbed192d60c444a45a49cdf1b545f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4dee4c0688443aaf5bbec74aa203c851d1d53c35","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5202f071b367ffbc8e279fc7a00db14f5e587f52","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/69d1ce9c72eca91203ffdb8d08bacd511100aec6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7962b522222628596ca9ecc8722efc95367aadbd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/82d8701b2c930d0e96b0dbc9115a218d791cb0d2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f4858832ddef2f39f21e30b7226bbcd3c4b2bc96","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31664","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-24T15:16:46.043","lastModified":"2026-06-01T17:16:54.893","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: clear trailing padding in build_polexpire()\n\nbuild_expire() clears the trailing padding bytes of struct\nxfrm_user_expire after setting the hard field via memset_after(),\nbut the analogous function build_polexpire() does not do this for\nstruct xfrm_user_polexpire.\n\nThe padding bytes after the __u8 hard field are left\nuninitialized from the heap allocation, and are then sent to\nuserspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,\nleaking kernel heap memory contents.\n\nAdd the missing memset_after() call, matching build_expire()."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12.1","versionEndExcluding":"6.1.169","matchCriteriaId":"2FCFBA57-878B-4D11-8528-850CE9FB4CB7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.135","matchCriteriaId":"15C1A1B2-14EE-494C-AF3E-D5A7BA640B39"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.82","matchCriteriaId":"02904CAE-71D2-45B3-9EC3-F6A9D18B6307"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.23","matchCriteriaId":"E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.13","matchCriteriaId":"1490EF9B-9080-481C-8D22-1306AAE664E4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*","matchCriteriaId":"6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"4F76C298-81DC-43E4-8FC9-DC005A2116EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"0AB349B2-3F78-4197-882B-90ADB3BF645A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"6AC88830-A9BC-4607-B572-A4B502FC9FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"476CB3A5-D022-4F13-AAEF-CB6A5785516A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/71a98248c63c535eaa4d4c22f099b68d902006d0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a5127501c8d30b5728791b1e340284ca5c9cc4bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ac6985903db047eaff54db929e4bf6b06782788e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b1dfd6b27df35ef4f87825aa5f607378d23ff0f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c221ed63a2769a0af8bd849dfe25740048f34ef4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e1af65c669ebb1666c54576614c01a7f9ffcfff6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e6f4ffe8596947a595c9544e73a73adcb0568b88","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/eda30846ea54f8ed218468e5480c8305ca645e37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31673","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-25T09:16:00.423","lastModified":"2026-06-01T17:16:55.040","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu->path. Meanwhile, unix_release_sock() clears u->path under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.6.136","matchCriteriaId":"FAB12062-558C-4570-A908-D71195858ADA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0c739f3785f84af695952c2bac8be2f45082c9b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/39897df386376912d561d4946499379effa1e7ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4f6a8f10182c3a9d22e8eb183957ae7ade9e4bf7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/900a4e0910e98b8caef117d5df00471fa438dcf9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b9232421a77a649c9376c99fdfc8cb7f79cad34c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bdf206e740bf2919d818f132c8c9cc7ed91d11c0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c3ec44ab4526bbc4b6c9fc845af86488244f4c9b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e7339db13b9ddb63417b12da55fd6191e59f7442","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31676","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-25T09:16:01.210","lastModified":"2026-06-01T17:16:55.190","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: only handle RESPONSE during service challenge\n\nOnly process RESPONSE packets while the service connection is still in\nRXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before\nrunning response verification and security initialization, then use a local\nsecured flag to decide whether to queue the secured-connection work after\nthe state transition. This keeps duplicate or late RESPONSE packets from\nre-running the setup path and removes the unlocked post-transition state\ntest."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.22","versionEndExcluding":"6.6.136","matchCriteriaId":"D32EF540-B97D-4378-A852-A6F166CF1E4B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.23","matchCriteriaId":"E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.13","matchCriteriaId":"1490EF9B-9080-481C-8D22-1306AAE664E4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/03fd2ef73cb4ffd0af100a95b634af54f474414e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0afdfd4941c1b60a1f5c361760daa970edca60cd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/29b44d904dceb832be880def08b8cb17a0aba91c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6c3a0fbdafef8316e34ae22333e317a341e737cd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a1a8efde03a40b6c658d580e96644d9b9a2a0d3a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a6bcf8010af093fe04f7100562e9542ab7882585","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c43ffdcfdbb5567b1f143556df8a04b4eeea041c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d0035e634dae83237ab7f5681eb52b2f65d0ceb8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31681","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-25T09:16:01.800","lastModified":"2026-06-01T17:16:55.333","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_multiport: validate range encoding in checkentry\n\nports_match_v1() treats any non-zero pflags entry as the start of a\nport range and unconditionally consumes the next ports[] element as\nthe range end.\n\nThe checkentry path currently validates protocol, flags and count, but\nit does not validate the range encoding itself. As a result, malformed\nrules can mark the last slot as a range start or place two range starts\nback to back, leaving ports_match_v1() to step past the last valid\nports[] element while interpreting the rule.\n\nReject malformed multiport v1 rules in checkentry by validating that\neach range start has a following element and that the following element\nis not itself marked as another range start."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.6.136","matchCriteriaId":"A7B9FFD8-E991-452F-9730-FADDA1A54E82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1e4baa853f1cc4227e04f52d6860524707cfb294","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/36bf0d98e180a7c384c8d8a59b0d2d4b80e5eb16","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8368ce8eb01f0b91111d814703696e780d0ef12f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8c5bf8f5b478f569191c4a7982de7cd5f5f73c1a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/aec14808271f2bf2b656de6ff12dfe73c5fd3b67","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b67d638cbee9975c765feb45c126e96ed11ec802","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c9749f6232c845e31c21d4cc72200211df15d8a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ff64c5bfef12461df8450e0f50bb693b5269c720","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31684","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-25T09:16:02.163","lastModified":"2026-06-01T17:16:55.470","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_csum: validate nested VLAN headers\n\ntcf_csum_act() walks nested VLAN headers directly from skb->data when an\nskb still carries in-payload VLAN tags. The current code reads\nvlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without\nfirst ensuring that the full VLAN header is present in the linear area.\n\nIf only part of an inner VLAN header is linearized, accessing\nh_vlan_encapsulated_proto reads past the linear area, and the following\nskb_pull(VLAN_HLEN) may violate skb invariants.\n\nFix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and\npulling each nested VLAN header. If the header still is not fully\navailable, drop the packet through the existing error path."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.99","versionEndExcluding":"4.20","matchCriteriaId":"97340910-B0B6-42CC-B4FA-E277DFB61C71"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.6.136","matchCriteriaId":"B28CAC2A-4B06-4D07-8736-82E515099010"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0410c619e86551677fb79887a38eccad3f5a0725","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3d165d975305cf76ff0b10a3c798fb31e5f5f9a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/46c07ad50fa2f4ba7663ee1b72b75ad7ad45cf09","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/886469b6455611a511aa6013e957e15e50577513","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a69738efea0996d05a3c7d2178551b891744df1b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c842743d073bdd683606cb414eb0ca84465dd834","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/eb3765b90eb8f2a3d6310a80c14a9e57ec4267a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ec4930979b3f7bbeb7af5744599fc6603a4dba62","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31685","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-25T09:16:02.273","lastModified":"2026-06-01T17:16:55.610","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_eui64: reject invalid MAC header for all packets\n\n`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address\nand compares it with the low 64 bits of the IPv6 source address.\n\nThe existing guard only rejects an invalid MAC header when\n`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`\ncan still reach `eth_hdr(skb)` even when the MAC header is not valid.\n\nFix this by removing the `par->fragoff != 0` condition so that packets\nwith an invalid MAC header are rejected before accessing `eth_hdr(skb)`."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.5}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12.1","versionEndExcluding":"6.6.136","matchCriteriaId":"E2D9D9DF-0F25-43D5-9C6A-4C891E3A29FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*","matchCriteriaId":"6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"4F76C298-81DC-43E4-8FC9-DC005A2116EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"0AB349B2-3F78-4197-882B-90ADB3BF645A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"6AC88830-A9BC-4607-B572-A4B502FC9FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"476CB3A5-D022-4F13-AAEF-CB6A5785516A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/288138418bef956f8b295751a4536c60f0e89f4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/309ae3e9a51a69699ca94eac5fac5688fa562d55","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4d75bc2cd093bf5803edf512c099bfb220fd6459","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7d6a57411caf54df025860c9b1a82cd42d57a562","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/807d6ee15804df6f01a35c910f09612e858739a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9eda5478746ef7dc0e4e537b5a5e4b0ca1027091","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d5603591373441fecf9951833d6d873e09320f08","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fdce0b3590f724540795b874b4c8850c90e6b0a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31686","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-04-27T18:16:53.987","lastModified":"2026-06-01T17:16:55.750","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kasan: fix double free for kasan pXds\n\nkasan_free_pxd() assumes the page table is always struct page aligned. \nBut that's not always the case for all architectures. E.g. In case of\npowerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache\nnamed pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just\ndirectly pass the start of the pxd table which is passed as the 1st\nargument.\n\nThis fixes the below double free kasan issue seen with PMEM:\n\nradix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages\n==================================================================\nBUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20\nFree of addr c0000003c38e0000 by task ndctl/2164\n\nCPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY\nHardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries\nCall Trace:\n dump_stack_lvl+0x88/0xc4 (unreliable)\n print_report+0x214/0x63c\n kasan_report_invalid_free+0xe4/0x110\n check_slab_allocation+0x100/0x150\n kmem_cache_free+0x128/0x6e0\n kasan_remove_zero_shadow+0x9c4/0xa20\n memunmap_pages+0x2b8/0x5c0\n devm_action_release+0x54/0x70\n release_nodes+0xc8/0x1a0\n devres_release_all+0xe0/0x140\n device_unbind_cleanup+0x30/0x120\n device_release_driver_internal+0x3e4/0x450\n unbind_store+0xfc/0x110\n drv_attr_store+0x78/0xb0\n sysfs_kf_write+0x114/0x140\n kernfs_fop_write_iter+0x264/0x3f0\n vfs_write+0x3bc/0x7d0\n ksys_write+0xa4/0x190\n system_call_exception+0x190/0x480\n system_call_vectored_common+0x15c/0x2ec\n---- interrupt: 3000 at 0x7fff93b3d3f4\nNIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000\nREGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392)\nMSR: 800000000280f033 CR: 48888208 XER: 00000000\n<...>\nNIP [00007fff93b3d3f4] 0x7fff93b3d3f4\nLR [00007fff93b3d3f4] 0x7fff93b3d3f4\n---- interrupt: 3000\n\n The buggy address belongs to the object at c0000003c38e0000\n which belongs to the cache pgtable-2^9 of size 4096\n The buggy address is located 0 bytes inside of\n 4096-byte region [c0000003c38e0000, c0000003c38e1000)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c\n head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n memcg:c0000003bfd63e01\n flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff)\n page_type: f5(slab)\n raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000\n raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01\n head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000\n head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01\n head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\n page dumped because: kasan: bad access detected\n\n[ 138.953636] [ T2164] Memory state around the buggy address:\n[ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953669] [ T2164] ^\n[ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953692] [ T2164] ==================================================================\n[ 138.953701] [ T2164] Disabling lock debugging due to kernel taint"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19","versionEndExcluding":"6.6.136","matchCriteriaId":"C65C5FE4-6002-4BBA-98A9-87D1F99A643F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2277246ea265cdca64ce6fdea4b26cd6ff0ec4db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3298bdf5a878ded06351eb293856fa84e050029e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/51d8c78be0c27ddb91bc2c0263941d8b30a47d3b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7d7b2d5c107a1f6302cf0006d859985e7c3ddd1c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/85d98614e089a67dc6faa8ca766fe10a639f82b4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a05f77cb227c39c5069aea6f12762a29d1e6c103","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b38237a2ea9c6c19836eee2c57037e1f9f103576","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cec74b2ab7dff866b1d77eaa545b9e8fd14a1f87","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f6204f7ff6aff62ce6242a76982c5ba3a9ded707","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-33845","sourceIdentifier":"secalert@redhat.com","published":"2026-04-30T18:16:28.003","lastModified":"2026-06-01T21:16:41.813","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-191"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*","matchCriteriaId":"33A22858-21E1-479F-A9C4-AD2EFD059B93"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","matchCriteriaId":"932D137F-528B-4526-9A89-CD59FA1AB0FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*","matchCriteriaId":"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13274","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-33845","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450624","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-3832","sourceIdentifier":"secalert@redhat.com","published":"2026-04-30T18:16:30.433","lastModified":"2026-06-01T21:16:43.500","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-179"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*","matchCriteriaId":"33A22858-21E1-479F-A9C4-AD2EFD059B93"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*","matchCriteriaId":"87DEB507-5B64-47D7-9A50-3B87FD1E571F"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","matchCriteriaId":"932D137F-528B-4526-9A89-CD59FA1AB0FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*","matchCriteriaId":"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13274","source":"secalert@redhat.com","tags":["Third Party Advisory"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-3832","source":"secalert@redhat.com","tags":["Third Party Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445762","source":"secalert@redhat.com","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://gitlab.com/gnutls/gnutls/-/issues/1801","source":"secalert@redhat.com","tags":["Exploit","Issue Tracking","Vendor Advisory"]},{"url":"https://gitlab.com/gnutls/gnutls/-/issues/1801","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Issue Tracking","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-3833","sourceIdentifier":"secalert@redhat.com","published":"2026-04-30T18:16:30.577","lastModified":"2026-06-01T21:16:43.643","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-178"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*","matchCriteriaId":"33A22858-21E1-479F-A9C4-AD2EFD059B93"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*","matchCriteriaId":"87DEB507-5B64-47D7-9A50-3B87FD1E571F"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","matchCriteriaId":"932D137F-528B-4526-9A89-CD59FA1AB0FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*","matchCriteriaId":"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13274","source":"secalert@redhat.com","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-3833","source":"secalert@redhat.com","tags":["Third Party Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445763","source":"secalert@redhat.com","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://gitlab.com/gnutls/gnutls/-/issues/1803","source":"secalert@redhat.com","tags":["Exploit","Issue Tracking","Vendor Advisory"]},{"url":"https://gitlab.com/gnutls/gnutls/-/issues/1803","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Issue Tracking","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-31694","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:19.133","lastModified":"2026-06-01T17:16:55.950","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: reject oversized dirents in page cache\n\nfuse_add_dirent_to_cache() computes a serialized dirent size from the\nserver-controlled namelen field and copies the dirent into a single\npage-cache page. The existing logic only checks whether the dirent fits\nin the remaining space of the current page and advances to a fresh page\nif not. It never checks whether the dirent itself exceeds PAGE_SIZE.\n\nAs a result, a malicious FUSE server can return a dirent with\nnamelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB\npage systems this causes memcpy() to overflow the cache page by 24 bytes\ninto the following kernel page.\n\nReject dirents that cannot fit in a single page before copying them into\nthe readdir cache."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.6.136","matchCriteriaId":"6508946E-134B-4941-9550-4B3C2C1D16DD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/038e61812fa52ef62bad2cfc96bf37dc0db47c1e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1d4a517fa90480c52fd452fea2686cd80f773ce2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3059f9abe7f1ba8fddf3c86c5faa1eeacf07e7d4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/45c05af36311624c1148123caeb011312495d86b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/474ce83c96a55f2eeb14dee2be375eeadfdacdf5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7de93abfaae1b2dc94da8a07a36421bd073f1d8f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d23ad78bfd205eac26766e38ba7d79f279131098","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31696","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:19.403","lastModified":"2026-06-01T17:16:56.123","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing validation of ticket length in non-XDR key preparsing\n\nIn rxrpc_preparse(), there are two paths for parsing key payloads: the\nXDR path (for large payloads) and the non-XDR path (for payloads <= 28\nbytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly\nvalidates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR\npath fails to do so.\n\nThis allows an unprivileged user to provide a very large ticket length.\nWhen this key is later read via rxrpc_read(), the total\ntoken size (toksize) calculation results in a value that exceeds\nAFSTOKEN_LENGTH_MAX, triggering a WARN_ON().\n\n[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]\n\nFix this by adding a check in the non-XDR parsing path of rxrpc_preparse()\nto ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,\nbringing it into parity with the XDR parsing logic."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17","versionEndExcluding":"6.6.136","matchCriteriaId":"C73D2808-65F0-4CE5-A194-0FCDE4D23BFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1fa36cf495b0023e8475d038535c05e4063211e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/41a117dd80371343babc52198d1114e83eb37627","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4458757c020592a3094366e0fb20457383b42f92","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/44714dfda386884919ba366411880b6fb3c3efd3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9a397aa9b5e53ca63d4d6aefb542832eca389618","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a1be1c9ece26cea69654f28b255ff9a7906b897b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ac33733b10b484d666f97688561670afd5861383","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ce383ba615339f8eaec646a166d2c2b015bb5ca0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31697","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:19.517","lastModified":"2026-06-01T17:16:56.277","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don't attempt to copy the ID blob to\nuserspace if the firmware command failed. If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.6.136","matchCriteriaId":"C61C6D64-BBED-49D1-A334-68BA14CE5327"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/06f06d88c05ce176c61fff8c72c372847b0dd2b5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/09427bcb1715fb20a80b6acd5156dbf15ab5c363","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0f1f2f9894893dc8a28af1b9e9dbc0abf453eb52","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1fbac0429a42adec830491757a2b53956dd797ea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4f685dbfa87c546e51d9dc6cab379d20f275e114","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/99bae2e3c3f9ba8f854c938ed2c811b6a63b28e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a21ae9f8769e5f75433bb0a85ac3868b2100ef5b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-31698","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:19.650","lastModified":"2026-06-01T17:16:56.450","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed\n\nWhen retrieving the PDH cert, don't attempt to copy the blobs to userspace\nif the firmware command failed. If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033\n\n CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025\n Call Trace:\n \n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347\n sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.6.136","matchCriteriaId":"0A32447F-A6C2-4D97-8B3B-EB4280574173"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/051e51aa55fd4cdc3e8283cf4476aeeb5f563274","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/25d9b3446001185484209cf57951f3368462b631","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/50808c13452dae43a2c90b1bbbf9daa16501ce70","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/78b97e43d0b3e674d9d49ae56937b11e2ba3fcaf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/854d7846e1d29f32f1bbeb2e869e794df12067f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/af67d35da744b6b678c7a0296d9c679658779829","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b5c14bd4da1f376f385722fe1da993f1edab6472","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e76239fed3cffd6d304d8ca3ce23984fd24f57d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31699","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:19.777","lastModified":"2026-06-01T17:16:56.640","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed\n\nWhen retrieving the PEK CSR, don't attempt to copy the blob to userspace\nif the firmware command failed. If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405\n\n CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n Call Trace:\n \n dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n print_address_description ../mm/kasan/report.c:378 [inline]\n print_report+0xbc/0x260 ../mm/kasan/report.c:482\n kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n check_region_inline ../mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n copy_to_user ../include/linux/uaccess.h:236 [inline]\n sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872\n sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562\n vfs_ioctl ../fs/ioctl.c:51 [inline]\n __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.6.136","matchCriteriaId":"0A32447F-A6C2-4D97-8B3B-EB4280574173"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0fb87e44b81385f940b482cba5b3f0bd18fb8185","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/111dcc6d0f016076745824a787d25609d0022f4c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/372116eece159adff631b1508344c8b85ebf9559","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3b4fd8f15765d9a3105b834dba8a05d025e5e16e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/502d10a1d9d477e6c7fc7021a2dac7018f4ab8b5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/59e9ae81f8670ccc780bc75f45a355736f640ec9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/607ba280f2adb5092cf5386c3935afac2ca0031a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/abe4a6d6f606113251868c2c4a06ba904bb41eed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31701","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:20.020","lastModified":"2026-06-01T17:16:56.813","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: take a reference on the USB device in create_card()\n\nThe caiaq driver stores a pointer to the parent USB device in\ncdev->chip.dev but never takes a reference on it. The card's\nprivate_free callback, snd_usb_caiaq_card_free(), can run\nasynchronously via snd_card_free_when_closed() after the USB\ndevice has already been disconnected and freed, so any access to\ncdev->chip.dev in that path dereferences a freed usb_device.\n\nOn top of the refcounting issue, the current card_free implementation\ncalls usb_reset_device(cdev->chip.dev). A reset in a free callback\nis inappropriate: the device is going away, the call takes the\ndevice lock in a teardown context, and the reset races with the\ndisconnect path that the callback is already cleaning up after.\n\nTake a reference on the USB device in create_card() with\nusb_get_dev(), drop it with usb_put_dev() in the free callback,\nand remove the usb_reset_device() call."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*","matchCriteriaId":"5A3F9505-6B98-4269-8B81-127E55A1BF00"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/493b3a682ededc804555755f5d2193201339612d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ac7345f68cda6989016d85d63f7b244c064aa8f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dbcf7588e8dea017ddb3f18ec2766f7d2e5f2a0e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31702","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:20.140","lastModified":"2026-06-01T17:16:56.963","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()\n\nIn f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring\nthe F2FS_WB_CP_DATA counter to zero, unblocking\nf2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount\nCPU. The unmount path then proceeds to call\nf2fs_destroy_page_array_cache(sbi), which destroys\nsbi->page_array_slab via kmem_cache_destroy(), and eventually\nkfree(sbi). Meanwhile, the bio completion callback is still executing:\nwhen it reaches page_array_free(sbi, ...), it dereferences\nsbi->page_array_slab — a destroyed slab cache — to call\nkmem_cache_free(), causing a use-after-free.\n\nThis is the same class of bug as CVE-2026-23234 (which fixed the\nequivalent race in f2fs_write_end_io() in data.c), but in the\ncompressed writeback completion path that was not covered by that fix.\n\nFix this by moving dec_page_count() to after page_array_free(), so\nthat all sbi accesses complete before the counter decrement that can\nunblock unmount. For non-last folios (where atomic_dec_return on\ncic->pending_pages is nonzero), dec_page_count is called immediately\nbefore returning — page_array_free is not reached on this path, so\nthere is no post-decrement sbi access. For the last folio,\npage_array_free runs while the F2FS_WB_CP_DATA counter is still\nnonzero (this folio has not yet decremented it), keeping sbi alive,\nand dec_page_count runs as the final operation."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6","versionEndExcluding":"6.6.136","matchCriteriaId":"C8FF327A-4809-4F9C-B926-FF8D39DAAA1D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*","matchCriteriaId":"0D38F0BF-A728-4133-A358-D44A2F7EE6D6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2c97dcb6147c8f7f25c629b93be1e69617de5d4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/39d4ee19c1e7d753dd655aebee632271b171f43a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/57bc678f36ac03281e877c6b84877b43f964143f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c76cf339b87975ae5b2c06d2d774d5667d25a12a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ef57cd3329b40c739b9a2e1a8a21ecc4171c6280","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f5154cf3ce1c8193f0c1891d3769f62740cfe6fe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31704","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:20.367","lastModified":"2026-06-01T17:16:57.097","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use check_add_overflow() to prevent u16 DACL size overflow\n\nset_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes\nin u16 variables. When a file has many POSIX ACL entries, the\naccumulated size can wrap past 65535, causing the pointer arithmetic\n(char *)pndace + *size to land within already-written ACEs. Subsequent\nwrites then overwrite earlier entries, and pndacl->size gets a\ntruncated value.\n\nUse check_add_overflow() at each accumulation point to detect the\nwrap before it corrupts the buffer, consistent with existing\ncheck_mul_overflow() usage elsewhere in smbacl.c."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.136","matchCriteriaId":"B1ABA9F0-A5C4-4CBE-92EC-33CA7D4F7634"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/299f962c0b02d048fb45d248b4da493d03f3175d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/41e53a773db6342ac9a689ee5ba635c31744c9f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5e7b8f3c539d69b2ed5f2408e2f75e68ce7eef43","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8d5729350b236896f51379588d9a690b7fafb8db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e1955a94b6f17f4b058afa955a6f187eb3ed7615","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ef7902be3f215b6bf7babe4dc9dd9a7d57dad7a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31705","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:20.473","lastModified":"2026-06-01T17:16:57.243","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment\n\nsmb2_get_ea() applies 4-byte alignment padding via memset() after\nwriting each EA entry. The bounds check on buf_free_len is performed\nbefore the value memcpy, but the alignment memset fires unconditionally\nafterward with no check on remaining space.\n\nWhen the EA value exactly fills the remaining buffer (buf_free_len == 0\nafter value subtraction), the alignment memset writes 1-3 NUL bytes\npast the buf_free_len boundary. In compound requests where the response\nbuffer is shared across commands, the first command (e.g., READ) can\nconsume most of the buffer, leaving a tight remainder for the QUERY_INFO\nEA response. The alignment memset then overwrites past the physical\nkvmalloc allocation into adjacent kernel heap memory.\n\nAdd a bounds check before the alignment memset to ensure buf_free_len\ncan accommodate the padding bytes.\n\nThis is the same bug pattern fixed by commit beef2634f81f (\"ksmbd: fix\npotencial OOB in get_file_all_info() for compound requests\") and\ncommit fda9522ed6af (\"ksmbd: fix OOB write in QUERY_INFO for compound\nrequests\"), both of which added bounds checks before unconditional\nwrites in QUERY_INFO response handlers."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.145","versionEndExcluding":"5.16","matchCriteriaId":"B98C9201-BF17-4E2C-84FF-75EE2AA94DC5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.71","versionEndExcluding":"6.2","matchCriteriaId":"163E72B5-0F5D-49E2-AAEA-F11E02D730AD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.136","matchCriteriaId":"D1C8822E-08AF-49C3-8A31-F806E5FAE5E7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/30010c952077a1c89ecdd71fc4d574c75a8f5617","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/790304c02bf9bd7b8171feda4294d6e62d32ae8f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/922d48fe8c19f388ffa2f709f33acaae4e408de2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/98f3de6ef4efbd899348d333f0902dc4ff14380c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ddbbc8b2a09dd2cfed90871313e3691ae1db08a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ffbce350c6fd1e99116ea57383b9031717e36d3b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31708","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:20.837","lastModified":"2026-06-01T17:16:57.450","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path\n\nsmb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL\nand the default QUERY_INFO path. The QUERY_INFO branch clamps\nqi.input_buffer_length to the server-reported OutputBufferLength and then\ncopies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but\nit never verifies that the flexible-array payload actually fits within\nrsp_iov[1].iov_len.\n\nA malicious server can return OutputBufferLength larger than the actual\nQUERY_INFO response, causing copy_to_user() to walk past the response\nbuffer and expose adjacent kernel heap to userspace.\n\nGuard the QUERY_INFO copy with a bounds check on the actual Buffer\npayload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)\nrather than an open-coded addition so the guard cannot overflow on\n32-bit builds."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.6.136","matchCriteriaId":"B28CAC2A-4B06-4D07-8736-82E515099010"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/078fae8f50adebb903ccf2252b44391324571e78","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1dd757379997b71a328a4b591ffaf481acd0ead1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/85fd46ee26a11841c670449508025965f61ce131","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a34d456934fe42e4da5d2cc07787bf418bee99c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ac2f14e4705d020f04e806efa0d49ab8dc2b145f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31711","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:21.150","lastModified":"2026-06-01T17:16:57.597","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix active_num_conn leak on transport allocation failure\n\nCommit 77ffbcac4e56 (\"smb: server: fix leak of active_num_conn in\nksmbd_tcp_new_connection()\") addressed the kthread_run() failure\npath. The earlier alloc_transport() == NULL path in the same\nfunction has the same leak, is reachable pre-authentication via any\nTCP connect to port 445, and was empirically reproduced on UML\n(ARCH=um, v7.0-rc7): a small number of forced allocation failures\nwere sufficient to put ksmbd into a state where every subsequent\nconnection attempt was rejected for the remainder of the boot.\n\nksmbd_kthread_fn() increments active_num_conn before calling\nksmbd_tcp_new_connection() and discards the return value, so when\nalloc_transport() returns NULL the socket is released and -ENOMEM\nreturned without decrementing the counter. Each such failure\npermanently consumes one slot from the max_connections pool; once\ncumulative failures reach the cap, atomic_inc_return() hits the\nthreshold on every subsequent accept and every new connection is\nrejected. The counter is only reset by module reload.\n\nAn unauthenticated remote attacker can drive the server toward the\nmemory pressure that makes alloc_transport() fail by holding open\nconnections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN\n(0x00FFFFFF); natural transient allocation failures on a loaded\nhost produce the same drift more slowly.\n\nMirror the existing rollback pattern in ksmbd_kthread_fn(): on the\nalloc_transport() failure path, decrement active_num_conn gated on\nserver_conf.max_connections.\n\nRepro details: with the patch reverted, forced alloc_transport()\nNULL returns leaked counter slots and subsequent connection\nattempts -- including legitimate connects issued after the\nforced-fail window had closed -- were all rejected with \"Limit the\nmaximum number of connections\". With this patch applied, the same\nconnect sequence produces no rejections and the counter cycles\ncleanly between zero and one on every accept."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.91","versionEndExcluding":"5.16","matchCriteriaId":"ED68583F-E9BC-4090-BF89-17DA58537455"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.9","versionEndExcluding":"6.2","matchCriteriaId":"64423FA1-5CBD-4C54-B021-9A38E16861A1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.1","versionEndExcluding":"6.6.136","matchCriteriaId":"F9B6E58F-A6C7-42EF-B789-FD0BB75AA71A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*","matchCriteriaId":"3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*","matchCriteriaId":"4AB8D555-648E-4F2F-98BD-3E7F45BD12A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc7:*:*:*:*:*:*","matchCriteriaId":"C64BDD9D-C663-4E75-AE06-356EDC392B82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc8:*:*:*:*:*:*","matchCriteriaId":"26544390-88E4-41CA-98BF-7BB1E9D4E243"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/283027aa93380380a0994f35dde3ec95318f2654","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/295a9fc6789d1011c36ded9f0f2907bb34fa0de4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/60734c8bc3b4aa0672e251f08dda81977e4b5387","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6551300dc452ac16a855a83dbd1e74899542d3b3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/97f8d2648ef4871e4cd335e2d769cb40054a6772","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fb48185bcd946d42de7017cf27f912f8ab26acf0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31716","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:21.743","lastModified":"2026-06-01T17:16:57.753","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: validate rec->used in journal-replay file record check\n\ncheck_file_record() validates rec->total against the record size but\nnever validates rec->used. The do_action() journal-replay handlers read\nrec->used from disk and use it to compute memmove lengths:\n\n DeleteAttribute: memmove(attr, ..., used - asize - roff)\n CreateAttribute: memmove(..., attr, used - roff)\n change_attr_size: memmove(..., used - PtrOffset(rec, next))\n\nWhen rec->used is smaller than the offset of a validated attribute, or\nlarger than the record size, these subtractions can underflow allowing\nus to copy huge amounts of memory in to a 4kb buffer, generally\nconsidered a bad idea overall.\n\nThis requires a corrupted filesystem, which isn't a threat model the\nkernel really needs to worry about, but checking for such an obvious\nout-of-bounds value is good to keep things robust, especially on journal\nreplay\n\nFix this up by bounding rec->used correctly.\n\nThis is much like commit b2bc7c44ed17 (\"fs/ntfs3: Fix slab-out-of-bounds\nread in DeleteIndexEntryRoot\") which checked different values in this\nsame switch statement."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.136","matchCriteriaId":"B1ABA9F0-A5C4-4CBE-92EC-33CA7D4F7634"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0112e6279420d4005b3d57af36fb45c01b8d0116","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0ca0485e4b2e837ebb6cbd4f2451aba665a03e4b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1393a467a9607e62123806de7d4c3a3e54e396a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4b1613d7e2deda831a97e427d1ea586e50fe1be5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8e64d33198b5a0fb14a452708bad844f94f03b2c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f79d0403ea20a81bc29105bba54fbcab54e8c403","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f90b8a1798b750755a9e9aee66678f0a1820bbaf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31717","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T14:16:21.860","lastModified":"2026-06-01T17:16:57.890","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate owner of durable handle on reconnect\n\nCurrently, ksmbd does not verify if the user attempting to reconnect\nto a durable handle is the same user who originally opened the file.\nThis allows any authenticated user to hijack an orphaned durable handle\nby predicting or brute-forcing the persistent ID.\n\nAccording to MS-SMB2, the server MUST verify that the SecurityContext\nof the reconnect request matches the SecurityContext associated with\nthe existing open.\nAdd a durable_owner structure to ksmbd_file to store the original opener's\nUID, GID, and account name. and catpure the owner information when a file\nhandle becomes orphaned. and implementing ksmbd_vfs_compare_durable_owner()\nto validate the identity of the requester during SMB2_CREATE (DHnC)."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.32","versionEndExcluding":"6.7","matchCriteriaId":"2C15E547-F33F-4337-A576-685C65C6D439"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.18.25","matchCriteriaId":"FB3AD8C5-FEB3-4B8C-A314-EFD501361AE9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*","matchCriteriaId":"B1EF7059-E670-45F4-B422-54C40FA86390"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/00ce8d6789dae72d042a4522264964c72891ca37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/49110a8ce654bbe56bef7c5e44cce31f4b102b8a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/712cdf917e77a6444ce3836874829d770db20ee6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c7f0f0d01c88bdcb8b1694d7d321670013f7ed7d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c908c853f304a4969b5aa10eba0b50350cc65b80","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43052","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-01T15:16:51.670","lastModified":"2026-06-01T17:17:00.917","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check tdls flag in ieee80211_tdls_oper\n\nWhen NL80211_TDLS_ENABLE_LINK is called, the code only checks if the\nstation exists but not whether it is actually a TDLS station. This\nallows the operation to proceed for non-TDLS stations, causing\nunintended side effects like modifying channel context and HT\nprotection before failing.\n\nAdd a check for sta->sta.tdls early in the ENABLE_LINK case, before\nany side effects occur, to ensure the operation is only allowed for\nactual TDLS peers."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"6.12.81","matchCriteriaId":"D380DB7C-C66B-4BEC-9529-5AC7B5E565D9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.22","matchCriteriaId":"C9DF8BCE-36D3-475D-9D21-19E4F02F9029"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.12","matchCriteriaId":"0A2B9540-02D5-41B4-B16A-82AF66FD4F36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/44839ea7e96b3659a1606f3d5267063135479b7c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6813a8b1b240756dad4375f3e020ce10e4e3871b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7d73872d949c488a1d7c308031d6a9d89b5e0a8b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8148c2fda4ebb17104a573649c9b699208ad10ee","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ba5b43db126a5e7378553869e3f7954d9187349f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/be81f17151fcb8546a95f35ca8f4231b065985de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e77b2937aaa20264e4bd699d3244bdb50e7e3343","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-22165","sourceIdentifier":"367425dc-4d06-4041-9650-c2dc6aaa27ce","published":"2026-05-01T16:16:29.437","lastModified":"2026-06-01T17:15:59.733","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable further exploits on the device."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"367425dc-4d06-4041-9650-c2dc6aaa27ce","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:imaginationtech:ddk:*:*:*:*:*:*:*:*","versionEndIncluding":"25.2","matchCriteriaId":"1D75CD5B-2B2E-44C9-8422-D808630103B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:imaginationtech:ddk:25.3:rtm:*:*:*:*:*:*","matchCriteriaId":"6B3E39FF-6C96-4A0B-9CE1-595C785DF920"}]}]}],"references":[{"url":"https://www.imaginationtech.com/gpu-driver-vulnerabilities/","source":"367425dc-4d06-4041-9650-c2dc6aaa27ce","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-22166","sourceIdentifier":"367425dc-4d06-4041-9650-c2dc6aaa27ce","published":"2026-05-01T16:16:29.563","lastModified":"2026-06-01T17:15:17.460","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A web page that contains unusual WebGPU content loaded into the GPU GLES render process and can trigger write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing graphics workload has system privileges this could enable subsequent exploit on the system."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"367425dc-4d06-4041-9650-c2dc6aaa27ce","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:imaginationtech:ddk:*:*:*:*:*:*:*:*","versionEndIncluding":"25.2","matchCriteriaId":"1D75CD5B-2B2E-44C9-8422-D808630103B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:imaginationtech:ddk:25.3:rtm:*:*:*:*:*:*","matchCriteriaId":"6B3E39FF-6C96-4A0B-9CE1-595C785DF920"}]}]}],"references":[{"url":"https://www.imaginationtech.com/gpu-driver-vulnerabilities/","source":"367425dc-4d06-4041-9650-c2dc6aaa27ce","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-22167","sourceIdentifier":"367425dc-4d06-4041-9650-c2dc6aaa27ce","published":"2026-05-01T16:16:29.693","lastModified":"2026-06-01T17:10:47.440","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Software installed and run as a non-privileged user may conduct improper GPU system calls to force GPU to write to arbitrary physical memory pages.\n\n\n\nUnder certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour.\n\n\n\nThis attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"367425dc-4d06-4041-9650-c2dc6aaa27ce","type":"Secondary","description":[{"lang":"en","value":"CWE-119"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:imaginationtech:ddk:*:*:*:*:*:*:*:*","versionEndIncluding":"25.2","matchCriteriaId":"1D75CD5B-2B2E-44C9-8422-D808630103B4"},{"vulnerable":true,"criteria":"cpe:2.3:a:imaginationtech:ddk:25.3:rtm:*:*:*:*:*:*","matchCriteriaId":"6B3E39FF-6C96-4A0B-9CE1-595C785DF920"}]}]}],"references":[{"url":"https://www.imaginationtech.com/gpu-driver-vulnerabilities/","source":"367425dc-4d06-4041-9650-c2dc6aaa27ce","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-42480","sourceIdentifier":"cve@mitre.org","published":"2026-05-01T16:16:32.047","lastModified":"2026-06-01T17:08:46.640","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A stack-based out-of-bounds read vulnerability in VrmlData_Scene::ReadLine in the VRML parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. The issue occurs because the quoted-string escape handler uses ptr[++anOffset] without proper bounds checking, which can read past the end of a fixed-size stack buffer."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.3","matchCriteriaId":"13B8FE30-EAE8-4F3E-8F5C-E81BD438FF6C"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:beta1:*:*:*:*:*:*","matchCriteriaId":"0B51DDC9-FDA5-4701-8CA3-5B589D72FA88"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc1:*:*:*:*:*:*","matchCriteriaId":"57733587-FB01-4201-8509-E81B6AE94AE3"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc2:*:*:*:*:*:*","matchCriteriaId":"86CF4B98-CCD3-4463-9A24-231128DDF85A"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F3987B9C-2448-4281-9A5C-FB6AF0336C3B"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc4:*:*:*:*:*:*","matchCriteriaId":"632D1594-AD1F-4F80-86F7-F8850F3574EC"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc5:*:*:*:*:*:*","matchCriteriaId":"267468E1-F54F-44AF-B74F-DFD29354243B"}]}]}],"references":[{"url":"https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a","source":"cve@mitre.org","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-42481","sourceIdentifier":"cve@mitre.org","published":"2026-05-01T16:16:32.163","lastModified":"2026-06-01T17:08:02.980","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabilities in its IGES and STEP file parsers that can be triggered by crafted IGES or STEP files. These issues include an out-of-bounds read in Geom2d_BSplineCurve::EvalD0 during IGES B-spline curve evaluation, an out-of-bounds read in MakeBSplineCurveCommon during STEP B-spline curve construction, and infinite recursion in StepShape_OrientedEdge::EdgeStart when processing a self-referential OrientedEdge entity. Successful exploitation may result in denial of service or unintended memory disclosure."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.3","matchCriteriaId":"13B8FE30-EAE8-4F3E-8F5C-E81BD438FF6C"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:beta1:*:*:*:*:*:*","matchCriteriaId":"0B51DDC9-FDA5-4701-8CA3-5B589D72FA88"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc1:*:*:*:*:*:*","matchCriteriaId":"57733587-FB01-4201-8509-E81B6AE94AE3"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc2:*:*:*:*:*:*","matchCriteriaId":"86CF4B98-CCD3-4463-9A24-231128DDF85A"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F3987B9C-2448-4281-9A5C-FB6AF0336C3B"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc4:*:*:*:*:*:*","matchCriteriaId":"632D1594-AD1F-4F80-86F7-F8850F3574EC"},{"vulnerable":true,"criteria":"cpe:2.3:a:opencascade:open_cascade_technology:8.0.0:rc5:*:*:*:*:*:*","matchCriteriaId":"267468E1-F54F-44AF-B74F-DFD29354243B"}]}]}],"references":[{"url":"https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a","source":"cve@mitre.org","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-43058","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-02T07:16:20.830","lastModified":"2026-06-01T17:17:01.063","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix pass-by-value structs causing MSAN warnings\n\nvidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their\nargument structs by value, causing MSAN to report uninit-value warnings.\nWhile only vidtv_ts_null_write_into() has triggered a report so far,\nboth functions share the same issue.\n\nFix by passing both structs by const pointer instead, avoiding the\nstack copy of the struct along with its MSAN shadow and origin metadata.\nThe functions do not modify the structs, which is enforced by the const\nqualifier."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"6.6.136","matchCriteriaId":"0F98EDB3-BDF6-4821-9197-1BA4A2E056E2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1b2820c8a9887981634020db19f1a2425558b88e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/57b01d945ed68cebe486d495dadc4901a96d3aaa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5f8e73bde67e931468bc2a1860d78d72f0c6ba41","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6d75a9ec5bdb8cf8382eaf8f8fe831ba7d58a9d4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a73f84a30975e6c4ae06efd500d31c82564dba10","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a876d72ceba7fe5444005239f363c105767e0ecf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/be57e52e27c7cbfb400a8f255e475cbcff242baa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c034d8094fee474eb94142c17643eee2919079b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e3957eb26a3d570aefc6bb184fa8b8a1e9a4e508","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-33846","sourceIdentifier":"secalert@redhat.com","published":"2026-05-04T10:15:59.690","lastModified":"2026-06-01T21:16:41.983","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-130"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13274","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-33846","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450625","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-43064","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-05T16:16:15.567","lastModified":"2026-06-01T17:17:01.197","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix not releasing workqueue on .release()\n\nThe workqueue associated with an DSA/IAA device is not released when\nthe object is freed."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11.22","versionEndExcluding":"5.12","matchCriteriaId":"4BA7BC58-B6BD-469F-B348-D71C30EF4397"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12.5","versionEndExcluding":"5.13","matchCriteriaId":"2CA34CAF-7251-4EB2-8208-AC54EF7AD9C9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.1.168","matchCriteriaId":"04D24E88-753A-4536-B478-6EEE3223E44B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.131","matchCriteriaId":"CE6ED4D4-0046-4573-BFA9-D64143B6A89F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.80","matchCriteriaId":"97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.21","matchCriteriaId":"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.11","matchCriteriaId":"4CA2E747-A9EC-4518-9AA2-B4247FC748B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2bb9e9e93adff9cc8a138ae9a3a8d59b3452272e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3d33de353b1ff9023d5ec73b9becf80ea87af695","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/958e96533ddbd1edd127feb7624a7eed0cc379dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d02c24af126dee45247dc7890409c86d1831859d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fc34f199eb576b3a73089452fdf0056cc9a9301d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43071","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-05T16:16:16.420","lastModified":"2026-06-01T17:17:01.340","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndcache: Limit the minimal number of bucket to two\n\nThere is an OOB read problem on dentry_hashtable when user sets\n'dhash_entries=1':\n BUG: unable to handle page fault for address: ffff888b30b774b0\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: Oops: 0000 [#1] SMP PTI\n RIP: 0010:__d_lookup+0x56/0x120\n Call Trace:\n d_lookup.cold+0x16/0x5d\n lookup_dcache+0x27/0xf0\n lookup_one_qstr_excl+0x2a/0x180\n start_dirop+0x55/0xa0\n simple_start_creating+0x8d/0xa0\n debugfs_start_creating+0x8c/0x180\n debugfs_create_dir+0x1d/0x1c0\n pinctrl_init+0x6d/0x140\n do_one_initcall+0x6d/0x3d0\n kernel_init_freeable+0x39f/0x460\n kernel_init+0x2a/0x260\n\nThere will be only one bucket in dentry_hashtable when dhash_entries is\nset as one, and d_hash_shift is calculated as 32 by dcache_init(). Then,\nfollowing process will access more than one buckets(which memory region\nis not allocated) in dentry_hashtable:\n d_lookup\n b = d_hash(hash)\n dentry_hashtable + ((u32)hashlen >> d_hash_shift)\n // The C standard defines the behavior of right shift amounts\n // exceeding the bit width of the operand as undefined. The\n // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',\n // so 'b' will point to an unallocated memory region.\n hlist_bl_for_each_entry_rcu(b)\n hlist_bl_first_rcu(head)\n h->first // read OOB!\n\nFix it by limiting the minimal number of dentry_hashtable bucket to two,\nso that 'd_hash_shift' won't exceeds the bit width of type u32."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.55","versionEndExcluding":"3.11","matchCriteriaId":"5A516330-2A83-4603-8C0E-BBDFEECC27E9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12.29","versionEndExcluding":"3.13","matchCriteriaId":"25875AFE-CAEF-4D99-9B64-23F2B24C08D0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.14.19","versionEndExcluding":"3.15","matchCriteriaId":"5D53296D-7B6A-4B74-A72C-45082E6C8531"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16.3","versionEndExcluding":"3.17","matchCriteriaId":"F14E1ED6-C14D-476A-BC5C-ED4B577D6D9D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17.1","versionEndExcluding":"6.6.136","matchCriteriaId":"B950BE15-DD19-43CB-8C82-340F4AE1C2F0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.17:-:*:*:*:*:*:*","matchCriteriaId":"3A351B03-87A0-405B-8A9B-488E173E1E3B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.17:rc5:*:*:*:*:*:*","matchCriteriaId":"4223286C-F679-4FEC-B144-1C3B942BD506"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.17:rc6:*:*:*:*:*:*","matchCriteriaId":"C889AAA8-186E-433F-A31D-FF09221E1EBC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.17:rc7:*:*:*:*:*:*","matchCriteriaId":"80BC78EE-50D8-4561-A6A6-A370E72F215B"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/45b06bb5ea96f75ad81d7ef446f832ea6b0026fe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43072","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-05T16:16:16.540","lastModified":"2026-06-01T17:17:01.503","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: platform_get_irq_byname() returns an int\n\nplatform_get_irq_byname() will return a negative value if an error\nhappens, so it should be checked and not just passed directly into\ndevm_request_threaded_irq() hoping all will be ok."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.136","matchCriteriaId":"B1ABA9F0-A5C4-4CBE-92EC-33CA7D4F7634"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0","versionEndExcluding":"7.0.1","matchCriteriaId":"9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0185e0494a561edfc482507f9de89c2ad798b33d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0c1b117f7ba46fb8f6ebc5e0bfe5b58568c301ba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/59ece0d4d1db0cf483c4c51a58691f50ff81d3a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/63c11b19cdc154fa848a6c3b535bfb1dc7b60378","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9c10b83a004442c93d7a484c3d221a06a45821e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e597a809a2b97e927060ba182f58eb3e6101bc70","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ef2ee9db13b68c5e332b77c0a7108a2d4d56e114","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-31893","sourceIdentifier":"security-advisories@github.com","published":"2026-05-05T20:16:35.373","lastModified":"2026-06-01T17:04:55.260","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-61"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tunnelblick:tunnelblick:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5.3","versionEndExcluding":"8.0.1","matchCriteriaId":"0091B93B-5FCA-4B34-8578-6D73399E5D7B"},{"vulnerable":true,"criteria":"cpe:2.3:a:tunnelblick:tunnelblick:3.3:beta26:*:*:*:*:*:*","matchCriteriaId":"DA65FDFE-43E0-4846-B674-4EF26613E294"},{"vulnerable":true,"criteria":"cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta01:*:*:*:*:*:*","matchCriteriaId":"E86DA6F9-1B0E-496D-B000-3B53F32F46F9"},{"vulnerable":true,"criteria":"cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta02:*:*:*:*:*:*","matchCriteriaId":"5EEBCC0A-309F-4BF1-8B8E-548588FD9418"},{"vulnerable":true,"criteria":"cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta03:*:*:*:*:*:*","matchCriteriaId":"F94C886A-E185-4A58-B072-56B4D0FA7FAC"},{"vulnerable":true,"criteria":"cpe:2.3:a:tunnelblick:tunnelblick:9.0:beta01:*:*:*:*:*:*","matchCriteriaId":"3BBF415C-6088-4399-B99F-421E08CD79A1"}]}]}],"references":[{"url":"https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-7572","sourceIdentifier":"cve@rapid7.com","published":"2026-05-06T03:15:58.470","lastModified":"2026-06-01T16:59:31.070","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin."}],"metrics":{"cvssMetricV31":[{"source":"cve@rapid7.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.8,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"cve@rapid7.com","type":"Secondary","description":[{"lang":"en","value":"CWE-193"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*","versionEndExcluding":"0.76.5","matchCriteriaId":"A433DAE3-AFBD-446B-B24F-4E1A97E3A6D9"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"},{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/","source":"cve@rapid7.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-7573","sourceIdentifier":"cve@rapid7.com","published":"2026-05-06T03:15:59.440","lastModified":"2026-06-01T16:58:59.007","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request."}],"metrics":{"cvssMetricV31":[{"source":"cve@rapid7.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.0}]},"weaknesses":[{"source":"cve@rapid7.com","type":"Secondary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*","versionEndExcluding":"0.76.5","matchCriteriaId":"A433DAE3-AFBD-446B-B24F-4E1A97E3A6D9"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/","source":"cve@rapid7.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-43074","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:20.343","lastModified":"2026-06-01T17:17:01.667","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: defer struct eventpoll free to RCU grace period\n\nIn certain situations, ep_free() in eventpoll.c will kfree the epi->ep\neventpoll struct while it still being used by another concurrent thread.\nDefer the kfree() to an RCU callback to prevent UAF."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4.1","versionEndExcluding":"6.6.136","matchCriteriaId":"03382702-BC98-477F-87AB-A5B1011E1D0C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*","matchCriteriaId":"DE0B0BF6-0EEF-4FAD-927D-7A0DD77BEE75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07712db80857d5d09ae08f3df85a708ecfc3b61f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5b1173b165421561db29f30afc7e97d940a398a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7e8083f5eeedab0f460063b9c2c14c9a4e71a427","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/902120be4f44947df6311002addc7faf69bdbff1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a6566cd33f6f967a7651ebf2ce0dd31572e319cf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a6d57084372161f86660bc4607784420e00efe2c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ae0bb9c1fb7c2594519aeeb096cf2c3b7837b322","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43075","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:20.463","lastModified":"2026-06-01T17:17:01.787","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix out-of-bounds write in ocfs2_write_end_inline\n\nKASAN reports a use-after-free write of 4086 bytes in\nocfs2_write_end_inline, called from ocfs2_write_end_nolock during a\ncopy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on\na loop device. The actual bug is an out-of-bounds write past the inode\nblock buffer, not a true use-after-free. The write overflows into an\nadjacent freed page, which KASAN reports as UAF.\n\nThe root cause is that ocfs2_try_to_write_inline_data trusts the on-disk\nid_count field to determine whether a write fits in inline data. On a\ncorrupted filesystem, id_count can exceed the physical maximum inline data\ncapacity, causing writes to overflow the inode block buffer.\n\nCall trace (crash path):\n\n vfs_copy_file_range (fs/read_write.c:1634)\n do_splice_direct\n splice_direct_to_actor\n iter_file_splice_write\n ocfs2_file_write_iter\n generic_perform_write\n ocfs2_write_end\n ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)\n ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)\n memcpy_from_folio <-- KASAN: write OOB\n\nSo add id_count upper bound check in ocfs2_validate_inode_block() to\nalongside the existing i_size check to fix it."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.24.1","versionEndExcluding":"6.6.136","matchCriteriaId":"3C45350C-5A79-40F0-B6B0-BF9ED7FA81B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.24:-:*:*:*:*:*:*","matchCriteriaId":"6F3E61F3-1CF1-4176-94CD-89A408BCFC96"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/22df7d4de9c5cd42edf855a1de25f2106088c4c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2e6a254f9cedf51b75cc20b8b92e2209bfa04c3e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/68f9cc3bbf2ae501770cea7dc0005fc9a85e48ea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/69d3c69ade1e4285ab4ca48fe7acee0767e65604","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7bc5da4842bed3252d26e742213741a4d0ac1b14","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/947f953978b0d9463498d548d0f054f5a75be2e9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e2c9dc6b6e96f3585f2a1062ca3374a52db0938f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43076","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:20.590","lastModified":"2026-06-01T17:17:01.937","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: validate inline data i_size during inode read\n\nWhen reading an inode from disk, ocfs2_validate_inode_block() performs\nvarious sanity checks but does not validate the size of inline data. If\nthe filesystem is corrupted, an inode's i_size can exceed the actual\ninline data capacity (id_count).\n\nThis causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data\nbuffer, triggering a use-after-free when accessing directory entries from\nfreed memory.\n\nIn the syzbot report:\n - i_size was 1099511627576 bytes (~1TB)\n - Actual inline data capacity (id_count) is typically <256 bytes\n - A garbage rec_len (54648) caused ctx->pos to jump out of bounds\n - This triggered a UAF in ocfs2_check_dir_entry()\n\nFix by adding a validation check in ocfs2_validate_inode_block() to ensure\ninodes with inline data have i_size <= id_count. This catches the\ncorruption early during inode read and prevents all downstream code from\noperating on invalid data."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.24.1","versionEndExcluding":"6.6.136","matchCriteriaId":"3C45350C-5A79-40F0-B6B0-BF9ED7FA81B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.24:-:*:*:*:*:*:*","matchCriteriaId":"6F3E61F3-1CF1-4176-94CD-89A408BCFC96"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/131c0b573e1b467b7d553e9ff38003f1acd8f5f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bcd46bc261b215b3b12c557a978299eafa02ecdd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d012c782abcabe68b5b9e71be58a15e9f9d83dc1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43079","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:20.990","lastModified":"2026-06-01T17:27:41.790","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Skip discovery table for offline dies\n\nThis warning can be triggered if NUMA is disabled and the system\nboots with fewer CPUs than the number of CPUs in die 0.\n\nWARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]\n\nCurrently, the discovery table continues to be parsed even if all CPUs\nin the associated die are offline. This can lead to an array overflow\nat \"pmu->boxes[die] = box\" in uncore_pci_pmu_register(), which may\ntrigger the warning above or cause other issues."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"5.15.209","matchCriteriaId":"9F743086-ED4F-414C-BC47-C10ACDAA072C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.175","matchCriteriaId":"92385813-D91D-480D-83A1-F423D2CBB2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.136","matchCriteriaId":"0A0F1E9A-F127-4699-A014-9E08441C9A14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6cfc187d85f18f976d0fe527d4c6f6171542cc19","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7a2cb02437d92ed14fe494d8994056d5bd2c72b4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7b568e9eba2fad89a696f22f0413d44cf4a1f892","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cfab2c817d2e7e0bee98d66850246ce842ed5f18","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d18da11a5e21eac7651c8897e5e0908f6c2bc9de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dfcba8c8674cead6c88a2f269b71aa4efd3d384a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f34feda8e0c9535fee3f8870ce8bab53c2798f71","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43080","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:21.110","lastModified":"2026-06-01T17:32:26.763","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Drop large packets with UDP encap\n\nsyzbot reported a WARN on my patch series [1]. The actual issue is an\noverflow of 16-bit UDP length field, and it exists in the upstream code.\nMy series added a debug WARN with an overflow check that exposed the\nissue, that's why syzbot tripped on my patches, rather than on upstream\ncode.\n\nsyzbot's repro:\n\nr0 = socket$pppl2tp(0x18, 0x1, 0x1)\nr1 = socket$inet6_udp(0xa, 0x2, 0x0)\nconnect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)\nconnect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\\x00', '\\xff\\xff', @empty}}}}, 0x32)\nwritev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)=\"ee\", 0x34000}], 0x1)\n\nIt basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP\nencapsulation, and l2tp_xmit_core doesn't check for overflows when it\nassigns the UDP length field. The value gets trimmed to 16 bites.\n\nAdd an overflow check that drops oversized packets and avoids sending\npackets with trimmed UDP length to the wire.\n\nsyzbot's stack trace (with my patch applied):\n\nlen >= 65536u\nWARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957\nWARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957\nWARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957\nModules linked in:\nCPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]\nRIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]\nRIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327\nCode: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f\nRSP: 0018:ffffc90003d67878 EFLAGS: 00010293\nRAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000\nRDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff\nRBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004\nR10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900\nR13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000\nFS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0\nCall Trace:\n \n pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n sock_write_iter+0x503/0x550 net/socket.c:1195\n do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1\n vfs_writev+0x33c/0x990 fs/read_write.c:1059\n do_writev+0x154/0x2e0 fs/read_write.c:1105\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f636479c629\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629\nRDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003\nRBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0\n \n\n[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-674"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.23","versionEndExcluding":"5.10.258","matchCriteriaId":"9AC2FEF4-9199-4916-9D15-8E57D2E0E51C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.209","matchCriteriaId":"919C10A9-7951-4A74-BADD-C135A0A8D8B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.175","matchCriteriaId":"92385813-D91D-480D-83A1-F423D2CBB2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.136","matchCriteriaId":"0A0F1E9A-F127-4699-A014-9E08441C9A14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/02d787fd0922c71c0264449fe82d35983613e4e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/77c1489398c85a844f90205f5e76fd6bc8bb4089","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/86534c97abd6365a9a021fd767a2023e63c44469","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9ccce02d501335f59a02f26c878c5e095b16302f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a42452db035577e150ffd9adf98c56fef9fb9408","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c2994fd24997ed63d713c03313f863645adb4d6c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ebe560ea5f54134279356703e73b7f867c89db13","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f295fe86e22ff0a2ecebf05e30a387e5cf6f6ddc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43081","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:21.260","lastModified":"2026-06-01T17:35:53.500","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipa: fix GENERIC_CMD register field masks for IPA v5.0+\n\nFix the field masks to match the hardware layout documented in\ndownstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).\n\nNotably this fixes a WARN I was seeing when I tried to send \"stop\"\nto the MPSS remoteproc while IPA was up."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.6.136","matchCriteriaId":"80826360-D8A8-4142-9C89-0B1B276EBDE1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2aa50d2c1f631b405849da246043c6f683af7489","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9709b56d908acc120fe8b4ae250b3c9d749ea832","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a7d326dfb13b5a0763eccfd78836fe15199fc499","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bafc45ea30d297002750396d5f10e3018bf2cd60","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d1c66396796f23f7201b1addf06f62515035354d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43082","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:21.377","lastModified":"2026-06-01T17:38:23.670","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: txgbe: leave space for null terminators on property_entry\n\nLists of struct property_entry are supposed to be terminated with an\nempty property, this driver currently seems to be allocating exactly the\namount of entry used.\n\nChange the struct definition to leave an extra element for all\nproperty_entry."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.6.136","matchCriteriaId":"633217AB-F5E5-4200-98E4-57FB4DCE39D5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/00e1d650fa4b228ef1faea8e29effe4b4861e6e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/16eb3c2f86de9a21aefe7a6386607d4cd3947a77","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5a37d228799b0ec2c277459c83c814a59d310bc3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8eff73e58e1f8fe991522acb863164319a7f7dd3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/92c09262dac565a6b831fd724b81fe4ff76f51b4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43083","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:21.493","lastModified":"2026-06-01T17:38:57.970","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ioam6: fix OOB and missing lock\n\nWhen trace->type.bit6 is set:\n\n if (trace->type.bit6) {\n ...\n queue = skb_get_tx_queue(dev, skb);\n qdisc = rcu_dereference(queue->qdisc);\n\nThis code can lead to an out-of-bounds access of the dev->_tx[] array\nwhen is_input is true. In such a case, the packet is on the RX path and\nskb->queue_mapping contains the RX queue index of the ingress device. If\nthe ingress device has more RX queues than the egress device (dev) has\nTX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.\nAdd a check to avoid this situation since skb_get_tx_queue() does not\nclamp the index. This issue has also revealed that per queue visibility\ncannot be accurate and will be replaced later as a new feature.\n\nWhile at it, add missing lock around qdisc_qstats_qlen_backlog(). The\nfunction __ioam6_fill_trace_data() is called from both softirq and\nprocess contexts, hence the use of spin_lock_bh() here."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.18.24","matchCriteriaId":"D5A7D9B4-68BE-4C7D-80A2-FEBC86F66926"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6d1d9ed9b409e0662241e3d245d574a18f643494","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/95a1334748c95dd15546056280ade0c4b8dd7b78","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b30b1675aa2bcf0491fd3830b051df4e08a7c8ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43085","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:21.720","lastModified":"2026-06-01T18:14:48.883","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator\n\nWhen batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send()\nappends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via\nnlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put()\nhelper only zeroes alignment padding after the payload, not the payload\nitself, so four bytes of stale kernel heap data are leaked to userspace\nin the NLMSG_DONE message body.\n\nUse nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes\nthe nfgenmsg payload via nfnl_fill_hdr(), consistent with how\n__build_packet_message() already constructs NFULNL_MSG_PACKET headers."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.23.1","versionEndExcluding":"5.10.258","matchCriteriaId":"3917141C-6E13-46E7-A81D-C923107C5095"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.209","matchCriteriaId":"919C10A9-7951-4A74-BADD-C135A0A8D8B4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.175","matchCriteriaId":"92385813-D91D-480D-83A1-F423D2CBB2BA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.136","matchCriteriaId":"0A0F1E9A-F127-4699-A014-9E08441C9A14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.23:-:*:*:*:*:*:*","matchCriteriaId":"23283997-5446-4B11-8C13-C668D66EC888"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/296f18e1c3a87c915a92ed27832d5040a22d1072","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/57cc509d82b46150a11dcecc8b25eaa177eda34d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9e2182865de781c41ab16b7985e9d26dcefea867","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43086","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:21.837","lastModified":"2026-06-01T18:16:01.880","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix NULL deref in ip_vs_add_service error path\n\nWhen ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local\nvariable sched is set to NULL. If ip_vs_start_estimator() subsequently\nfails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched)\nwith sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL\ncheck (because svc->scheduler was set by the successful bind) but then\ndereferences the NULL sched parameter at sched->done_service, causing a\nkernel panic at offset 0x30 from NULL.\n\n Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)\n Call Trace:\n \n ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)\n do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)\n nf_setsockopt (net/netfilter/nf_sockopt.c:102)\n [..]\n\nFix by simply not clearing the local sched variable after a successful\nbind. ip_vs_unbind_scheduler() already detects whether a scheduler is\ninstalled via svc->scheduler, and keeping sched non-NULL ensures the\nerror path passes the correct pointer to both ip_vs_unbind_scheduler()\nand ip_vs_scheduler_put().\n\nWhile the bug is older, the problem popups in more recent kernels (6.2),\nwhen the new error path is taken after the ip_vs_start_estimator() call."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.1","versionEndExcluding":"6.6.136","matchCriteriaId":"F9B6E58F-A6C7-42EF-B789-FD0BB75AA71A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*","matchCriteriaId":"3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4039959315008888dd53c37674d33351817a5166","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/730663352c9178f33fcf5929f4a37c1f1ca5a693","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9a91797e61d286805ae10a92cc48959c30800556","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a32dabacee111cea083ddd57a03635672e1bff29","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43087","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:21.963","lastModified":"2026-06-01T18:17:23.903","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Disable all pin interrupts during probe\n\nA chip being probed may have the interrupt-on-change feature enabled on\nsome of its pins, for example after a reboot. This can cause the chip to\ngenerate interrupts for pins that don't have a registered nested handler,\nwhich leads to a kernel crash such as below:\n\n[ 7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac\n[ 7.932314] Mem abort info:\n[ 7.935081] ESR = 0x0000000096000004\n[ 7.938808] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 7.944094] SET = 0, FnV = 0\n[ 7.947127] EA = 0, S1PTW = 0\n[ 7.950247] FSC = 0x04: level 0 translation fault\n[ 7.955101] Data abort info:\n[ 7.957961] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 7.963421] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 7.968447] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000\n[ 7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000\n[ 7.986913] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 7.992545] Modules linked in:\n[ 8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199\n[ 8.073689] Hardware name: Khadas VIM3 (DT)\n[ 8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 8.094639] pc : _raw_spin_lock_irq+0x40/0x80\n[ 8.098970] lr : handle_nested_irq+0x2c/0x168\n[ 8.098979] sp : ffff800082b2bd20\n[ 8.106599] x29: ffff800082b2bd20 x28: ffff800080107920 x27: ffff800080104d88\n[ 8.106611] x26: ffff000003298080 x25: 0000000000000001 x24: 000000000000ff00\n[ 8.113707] x23: 0000000000000001 x22: 0000000000000000 x21: 000000000000000e\n[ 8.120850] x20: 0000000000000000 x19: 00000000000000ac x18: 0000000000000000\n[ 8.135046] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 8.135062] x14: ffff800081567ea8 x13: ffffffffffffffff x12: 0000000000000000\n[ 8.135070] x11: 00000000000000c0 x10: 0000000000000b60 x9 : ffff800080109e0c\n[ 8.135078] x8 : 1fffe0000069dbc1 x7 : 0000000000000001 x6 : ffff0000034ede00\n[ 8.135086] x5 : 0000000000000000 x4 : ffff0000034ede08 x3 : 0000000000000001\n[ 8.163460] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000ac\n[ 8.170560] Call trace:\n[ 8.180094] _raw_spin_lock_irq+0x40/0x80 (P)\n[ 8.184443] mcp23s08_irq+0x248/0x358\n[ 8.184462] irq_thread_fn+0x34/0xb8\n[ 8.184470] irq_thread+0x1a4/0x310\n[ 8.195093] kthread+0x13c/0x150\n[ 8.198309] ret_from_fork+0x10/0x20\n[ 8.201850] Code: d65f03c0 d2800002 52800023 f9800011 (885ffc01)\n[ 8.207931] ---[ end trace 0000000000000000 ]---\n\nThis issue has always been present, but has been latent until commit\n\"f9f4fda15e72\" (\"pinctrl: mcp23s08: init reg_defaults from HW at probe and\nswitch cache type\"), which correctly removed reg_defaults from the regmap\nand as a side effect changed the behavior of the interrupt handler so that\nthe real value of the MCP_GPINTEN register is now being read from the chip\ninstead of using a bogus 0 default value; a non-zero value for this\nregister can trigger the invocation of a nested handler which may not exist\n(yet).\nFix this issue by disabling all pin interrupts during initialization."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19.1","versionEndExcluding":"6.19.14","matchCriteriaId":"E22ACA63-5B8A-4DCA-8438-651D53A6AF34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*","matchCriteriaId":"35C8A871-4971-433E-A046-FC9F7B7D190A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/db5b8cecbdf479ad13156af750377e5b43853fab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f8c3258541a0680a4ebc08b05b2bc5fdad3288a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43089","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:22.200","lastModified":"2026-06-01T17:17:02.730","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_mapping()\n\nstruct xfrm_usersa_id has a one-byte padding hole after the proto\nfield, which ends up never getting set to zero before copying out to\nuserspace. Fix that up by zeroing out the whole structure before\nsetting individual variables."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29.1","versionEndExcluding":"6.6.136","matchCriteriaId":"1ED513DC-018F-421C-9104-163074DC3151"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1beb76b2053b68c491b78370794b8ff63c8f8c02","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/521385cbd50ca9474396d88462fcdfa6489685d9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5a1a4b049ddde41466ccac0daeec326254b133f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/700c9622b23c33b5933e6dcea816492c064e4e10","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/72a8de41c3eb4dcf22bf3b674ea38fb2f75d6f32","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c2779ae9a3e5a044e5ccd564681511bbbcc5fc0f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d3125c541a96fb3c0fc7210112684baf22b6c24d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f779a6b6cdb6e12baa0663063ac59ab2a8f20c0c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43093","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:22.667","lastModified":"2026-06-01T17:17:02.850","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: tighten UMEM headroom validation to account for tailroom and min frame\n\nThe current headroom validation in xdp_umem_reg() could leave us with\ninsufficient space dedicated to even receive minimum-sized ethernet\nframe. Furthermore if multi-buffer would come to play then\nskb_shared_info stored at the end of XSK frame would be corrupted.\n\nHW typically works with 128-aligned sizes so let us provide this value\nas bare minimum.\n\nMulti-buffer setting is known later in the configuration process so\nbesides accounting for 128 bytes, let us also take care of tailroom space\nupfront."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.118","versionEndExcluding":"4.20","matchCriteriaId":"C1D66A78-E0DD-4D66-9446-03DE28F5FE2F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.35","versionEndExcluding":"5.5","matchCriteriaId":"4ED55BB9-F8CA-4CCD-94DD-BC6F5E60E5D9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6.7","versionEndExcluding":"5.7","matchCriteriaId":"30A44027-1F59-4AF5-B227-86E61A43A865"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7.1","versionEndExcluding":"6.6.136","matchCriteriaId":"1D0E985F-975A-4107-B163-94D4DCD5FD9B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.7:-:*:*:*:*:*:*","matchCriteriaId":"3D23CE42-BDB2-4216-8495-230ABE98FCDD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.7:rc2:*:*:*:*:*:*","matchCriteriaId":"2AAE09B2-58C0-42B8-ACDA-578904723270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.7:rc3:*:*:*:*:*:*","matchCriteriaId":"59EEFC0E-2E5A-4113-A58D-2EE2CC7CFA3B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.7:rc4:*:*:*:*:*:*","matchCriteriaId":"3CC0A9A2-D528-49AA-AB7F-37C5EA7AB76D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.7:rc5:*:*:*:*:*:*","matchCriteriaId":"512FF86F-0B8C-4DEB-9041-8BD384DD2E58"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.7:rc6:*:*:*:*:*:*","matchCriteriaId":"F1AB4A11-C03C-4ABB-B596-0EB3B0F1A8DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.7:rc7:*:*:*:*:*:*","matchCriteriaId":"9D26AE9C-D49F-4FE9-8A6A-5A7199B7436E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0ec4d3f6e6934deb843b561ae048cd17218e5ad1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1a6051cd7e3e4c54ff3854a43b638b9292af5e67","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5f123bc278bf4e3283d8606321bebbfd299f4384","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6523bc1b40e69301f24c14338b762af4739d6d39","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8769708add9eadeea8041a9761771bb715a87104","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9ea6ba4f3195dcba6e8b3e7b2e748593b7cafb12","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a03975beb9f6af0d8ac051e30b2abeabe618414f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a315e022a72d95ef5f1d4e58e903cb492b0ad931","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43094","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:22.790","lastModified":"2026-06-01T17:17:03.017","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: add missing negotiate_features op to Hyper-V ops table\n\nCommit a7075f501bd3 (\"ixgbevf: fix mailbox API compatibility by\nnegotiating supported features\") added the .negotiate_features callback\nto ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot\nto add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL\non Hyper-V VMs.\n\nDuring probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),\nwhich unconditionally dereferences hw->mac.ops.negotiate_features().\nOn Hyper-V this results in a NULL pointer dereference:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n [...]\n Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]\n Workqueue: events work_for_cpu_fn\n RIP: 0010:0x0\n [...]\n Call Trace:\n ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]\n ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]\n ixgbevf_probe+0x20f/0x4a0 [ixgbevf]\n local_pci_probe+0x50/0xa0\n work_for_cpu_fn+0x1a/0x30\n [...]\n\nAdd ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and\nwire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP\ngracefully."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.158","versionEndExcluding":"6.2","matchCriteriaId":"269CADBB-7B11-43CF-9BF8-954B5BBE3FC9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.114","versionEndExcluding":"6.6.136","matchCriteriaId":"3B4693AB-5652-430E-AA6D-D6005BC338E1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.55","versionEndExcluding":"6.12.83","matchCriteriaId":"BC685D6B-EAAE-4AB3-B934-49C67FD3333D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17.5","versionEndExcluding":"6.18","matchCriteriaId":"27929282-2519-484B-B04C-5B62B31FBC5E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.1","versionEndExcluding":"6.18.24","matchCriteriaId":"A96857B3-E61E-41C6-AEFD-BCF93E7D64AC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*","matchCriteriaId":"DCE57113-2223-4308-A0F2-5E6ECFBB3C23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc2:*:*:*:*:*:*","matchCriteriaId":"A8A65C5A-918F-4E0B-8E98-08A29FFBA58A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc3:*:*:*:*:*:*","matchCriteriaId":"26CA425A-E44F-49D2-92D9-1DDD56398440"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc4:*:*:*:*:*:*","matchCriteriaId":"BEEBB43A-4C9F-46BE-AA6D-9DBFD2244E55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:*","matchCriteriaId":"2545FB83-C4A6-4F62-9ED1-09F75D2E3C78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:*","matchCriteriaId":"E955EC5D-4684-4B5D-AE4D-F2BF9ADDBA1D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.18:rc7:*:*:*:*:*:*","matchCriteriaId":"38C4D89F-9A13-4D29-8645-C9785C142C07"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1455ff8809843e6e83f1f5b5c0bcc2224c99a3cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2270ebab53128fb73c4a70a292be09094074737f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/376d74ea03589914fbe2dedcbebf418396c04fd0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4821d563cd7f251ae728be1a6d04af82a294a5b9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4db7b61ec1d1b2b67c0881b62fc4f9583bc21484","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d8a747057a17ffc79e31df1abb11d05e1669d8e5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43098","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:23.250","lastModified":"2026-06-01T17:17:03.147","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: s3fwrn5: allocate rx skb before consuming bytes\n\ns3fwrn82_uart_read() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already\ndeliver a complete frame before allocating a fresh receive buffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"6.6.136","matchCriteriaId":"40B9BA4F-676E-4F69-BF6A-3BF9DAF97D80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/09822d3d6f68a0cdc4626e0c507324a4927f55a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/20a57de2e79b797ed75382659d52bf4c7d9cb446","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5c14a19d5b1645cce1cb1252833d70b23635b632","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6d931680a9851481c3243689488eafed08eeff71","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7c31f7a599cf00fad3c204092a91a924126c67e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e4ab0fd1c91882f2a7846b1817781c8741f7f315","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43099","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:23.400","lastModified":"2026-06-01T17:17:03.280","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: icmp: fix null-ptr-deref in icmp_build_probe()\n\nipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the\nIPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing\nthis error pointer to dev_hold() will cause a kernel crash with\nnull-ptr-deref.\n\nInstead, silently discard the request. RFC 8335 does not appear to\ndefine a specific response for the case where an IPv6 interface\nidentifier is syntactically valid but the implementation cannot perform\nthe lookup at runtime, and silently dropping the request may safer than\nmisreporting \"No Such Interface\"."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.6.136","matchCriteriaId":"1CA556B4-5EB8-4B96-AEEA-6BDC9CC8BF90"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0f21bc261e60f0c696c58841c4873ff77ed83673","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/47a8bf52156ac7e7a581eca31c1f964ba4258d4d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5b9911582d441f72fe6ccb15ffe3303bbc07f6f5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6be325206850a0891896d38bcf83a09d8b54ec48","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dc5db4db19766a61ad65d81d1f55b1c1e51ba78d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f91b3ed9e7fa82a70511b5f6901c88379acf2964","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fde29fd9349327acc50d19a0b5f3d5a6c964dfd8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43103","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:23.867","lastModified":"2026-06-01T17:17:03.413","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lapbether: handle NETDEV_PRE_TYPE_CHANGE\n\nlapbeth_data_transmit() expects the underlying device type\nto be ARPHRD_ETHER.\n\nReturning NOTIFY_BAD from lapbeth_device_event() makes sure\nbonding driver can not break this expectation."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.24","versionEndExcluding":"6.6.136","matchCriteriaId":"17EDA983-F673-4AC3-9681-5368A09E90AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/328bb2cff5c2ed973f595ded769e15f4b7a117be","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/363a38044b8cd5b496d241651a1fb666e7c5fe3e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/63851f60781aa89258c8f0952cd13940aab0888e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/698642a01d53107ce9b3fc08bd801284af478a2b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a10570973619cba9dfa6d723177251b846fae587","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b117056768ab7deb434e7d72065e48d2083a0c2a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b120e4432f9f56c7103133d6a11245e617695adb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ffc5ed59f6dc87c51e8775f002619310225742e8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43104","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:23.980","lastModified":"2026-06-01T17:17:03.527","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: Fix a memory leak in hang state error path\n\nWhen vc4_save_hang_state() encounters an early return condition, it\nreturns without freeing the previously allocated `kernel_state`,\nleaking memory.\n\nAdd the missing kfree() calls by consolidating the early return paths\ninto a single place."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.6.136","matchCriteriaId":"FCEFD340-4D12-4082-8086-2A113C4D3AAD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/259e2bba3fd7005c62cbd42365a48b3221b244e3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3eb7dd55021d0f4308fbea0bea21d2118984d8e7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9487daa18e627ac6b5ed5911be79f23362554b70","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9525d169e5fd481538cf8c663cc5839e54f2e481","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c197def3834cbee3fd824ce4c57d08cb24e18955","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d8fdd6adc07b78ad3e9ee0004876d90cb59ca941","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dd5c49787a32da96a2b154427eb17cbf12a83c28","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e352e9adc9f6df54d63150ff832f71c04e30744b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43105","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:24.097","lastModified":"2026-06-01T17:17:03.653","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: Fix memory leak of BO array in hang state\n\nThe hang state's BO array is allocated separately with kzalloc() in\nvc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the\nmissing kfree() for the BO array before freeing the hang state struct."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.6.136","matchCriteriaId":"FCEFD340-4D12-4082-8086-2A113C4D3AAD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0d3c014a84396a147705f523a8fd6fc873e76502","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/421cea4f71f7cf65abaae878562ee4aa2b684628","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/686bb2fce082f043db50db02b5de5c64ca4dc4c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7235fc096ece53211bd2c0e958c65f9b802aeb98","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9c092941fc1d00933bcb46ecac1cb930db3abf5d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a812008fe3a0aebb778d277b35717f64e23d0302","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b8138567c4a80fd76a647849ebd4284996cf4b17","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f4dfd6847b3e5d24e336bca6057485116d17aea4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43110","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:24.690","lastModified":"2026-06-01T17:17:03.780","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: validate bsscfg indices in IF events\n\nbrcmf_fweh_handle_if_event() validates the firmware-provided interface\nindex before it touches drvr->iflist[], but it still uses the raw\nbsscfgidx field as an array index without a matching range check.\n\nReject IF events whose bsscfg index does not fit in drvr->iflist[]\nbefore indexing the interface array.\n\n[add missing wifi prefix]"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9","versionEndExcluding":"6.6.136","matchCriteriaId":"CE6532FC-CF36-43FE-8110-CCB1D829038D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9c81bcc2c695e0082012a2a3d36a0eefaa51579c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b329fbcf075949a038045d8e9b86ae3d5bbd8a54","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43111","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:24.807","lastModified":"2026-06-01T17:17:03.907","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: roccat: fix use-after-free in roccat_report_event\n\nroccat_report_event() iterates over the device->readers list without\nholding the readers_lock. This allows a concurrent roccat_release() to\nremove and free a reader while it's still being accessed, leading to a\nuse-after-free.\n\nProtect the readers list traversal with the readers_lock mutex."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35","versionEndExcluding":"6.6.136","matchCriteriaId":"E870C6A6-0F0A-4202-811D-96F288F882C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/181ea51ab0f6370842c5b49cfb86824253a1189e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/20dca865460f7943cf70afca274b60dac371f546","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/36bb2d0b915014bbdc5044982b31b57b78045b93","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/441689e3103694caa3e2d62b7d57c7bccefa5e37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bca0b595e15450dd66b1153c76c4ef1087ee011b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d802d848308b35220f21a8025352f0c0aba15c12","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e16a6d11bd77b81632165f02cf0d5946df74b3b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e6a445513fbc6a0329d2d5ff375b6725750ec5a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43112","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:24.927","lastModified":"2026-06-01T17:17:04.027","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath\n\nWhen cifs_sanitize_prepath is called with an empty string or a string\ncontaining only delimiters (e.g., \"/\"), the current logic attempts to\ncheck *(cursor2 - 1) before cursor2 has advanced. This results in an\nout-of-bounds read.\n\nThis patch adds an early exit check after stripping prepended\ndelimiters. If no path content remains, the function returns NULL.\n\nThe bug was identified via manual audit and verified using a\nstandalone test case compiled with AddressSanitizer, which\ntriggered a SEGV on affected inputs."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16.1","versionEndExcluding":"6.6.136","matchCriteriaId":"005FE1BE-809A-4536-BE37-C2437DE0927E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:*","matchCriteriaId":"FF588A58-013F-4DBF-A3AB-70EC054B1892"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:*","matchCriteriaId":"8A0915FE-A4AA-4C94-B783-CF29D81E7E54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc7:*:*:*:*:*:*","matchCriteriaId":"4EAC2750-F7C6-4A4E-9C04-1E450722B853"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.16:rc8:*:*:*:*:*:*","matchCriteriaId":"ED611C74-E83A-4AFA-8688-9B829C02B038"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/49b1ce6d7cfb6c5a49f68bf5ccfcfb6ba14e63c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5d4fe469fe7dbff7d874c196bb680a82f2625d95","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/78ec5bf2f589ec7fd8f169394bfeca541b077317","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/86f9c23e0814cfdffda9eedf0c591c51ba209010","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a2ba20c17de8eb028f96b1d85f119d3d25655bd9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fbced33599653471b4581dfe1abc7b467031f126","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43113","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:25.050","lastModified":"2026-06-01T17:17:04.153","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wl1251: validate packet IDs before indexing tx_frames\n\nwl1251_tx_packet_cb() uses the firmware completion ID directly to index\nthe fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the\ncompletion block, and the callback does not currently verify that it\nfits the array before dereferencing it.\n\nReject completion IDs that fall outside wl->tx_frames[] and keep the\nexisting NULL check in the same guard. This keeps the fix local to the\ntrust boundary and avoids touching the rest of the completion flow."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.31","versionEndExcluding":"6.6.136","matchCriteriaId":"F537DD4C-1540-41DE-85CB-6B14F7030A5F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/26ee518695c484f75e3606d631278e84bd24ae02","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6509dbece7339dbc8980c706b9d623119a6de105","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8d7465be5163a923ee5d7459719ef5a021c1584a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a8a11a876f0a97061ee5d9e61d0f5a0df7e241c7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b6ba1eacf276063ebeefbbae8056043c24f2efaf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/df15adc692a802636dd3f258fc7cca8bf7a0ed9a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e0dc1ad870d6788b049bfe1511ac75b2333a7550","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43114","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:25.163","lastModified":"2026-06-01T17:17:04.280","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry\n\nNew test case fails unexpectedly when avx2 matching functions are used.\n\nThe test first loads a ranomly generated pipapo set\nwith 'ipv4 . port' key, i.e. nft -f foo.\n\nThis works. Then, it reloads the set after a flush:\n(echo flush set t s; cat foo) | nft -f -\n\nThis is expected to work, because its the same set after all and it was\nalready loaded once.\n\nBut with avx2, this fails: nft reports a clashing element.\n\nThe reported clash is of following form:\n\n We successfully re-inserted\n a . b\n c . d\n\nThen we try to insert a . d\n\navx2 finds the already existing a . d, which (due to 'flush set') is marked\nas invalid in the new generation. It skips the element and moves to next.\n\nDue to incorrect masking, the skip-step finds the next matching\nelement *only considering the first field*,\n\ni.e. we return the already reinserted \"a . b\", even though the\nlast field is different and the entry should not have been matched.\n\nNo such error is reported for the generic c implementation (no avx2) or when\nthe last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.\n\nBisection points to\n7711f4bb4b36 (\"netfilter: nft_set_pipapo: fix range overlap detection\")\nbut that fix merely uncovers this bug.\n\nBefore this commit, the wrong element is returned, but erronously\nreported as a full, identical duplicate.\n\nThe root-cause is too early return in the avx2 match functions.\nWhen we process the last field, we should continue to process data\nuntil the entire input size has been consumed to make sure no stale\nbits remain in the map."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":5.5}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.6.136","matchCriteriaId":"BC0C578E-B609-43BE-90EB-06C9FE9CA83D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/07de44424bb7f17ef9357e8535df96d9e97c40cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0abbc43f71d99baadeeba6fa3fe1c80b676f57ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/1c43f0dd8691ddf8884793b481ddc7511cf593c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3d53f9aafd469ae1ea27051e00f5b96ca1b55d52","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c7babe2f28b507e17f28e9f753b7caec72d4857f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d3c0037ffe1273fa1961e779ff6906234d6cf53c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f8c39983fc9c1a978c82e6f2df7bfba8a8561587","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fa4f1f52528c73989d820f32bfca06bec5afeece","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43117","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T10:16:25.513","lastModified":"2026-06-01T17:17:04.420","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()\n\nIf overlay is used on top of btrfs, dentry->d_sb translates to overlay's\nsuper block and fsid assignment will lead to a crash.\n\nUse file_inode(file)->i_sb to always get btrfs_sb."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.6.136","matchCriteriaId":"130C6A37-2766-49E1-848F-2410950B4262"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.83","matchCriteriaId":"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24","matchCriteriaId":"8126B8B8-6D0B-4443-86C1-672AEE893555"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.14","matchCriteriaId":"D6A8A074-BBF4-4803-ABED-519A839435BB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2e4adfaec97ee053ad1bdfb5036845e66f7e0d8a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/32372781d664a9b03c40343e96c29d0a6139f97d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4a7bab35fad5251c8cb738161152578cd83b6b9c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/520e8b4bcf872a534a7bf61ccf880047642df296","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a85b46db143fda5869e7d8df8f258ccef5fa1719","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c09a7446aab5773f38d6abb25fce99b8e1dfbc97","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d110d7cdb045715c0b45b0dfd974525bb38f653d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e252db8ca2a01f82d472091f35d549b313278636","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2025-71289","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T12:16:28.103","lastModified":"2026-06-01T17:16:38.873","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: handle attr_set_size() errors when truncating files\n\nIf attr_set_size() fails while truncating down, the error is silently\nignored and the inode may be left in an inconsistent state."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.19.6","matchCriteriaId":"B425F6AD-2EF9-4AE4-A9ED-BD6089D20ECB"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3a718675d6af4992e34ffe86b8f36d471a5afe0e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/576248a34b927e93b2fd3fff7df735ba73ad7d01","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6dfea43d11513b7f2892529de55e8f0855108a2c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d73dcd1520d65a34420761641a36b951b14c8c53","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43173","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T12:16:35.707","lastModified":"2026-06-01T17:17:04.543","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: xscale: Check for PTP support properly\n\nIn ixp4xx_get_ts_info() ixp46x_ptp_find() is called\nunconditionally despite this feature only existing on\nixp46x, leading to the following splat from tcpdump:\n\nroot@OpenWrt:~# tcpdump -vv -X -i eth0\n(...)\nUnable to handle kernel NULL pointer dereference at virtual address\n 00000238 when read\n(...)\nCall trace:\n ptp_clock_index from ixp46x_ptp_find+0x1c/0x38\n ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64\n ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108\n __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648\n __dev_ethtool from dev_ethtool+0x160/0x234\n dev_ethtool from dev_ioctl+0x2cc/0x460\n dev_ioctl from sock_ioctl+0x1ec/0x524\n sock_ioctl from sys_ioctl+0x51c/0xa94\n sys_ioctl from ret_fast_syscall+0x0/0x44\n (...)\nSegmentation fault\n\nCheck for ixp46x in ixp46x_ptp_find() before trying to set up\nPTP to avoid this.\n\nTo avoid altering the returned error code from ixp4xx_hwtstamp_set()\nwhich before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP\nfrom ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter\nthe error code. The helper function ixp46x_ptp_find() helper\nreturns -ENODEV."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.202","matchCriteriaId":"B0330CE4-09CE-43EF-A9C8-CD49FFD1DC98"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.165","matchCriteriaId":"797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.128","matchCriteriaId":"851E9353-6C09-4CC9-877E-E09DB164A3C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.75","matchCriteriaId":"BCE16369-98ED-41CF-8995-DFDC10B288D2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.16","matchCriteriaId":"B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/21d1e80d0d6e7d0c3cd8b1e001ed1fa92fb9f3f5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2d74412dfd3621552a394d55cc3dd26a7cbf608e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/322437972f0a712767f6920ad34aba25f2e9b942","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/594163ea88a03bdb412063af50fc7177ef3cbeae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cbecebd35909f6cd0f6fb773f0fb73da99e02f8c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43281","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-06T12:16:49.587","lastModified":"2026-06-01T17:17:04.680","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()\n\nAlthough it is guided that `#mbox-cells` must be at least 1, there are\nmany instances of `#mbox-cells = <0>;` in the device tree. If that is\nthe case and the corresponding mailbox controller does not provide\n`fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will\nbe used by default and out-of-bounds accesses could occur due to lack of\nbounds check in that function."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18.1","versionEndExcluding":"6.1.167","matchCriteriaId":"DF38EC6B-E140-4F00-8705-4F8DFC83958D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.130","matchCriteriaId":"C57BB918-DF28-46B3-94F7-144176841267"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.77","matchCriteriaId":"B3D12E00-E42D-4056-B354-BAD4903C03A5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.16","matchCriteriaId":"B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:-:*:*:*:*:*:*","matchCriteriaId":"2C941823-DB24-432E-8F78-90665662756A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc2:*:*:*:*:*:*","matchCriteriaId":"E909F0A0-2398-4420-AA63-605C42F5CADF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc3:*:*:*:*:*:*","matchCriteriaId":"77E4C479-2D2C-4009-8D71-18AF50454D7B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc4:*:*:*:*:*:*","matchCriteriaId":"C5AE67DB-5E94-4439-98E9-761ACCC48A4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc5:*:*:*:*:*:*","matchCriteriaId":"777DE673-1457-420F-AAAF-9B1E3AC79328"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc6:*:*:*:*:*:*","matchCriteriaId":"222D33AD-EC2D-4813-83C2-B904534BFCFE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:3.18:rc7:*:*:*:*:*:*","matchCriteriaId":"A5F9AEA5-34CE-4ED3-9821-6C7435CE3320"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/01d9a8c2615d436b2b30c19c1afe9fcd5726ff6d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2662ed331a69c0b551f78af58f12eb629a89a36f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2c7ff651ec6b660c7c96a36db9328b3232f555d8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/31c4c67dec3362094a6747a171a4848e98542265","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4caae8168d1b808c7d4ff481295292e3f97f90fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ec0874447895b994182a962d2fee9ef075de5efd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f50b39fd7c72a8734153644ee945ca0d8b2e65ab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fcd7f96c783626c07ee3ed75fa3739a8a2052310","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-42010","sourceIdentifier":"secalert@redhat.com","published":"2026-05-07T12:16:17.977","lastModified":"2026-06-01T21:16:44.243","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-626"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*","matchCriteriaId":"33A22858-21E1-479F-A9C4-AD2EFD059B93"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*","matchCriteriaId":"87DEB507-5B64-47D7-9A50-3B87FD1E571F"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","matchCriteriaId":"932D137F-528B-4526-9A89-CD59FA1AB0FE"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*","matchCriteriaId":"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13274","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-42010","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467289","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-42011","sourceIdentifier":"secalert@redhat.com","published":"2026-05-07T15:16:09.760","lastModified":"2026-06-01T21:16:44.383","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-295"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13274","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-42011","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467437","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-26129","sourceIdentifier":"secure@microsoft.com","published":"2026-05-07T22:16:33.607","lastModified":"2026-06-01T19:16:22.423","vulnStatus":"Modified","cveTags":[{"sourceIdentifier":"secure@microsoft.com","tags":["exclusively-hosted-service"]}],"descriptions":[{"lang":"en","value":"Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-138"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_copilot_chat:-:*:*:*:*:*:*:*","matchCriteriaId":"431CBC2E-E9C8-4A85-B619-F7782685F815"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26129","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-26164","sourceIdentifier":"secure@microsoft.com","published":"2026-05-07T22:16:33.773","lastModified":"2026-06-01T19:16:22.660","vulnStatus":"Modified","cveTags":[{"sourceIdentifier":"secure@microsoft.com","tags":["exclusively-hosted-service"]}],"descriptions":[{"lang":"en","value":"Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_copilot_chat:-:*:*:*:*:*:*:*","matchCriteriaId":"431CBC2E-E9C8-4A85-B619-F7782685F815"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26164","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-33844","sourceIdentifier":"secure@microsoft.com","published":"2026-05-07T22:16:34.420","lastModified":"2026-06-01T19:16:25.740","vulnStatus":"Modified","cveTags":[{"sourceIdentifier":"secure@microsoft.com","tags":["exclusively-hosted-service"]}],"descriptions":[{"lang":"en","value":"Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","baseScore":9.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:azure_managed_instance_for_apache_cassandra:-:*:*:*:*:*:*:*","matchCriteriaId":"110D400E-5713-4224-B11D-0AB0F76E6D9C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33844","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-43319","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T14:16:40.480","lastModified":"2026-06-01T17:17:04.817","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spidev: fix lock inversion between spi_lock and buf_lock\n\nThe spidev driver previously used two mutexes, spi_lock and buf_lock,\nbut acquired them in different orders depending on the code path:\n\n write()/read(): buf_lock -> spi_lock\n ioctl(): spi_lock -> buf_lock\n\nThis AB-BA locking pattern triggers lockdep warnings and can\ncause real deadlocks:\n\n WARNING: possible circular locking dependency detected\n spidev_ioctl() -> mutex_lock(&spidev->buf_lock)\n spidev_sync_write() -> mutex_lock(&spidev->spi_lock)\n *** DEADLOCK ***\n\nThe issue is reproducible with a simple userspace program that\nperforms write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from\nseparate threads on the same spidev file descriptor.\n\nFix this by simplifying the locking model and removing the lock\ninversion entirely. spidev_sync() no longer performs any locking,\nand all callers serialize access using spi_lock.\n\nbuf_lock is removed since its functionality is fully covered by\nspi_lock, eliminating the possibility of lock ordering issues.\n\nThis removes the lock inversion and prevents deadlocks without\nchanging userspace ABI or behaviour."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-667"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.75","matchCriteriaId":"962DD04D-AFB4-4916-A3EC-C09D8519676D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.16","matchCriteriaId":"B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/40534d19ed2afb880ecf202dab26a8e7a5808d16","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/41ccfac7d302968a4f32b5f7b012d066c5f5cdf8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/e341e18215030af2136836b78508e0d798916df7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f8431b8672231d378b03176fe74c95adfd3522cf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/fabfed1afe273717ea33b8aee46b767360edbb80","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43328","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T14:16:42.397","lastModified":"2026-06-01T17:17:04.943","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path\n\nWhen kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls\nkobject_put(&dbs_data->attr_set.kobj).\n\nThe kobject release callback cpufreq_dbs_data_release() calls\ngov->exit(dbs_data) and kfree(dbs_data), but the current error path\nthen calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a\ndouble free.\n\nKeep the direct kfree(dbs_data) for the gov->init() failure path, but\nafter kobject_init_and_add() has been called, let kobject_put() handle\nthe cleanup through cpufreq_dbs_data_release()."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.10.253","matchCriteriaId":"C3D51ED9-EA30-4B3D-849A-76A8B14B442E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"6.1.168","matchCriteriaId":"D56FB7B6-F765-4875-AF39-A6EBC6F5CD4C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.134","matchCriteriaId":"F56F925B-BAF8-4F4B-B62F-1496AF19A307"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.81","matchCriteriaId":"6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.22","matchCriteriaId":"C9DF8BCE-36D3-475D-9D21-19E4F02F9029"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.12","matchCriteriaId":"0A2B9540-02D5-41B4-B16A-82AF66FD4F36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.1.6:*:*:*:*:*:*:*","matchCriteriaId":"E0B7D43E-3632-4F0C-9719-99E6F5752967"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/019ea28629720c220daedf38107c8787f330dc05","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3bf9d023d2329a0e5379f2fd09d06ef09729cd9d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/427d048e4f6acbfa01b5a8062449fe0ee8987c0d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4b9118e93d2499bb2808ef3742fa0ce06f4f8117","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/56bc91ee78babe9578585a2bc137abc4b3115ff3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/da39ee627fd82b52068d4d5f115749a8b7d271f9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-43350","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-08T14:16:45.123","lastModified":"2026-06-01T17:17:05.100","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: require a full NFS mode SID before reading mode bits\n\nparse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS\nmode SID and reads sid.sub_auth[2] to recover the mode bits.\n\nThat assumes the ACE carries three subauthorities, but compare_sids()\nonly compares min(a, b) subauthorities. A malicious server can return\nan ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still\nmatches sid_unix_NFS_mode and then drives the sub_auth[2] read four\nbytes past the end of the ACE.\n\nRequire num_subauth >= 3 before treating the ACE as an NFS mode SID.\nThis keeps the fix local to the special-SID mode path without changing\ncompare_sids() semantics for the rest of cifsacl."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.7}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4","versionEndExcluding":"6.6.136","matchCriteriaId":"69577FD5-601B-4A4B-BBA2-0FC336EB0D3E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.84","matchCriteriaId":"D4ECA0DE-AFF5-4688-B219-4CA2336CA5B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.25","matchCriteriaId":"8B0A7E0E-F6D8-45DB-8CD9-01839FE40A6C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"7.0.2","matchCriteriaId":"1BD58F1E-7C20-4C0D-92A2-FAC5CBFBE8A8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2757ad3e4b6f9e0fed4c7739594e702abc5cab21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/38a69f08ee82c450d3e4168707fff2e317dc3ff7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/8bd4cad3f458d11650d51c2d24b03fb1770ae6cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b53b8e98c23310294fc45fc686db5ee860311896","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c8eef12af1cc73031639ea7cf16e0b10e2536b0b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f8488c07bea2431ee12a6067d736578064fa46b4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}},{"cve":{"id":"CVE-2026-41511","sourceIdentifier":"security-advisories@github.com","published":"2026-05-08T19:16:31.363","lastModified":"2026-06-01T16:50:51.183","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.2,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-835"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openmcdf_project:openmcdf:*:*:*:*:*:*:*:*","versionEndExcluding":"3.1.3","matchCriteriaId":"8DD01E40-E2E0-4180-85BF-FCE5BFDA6B1B"}]}]}],"references":[{"url":"https://github.com/openmcdf/openmcdf/commit/24f445a557fc4f46461cf6d02d296cce16c293a0","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/openmcdf/openmcdf/releases/tag/v3.1.3","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-44400","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-08T21:16:28.260","lastModified":"2026-06-01T16:44:34.113","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mailenable:mailenable:*:*:*:*:enterprise_premium:*:*:*","versionEndExcluding":"10.56","matchCriteriaId":"5BF15941-E63F-41C8-9392-26B99617407C"}]}]}],"references":[{"url":"https://www.mailenable.com/Premium-ReleaseNotes.txt","source":"disclosure@vulncheck.com","tags":["Release Notes"]},{"url":"https://www.vulncheck.com/advisories/mailenable-enterprise-premium-authorization-bypass-via-webadmin","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-42298","sourceIdentifier":"security-advisories@github.com","published":"2026-05-08T23:16:36.497","lastModified":"2026-06-01T16:42:12.873","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Postiz is an AI social media scheduling tool. Prior to commit da44801, a \"Pwn Request\" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*","versionEndExcluding":"2.21.7","matchCriteriaId":"031E8CE9-E0C5-4ED4-BD59-E846B9525F58"}]}]}],"references":[{"url":"https://github.com/gitroomhq/postiz-app/commit/da448012dd87e94944cbe83a38e7fd023269ec46","source":"security-advisories@github.com","tags":["URL Repurposed"]},{"url":"https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v975-9h5p-xhm4","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-6815","sourceIdentifier":"cret@cert.org","published":"2026-05-11T16:17:37.257","lastModified":"2026-06-01T16:38:43.600","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application's intended storage sandbox."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.5,"impactScore":3.4}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:casbin:casdoor:*:*:*:*:*:*:*:*","versionEndIncluding":"2.328.0","matchCriteriaId":"4105FF29-5A89-4826-ADF8-A1BE0CAEC4C8"}]}]}],"references":[{"url":"https://kb.cert.org/vuls/id/937808","source":"cret@cert.org","tags":["Third Party Advisory","VDB Entry"]},{"url":"https://www.kb.cert.org/vuls/id/937808","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"]}]}},{"cve":{"id":"CVE-2026-42349","sourceIdentifier":"security-advisories@github.com","published":"2026-05-11T17:16:33.147","lastModified":"2026-06-01T16:33:43.980","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-754"},{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/astro:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.17.11","matchCriteriaId":"30F84DDC-8228-4D7A-BEAC-FDE0487D41DB"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/astro:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.18","matchCriteriaId":"92B175FF-5976-481F-9FC3-52C00392997C"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/backend:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.33.3","matchCriteriaId":"42CE4C47-A64E-47F5-8FF2-2855F623CB3E"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/backend:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.2.14","matchCriteriaId":"92B0F10A-B9D0-4AE7-ACE0-DF80D552BB9C"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/chrome-extension:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.3.5","versionEndExcluding":"2.9.15","matchCriteriaId":"AD1020C4-8984-48C5-B0BA-3402BC536594"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/chrome-extension:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.1.15","matchCriteriaId":"93FD23D3-85FC-4D5A-A3EA-8B7407CC61CA"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/clerk-expo:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.2.11","versionEndExcluding":"2.19.36","matchCriteriaId":"24002AC3-72F0-47F4-A707-175A69CD5ECB"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/clerk-js:*:*:*:*:*:node.js:*:*","versionStartIncluding":"5.22.0","versionEndExcluding":"5.125.10","matchCriteriaId":"38BB715E-E178-45DE-B9C2-8EF360B1A9BF"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/clerk-js:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.7.5","matchCriteriaId":"D69C1684-8259-418D-8030-9BA5ED83DC69"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/clerk-react:*:*:*:*:*:node.js:*:*","versionStartIncluding":"5.9.0","versionEndExcluding":"5.61.6","matchCriteriaId":"9F3D0D75-CD5E-4F80-ADD5-36BEA19187EB"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/expo:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.2.2","matchCriteriaId":"114A7068-CDA7-4294-8EC1-A4A38E06179D"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/express:*:*:*:*:*:node.js:*:*","versionStartIncluding":"0.1.0","versionEndExcluding":"1.7.79","matchCriteriaId":"1D670F00-A86F-4157-AACE-2FB37F1D2E74"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/express:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.1.6","matchCriteriaId":"5EB164E5-717B-4611-8DFF-517137745E1A"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/fastify:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.0.42","versionEndExcluding":"2.6.31","matchCriteriaId":"194D3D4A-19B4-42C2-B119-35F67CEC0AFD"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/fastify:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.1.16","matchCriteriaId":"636525D8-19DC-47DA-AFE3-58CA0CC5E4E4"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/hono:*:*:*:*:*:node.js:*:*","versionStartIncluding":"0.0.2","versionEndExcluding":"0.1.16","matchCriteriaId":"9C6F5918-2B3F-4544-9C3E-2D02D147D803"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/nextjs:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.39.3","matchCriteriaId":"209A417F-36BB-48E0-A594-17A3D8E452E1"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/nextjs:*:*:*:*:*:node.js:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.2.4","matchCriteriaId":"6348D1BD-DD97-42E0-A121-4F58DC2BE4DC"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/nuxt:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.13.29","matchCriteriaId":"8D6A7B72-1686-4B16-ABB3-6594D926611C"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/nuxt:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.2.5","matchCriteriaId":"F5706271-25D7-4F57-A620-FD2310DB8CB2"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/react:*:*:*:*:*:node.js:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.4.3","matchCriteriaId":"3ADF13F3-1C39-4766-A0DD-BC40381D306B"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/react-router:*:*:*:*:*:node.js:*:*","versionStartIncluding":"0.0.1","versionEndExcluding":"2.4.13","matchCriteriaId":"6FD1A00D-D69F-43C8-8055-60C8DA68C97A"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/react-router:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.1.4","matchCriteriaId":"4657521F-E4B7-4F7F-83AB-02B1E4F865D6"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/shared:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.47.5","matchCriteriaId":"4A4C4196-ACCC-4115-800F-D4CC704B2DBE"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/shared:*:*:*:*:*:node.js:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.8.3","matchCriteriaId":"3F3189BA-BCCB-453A-BB4E-72B14E9CB6CA"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/tanstack-react-start:*:*:*:*:*:node.js:*:*","versionStartIncluding":"0.0.1","versionEndExcluding":"0.29.11","matchCriteriaId":"091BA1A0-5062-4B26-A829-FC9A6D38929D"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/tanstack-react-start:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.1.4","matchCriteriaId":"D7971F38-FE69-4A83-9DB8-803FCF3CBAE5"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/vue:*:*:*:*:*:node.js:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.17.21","matchCriteriaId":"6AC18FE5-605B-4753-8F15-BD67BF67E8C2"},{"vulnerable":true,"criteria":"cpe:2.3:a:clerk:clerk\\/vue:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.0.16","matchCriteriaId":"CA0368CF-A074-45E5-889E-A346F96D7A26"}]}]}],"references":[{"url":"https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-32170","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:16:58.377","lastModified":"2026-06-01T19:16:23.163","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":6.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-415"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"027462CD-8FA3-4C9F-8778-5AB3F4CDB5B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"BB81D249-7566-44B7-914C-A3674CE87AFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","matchCriteriaId":"A7DF96F8-BA6A-4780-9CA3-F719B3F81074"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","matchCriteriaId":"DB18C4CE-5917-401E-ACF7-2747084FD36E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5139","matchCriteriaId":"1F91F8A2-349F-4A04-8418-2DFA87402D5D"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32170","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-33840","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:06.163","lastModified":"2026-06-01T19:16:25.380","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33840","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-34330","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:06.757","lastModified":"2026-06-01T19:16:26.257","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-190"},{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"027462CD-8FA3-4C9F-8778-5AB3F4CDB5B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"BB81D249-7566-44B7-914C-A3674CE87AFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","matchCriteriaId":"A7DF96F8-BA6A-4780-9CA3-F719B3F81074"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","matchCriteriaId":"DB18C4CE-5917-401E-ACF7-2747084FD36E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34330","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-34336","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:07.637","lastModified":"2026-06-01T19:16:28.317","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"027462CD-8FA3-4C9F-8778-5AB3F4CDB5B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"BB81D249-7566-44B7-914C-A3674CE87AFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34336","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-34345","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:09.190","lastModified":"2026-06-01T19:16:29.863","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-362"},{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"027462CD-8FA3-4C9F-8778-5AB3F4CDB5B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"BB81D249-7566-44B7-914C-A3674CE87AFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34345","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-35416","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:11.940","lastModified":"2026-06-01T19:16:30.657","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"027462CD-8FA3-4C9F-8778-5AB3F4CDB5B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"BB81D249-7566-44B7-914C-A3674CE87AFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","matchCriteriaId":"A7DF96F8-BA6A-4780-9CA3-F719B3F81074"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","matchCriteriaId":"DB18C4CE-5917-401E-ACF7-2747084FD36E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35416","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-35417","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:12.120","lastModified":"2026-06-01T19:16:30.837","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-843"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"BB81D249-7566-44B7-914C-A3674CE87AFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35417","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-35429","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:13.510","lastModified":"2026-06-01T19:16:32.180","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-451"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*","versionEndExcluding":"148.0.3967.55","matchCriteriaId":"2F13304F-0141-47C3-A671-1C3475FA7489"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35429","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-35433","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:13.710","lastModified":"2026-06-01T19:16:32.367","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":1.8,"impactScore":5.5}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-190"}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35433","source":"secure@microsoft.com"}]}},{"cve":{"id":"CVE-2026-35436","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:13.903","lastModified":"2026-06-01T19:16:32.593","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.0,"impactScore":6.0}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1220"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35436","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40358","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:14.543","lastModified":"2026-06-01T19:16:34.033","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*","matchCriteriaId":"72324216-4EB3-4243-A007-FEF3133C7DF9"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*","matchCriteriaId":"0FBB0E61-7997-4F26-9C07-54912D3F1C10"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*","matchCriteriaId":"BF0E8112-5B6F-4E55-8E40-38ADCF6FC654"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*","matchCriteriaId":"EF3E56B5-E6A6-4061-9380-D421E52B9199"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40358","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40361","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:14.950","lastModified":"2026-06-01T19:16:34.313","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*","matchCriteriaId":"BF0E8112-5B6F-4E55-8E40-38ADCF6FC654"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*","matchCriteriaId":"EF3E56B5-E6A6-4061-9380-D421E52B9199"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*","matchCriteriaId":"E1FE9E95-4874-46EF-AC93-9E485F7A2AC0"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*","matchCriteriaId":"38479B5D-66F9-4260-A18A-F6E3D9B6991E"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40361","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40362","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:15.077","lastModified":"2026-06-01T19:16:34.450","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*","matchCriteriaId":"CD88F667-6773-4DB7-B6C3-9C7B769C0808"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*","matchCriteriaId":"B342EF98-B414-44D0-BAFB-FCA24294EECE"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*","matchCriteriaId":"BF0E8112-5B6F-4E55-8E40-38ADCF6FC654"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*","matchCriteriaId":"EF3E56B5-E6A6-4061-9380-D421E52B9199"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*","versionEndExcluding":"16.0.10417.20128","matchCriteriaId":"3E735B7A-DAEB-4275-8B77-4CD6CD946DB7"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40362","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40365","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:15.483","lastModified":"2026-06-01T19:16:34.737","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1220"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*","versionEndExcluding":"16.0.19725.20280","matchCriteriaId":"E9919927-DE08-4AE4-B9F6-2A83117EE14A"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*","matchCriteriaId":"F815EF1D-7B60-47BE-9AC2-2548F99F10E4"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*","matchCriteriaId":"6122D014-5BF1-4AF4-8B4D-80205ED7785E"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40365","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40366","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:15.610","lastModified":"2026-06-01T19:16:34.863","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*","matchCriteriaId":"BF0E8112-5B6F-4E55-8E40-38ADCF6FC654"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*","matchCriteriaId":"EF3E56B5-E6A6-4061-9380-D421E52B9199"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*","matchCriteriaId":"E1FE9E95-4874-46EF-AC93-9E485F7A2AC0"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*","matchCriteriaId":"38479B5D-66F9-4260-A18A-F6E3D9B6991E"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40366","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40367","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:15.760","lastModified":"2026-06-01T19:16:34.983","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-822"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*","matchCriteriaId":"BF0E8112-5B6F-4E55-8E40-38ADCF6FC654"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*","matchCriteriaId":"EF3E56B5-E6A6-4061-9380-D421E52B9199"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*","versionEndExcluding":"16.0.19725.20280","matchCriteriaId":"E9919927-DE08-4AE4-B9F6-2A83117EE14A"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*","matchCriteriaId":"F815EF1D-7B60-47BE-9AC2-2548F99F10E4"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*","matchCriteriaId":"6122D014-5BF1-4AF4-8B4D-80205ED7785E"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*","matchCriteriaId":"E1FE9E95-4874-46EF-AC93-9E485F7A2AC0"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*","matchCriteriaId":"38479B5D-66F9-4260-A18A-F6E3D9B6991E"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40367","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40369","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:16.023","lastModified":"2026-06-01T19:16:35.187","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-822"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40369","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40397","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:17.273","lastModified":"2026-06-01T19:16:36.433","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-191"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"027462CD-8FA3-4C9F-8778-5AB3F4CDB5B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"BB81D249-7566-44B7-914C-A3674CE87AFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","matchCriteriaId":"A7DF96F8-BA6A-4780-9CA3-F719B3F81074"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","matchCriteriaId":"DB18C4CE-5917-401E-ACF7-2747084FD36E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40397","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40399","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:17.647","lastModified":"2026-06-01T19:16:36.797","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-121"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"027462CD-8FA3-4C9F-8778-5AB3F4CDB5B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"BB81D249-7566-44B7-914C-A3674CE87AFB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40399","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40401","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:17.820","lastModified":"2026-06-01T19:16:36.983","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Windows TCP/IP Denial of Service Vulnerability"}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":4.0}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","matchCriteriaId":"A7DF96F8-BA6A-4780-9CA3-F719B3F81074"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","matchCriteriaId":"DB18C4CE-5917-401E-ACF7-2747084FD36E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40401","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40413","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:19.167","lastModified":"2026-06-01T19:16:38.390","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Windows TCP/IP Denial of Service Vulnerability"}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.0}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","matchCriteriaId":"A7DF96F8-BA6A-4780-9CA3-F719B3F81074"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","matchCriteriaId":"DB18C4CE-5917-401E-ACF7-2747084FD36E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40413","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40414","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:19.350","lastModified":"2026-06-01T19:16:38.570","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Windows TCP/IP Denial of Service Vulnerability"}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.0}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"D48FE1A3-FD94-469C-87EA-AA7B4AAC6B86"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"94017187-8A34-41BB-A49E-0FA6986E8CB8"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*","matchCriteriaId":"A7DF96F8-BA6A-4780-9CA3-F719B3F81074"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*","matchCriteriaId":"DB18C4CE-5917-401E-ACF7-2747084FD36E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.14393.9140","matchCriteriaId":"71D026B8-B196-4369-9AB3-5FCA21E8AA36"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.17763.8755","matchCriteriaId":"C1926806-B15D-4AF1-967A-7ADA71FF74DC"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40414","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40418","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:19.940","lastModified":"2026-06-01T19:16:39.060","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40418","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40420","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:20.190","lastModified":"2026-06-01T19:16:39.273","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.0,"impactScore":6.0}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-284"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40420","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40421","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:20.320","lastModified":"2026-06-01T19:16:39.447","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-73"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2024:*:*:*:ltsc:*:x64:*","matchCriteriaId":"19F65776-446D-404C-A830-990D4232791A"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2024:*:*:*:ltsc:*:x86:*","matchCriteriaId":"017875F7-5396-4069-9F9F-0BDA05143A25"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:*:x64:*","matchCriteriaId":"75F7306B-D1DA-48C2-AF87-4480E161D794"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:*:x86:*","matchCriteriaId":"BA9BCD55-F71E-4920-B906-A1386843776A"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*","matchCriteriaId":"E1FE9E95-4874-46EF-AC93-9E485F7A2AC0"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*","matchCriteriaId":"38479B5D-66F9-4260-A18A-F6E3D9B6991E"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40421","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-41088","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:20.573","lastModified":"2026-06-01T19:16:40.083","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-73"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"92E25E15-66FF-45E3-A044-88A7CFDEA9DF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"0D04D4AA-D1A5-45D4-A27A-F80D3F6171AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19044.7291","matchCriteriaId":"12B4D343-5326-4CF2-913D-F642C34B458A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"6BB3BCA4-519F-4BAB-B7C7-9E3BBCE5A6AB"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"65466E7E-0BDC-4ECC-AE5F-2E4B8615D205"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*","versionEndExcluding":"10.0.19045.7291","matchCriteriaId":"A722684E-1073-4076-82AE-3235AA1C4C9F"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"D039A905-2FE4-4A10-85BF-175947E6A017"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.22631.7079","matchCriteriaId":"4904DDBD-B183-4AA2-ABD6-47BAF1A28861"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"048AD3CD-DD62-4B62-9302-61779D998B4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26100.8390","matchCriteriaId":"3682F4DD-0870-4E39-B75E-649C89BB1E08"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"C2C93D38-DFD7-4DE1-95B8-6D73E4A545D6"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.26200.8390","matchCriteriaId":"05EB89A0-2ADD-4B67-A644-41FE1DE69E4A"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"D45A5D2F-E058-4033-B184-BAE224FC1CEA"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*","versionEndExcluding":"10.0.28000.2113","matchCriteriaId":"5127F350-9271-4B74-84E0-D7E5D2D5640E"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.20348.5074","matchCriteriaId":"10060868-96D5-47E4-8FEB-80A79DCC1134"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.25398.2330","matchCriteriaId":"E3F26150-16EA-4D34-8BE9-2EE7C745D707"},{"vulnerable":true,"criteria":"cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*","versionEndExcluding":"10.0.26100.32772","matchCriteriaId":"9ABAB3B9-28AF-4278-8E78-E1191B1AFC0C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41088","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-42833","sourceIdentifier":"secure@microsoft.com","published":"2026-05-12T18:17:25.933","lastModified":"2026-06-01T19:16:44.793","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-250"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*","versionStartIncluding":"9.1","versionEndExcluding":"9.1.45.11","matchCriteriaId":"F717CDF4-FD7A-4170-AB31-26A5FCF7DD8C"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42833","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-44376","sourceIdentifier":"security-advisories@github.com","published":"2026-05-13T21:16:48.183","lastModified":"2026-06-01T21:16:44.973","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product. This flaw bypasses current filters, allowing an attacker to execute malicious JavaScript in the victim's browser, leading to session hijacking, site defacement, or phishing. This vulnerability is fixed in 6.7.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://github.com/cubecart/v6/commit/b9d03e20b9d0f443f8ea55fd834e348438e2cc0c","source":"security-advisories@github.com"},{"url":"https://github.com/cubecart/v6/security/advisories/GHSA-gvcp-wpvp-c6f7","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-42009","sourceIdentifier":"secalert@redhat.com","published":"2026-05-18T13:16:32.707","lastModified":"2026-06-01T21:16:44.080","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-475"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13274","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-42009","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467279","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-43493","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-19T12:16:19.020","lastModified":"2026-06-01T17:17:05.240","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix handling of MAY_BACKLOG requests\n\nMAY_BACKLOG requests can return EBUSY. Handle them by checking\nfor that value and filtering out EINPROGRESS notifications."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/1d7f07df450bac3301938fbc4251f2611be4084e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/46271895ddfb1ba41f89f7e0dffbe9c2bcf7380a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/76641449b28979ebd6c02e9598367e119e385236","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/77d55bc8675ee851ed639dc9be77325a8024cf67","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/915b692e6cb723aac658c25eb82c58fd81235110","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9f1cbca178c03188e201ed175251372149bb25f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ae7e95638d956d556d74b9abb9e780d3bd3dcd9e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/eb34e243df57e32f4c08fa191f3602ea19076276","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-5511","sourceIdentifier":"f23511db-6c3e-4e32-a477-6aa17d310630","published":"2026-05-19T17:16:23.493","lastModified":"2026-06-01T16:59:36.460","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information. \n\n\nAn authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options. The exposed information is limited in scope and does not include sensitive system data."}],"metrics":{"cvssMetricV40":[{"source":"f23511db-6c3e-4e32-a477-6aa17d310630","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N","baseScore":2.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":1.4}]},"weaknesses":[{"source":"f23511db-6c3e-4e32-a477-6aa17d310630","type":"Secondary","description":[{"lang":"en","value":"CWE-209"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:tp-link:archer_ax72_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"1.4.6","matchCriteriaId":"B6055B36-B8CB-4B65-9923-F03C2F45DAA3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:tp-link:archer_ax72:1.0:*:*:*:*:*:*:*","matchCriteriaId":"19FBF3D2-CE8E-4FB6-914B-E1AA671DAAB0"}]}]}],"references":[{"url":"https://www.tp-link.com/sg/support/download/archer-ax72/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/faq/5096/","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-42834","sourceIdentifier":"secure@microsoft.com","published":"2026-05-20T13:16:34.500","lastModified":"2026-06-01T19:16:45.123","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Secondary","description":[{"lang":"en","value":"CWE-59"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:windows_admin_center:*:*:*:*:*:azure:*:*","versionEndExcluding":"0.72.0.0","matchCriteriaId":"A03F6B4A-F5F3-4FA8-A133-D47441305B5F"}]}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42834","source":"secure@microsoft.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-43494","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-21T12:16:19.957","lastModified":"2026-06-01T17:17:05.383","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: reset op_nents when zerocopy page pin fails\n\nWhen iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),\nthe pinned pages are released with put_page(), and\nrm->data.op_mmp_znotifier is cleared. But we fail to properly\nclear rm->data.op_nents.\n\nLater when rds_message_purge() is called from rds_sendmsg() the\ncleanup loop iterates over the incorrectly non zero number of\nop_nents and frees them again.\n\nFix this by properly resetting op_nents when it should be in\nrds_message_zcopy_from_user()."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/03014551938a0887fa55f18ce49b70158a9c0113","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c6e51512a784c4a7b86e1a044988696e3b3721fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d84ce1786ce40fdd3dd98db47aec5527817e1ef6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"http://www.openwall.com/lists/oss-security/2026/05/21/2","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2026-43496","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-21T13:16:18.960","lastModified":"2026-06-01T17:17:05.553","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked\n\nWhen red qdisc has children (eg qfq qdisc) whose peek() callback is\nqdisc_peek_dequeued(), we could get a kernel panic. When the parent of such\nqdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from\nits child (red in this case), it will do the following:\n 1a. do a peek() - and when sensing there's an skb the child can offer, then\n - the child in this case(red) calls its child's (qfq) peek.\n qfq does the right thing and will return the gso_skb queue packet.\n Note: if there wasnt a gso_skb entry then qfq will store it there.\n 1b. invoke a dequeue() on the child (red). And herein lies the problem.\n - red will call the child's dequeue() which will essentially just\n try to grab something of qfq's queue.\n\n[ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]\n[ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)\n[ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]\n[ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d\n[ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216\n[ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048\n[ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078\n[ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000\n[ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200\n[ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000\n[ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0\n[ 78.671585][ T363] PKRU: 55555554\n[ 78.671713][ T363] Call Trace:\n[ 78.671843][ T363] \n[ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]\n[ 78.672148][ T363] ? __pfx__printk+0x10/0x10\n[ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0\n[ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0\n[ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red]\n[ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf]\n[ 78.673566][ T363] __qdisc_run+0x169/0x1900\n\nThe right thing to do in #1b is to grab the skb off gso_skb queue.\nThis patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()\nmethod instead."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/03b0aaeba082ae981a0dfe96cdd03d02050537a1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/36aa34f42cb6842cf371f3a2d3e855d24fd57a50","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/458d5615272d3de535748342eb68ca492343048c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/45cd83c5c470ba49fe261489c8358ad7b9df7c45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/587dcf970a525f543d8b5855d9f37a4ca97b76ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8d09618840b99ef00154d3e731ce9b11e096196d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c7335f4dc0fa21f7015b910c6fc2f4d599732328","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ce051eede433f876d322ac3550a36a3c6fc4c231","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43497","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-21T13:16:19.090","lastModified":"2026-06-01T17:17:05.777","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free\n\ndlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages\nto userspace but sets no vm_ops on the VMA. This means the kernel cannot\ntrack active mmaps. When dlfb_realloc_framebuffer() replaces the backing\nbuffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.\nOn USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages\nwhile userspace PTEs still reference them, resulting in a use-after-free:\nthe process retains read/write access to freed kernel pages.\n\nAdd vm_operations_struct with open/close callbacks that maintain an\natomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),\ncheck mmap_count and return -EBUSY if the buffer is currently mapped,\npreventing buffer replacement while userspace holds stale PTEs.\n\nTested with PoC using dummy_hcd + raw_gadget USB device emulation."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.3,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/18dd358de72d57993422cbb5dfb29ccd74efe192","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4f312c30f0368e8d2a76aa650dff73f23490b5e7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5931f5651ee32bd41b3323256b31fcc8e71336ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/60f711cfd580f86fea8284146ac133804e728f9a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8de779dc40d35d39fa07387b6f921eb11df0f511","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a2c53a3822ee26e8d758071815b9ed3bf6669fc1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/da9b065cedfd3b574f229d5be594e6aa47a27ae6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e3d9865dacd7435b8465848428210d0f0c673311","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43499","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-21T13:16:19.300","lastModified":"2026-06-01T17:17:07.230","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrtmutex: Use waiter::task instead of current in remove_waiter()\n\nremove_waiter() is used by the slowlock paths, but it is also used for\nproxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from\nfutex_requeue().\n\nIn the latter case waiter::task is not current, but remove_waiter()\noperates on current for the dequeue operation. That results in several\nproblems:\n\n 1) the rbtree dequeue happens without waiter::task::pi_lock being held\n\n 2) the waiter task's pi_blocked_on state is not cleared, which leaves a\n dangling pointer primed for UAF around.\n\n 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter\n task\n\nUse waiter::task instead of current in all related operations in\nremove_waiter() to cure those problems.\n\n[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the\n \tchangelog ]"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3fb7394a837740770f0d6b4b30567e60786a63f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8fcf2071b8085166","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/88614876370aac8ad1050ad785a4c095ba17ac11","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0f74450d71f9611f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d8cce4773c2b23d819baf5abedc62f7b430e8745","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43501","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-21T13:16:19.410","lastModified":"2026-06-01T17:17:07.350","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: rpl: reserve mac_len headroom when recompressed SRH grows\n\nipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps\nthe next segment into ipv6_hdr->daddr, recompresses, then pulls the old\nheader and pushes the new one plus the IPv6 header back. The\nrecompressed header can be larger than the received one when the swap\nreduces the common-prefix length the segments share with daddr (CmprI=0,\nCmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).\n\npskb_expand_head() was gated on segments_left == 0, so on earlier\nsegments the push consumed unchecked headroom. Once skb_push() leaves\nfewer than skb->mac_len bytes in front of data,\nskb_mac_header_rebuild()'s call to:\n\n\tskb_set_mac_header(skb, -skb->mac_len);\n\nwill store (data - head) - mac_len into the u16 mac_header field, which\nwraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB\npast skb->head.\n\nA single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two\nsegment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one\npass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.\n\nFix this by expanding the head whenever the remaining room is less than\nthe push size plus mac_len, and request that much extra so the rebuilt\nMAC header fits afterwards."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/0a9e8053f1f8a8e1bfc1dd61ffe67be6c1180402","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4babc2d9fda2df43823b85d08a0180b68f1b0854","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7398ebefbfd4f8a31d4f665a4213302fa995494b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8e8be63465a5e80394c70324603dfea1bfdad48f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e6bf146b55999a095bb14f73a843942456d1adc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bde199c72d319a4e207f88daabc888317504e2fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/be1fa0aa9b4fdd5a8b7a61ba520a690a68391e6e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-43502","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-21T13:16:19.520","lastModified":"2026-06-01T17:17:07.490","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: handle zerocopy send cleanup before the message is queued\n\nA zerocopy send can fail after user pages have been pinned but before\nthe message is attached to the sending socket.\n\nThe purge path currently infers zerocopy state from rm->m_rs, so an\nunqueued message can be cleaned up as if it owned normal payload pages.\nHowever, zerocopy ownership is really determined by the presence of\nop_mmp_znotifier, regardless of whether the message has reached the\nsocket queue.\n\nCapture op_mmp_znotifier up front in rds_message_purge() and use it as\nthe cleanup discriminator. If the message is already associated with a\nsocket, keep the existing completion path. Otherwise, drop the pinned\npage accounting directly and release the notifier before putting the\npayload pages.\n\nThis keeps early send failure cleanup consistent with the zerocopy\nlifetime rules without changing the normal queued completion path."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/14ef6fd18db2494098b21e0471bf27a1d8e9993e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e262db7675e27f42c3f3f47d6011855f4454f24","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/21d70744e6d3bbf9293aa1ee6fba7c53ad75275e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3abc8983b2bae3f487f77d9da5527d7d6b210d46","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/44b550d88b267320459d518c0743a241ab2108fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/46662f7dc59475995609bf3e9d27eb36f4acf26f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e9aefdc5c53fe9aed108c14e3d155710a1bb14c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-4093","sourceIdentifier":"mlhess@drupal.org","published":"2026-05-21T22:16:48.290","lastModified":"2026-06-01T17:39:17.167","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.\n\nVector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.\n\nVector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.\n\nExploit affects versions 7.x-1.x up to and including 7.x-1.11."}],"metrics":{"cvssMetricV40":[{"source":"mlhess@drupal.org","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"mlhess@drupal.org","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:taxonomy_term_reference_tree_widget_project:taxonomy_term_reference_tree_widget:*:*:*:*:*:drupal:*:*","versionStartIncluding":"7.x-1.0","versionEndExcluding":"7.x-1.12","matchCriteriaId":"3390651C-0E1A-4B4C-837A-A8740627DFD5"}]}]}],"references":[{"url":"https://d7es.tag1.com/security-advisories/taxonomy-term-reference-tree-widget-moderately-critical-cross-site-scripting","source":"mlhess@drupal.org","tags":["Third Party Advisory"]},{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-4093","source":"mlhess@drupal.org","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-4929","sourceIdentifier":"mlhess@drupal.org","published":"2026-05-21T22:16:48.420","lastModified":"2026-06-01T17:41:53.030","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context.\nThis affects versions from 7.x-1.0 through (and including) 7.x-1.10."}],"metrics":{"cvssMetricV40":[{"source":"mlhess@drupal.org","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:simple_hierarchical_select_project:simple_hierarchical_select:*:*:*:*:*:drupal:*:*","versionStartIncluding":"7.x-1.0","versionEndIncluding":"7.x-1.10","matchCriteriaId":"9A776A74-A4A3-4FF7-A4F3-A5117B841270"}]}]}],"references":[{"url":"https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting","source":"mlhess@drupal.org","tags":["Third Party Advisory"]},{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-4929","source":"mlhess@drupal.org","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-4929?nes-for-drupal-7","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-5817","sourceIdentifier":"security@docker.com","published":"2026-05-22T20:16:35.120","lastModified":"2026-06-01T18:08:14.170","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered.\n\nAny container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference."}],"metrics":{"cvssMetricV40":[{"source":"security@docker.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"security@docker.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.5,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":6.0}]},"weaknesses":[{"source":"security@docker.com","type":"Secondary","description":[{"lang":"en","value":"CWE-829"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:*","versionStartIncluding":"4.62.0","versionEndExcluding":"4.68.0","matchCriteriaId":"D13BBDD8-AB90-414E-A29B-75FA2125E68F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://docs.docker.com/desktop/release-notes/#4680","source":"security@docker.com","tags":["Release Notes"]}]}},{"cve":{"id":"CVE-2026-5843","sourceIdentifier":"security@docker.com","published":"2026-05-22T20:16:35.253","lastModified":"2026-06-01T18:07:43.883","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user.\n\nAny container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference."}],"metrics":{"cvssMetricV40":[{"source":"security@docker.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"security@docker.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.5,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":6.0}]},"weaknesses":[{"source":"security@docker.com","type":"Secondary","description":[{"lang":"en","value":"CWE-829"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:*","versionStartIncluding":"4.56.0","versionEndExcluding":"4.71.0","matchCriteriaId":"8238D6AB-A793-4DC9-B0AA-D114B545AC3D"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://docs.docker.com/desktop/release-notes/#4710","source":"security@docker.com","tags":["Release Notes"]}]}},{"cve":{"id":"CVE-2026-3294","sourceIdentifier":"f23511db-6c3e-4e32-a477-6aa17d310630","published":"2026-05-22T21:16:42.960","lastModified":"2026-06-01T18:03:03.877","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation.\n\nSuccessful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability."}],"metrics":{"cvssMetricV40":[{"source":"f23511db-6c3e-4e32-a477-6aa17d310630","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"f23511db-6c3e-4e32-a477-6aa17d310630","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:tp-link:re305_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"20260515","matchCriteriaId":"A76ABE71-C8ED-431F-A699-C87B502DE6FF"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:tp-link:re305:1.0:*:*:*:*:*:*:*","matchCriteriaId":"EB800EB4-8027-4071-85B1-A3D5D4426CF7"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:tp-link:re360_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"20260515","matchCriteriaId":"06997C4E-9063-443E-84AC-458940CE880E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:tp-link:re360:1.0:*:*:*:*:*:*:*","matchCriteriaId":"5D16136E-606D-4E4F-9310-59B0C24275D0"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:tp-link:re580d_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"20260515","matchCriteriaId":"EBC0C4A7-632D-4979-94F7-0C17C40B7576"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:tp-link:re580d:1.0:*:*:*:*:*:*:*","matchCriteriaId":"9F8FB56B-F9DC-491A-ADC3-8170CDF0052F"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:tp-link:re650_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"20260429","matchCriteriaId":"023F0049-F1F0-4700-967C-5B27DB497229"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:tp-link:re650:1.0:*:*:*:*:*:*:*","matchCriteriaId":"68ED1297-85DE-4C5C-8095-E67542D11057"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:tp-link:tl-wa860re_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"20260515","matchCriteriaId":"AEAF244D-4960-4016-B227-7B1A3F1A63EF"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:tp-link:tl-wa860re:4.0:*:*:*:*:*:*:*","matchCriteriaId":"A6C69006-B712-45E4-AE72-BA947300DD5D"}]}]}],"references":[{"url":"https://www.tp-link.com/en/support/download/re305/v1/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/en/support/download/re360/v1/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/en/support/download/re580d/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/en/support/download/re650/v1/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/en/support/download/tl-wa860re/v4/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/download/re305/v1/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/download/re360/v1/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/download/re580d/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/download/re650/v1/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/download/tl-wa860re/v4/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/faq/5101/","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-40864","sourceIdentifier":"security-advisories@github.com","published":"2026-05-22T21:16:43.177","lastModified":"2026-06-01T18:01:41.390","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker's server. This issue has been fixed in version 5.4.5. If developers are unable to immediately upgrade, they can temporarily mitigate this issue by dropping requests to JupyterHub with Sec-Fetch-Mode: no-cors if they are using a reverse proxy."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:jupyter:jupyterhub:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.0","versionEndExcluding":"5.4.5","matchCriteriaId":"81612D2F-7819-4502-B4B1-F9FBFA915A42"}]}]}],"references":[{"url":"https://github.com/jupyterhub/jupyterhub/commit/9c5ec277d3cda5a59de2d8c8117efa77bd941127","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-m68r-v472-jgq9","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-4915","sourceIdentifier":"responsibledisclosure@mattermost.com","published":"2026-05-25T08:16:24.897","lastModified":"2026-06-01T17:57:36.300","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry.. Mattermost Advisory ID: MMSA-2026-00641"}],"metrics":{"cvssMetricV31":[{"source":"responsibledisclosure@mattermost.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"responsibledisclosure@mattermost.com","type":"Secondary","description":[{"lang":"en","value":"CWE-754"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"10.11.0","versionEndExcluding":"10.11.15","matchCriteriaId":"6696A83A-CD06-45BD-A4C1-16A09C4CA15B"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.4.0","versionEndExcluding":"11.4.5","matchCriteriaId":"AB489375-1F54-4A24-AE2C-37D92B27FF4D"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.5.0","versionEndExcluding":"11.5.4","matchCriteriaId":"617D4791-A087-42E8-BF73-B39B30CB29C8"},{"vulnerable":true,"criteria":"cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*","versionStartIncluding":"11.6.0","versionEndExcluding":"11.6.1","matchCriteriaId":"77708744-DCB4-4AE3-8146-CB043DAB6FBB"}]}]}],"references":[{"url":"https://mattermost.com/security-updates","source":"responsibledisclosure@mattermost.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45361","sourceIdentifier":"security@apache.org","published":"2026-05-25T10:16:15.087","lastModified":"2026-06-01T17:17:10.090","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-322"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:apache-airflow-providers-google:*:*:*:*:*:*:*:*","versionEndExcluding":"22.0.0","matchCriteriaId":"5CCD22EC-C835-4540-861D-9117925690B0"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/66746","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/3lpj7ppwxp7jtp81rnxk75xvln7qd7h2?users@airflow.apache.org","source":"security@apache.org"},{"url":"http://www.openwall.com/lists/oss-security/2026/05/24/9","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-5222","sourceIdentifier":"986d4109-89ea-491f-99fd-a8e4803919bd","published":"2026-05-25T10:16:15.273","lastModified":"2026-06-01T17:56:41.383","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack."}],"metrics":{"cvssMetricV40":[{"source":"986d4109-89ea-491f-99fd-a8e4803919bd","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"986d4109-89ea-491f-99fd-a8e4803919bd","type":"Secondary","description":[{"lang":"en","value":"CWE-647"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rust-lang:cargo:*:*:*:*:*:rust:*:*","versionStartIncluding":"1.68.0","versionEndExcluding":"1.96.0","matchCriteriaId":"143A0C07-6AA8-4711-A789-152DA178214C"}]}]}],"references":[{"url":"https://blog.rust-lang.org/2026/05/25/cve-2026-5222/","source":"986d4109-89ea-491f-99fd-a8e4803919bd","tags":["Vendor Advisory"]},{"url":"https://github.com/rust-lang/cargo/pull/17031","source":"986d4109-89ea-491f-99fd-a8e4803919bd","tags":["Issue Tracking","Patch"]},{"url":"https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s","source":"986d4109-89ea-491f-99fd-a8e4803919bd","tags":["Third Party Advisory","Mailing List"]}]}},{"cve":{"id":"CVE-2026-5223","sourceIdentifier":"986d4109-89ea-491f-99fd-a8e4803919bd","published":"2026-05-25T10:16:15.480","lastModified":"2026-06-01T17:52:18.003","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink."}],"metrics":{"cvssMetricV40":[{"source":"986d4109-89ea-491f-99fd-a8e4803919bd","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"986d4109-89ea-491f-99fd-a8e4803919bd","type":"Secondary","description":[{"lang":"en","value":"CWE-61"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rust-lang:cargo:*:*:*:*:*:rust:*:*","versionEndExcluding":"1.96.0","matchCriteriaId":"67F6F381-6055-48F2-A156-047F903ABE84"}]}]}],"references":[{"url":"https://blog.rust-lang.org/2026/05/25/cve-2026-5223/","source":"986d4109-89ea-491f-99fd-a8e4803919bd","tags":["Mitigation","Vendor Advisory"]},{"url":"https://github.com/rust-lang/cargo/pull/17031","source":"986d4109-89ea-491f-99fd-a8e4803919bd","tags":["Issue Tracking","Patch"]},{"url":"https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8","source":"986d4109-89ea-491f-99fd-a8e4803919bd","tags":["Third Party Advisory","Mailing List"]}]}},{"cve":{"id":"CVE-2026-4480","sourceIdentifier":"secalert@redhat.com","published":"2026-05-26T15:16:40.937","lastModified":"2026-06-01T17:53:36.910","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the \"print command\" setting via the \"%J\"\nsubstitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","matchCriteriaId":"932D137F-528B-4526-9A89-CD59FA1AB0FE"},{"vulnerable":true,"criteria":"cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.0","versionEndExcluding":"4.2.1","matchCriteriaId":"FFA99680-067D-486E-B752-6D5239C3E4FB"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","matchCriteriaId":"142AD0DD-4CF3-4D74-9442-459CE3347E3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"F4CFF558-3C47-480D-A2F0-BABF26042943"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","matchCriteriaId":"7F6FB57C-2BC7-487C-96DD-132683AEB35D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-4480","source":"secalert@redhat.com","tags":["Mitigation","Third Party Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452232","source":"secalert@redhat.com","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://bugzilla.samba.org/show_bug.cgi?id=16033","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-14290","sourceIdentifier":"psirt@us.ibm.com","published":"2026-05-26T17:16:28.417","lastModified":"2026-06-01T17:33:22.487","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"IBM webMethods Integration (on prem) -Integration Server 10.15 through IS_10.15_Core_Fix2611.1 to IS_11.1_Core_Fix10 IBM webMethods Integration is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:webmethods_integration_server:10.15.0:*:*:*:*:*:*:*","matchCriteriaId":"BBAAEBC9-385F-4F88-BE43-742BB80A8CDD"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:webmethods_integration_server:11.1.0:*:*:*:*:*:*:*","matchCriteriaId":"DA439BCF-0074-48D7-BE5B-E1BE33D22128"}]}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7273550","source":"psirt@us.ibm.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-36126","sourceIdentifier":"psirt@us.ibm.com","published":"2026-05-26T17:16:28.713","lastModified":"2026-06-01T17:30:40.807","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 is vulnerable to stored cross-site scripting (XSS) in Cognos Adminstration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.7}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:*:*:*:*:*:*:*:*","versionStartIncluding":"12.1.0","versionEndExcluding":"12.1.2","matchCriteriaId":"30BF0C71-FEDA-4D86-BE94-54D67AA482BA"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2:*:*:*:*:*:*:*","matchCriteriaId":"348B7AB4-F304-461B-AC45-D8656AB73660"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*","matchCriteriaId":"1AB1B390-838B-4572-ACA0-2CFFDDB45EB1"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*","matchCriteriaId":"D500E11C-4A99-460F-B16A-4DA5895149D5"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.2:*:*:*:*:*:*:*","matchCriteriaId":"BC703EBB-A37C-465C-8F7C-3B64AB3A71E4"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.3:*:*:*:*:*:*:*","matchCriteriaId":"8CA6708A-851A-458C-81CC-0AE78CB0F0C0"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:-:*:*:*:*:*:*","matchCriteriaId":"A1D81212-AFFE-4A73-AAC1-E558973FC452"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:fixpack1:*:*:*:*:*:*","matchCriteriaId":"07DC144D-62FC-4808-A77A-642871C1F8FC"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:fixpack2:*:*:*:*:*:*","matchCriteriaId":"2A61B920-B490-48A8-BF00-13B8854683FD"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:fixpack3:*:*:*:*:*:*","matchCriteriaId":"1F65BC6D-9A9D-45B9-919B-2855586C4F1B"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:fixpack4:*:*:*:*:*:*","matchCriteriaId":"684FA3C7-ABEA-4CB8-8D88-4BA18F1A73FB"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:fixpack5:*:*:*:*:*:*","matchCriteriaId":"3372238E-BFA8-4342-A523-9DB9628D11B7"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:fixpack6:*:*:*:*:*:*","matchCriteriaId":"0644AF6B-BBEB-4B56-A6A6-D6BE073DA900"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:interim_fix_1:*:*:*:*:*:*","matchCriteriaId":"C0259B4F-E86A-44E5-A1FA-39A57E915822"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:interim_fix_2:*:*:*:*:*:*","matchCriteriaId":"CEF69734-E894-49E2-9295-03330FE19F9C"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:interim_fix_3:*:*:*:*:*:*","matchCriteriaId":"28C2275C-A326-4914-BD31-923E0976DA5B"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:interim_fix_4:*:*:*:*:*:*","matchCriteriaId":"C19D8CDA-E883-4F76-ACEE-FE16A6AB75A1"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:11.2.4:interim_fix_5:*:*:*:*:*:*","matchCriteriaId":"AF2CD238-A72E-4689-B8E7-2949A0E618E2"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:*","matchCriteriaId":"210893AF-E67A-49C1-80FC-59A1F1C1B32F"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.1:*:*:*:*:*:*:*","matchCriteriaId":"CFDD4A63-2F81-48C8-8400-E1BE15C8EA3D"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.2:*:*:*:*:*:*:*","matchCriteriaId":"0AF83D3E-FB2F-4A73-A18B-F55CB98124D6"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.3:-:*:*:*:*:*:*","matchCriteriaId":"42EB9F80-DCF1-474F-A5A5-7BC9F0B3BF58"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.3:interim_fix_1:*:*:*:*:*:*","matchCriteriaId":"706340D8-0E0B-4775-B90A-E696CFFB9901"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.3:interim_fix_2:*:*:*:*:*:*","matchCriteriaId":"651FEB1B-83C8-4D28-8944-E8C182AC93B6"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.4:-:*:*:*:*:*:*","matchCriteriaId":"CED100CC-0C88-41B9-8742-4AD51C105527"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.4:fixpack1:*:*:*:*:*:*","matchCriteriaId":"206ABB8E-0FEB-4366-B547-514A3FF8138E"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.4:interim_fix_1:*:*:*:*:*:*","matchCriteriaId":"3C54FA39-7D14-434E-A9FB-5606A3A08185"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.4:interim_fix_2:*:*:*:*:*:*","matchCriteriaId":"BAB2758C-ECD5-4186-823A-5DB55265BC55"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_analytics:12.0.4:interim_fix_3:*:*:*:*:*:*","matchCriteriaId":"60BC347B-50AB-440E-A2C0-904DC9704581"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_transformer:11.2.4:*:*:*:*:*:*:*","matchCriteriaId":"9FF70630-4FCC-42CB-AEC0-0341335E38CC"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_transformer:12.0:*:*:*:*:*:*:*","matchCriteriaId":"91020D54-7072-4B79-AC60-DD68E8F36C7F"},{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:cognos_transformer:12.1.0:*:*:*:*:*:*:*","matchCriteriaId":"E1B1D10C-E219-4536-89AB-F7B6A16B0A97"}]}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7272628","source":"psirt@us.ibm.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-36145","sourceIdentifier":"psirt@us.ibm.com","published":"2026-05-26T17:16:28.870","lastModified":"2026-06-01T17:24:29.743","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Primary","description":[{"lang":"en","value":"CWE-923"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:watsonx.data:*:*:*:*:*:*:*:*","versionStartIncluding":"2.2.0","versionEndIncluding":"2.3.1","matchCriteriaId":"2B8610C4-99B9-49A6-AF5D-3FCD0429437B"}]}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7272498","source":"psirt@us.ibm.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-36148","sourceIdentifier":"psirt@us.ibm.com","published":"2026-05-26T17:16:29.013","lastModified":"2026-06-01T17:22:30.150","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ibm:financial_transaction_manager_for_multiplatform:*:*:*:*:*:swift_services:*:*","versionStartIncluding":"3.2.4.0","versionEndExcluding":"3.2.4.16","matchCriteriaId":"BFF7757F-D9E0-4656-B64C-71A512FFCFF8"}]}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7272275","source":"psirt@us.ibm.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45834","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-26T17:16:48.073","lastModified":"2026-06-01T17:17:11.173","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb()."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0c17c8832562b2aac288e89cefd0f46074f54bcb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1810e42ff6716f320c7269d5850eca48b07b7427","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1b1c0da227bf63479bac9982fc8d12df9aaea0fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2ff1a41a912de8517b4482e946dd951b7d80edbf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5105f3e6b2df619c635b5f6a49fac131a36c7952","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/85426e97dc72f2088ba6d27e74cd58c3fbd43e31","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a2dcf1a61d056aef15b63c6eae9441344d624389","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c88c185ae0a1067823661b220aeea613df2c127b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45835","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-26T17:16:48.227","lastModified":"2026-06-01T17:17:11.307","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb()."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0a120d96166301d7a95be75b52f843837dbd1219","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/140b63cb46f2855ac4ec8fba2f1e974a9c2974e8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2422eaed0925973c0f318c94eb13e76f14c7381e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/684a1f9ee2325437ae18ac5371884e4c6a25ae73","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/741e6024e31587b0c021b6616a9e428a4ea0b64a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/76083fb80f5a38ac13326b2d810f66bd07771eea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ab77c8bc30269bee15d917059a66bea48909f5f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45836","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-26T17:16:50.813","lastModified":"2026-06-01T17:17:11.710","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb()."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/32bd343803d4ba47cc516f9d5f037f01b855d767","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/58dc5e3d8768e121907608e6e196a908512fb083","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6e8d1a2a677a81caa60cf0aabd4217bd585fbba1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/78a88d43dab8d23aeef934ed8ce34d40e6b3d613","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a93d66907dd4d29b65c9797a93784bf61906d6d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cf1fd517f892ded88168df878f834b625133f86d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e1863e7480feddb90125d0dd5a1b572972d75908","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fd072f833147b0bc10c43a454624cb99d02f3fc7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-44836","sourceIdentifier":"security-advisories@github.com","published":"2026-05-26T21:16:38.710","lastModified":"2026-06-01T18:22:32.550","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-749"}]}],"references":[{"url":"https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995","source":"security-advisories@github.com"},{"url":"https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44837","sourceIdentifier":"security-advisories@github.com","published":"2026-05-26T21:16:38.853","lastModified":"2026-06-01T18:33:48.683","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-187"}]}],"references":[{"url":"https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp","source":"security-advisories@github.com"},{"url":"https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44844","sourceIdentifier":"security-advisories@github.com","published":"2026-05-26T21:16:39.163","lastModified":"2026-06-01T18:22:32.550","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-674"}]}],"references":[{"url":"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8","source":"security-advisories@github.com"},{"url":"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-42012","sourceIdentifier":"secalert@redhat.com","published":"2026-05-26T22:16:41.913","lastModified":"2026-06-01T21:16:44.503","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-295"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-42012","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467441","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-42013","sourceIdentifier":"secalert@redhat.com","published":"2026-05-26T22:16:42.050","lastModified":"2026-06-01T21:16:44.620","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1284"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-42013","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467448","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-42015","sourceIdentifier":"secalert@redhat.com","published":"2026-05-26T22:16:42.180","lastModified":"2026-06-01T21:16:44.740","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-193"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-42015","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467678","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-43988","sourceIdentifier":"security-advisories@github.com","published":"2026-05-26T22:16:42.303","lastModified":"2026-06-01T18:26:25.403","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline of Vanetza. When processing malformed network packets containing corrupted ASN.1/OER structures (e.g., invalid length fields or malformed certificate encoding), the ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error. This exception is not caught at the parsing boundary and propagates to std::terminate, resulting in process termination. This vulnerability is fixed with commit 62dfe58a8342512b6e1947d75821402ada524f1a."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-248"}]}],"references":[{"url":"https://github.com/riebl/vanetza/commit/62dfe58a8342512b6e1947d75821402ada524f1a","source":"security-advisories@github.com"},{"url":"https://github.com/riebl/vanetza/security/advisories/GHSA-j6cj-rp87-mfrx","source":"security-advisories@github.com"},{"url":"https://github.com/riebl/vanetza/security/advisories/GHSA-j6cj-rp87-mfrx","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44895","sourceIdentifier":"security-advisories@github.com","published":"2026-05-26T22:16:42.730","lastModified":"2026-06-01T18:22:32.550","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.2,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-306"},{"lang":"en","value":"CWE-942"}]}],"references":[{"url":"https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf","source":"security-advisories@github.com"},{"url":"https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44905","sourceIdentifier":"security-advisories@github.com","published":"2026-05-26T22:16:43.150","lastModified":"2026-06-01T18:22:32.550","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the cryptographic verification pipeline of Vanetza. When processing incoming V2X messages, the ASN.1 decoder accepts the structure as syntactically valid. However, this reveals a logic-based protocol failure where semantic constraints on specific fields are only strictly enforced during OER re-encoding. Specifically, if a crafted packet contains a certificate where the Psid (Provider Service Identifier) sub-type violates subtype constraints (e.g., out-of-range or invalid CHOICE variant), it is accepted during initial parsing, where subtype constraints are not enforced. Later, when StraightVerifyService attempts to calculate a message hash for cryptographic verification, it must re-encode the signing certificate. The underlying ASN.1 wrapper (asn1c_wrapper.cpp) detects the semantic violation during encoding and raises a std::runtime_error. This exception is not caught within the encoding path and propagates to std::terminate, resulting in immediate process termination. This vulnerability is fixed with commit e1a2e2709210d309458c3d77f98d50dec26c0df0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-248"}]}],"references":[{"url":"https://github.com/riebl/vanetza/commit/e1a2e2709210d309458c3d77f98d50dec26c0df0","source":"security-advisories@github.com"},{"url":"https://github.com/riebl/vanetza/security/advisories/GHSA-q9fq-3rx9-7xcv","source":"security-advisories@github.com"},{"url":"https://github.com/riebl/vanetza/security/advisories/GHSA-q9fq-3rx9-7xcv","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44966","sourceIdentifier":"security-advisories@github.com","published":"2026-05-26T22:16:43.293","lastModified":"2026-06-01T18:13:02.370","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1321"}]}],"references":[{"url":"https://github.com/shepherdwind/velocity.js/security/advisories/GHSA-j658-c2gf-x6pq","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-44983","sourceIdentifier":"security-advisories@github.com","published":"2026-05-26T22:16:43.440","lastModified":"2026-06-01T18:22:32.550","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"smallbitvec is a growable bit-vector for Rust, optimized for size. From 1.0.1 to 2.6.0, an integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller. This vulnerability is fixed in 2.6.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-122"},{"lang":"en","value":"CWE-190"}]}],"references":[{"url":"https://github.com/servo/smallbitvec/security/advisories/GHSA-97wc-2hqc-cjgr","source":"security-advisories@github.com"},{"url":"https://github.com/servo/smallbitvec/security/advisories/GHSA-97wc-2hqc-cjgr","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-5260","sourceIdentifier":"secalert@redhat.com","published":"2026-05-26T22:16:44.170","lastModified":"2026-06-01T21:16:47.363","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1284"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:20611","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-5260","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467450","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-8606","sourceIdentifier":"product-cna@github.com","published":"2026-05-27T00:16:37.900","lastModified":"2026-06-01T18:33:07.067","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program."}],"metrics":{"cvssMetricV40":[{"source":"product-cna@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"product-cna@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*","versionEndExcluding":"3.16.19","matchCriteriaId":"8A162402-8F4C-4291-8D76-5F4F8295379D"},{"vulnerable":true,"criteria":"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*","versionStartIncluding":"3.17.0","versionEndExcluding":"3.17.16","matchCriteriaId":"5FBFDB4E-1878-499C-9D00-52E9C074F3C9"},{"vulnerable":true,"criteria":"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*","versionStartIncluding":"3.18.0","versionEndExcluding":"3.18.10","matchCriteriaId":"B3D5BD25-0F18-4915-9399-D42302247396"},{"vulnerable":true,"criteria":"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19.0","versionEndExcluding":"3.19.7","matchCriteriaId":"4FF939CE-B42A-4091-ACF0-AF80FFBFDC25"},{"vulnerable":true,"criteria":"cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*","versionStartIncluding":"3.20.0","versionEndExcluding":"3.20.3","matchCriteriaId":"BA3298CD-3841-491D-8056-7AC03FC6473F"},{"vulnerable":true,"criteria":"cpe:2.3:a:github:enterprise_server:3.21.0:*:*:*:*:*:*:*","matchCriteriaId":"5CA62620-E9BF-4544-ACA8-1F2158F1D755"}]}]}],"references":[{"url":"https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.19","source":"product-cna@github.com","tags":["Product","Release Notes"]},{"url":"https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.16","source":"product-cna@github.com","tags":["Product","Release Notes"]},{"url":"https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.10","source":"product-cna@github.com","tags":["Product","Release Notes"]},{"url":"https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.7","source":"product-cna@github.com","tags":["Product","Release Notes"]},{"url":"https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.3","source":"product-cna@github.com","tags":["Product","Release Notes"]},{"url":"https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.1","source":"product-cna@github.com","tags":["Product","Release Notes"]}]}},{"cve":{"id":"CVE-2025-13593","sourceIdentifier":"security@synology.com","published":"2026-05-27T09:16:26.730","lastModified":"2026-06-01T20:05:14.403","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content when installing."}],"metrics":{"cvssMetricV31":[{"source":"security@synology.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.3,"impactScore":3.6}]},"weaknesses":[{"source":"security@synology.com","type":"Primary","description":[{"lang":"en","value":"CWE-346"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:synology:activeprotect_agent:*:*:*:*:*:*:*:*","versionEndExcluding":"1.1.0-0439","matchCriteriaId":"DF969204-387E-4284-BEEB-FD4C00687671"}]}]}],"references":[{"url":"https://www.synology.com/en-global/security/advisory/Synology_SA_25_15","source":"security@synology.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-66592","sourceIdentifier":"security@synology.com","published":"2026-05-27T09:16:27.633","lastModified":"2026-06-01T20:03:08.153","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content during installation."}],"metrics":{"cvssMetricV31":[{"source":"security@synology.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.3,"impactScore":3.6}]},"weaknesses":[{"source":"security@synology.com","type":"Primary","description":[{"lang":"en","value":"CWE-346"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:synology:active_backup_for_business_agent:*:*:*:*:*:*:*:*","versionEndExcluding":"3.1.0-4967","matchCriteriaId":"D44F30B1-C1B4-4FC9-ABF7-477968A00D15"}]}]}],"references":[{"url":"https://www.synology.com/en-global/security/advisory/Synology_SA_25_16","source":"security@synology.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-66593","sourceIdentifier":"security@synology.com","published":"2026-05-27T09:16:27.760","lastModified":"2026-06-01T20:01:29.880","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content during installation."}],"metrics":{"cvssMetricV31":[{"source":"security@synology.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.3,"impactScore":3.6}]},"weaknesses":[{"source":"security@synology.com","type":"Primary","description":[{"lang":"en","value":"CWE-346"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:synology:assistant:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.6-50085","matchCriteriaId":"D60EF831-1679-44D7-802D-C4454C34D682"}]}]}],"references":[{"url":"https://www.synology.com/en-global/security/advisory/Synology_SA_25_17","source":"security@synology.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-2237","sourceIdentifier":"security@synology.com","published":"2026-05-27T09:16:27.877","lastModified":"2026-06-01T19:55:06.910","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information."}],"metrics":{"cvssMetricV31":[{"source":"security@synology.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":6.2,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.5,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@synology.com","type":"Primary","description":[{"lang":"en","value":"CWE-598"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:synology:storage_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.1-1100","matchCriteriaId":"756F5C37-D90E-4935-8A45-2A6833731D74"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:synology:diskstation_manager:7.2.1:*:*:*:*:*:*:*","matchCriteriaId":"591E364C-B846-4FFF-815C-5E1BC2FB8A6C"},{"vulnerable":false,"criteria":"cpe:2.3:o:synology:diskstation_manager:7.2.2:*:*:*:*:*:*:*","matchCriteriaId":"4E22F435-F709-495B-84B4-A478C63331B9"},{"vulnerable":false,"criteria":"cpe:2.3:o:synology:diskstation_manager:7.3:*:*:*:*:*:*:*","matchCriteriaId":"B4B9ADBD-1F6B-4BA9-9B78-042C5EF41EC4"}]}]}],"references":[{"url":"https://www.synology.com/en-global/security/advisory/Synology_SA_26_01","source":"security@synology.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45838","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T11:16:23.130","lastModified":"2026-06-01T17:17:11.967","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix end-of-list detection in cgroup_storage_get_next_key()\n\nlist_next_entry() never returns NULL -- when the current element is the\nlast entry it wraps to the list head via container_of(). The subsequent\nNULL check is therefore dead code and get_next_key() never returns\n-ENOENT for the last element, instead reading storage->key from a bogus\npointer that aliases internal map fields and copying the result to\nuserspace.\n\nReplace it with list_entry_is_head() so the function correctly returns\n-ENOENT when there are no more entries."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45839","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T11:16:23.247","lastModified":"2026-06-01T17:17:12.313","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()\n\nCO-RE accessor strings are colon-separated indices that describe a path\nfrom a root BTF type to a target field, e.g. \"0:1:2\" walks through\nnested struct members. bpf_core_parse_spec() parses each component with\nsscanf(\"%d\"), so negative values like -1 are silently accepted. The\nsubsequent bounds checks (access_idx >= btf_vlen(t)) only guard the\nupper bound and always pass for negative values because C integer\npromotion converts the __u16 btf_vlen result to int, making the\ncomparison (int)(-1) >= (int)(N) false for any positive N.\n\nWhen -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff,\nproducing an out-of-bounds read far past the members array. A crafted\nBPF program with a negative CO-RE accessor on any struct that exists in\nvmlinux BTF (e.g. task_struct) crashes the kernel deterministically\nduring BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y\n(default on major distributions). The bug is reachable with CAP_BPF:\n\n BUG: unable to handle page fault for address: ffffed11818b6626\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)\n RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)\n RAX: 00000000ffffffff\n Call Trace:\n \n bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)\n bpf_core_apply (kernel/bpf/btf.c:9507)\n check_core_relo (kernel/bpf/verifier.c:19475)\n bpf_check (kernel/bpf/verifier.c:26031)\n bpf_prog_load (kernel/bpf/syscall.c:3089)\n __sys_bpf (kernel/bpf/syscall.c:6228)\n \n\nCO-RE accessor indices are inherently non-negative (struct member index,\narray element index, or enumerator index), so reject them immediately\nafter parsing."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/669349b4612c26b3d7aacfa99d7174681bd19223","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a9e777f856cd2f1efc106afc7bf21aef868509d5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45840","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T11:16:23.363","lastModified":"2026-06-01T17:17:12.587","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: cap upcall PID array size and pre-size vport replies\n\nThe vport netlink reply helpers allocate a fixed-size skb with\nnlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID\narray via ovs_vport_get_upcall_portids(). Since\novs_vport_set_upcall_portids() accepts any non-zero multiple of\nsizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID\narray large enough to overflow the reply buffer, causing nla_put() to\nfail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with\nunprivileged user namespaces enabled (e.g., Ubuntu default), this is\nreachable via unshare -Urn since OVS vport mutation operations use\nGENL_UNS_ADMIN_PERM.\n\n kernel BUG at net/openvswitch/datapath.c:2414!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1\n RIP: 0010:ovs_vport_cmd_set+0x34c/0x400\n Call Trace:\n \n genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)\n genl_rcv_msg (net/netlink/genetlink.c:1194)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n genl_rcv (net/netlink/genetlink.c:1219)\n netlink_unicast (net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n __sys_sendto (net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n \n Kernel panic - not syncing: Fatal exception\n\nReject attempts to set more PIDs than nr_cpu_ids in\novs_vport_set_upcall_portids(), and pre-compute the worst-case reply\nsize in ovs_vport_cmd_msg_size() based on that bound, similar to the\nexisting ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already\nused by the per-CPU dispatch configuration on the datapath side\n(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the\ntwo sides stay consistent."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8d59b80e69dddb665eb2de36e62859ab2073470e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b39f763d720d623218bc1d95ace6855d7b474e81","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d9e47e29aacb9f8a9d59feb6ab5b128a9bbb40b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45841","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T11:16:23.493","lastModified":"2026-06-01T17:17:14.157","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO\n\nnf_osf_match_one() computes ctx->window % f->wss.val in the\nOSF_WSS_MODULO branch with no guard for f->wss.val == 0. A\nCAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a\nsubsequent matching TCP SYN divides by zero and panics the kernel.\n\nReject the bogus fingerprint in nfnl_osf_add_callback() above the\nper-option for-loop. f->wss is per-fingerprint, not per-option, so\nthe check must run regardless of f->opt_num (including 0). Also\nreject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that\nas \"should not happen\".\n\nCrash:\n Oops: divide error: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n \n nf_osf_match (net/netfilter/nfnetlink_osf.c:220)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)\n nf_hook_slow (net/netfilter/core.c:622)\n ip_local_deliver (net/ipv4/ip_input.c:265)\n ip_rcv (include/linux/skbuff.h:1162)\n __netif_receive_skb_one_core (net/core/dev.c:6181)\n process_backlog (net/core/dev.c:6642)\n __napi_poll (net/core/dev.c:7710)\n net_rx_action (net/core/dev.c:7945)\n handle_softirqs (kernel/softirq.c:622)"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0694618cf3e9b120666e31f5f383a6e466d95a0d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/26900306a5a2c3e4f75c643a064525526bb6e5f3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cb833bbc1b3c51e08652d3c86298307c07d3f2db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45842","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T11:16:23.600","lastModified":"2026-06-01T17:17:14.320","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of 'no receive compression'. In that case the\nallocation loop in slhc_init() is skipped, so comp->rstate stays\nNULL and comp->rslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp->rstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = &comp->rstate[...] after only comparing the packet's slot number\nto comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val >> 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n \n ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n tasklet_action_common (kernel/softirq.c:926)\n handle_softirqs (kernel/softirq.c:623)\n run_ksoftirqd (kernel/softirq.c:1055)\n smpboot_thread_fn (kernel/smpboot.c:160)\n kthread (kernel/kthread.c:436)\n ret_from_fork (arch/x86/kernel/process.c:164)\n \n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing 'bad' label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots >= 1, and\nslip.c always calls slhc_init(16, 16), so comp->tstate remains valid\nand slhc_compress() continues to work."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/3d71c961febddd855d3ae9a519eeb96c8023f430","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4aa9eca6fda2919027dfd7a7cc69334982d89586","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/72304fec672e8aac9ee7b9c475db96b37cca8d8d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45843","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T11:16:23.743","lastModified":"2026-06-01T17:17:14.660","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nslip: bound decode() reads against the compressed packet length\n\nslhc_uncompress() parses a VJ-compressed TCP header by advancing a\npointer through the packet via decode() and pull16(). Neither helper\nbounds-checks against isize, and decode() masks its return with\n& 0xffff so it can never return the -1 that callers test for -- those\nerror paths are dead code.\n\nA short compressed frame whose change byte requests optional fields\nlets decode() read past the end of the packet. The over-read bytes\nare folded into the cached cstate and reflected into subsequent\nreconstructed packets.\n\nMake decode() and pull16() take the packet end pointer and return -1\nwhen exhausted. Add a bounds check before the TCP-checksum read.\nThe existing == -1 tests now do what they were always meant to."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"references":[{"url":"https://git.kernel.org/stable/c/0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/335957df4ed60f02a2ec0432fbedbf0cc7241d8b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/37537e42e6df387398bee85cb85070cc80bb1e10","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4cefe32639933d652614b0bd50f818f9af4af78f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6268f01ae989013671b526c883e92655342c6f6f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9aafba2f49e1fcccc2018816f5836a609c925879","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d42bec6e4f6d6d658be365539400b3314b76b2a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45844","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T11:16:23.847","lastModified":"2026-06-01T17:17:14.947","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: arp_tables: fix IEEE1394 ARP payload parsing\n\nWeiming Shi says:\n\n\"arp_packet_match() unconditionally parses the ARP payload assuming two\nhardware addresses are present (source and target). However,\nIPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address\nfield, and arp_hdr_len() already accounts for this by returning a\nshorter length for ARPHRD_IEEE1394 devices.\n\nAs a result, on IEEE1394 interfaces arp_packet_match() advances past a\nnonexistent target hardware address and reads the wrong bytes for both\nthe target device address comparison and the target IP address. This\ncauses arptables rules to match against garbage data, leading to\nincorrect filtering decisions: packets that should be accepted may be\ndropped and vice versa.\n\nThe ARP stack in net/ipv4/arp.c (arp_create and arp_process) already\nhandles this correctly by skipping the target hardware address for\nARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"\n\nMangle the original patch to always return 0 (no match) in case user\nmatches on the target hardware address which is never present in\nIEEE1394.\n\nNote that this returns 0 (no match) for either normal and inverse match\nbecause matching in the target hardware address in ARPHRD_IEEE1394 has\nnever been supported by arptables. This is intentional, matching on the\ntarget hardware address should never evaluate true for ARPHRD_IEEE1394.\n\nMoreover, adjust arpt_mangle to drop the packet too as AI suggests:\n\nIn arpt_mangle, the logic assumes a standard ARP layout. Because\nIEEE1394 (FireWire) omits the target hardware address, the linear\npointer arithmetic miscalculates the offset for the target IP address.\nThis causes mangling operations to write to the wrong location, leading\nto packet corruption. To ensure safety, this patch drops packets\n(NF_DROP) when mangling is requested for these fields on IEEE1394\ndevices, as the current implementation cannot correctly map the FireWire\nARP payload.\n\nThis omits both mangling target hardware and IP address. Even if IP\naddress mangling should be possible in IEEE1394, this would require\nto adjust arpt_mangle offset calculation, which has never been\nsupported.\n\nBased on patch from Weiming Shi ."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/03ea11dbefaa55c502735ee551c89ef773fe753b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0f23a1457695f1a61f64367e39f0f9cfa29947d1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1c55053f8ffdc060006df898fd3664e3d1bfac7b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e285362ef7096eb12733370d59e033f4a1d294a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e8e3f449b1e73b73a843257635b9c50f0cc0f0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/84e8536c981338d0d8cc6e712cf71a936a93e13f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ac698d81fd6619c7504cee913f1cab5285fba1b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45846","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T11:16:24.083","lastModified":"2026-06-01T17:17:15.133","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()\n\nbareudp_fill_metadata_dst() passes bareudp->sock to\nudp_tunnel6_dst_lookup() in the IPv6 path without a NULL check.\nThe socket is only created in bareudp_open() and NULLed in\nbareudp_stop(), so calling this function while the device is down\ntriggers a NULL dereference via sock->sk.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)\n Call Trace:\n \n bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)\n do_execute_actions (net/openvswitch/actions.c:901)\n ovs_execute_actions (net/openvswitch/actions.c:1589)\n ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)\n genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)\n genl_rcv_msg (net/netlink/genetlink.c:1209)\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n \n\nAdd a NULL check returning -ESHUTDOWN, consistent with the xmit paths\nin the same driver."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/31e010a106ff6cd8ccac4bfee547fd3fa1015574","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/51eef9c072aa3405a6823a96ae666d38a3b48750","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/55193df8d6d33318435f19572bf5ea47a22eee28","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-36045","sourceIdentifier":"cve@mitre.org","published":"2026-05-27T14:16:45.287","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://gist.github.com/NucleiAv/41899be6266a9813840301577792ed68","source":"cve@mitre.org"},{"url":"https://github.com/sipeed/picoclaw/releases/tag/v0.1.2","source":"cve@mitre.org"},{"url":"https://gist.github.com/NucleiAv/41899be6266a9813840301577792ed68","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45981","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:15.233","lastModified":"2026-06-01T17:17:15.263","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: Fix device lifecycle handling in css_alloc_subchannel()\n\n`css_alloc_subchannel()` calls `device_initialize()` before setting up\nthe DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails,\nthe error path frees the subchannel structure directly, bypassing\nthe device model reference counting.\n\nOnce `device_initialize()` has been called, the embedded struct device\nmust be released via `put_device()`, allowing the release callback to\nfree the container structure.\n\nFix the error path by dropping the initial device reference with\n`put_device()` instead of calling `kfree()` directly.\n\nThis ensures correct device lifetime handling and avoids potential\nuse-after-free or double-free issues."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/6715560527e343a387e4a0d2e6c401748e89fa55","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/abb6e07f46a740cda4f07d1b561ae4eaa7a1df42","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c35cfbb5341ba05ad1b4476ffc3c21cc3ff8f603","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f96c5ccf95ae5f27218c1ce2d6a3ad2d3e105424","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45986","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:15.963","lastModified":"2026-06-01T17:17:15.383","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccree - fix a memory leak in cc_mac_digest()\n\nAdd cc_unmap_result() if cc_map_hash_request_final()\nfails to prevent potential memory leak."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/02c64052fad03699b9c6d1df2f9b444d17e4ac50","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/22f1dd4ca3bfe77db52cc7df3cc353dc114aab8b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3061c9bfb3f5b3522ab174e2fa7473b24422d1c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/502440c235fe34cee02b24d7f893841f7565b3bc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7c21d58fcd6ad8e15a539347254093c93224a8b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7cd17993adb8a5d14a7e84d751316a5fdf0c251f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/910f335786a0a0f0b46c3c8c19a13d25cb4454b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f53458c7c756b3e0838d51cf1e9f41b25079801a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45987","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:16.113","lastModified":"2026-06-01T17:17:15.497","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2\n\nAfter VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs\nfields written by the CPU from vmcb02 to the cached vmcb12. This is\nbecause the cached vmcb12 is used as the authoritative copy of some of\nthe controls, and is the payload when saving/restoring nested state.\n\nint_state is also written by the CPU, specifically bit 0 (i.e.\nSVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to\ncached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE\npreceeds KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow\nwould be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites\nwhat KVM_SET_NESTED_STATE restored in int_state).\n\nHowever, if KVM_SET_VCPU_EVENTS preceeds KVM_SET_NESTED_STATE, an\ninterrupt shadow would be restored into vmcb01 instead of vmcb02. This\nwould mostly be benign for L1 (delays an interrupt), but not for L2. For\nL2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before\na HLT that should have been in an interrupt shadow).\n\nSync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()\nto avoid this problem. With that, KVM_SET_NESTED_STATE restores the\ncorrect interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it\nwould overwrite it with the same value."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/03bee264f8ebfd39e0254c98e112d033a7aa9055","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0c1f74d8b74d8a31751fb6ea5417e48e02c93b58","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1709418535a8df95532999d61b03d59975280258","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2f950eeb27af6885416232761700b8820cae0a61","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/497f6af9679fc9c6ce2f438e11ed5d51b1aa8297","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4b44aa1a134e499c4517597118378b308602a16c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e0377e52f3c10ee572732d11b04625b7f517a862","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e39a77a9b1e17d2d831c304eafac4c41a784a0be","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45992","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:16.747","lastModified":"2026-06-01T17:17:15.630","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: Fix potentially leftover ep1_in_urb at error path\n\nThe previous fix for handling the error from setup_card() missed that\nan internal URB cdev->ep1_in_urb might have been already submitted\nbeforehand. In the normal case, this URB gets killed at the\ndisconnection, but in the error path, we didn't do it, hence there can\nbe a potential leak.\n\nFix it in the error path for setup_card(), too."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/089940d969e13e129b54f104a578cbafd99e308b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0a7b5221b5b51cc798fcfc3be00d02eade149d69","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1d160e30aa42b7c41163e51366bb34432367260d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2d42c3386b7389d33caea7184cdb0188997fa6a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/438ab932dc6fef5b001dfeba08a18a491edc8f7b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/be62c8bb03b6aec3790a943d4a7567d4d73b8be9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d50223ae98148fcc3bba18e718e4b0608df83bce","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e0fb842af7052f0ab9e709db0c59300aa4051fc0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45994","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:16.970","lastModified":"2026-06-01T17:17:16.687","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nibmasm: fix OOB reads in command_file_write due to missing size checks\n\nThe command_file_write() handler allocates a kernel buffer of exactly\ncount bytes and copies user data into it, but does not validate the\nbuffer against the dot command protocol before passing it to\nget_dot_command_size() and get_dot_command_timeout().\n\nSince both the allocation size (count) and the header fields (command_size,\ndata_size) are independently user-controlled, an attacker can cause\nget_dot_command_size() to return a value exceeding the allocation,\ntriggering OOB reads in get_dot_command_timeout() and an out-of-bounds\nmemcpy_toio() that leaks kernel heap memory to the service processor.\n\nFix with two guards: reject writes smaller than sizeof(struct\ndot_command_header) before allocation, then after copying user data\nreject commands where the buffer is smaller than the total size declared\nby the header (sizeof(header) + command_size + data_size). This ensures\nall subsequent header and payload field accesses stay within the buffer."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/44ee19422aa82a6847594866de7e5a31e4ef98b3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7b8a574da5d7ea99b943f7a3458a17a1d95e8838","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d50e2019c9d7c433f56d9dff65703eb904aa1fb1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-45997","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:17.280","lastModified":"2026-06-01T17:17:16.817","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sd: fix missing put_disk() when device_add(&disk_dev) fails\n\nIf device_add(&sdkp->disk_dev) fails, put_device() runs\nscsi_disk_release(), which frees the scsi_disk but leaves the gendisk\nreferenced. The device_add_disk() error path in sd_probe() calls\nput_disk(gd); call put_disk(gd) here to mirror that cleanup."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/13e550fbfccdb311e76ec96892dfe35f0dba0657","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e111c4b3a726df1254670a5cc4868cedb946d37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/262152ec37101f9dc524743ccdbd6c7641d14573","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2c2c14b7dfccad8c5a28802849e40c21252e4c28","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a95d38c5701431bfc826e7b18acc0785919d5c88","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b64b4f499801b12d0e2785447e4df6c164c608a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46002","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:17.880","lastModified":"2026-06-01T17:17:16.983","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next2: reject inodes with zero i_nlink and valid mode in ext2_iget()\n\next2_iget() already rejects inodes with i_nlink == 0 when i_mode is\nzero or i_dtime is set, treating them as deleted. However, the case of\ni_nlink == 0 with a non-zero mode and zero dtime slips through. Since\next2 has no orphan list, such a combination can only result from\nfilesystem corruption - a legitimate inode deletion always sets either\ni_dtime or clears i_mode before freeing the inode.\n\nA crafted image can exploit this gap to present such an inode to the\nVFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via\next2_unlink(), ext2_rename() and ext2_rmdir():\n\nWARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n \n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295\n vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477\n do_unlinkat+0x53e/0x730 fs/namei.c:4541\n __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \n\nWARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1\nCall Trace:\n \n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rename+0x35e/0x850 fs/ext2/namei.c:374\n vfs_rename+0xf2f/0x2060 fs/namei.c:5021\n do_renameat2+0xbe2/0xd50 fs/namei.c:5178\n __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \n\nWARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n \n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311\n vfs_rmdir+0x204/0x690 fs/namei.c:4348\n do_rmdir+0x372/0x3e0 fs/namei.c:4407\n __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \n\nExtend the existing i_nlink == 0 check to also catch this case,\nreporting the corruption via ext2_error() and returning -EFSCORRUPTED.\nThis rejects the inode at load time and prevents it from reaching any\nof the namei.c paths.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/25947cc5b2374cd5bf627fe3141496444260d04f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2dde6377ab2e46bb80cf066c659ef016f3ad7a9b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/32e0b925572686399243834ec99e2a9d85c62eae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/470264bbec499e276a89a6431144ae58f411ea4d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e2d67fb2b73eeff8b601e26b332128eae8147bb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a69a0c5156b6f0092b9fcf44517f5831a962de2d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d3af04a43db86379df7438bf8bade71685b8a239","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46004","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:18.120","lastModified":"2026-06-01T17:17:17.150","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: Handle probe errors properly\n\nThe probe procedure of setup_card() in caiaq driver doesn't treat the\nerror cases gracefully, e.g. the error from snd_card_register() calls\nsnd_card_free() but continues. This would lead to a UAF for the\nfurther calls like snd_usb_caiaq_control_init(), as Berk suggested in\nanother patch in the link below.\n\nHowever, the problem is not only that; in general, this function drops\nthe all error handlings (as it's a void function) although its caller\ncan propagate an error to snd_probe(), which eventually calls\nsnd_card_free() as a proper error path. That said, we should treat\neach error case in setup_card(), and just return the error code\npromptly, which is then handled later as a fatal error in snd_probe().\n\nThis patch achieves it by changing the setup_card() to return an error\ncode. Also, the superfluous snd_card_free() call is removed, too.\n\nNote that card->private_free can be set still safely at returning an\nerror. All called functions in card_free() have checks of the\nunassigned resources or NULL checks."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/09616e25f502080ba684fc7fcf959d1376ab756d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/096dd8519cf2f768e9e14f224b627f7aaee1a9c5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/28abd224db4a49560b452115bca3672a20e45b2f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6251e3e256337a30160ef59ab1580dde4d1acd28","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b956e48371f2ff72b76be9a829800ecec963bd45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/da938aa9fc7826901921dcea225948ab21a97e45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f537e3ad69609f6924a4db6b4a7f6561f5288bdd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46006","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:18.353","lastModified":"2026-06-01T17:17:17.480","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix u32 overflow in pushbuf reloc bounds check\n\nnouveau_gem_pushbuf_reloc_apply() validates each relocation with\n\n if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)\n\nbut reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer\nliteral 4 promotes to unsigned int, so the addition is performed in 32\nbits and wraps before the comparison against the size_t bo size.\n\nCast to u64 so the addition happens in 64-bit arithmetic.\n\n[ Add Fixes: tag. - Danilo ]"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/2fc87d37be1b730a149b035f9375fdb8cc5333a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/332884f5eb79dd60a7162b079d09d39208567a31","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/45a45184b9c0b0b26ead06e370cda2073616a7cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/573a1104bd36e49c067a9dc62e7c476d5ee7e92a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d749a9a0ee4014681487e7ae549901aa8c176637","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e441d5c23ec644c8d27593db3b8928e8933512a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fa297e919d1680c38ab268ff952b1698dac987f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46009","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:18.710","lastModified":"2026-06-01T17:17:17.817","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown\n\nepf_ntb_epc_destroy() duplicates the teardown that the caller is\nsupposed to do later. This leads to an oops when .allow_link fails or\nwhen .drop_link is performed. Remove the helper.\n\nAlso drop pci_epc_put(). EPC device refcounting is tied to configfs EPC\ngroup lifetime, and pci_epc_put() in the .drop_link path is sufficient."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/3446beddba450c8d6f9aca2f028712ac527fead3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/65fc57c8b8f0b31be62be291cb1bb01755cec85d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/72099f015d3c77bf2eb703d1aab113bd7a60915a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/756ca5e7ed22d9045bb4de4c981f9149278d5cd3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c3029721b84f59e790285ad27544ed5d3cb0f2a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c72f6a7ea638f95c486a5cfd86e567b646027687","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e813c95e4c8edd31599081e6356e20ada30e266d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46015","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:19.840","lastModified":"2026-06-01T17:17:18.063","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: call sk_data_ready() after listener migration\n\nWhen inet_csk_listen_stop() migrates an established child socket from\na closing listener to another socket in the same SO_REUSEPORT group,\nthe target listener gets a new accept-queue entry via\ninet_csk_reqsk_queue_add(), but that path never notifies the target\nlistener's waiters. A nonblocking accept() still works because it\nchecks the queue directly, but poll()/epoll_wait() waiters and\nblocking accept() callers can also remain asleep indefinitely.\n\nCall READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration\nin inet_csk_listen_stop().\n\nHowever, after inet_csk_reqsk_queue_add() succeeds, the ref acquired\nin reuseport_migrate_sock() is effectively transferred to\nnreq->rsk_listener. Another CPU can then dequeue nreq via accept()\nor listener shutdown, hit reqsk_put(), and drop that listener ref.\nSince listeners are SOCK_RCU_FREE, wrap the post-queue_add()\ndereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also\ncovers the existing sock_net(nsk) access in that path.\n\nThe reqsk_timer_handler() path does not need the same changes for two\nreasons: half-open requests become readable only after the final ACK,\nwhere tcp_child_process() already wakes the listener; and once nreq is\nvisible via inet_ehash_insert(), the success path no longer touches\nnsk directly."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/12625b4da84caf4d84a04988710a7b9bcf702b18","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/14e9bb6eba8f59dcc637702e4744ae5e30660d76","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3864c6ba1e041bc75342353a70fa2a2c6f909923","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7aa7933a5607b1e5b56f322d17265c1d0ea02c51","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/83bb57635d7cbafde32f865b577ecfd969f02337","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ab5fdcd535645f6dbe6e9e21d96a08d141e88b4b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bebd058ef40c67a81fe6d9ee8beaa4ede90e0704","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46018","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:20.240","lastModified":"2026-06-01T17:17:18.380","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES\n\nparse_uac2_sample_rate_range() caps the number of enumerated\nrates at MAX_NR_RATES, but it only breaks out of the current\nrate loop. A malformed UAC2 RANGE response with additional\ntriplets continues parsing the remaining triplets and repeatedly\nprints \"invalid uac2 rates\" while probe still holds\nregister_mutex.\n\nStop the whole parse once the cap is reached and return the\nnumber of rates collected so far."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0da05fedf5e1966b7e7d389866cb86fcf09f4b32","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4d7893a137eadb6163ea4298bf67d74b811d76ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5436bc1b07d4656f99412dc72871d250d7d55205","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a0b78639ef09b2e77974a3de3b1c07f6de3c5e56","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ab5ba9fd138758ddc50222264ff246b31e397abf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ba036305323814ec1f8655313b2fa6a0f7048716","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f14bd323eec4b4f0ef662520ec852e593ece1d4c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46019","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:20.353","lastModified":"2026-06-01T17:17:18.540","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup\n\natmel_aes_buff_init() allocates 4 pages using __get_free_pages() with\nATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the\nfirst page using free_page(), leaking the remaining 3 pages. Use\nfree_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/03e00aafa5f747d07811589e8d5fee638245431b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/230ad8a78fe67266b1ba4685da1abdd61471c5b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3fcfff4ed35f963380a68741bcd52742baff7f76","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5ad40cde96d603a88d68f8ed59f6d36407ab1f3c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/61516b4a5b2647dc3f8f67b5dffaf038be997511","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/65b3589d39d05699c3850202f8333e5361033ea3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/de6952e0af2acbada900d742437e848285c01d11","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46022","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:20.670","lastModified":"2026-06-01T17:17:18.680","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()\n\nibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read\nwhen the queue reader or writer index from hardware exceeds\nREMOTE_QUEUE_SIZE (60).\n\nA compromised service processor can trigger this by writing an\nout-of-range value to the reader or writer MMIO register before\nasserting an interrupt. Since writer is re-read from hardware on\nevery loop iteration, it can also be set to an out-of-range value\nafter the loop has already started.\n\nThe root cause is that get_queue_reader() and get_queue_writer() return\nraw readl() values that are passed directly into get_queue_entry(),\nwhich computes:\n\n queue_begin + reader * sizeof(struct remote_input)\n\nwith no bounds check. This unchecked MMIO address is then passed to\nmemcpy_fromio(), reading 8 bytes from unintended device registers.\nFor sufficiently large values the address falls outside the PCI BAR\nmapping entirely, triggering a machine check exception.\n\nFix by checking both indices against REMOTE_QUEUE_SIZE at the top of\nthe loop body, before any call to get_queue_entry(). On an out-of-range\nvalue, reset the reader register to 0 via set_queue_reader() before\nbreaking, so that normal queue operation can resume if the corrupted\nhardware state is transient."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6f6ecc9153df176e956d0664b56f93080b0a45f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bac8643486f854dd53af9b23aea7dbbd9b7c1865","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46023","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:20.783","lastModified":"2026-06-01T17:17:18.813","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm mirror: fix integer overflow in create_dirty_log()\n\nThe argument count calculation in create_dirty_log() performs\n`*args_used = 2 + param_count` before validating against argc. When a\nuser provides a param_count close to UINT_MAX via the device mapper\ntable string, this unsigned addition wraps around to a small value,\ncausing the subsequent `argc < *args_used` check to be bypassed.\n\nThe overflowed param_count is then passed as argc to dm_dirty_log_create(),\nwhere it can cause out-of-bounds reads on the argv array.\n\nFix by comparing param_count against argc - 2 before performing the\naddition, following the same pattern used by parse_features() in the\nsame file. Since argc >= 2 is already guaranteed, the subtraction is\nsafe."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/17a08791d428885d00e510864283a7b839792368","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/249c831183fb806c8e3b14c7c4c1d2fb68cf37fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/35f6b3281efd44d19110574663bc17a610bc73b9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/47dad9eea75d33212d3d2cea10e7ed6a1bfc0713","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4c788c6f921b22f9b6c3f316c4a071c05683e7de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/87c99a50e0fdc68a5b9b52a94d49452cd3ff02ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ae59b3025609d5a0a39cf5b2b94e2467f6231573","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e5e0ae3237584ebef510366c4cb3d5cc7c22b610","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46024","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:20.890","lastModified":"2026-06-01T17:17:18.953","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()\n\nIf a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both\nprotocol and result, this is currently not treated as an error. In case\nof ac->negotiating == true and ac->protocol > 0, this leads to setting\nac->protocol = 0 and ac->ops = NULL. Thereafter, the check for\nac->protocol != protocol returns false, and init_protocol() is not\ncalled. Subsequently, ac->ops->handle_reply() is called, which leads to\na null pointer dereference, because ac->ops is still NULL.\n\nThis patch changes the check for ac->protocol != protocol to\n!ac->protocol, as this also includes the case when the protocol was set\nto zero in the message. This causes the message to be treated as\ncontaining a bad auth protocol."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"references":[{"url":"https://git.kernel.org/stable/c/016bc663657366d386993f63eb31072eb45a2b77","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4b2738b93edad661178340239de657d876b73d3d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5199c125d25aeae8615c4fc31652cc0fe624338e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8f2be7285941a33a9f72579a23b96392f83c758e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/927e4bd5692f2a4901808822981fb2c8d4456548","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9ded62c302c0342efdb5eda3bf6e75720caad0df","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f101271fcf55d7eacfefd610b51ec65f46ba8118","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46027","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:21.303","lastModified":"2026-06-01T17:17:19.090","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid early lgr access in smc_clc_wait_msg\n\nA CLC decline can be received while the handshake is still in an early\nstage, before the connection has been associated with a link group.\n\nThe decline handling in smc_clc_wait_msg() updates link-group level sync\nstate for first-contact declines, but that state only exists after link\ngroup setup has completed. Guard the link-group update accordingly and\nkeep the per-socket peer diagnosis handling unchanged.\n\nThis preserves the existing sync_err handling for established link-group\ncontexts and avoids touching link-group state before it is available."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"references":[{"url":"https://git.kernel.org/stable/c/22546729b96fc873b23065dc49e3d73c45cfb874","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/257cdf0c5ced9c0fba8aba501d94b0a5fcef2086","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5a8db80f721deee8e916c2cfdee78decda02ce4f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5eedbfd82c2884e0010fdfb3c9446a6ebcadb691","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6180a296ca65b08a81914805cbc0f78da5f10a1f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/83bcf9228b0501694fb2589ed1d142855a2887f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ea0b5d0fe96356dce38f98375a57c52a04e13712","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f0858e1d5624bb120b198f2a8528f97a9b0ae069","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46031","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:22.057","lastModified":"2026-06-01T17:17:19.227","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Reinstate disabling of BHs around IRQ handler\n\nIf the driver executes ks8851_irq() AND a TX packet has been sent, then\nthe driver enables TX queue via netif_wake_queue() which schedules TX\nsoftirq to queue packets for this device.\n\nIf CONFIG_PREEMPT_RT=y is set AND a packet has also been received by\nthe MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to\nallocate SKBs for the received packets. If netdev_alloc_skb_ip_align()\nis called with BH enabled, then local_bh_enable() at the end of\nnetdev_alloc_skb_ip_align() will trigger the pending softirq processing,\nwhich may ultimately call the .xmit callback ks8851_start_xmit_par().\nThe ks8851_start_xmit_par() will try to lock struct ks8851_net_par\n.lock spinlock, which is already locked by ks8851_irq() from which\nks8851_start_xmit_par() was called. This leads to a deadlock, which\nis reported by the kernel, including a trace listed below.\n\nIf CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0\n(\"net: ks8851: Fix deadlock with the SPI chip variant\") the deadlock\ncan also be triggered without received packet in the RX FIFO. The\npending softirqs will be processed on return from\nspin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the\ndeadlock as well.\n\nFix the problem by disabling BH around critical sections, including the\nIRQ handler, thus preventing the net_tx_action() softirq from triggering\nduring these critical sections. The net_tx_action() softirq is triggered\nonce BH are re-enabled and at the end of the IRQ handler, once all the\nother IRQ handler actions have been completed.\n\n __schedule from schedule_rtlock+0x1c/0x34\n schedule_rtlock from rtlock_slowlock_locked+0x548/0x904\n rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c\n rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8\n ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44\n netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188\n dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c\n sch_direct_xmit from __qdisc_run+0x1f8/0x4ec\n __qdisc_run from qdisc_run+0x1c/0x28\n qdisc_run from net_tx_action+0x1f0/0x268\n net_tx_action from handle_softirqs+0x1a4/0x270\n handle_softirqs from __local_bh_enable_ip+0xcc/0xe0\n __local_bh_enable_ip from __alloc_skb+0xd8/0x128\n __alloc_skb from __netdev_alloc_skb+0x3c/0x19c\n __netdev_alloc_skb from ks8851_irq+0x388/0x4d4\n ks8851_irq from irq_thread_fn+0x24/0x64\n irq_thread_fn from irq_thread+0x178/0x28c\n irq_thread from kthread+0x12c/0x138\n kthread from ret_from_fork+0x14/0x28"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"references":[{"url":"https://git.kernel.org/stable/c/1962027a6d223f90df8b372929f9d1a8d321ad6a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/21f1707a8e978558dcb11b053855521e32ac0eec","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/518040324067d8efaa2da1992297b7e7bf5640f4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5c9fcac3c872224316714d0d8914d9af16c76a6d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/640a7631d31db87d5fa1b34cea44a99b6e78854b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/be8aad558b4675f45b43080f81a9ffdeddea73a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46033","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:22.313","lastModified":"2026-06-01T17:17:19.380","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject short ahash digests during instance creation\n\nauthencesn requires either a zero authsize or an authsize of at least\n4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of\nhigh-order sequence number data at the end of the authenticated data.\n\nWhile crypto_authenc_esn_setauthsize() already rejects explicit\nnon-zero authsizes in the range 1..3, crypto_authenc_esn_create()\nstill copied auth->digestsize into inst->alg.maxauthsize without\nvalidating it. The AEAD core then initialized the tfm's default\nauthsize from that value.\n\nAs a result, selecting an ahash with digest size 1..3, such as\ncbcmac(cipher_null), exposed authencesn instances whose default\nauthsize was invalid even though setauthsize() would have rejected the\nsame value. AF_ALG could then trigger the ESN tail handling with a\ntoo-short tag and hit an out-of-bounds access.\n\nReject authencesn instances whose ahash digest size is in the invalid\nnon-zero range 1..3 so that no tfm can inherit an unsupported default\nauthsize."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/2f31cd1e64a079c845bca31d2da7b3c90a311726","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5db6ef9847717329f12c5ea8aba7e9f588a980c0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/67f1f0933cc3d78dde222842bcad2778ec7a0b88","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/77f59fb2d3aa33e90ec6cbbf45dcfb20ab82b1a9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9aff81e8217e9de2929084b03b3c7f81988c112b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b42821c15445f93daea3e76ada682b2b7181c476","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b69933e97efea238ebbfcf70c2b1be1cd03f13e3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d4c6a6d08e70bb1083c7c405fc7faacbf19aebc0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46037","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:23.027","lastModified":"2026-06-01T17:17:19.513","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: icmp: validate reply type before using icmp_pointers\n\nExtended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type.\nThat value is outside the range covered by icmp_pointers[], which only\ndescribes the traditional ICMP types up to NR_ICMP_TYPES.\n\nAvoid consulting icmp_pointers[] for reply types outside that range, and\nuse array_index_nospec() for the remaining in-range lookup. Normal ICMP\nreplies keep their existing behavior unchanged."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2}]},"references":[{"url":"https://git.kernel.org/stable/c/67bf002a2d7387a6312138210d0bd06e3cf4879b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/92e7c209036dcc0e8ffdf806fdfd3645b263bea5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/93df2af4f491de33827550b9d420f01808c0706b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b3a88fc5ae024d43c5ecf653f3bbe837e4a6dc99","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bc64a66e0b9ad937d3d49934242ee62b01ba9a94","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c2178ff1c70ebfc2ab9651b230c58a34683db759","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d700c34a5d186b9ba0715bcb19e0ff80ffbfbfc1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46040","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:23.387","lastModified":"2026-06-01T17:17:20.490","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ninotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails\n\nWhen fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),\nthe error path calls inotify_remove_from_idr() but does not call\ndec_inotify_watches() to undo the preceding inc_inotify_watches().\nThis leaks a watch count, and repeated failures can exhaust the\nmax_user_watches limit with -ENOSPC even when no watches are active.\n\nPrior to commit 1cce1eea0aff (\"inotify: Convert to using per-namespace\nlimits\"), the watch count was incremented after fsnotify_add_mark_locked()\nsucceeded, so this path was not affected. The conversion moved\ninc_inotify_watches() before the mark insertion without adding the\ncorresponding rollback.\n\nAdd the missing dec_inotify_watches() call in the error path."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/10edf7e0ffdc7faa18e2244b17722c1b882b8273","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3ab58cf42c46bf2366d2f55ae5c59299d5e178b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3ad9ccea1b25435f6179b57aa891960beb7ce8f9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6a320935fa4293e9e599ec9f85dc9eb3be7029f8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/73ddc8518a32baff6bc17afda4ee1ebae5b4ed12","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8bcc1cd237ab5ccfdd102869fa031c541943cf40","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e48844f708eb48bae4e79cb21edc097c966306d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fdaa42ca370d056428e5e171247c8fdce8dff36a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46043","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:23.743","lastModified":"2026-06-01T17:17:20.607","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\n\nrxe_rcv() currently checks only that the incoming packet is at least\nheader_size(pkt) bytes long before payload_size() is used.\n\nHowever, payload_size() subtracts both the attacker-controlled BTH pad\nfield and RXE_ICRC_SIZE from pkt->paylen:\n\n payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt)\n - RXE_ICRC_SIZE\n\nThis means a short packet can still make payload_size() underflow even\nif it includes enough bytes for the fixed headers. Simply requiring\nheader_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a\npacket with a forged non-zero BTH pad can still leave payload_size()\nnegative and pass an underflowed value to later receive-path users.\n\nFix this by validating pkt->paylen against the full minimum length\nrequired by payload_size(): header_size(pkt) + bth_pad(pkt) +\nRXE_ICRC_SIZE."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/2c0d71ef12f46c57d37bc571f3f2797db7eb50cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2fd4f8b749309a61c3f3f88ee8891d94f79e1240","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5fedefec757192dcaad29a664ac332c7601be144","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7244491dab347f648e661da96dc0febadd9daec3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9b924f3a26b21330a837cfe72e819b6393bbeeaa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c4376c672c3648d5bdc31dfffc329d07164f93c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e8ee0e792d475b1067c199ef0af1b6221fa6f43d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f83519a4c122c9c7a850a2197648a9ff4c67c520","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46044","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:23.853","lastModified":"2026-06-01T17:17:20.740","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:ssif: Clean up kthread on errors\n\nIf an error occurs after the ssif kthread is created, but before the\nmain IPMI code starts the ssif interface, the ssif kthread will not\nbe stopped.\n\nSo make sure the kthread is stopped on an error condition if it is\nrunning."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/549607af66a0efdb41307ba6343eed31de8b133e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/75c486cb1bcaa1a3ec3a6438498176a3a4998ae4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/800febc637d1c1974b1e899dea8a07e115d60766","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/858bc8b9edb6eaf0522900128bb9053e2df6b0f6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f2d0a3ede5ebf404d4c334a1f04ef439e0086857","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46046","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:24.083","lastModified":"2026-06-01T17:17:20.837","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()\n\nThe commit c8e008b60492 (\"ext4: ignore xattrs past end\")\nintroduced a refcount leak in when block_csum is false.\n\next4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to\nget iloc.bh, but never releases it with brelse()."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/097227f1ffe1a85bc3c359f81c71e3d40e06e920","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/153ab2c52355fbebcae622db8e7b506492c73a29","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1bc1107a3a403a6d440673ed6666f7b07ef868a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e6b0a69bf2c9c819255c7566e4355536d81d9cf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/77d059519382bd66283e6a4e83ee186e87e7708f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b706d00206a9e82362a9633efbd8b5775650169b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dd98a5603a212ea9c96c6982ccdbcc748fdb9a56","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f072906688933bf47fabbaf63560be03357c8298","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46047","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:24.200","lastModified":"2026-06-01T17:17:20.980","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Fix use-after-free in driver remove()\n\nIn the remove callback, if a packet arrives after destroy_workqueue() is\ncalled, but before sock_release(), the qrtr_ns_data_ready() callback will\ntry to queue the work, causing use-after-free issue.\n\nFix this issue by saving the default 'sk_data_ready' callback during\nqrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at\nthe start of remove(). This ensures that even if a packet arrives after\ndestroy_workqueue(), the work struct will not be dereferenced.\n\nNote that it is also required to ensure that the RX threads are completed\nbefore destroying the workqueue, because the threads could be using the\nqrtr_ns_data_ready() callback."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/65168712c216584ff482a7d1a67589f2079b2634","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dff081c3602f2fd810f69ef47945a226980dd05d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46048","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:24.310","lastModified":"2026-06-01T17:17:21.090","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: fix usb_dev refcount leak on probe failure\n\ncreate_card() takes a reference on the USB device with usb_get_dev()\nand stores the matching usb_put_dev() in card_free(), which is\ninstalled as the snd_card's ->private_free destructor.\n\nHowever, ->private_free is only assigned near the end of init_card(),\nafter several failure points (usb_set_interface(), EP type checks,\nusb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its\ntimeout). When any of those fail, init_card() returns an error to\nsnd_probe(), which calls snd_card_free(card). Because ->private_free\nis still NULL, card_free() never runs, the usb_get_dev() reference\nis not dropped, and the struct usb_device leaks along with its\ndescriptor allocations and device_private.\n\nsyzbot reproduces this with a malformed UAC3 device whose only valid\naltsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call\nfails with -EIO and triggers the leak.\n\nMove the ->private_free assignment into create_card(), immediately\nafter usb_get_dev(), so that every error path reaching snd_card_free()\nbalances the reference. card_free()'s callees (snd_usb_caiaq_input_free,\nfree_urbs, kfree) already tolerate the partially-initialized state\nbecause the chip private area is zero-initialized by snd_card_new()."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6fa8dff64fb6c401ced40a05797b327659317498","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c874db8a1d2f9f08161470d00cfe8db2f5cca2cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46049","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:24.433","lastModified":"2026-06-01T17:17:21.210","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Add fallback to default RSR for S/PDIF\n\nspdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR\nfor the MSR calculation loop. However, pll_rate is only updated in\natc_pll_init() and not in hw_pll_init(), so it remains 0 after the\ncard init.\n\nWhen spdif_passthru_playback_setup() skips atc_pll_init() for\n32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin\nindefinitely.\n\nAdd fallback to use atc->rsr when atc->pll_rate is 0. This reflects\nthe hardware state, since hw_card_init() already configures the PLL\nto the default RSR."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/09496158f6ebba8830593f8972035c02f97124c1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/25ded535ee261161bcf19dafd525c542e606559d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/30f9494c6f2b53a78822cfb653ffbb1d092d44c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/615b7a5e5d8be68d52f262579906f7e015ba4606","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7d61662197ecdc458e33e475b6ada7f6da61d364","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/95b1ee8442cabbde83b2848e7c6100df90f3a00d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d0b53842211f73a10ea174100a213f7fa14b9f33","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dfc00979ff00d9dfdfa1df32144a272ee2728102","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46050","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:24.547","lastModified":"2026-06-01T17:17:21.323","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix deadlock with check operation and nowait requests\n\nWhen an array check is running it will raise the barrier at which point\nnormal requests will become blocked and increment the nr_pending value to\nsignal there is work pending inside of wait_barrier(). NOWAIT requests\ndo not block and so will return immediately with an error, and additionally\ndo not increment nr_pending in wait_barrier(). Upstream change commit\n43806c3d5b9b (\"raid10: cleanup memleak at raid10_make_request\") added a\ncall to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit\nthis condition. raid_end_bio_io() eventually calls allow_barrier() and\nit will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even\nthough the corresponding increment on nr_pending didn't happen in the\nNOWAIT case.\n\nThis can be easily seen by starting a check operation while an application\nis doing nowait IO on the same array. This results in a deadlocked state\ndue to nr_pending value underflowing and so the md resync thread gets stuck\nwaiting for nr_pending to == 0.\n\nOutput of r10conf state of the array when we hit this condition:\n\ncrash> struct r10conf\n\tbarrier = 1,\n nr_pending = {\n counter = -41\n },\n nr_waiting = 15,\n nr_queued = 0,\n\nExample of md_sync thread stuck waiting on raise_barrier() and other\nrequests stuck in wait_barrier():\n\nmd1_resync\n[<0>] raise_barrier+0xce/0x1c0\n[<0>] raid10_sync_request+0x1ca/0x1ed0\n[<0>] md_do_sync+0x779/0x1110\n[<0>] md_thread+0x90/0x160\n[<0>] kthread+0xbe/0xf0\n[<0>] ret_from_fork+0x34/0x50\n[<0>] ret_from_fork_asm+0x1a/0x30\n\nkworker/u1040:2+flush-253:4\n[<0>] wait_barrier+0x1de/0x220\n[<0>] regular_request_wait+0x30/0x180\n[<0>] raid10_make_request+0x261/0x1000\n[<0>] md_handle_request+0x13b/0x230\n[<0>] __submit_bio+0x107/0x1f0\n[<0>] submit_bio_noacct_nocheck+0x16f/0x390\n[<0>] ext4_io_submit+0x24/0x40\n[<0>] ext4_do_writepages+0x254/0xc80\n[<0>] ext4_writepages+0x84/0x120\n[<0>] do_writepages+0x7a/0x260\n[<0>] __writeback_single_inode+0x3d/0x300\n[<0>] writeback_sb_inodes+0x1dd/0x470\n[<0>] __writeback_inodes_wb+0x4c/0xe0\n[<0>] wb_writeback+0x18b/0x2d0\n[<0>] wb_workfn+0x2a1/0x400\n[<0>] process_one_work+0x149/0x330\n[<0>] worker_thread+0x2d2/0x410\n[<0>] kthread+0xbe/0xf0\n[<0>] ret_from_fork+0x34/0x50\n[<0>] ret_from_fork_asm+0x1a/0x30"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2249983d971e6839b36284e6610390b2c217dfa1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ae356d5eb1331d678985799f893e436314834a87","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46051","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:24.693","lastModified":"2026-06-01T17:17:21.457","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix soft lockup in retry_aligned_read()\n\nWhen retry_aligned_read() encounters an overlapped stripe, it releases\nthe stripe via raid5_release_stripe() which puts it on the lockless\nreleased_stripes llist. In the next raid5d loop iteration,\nrelease_stripe_list() drains the stripe onto handle_list (since\nSTRIPE_HANDLE is set by the original IO), but retry_aligned_read()\nruns before handle_active_stripes() and removes the stripe from\nhandle_list via find_get_stripe() -> list_del_init(). This prevents\nhandle_stripe() from ever processing the stripe to resolve the\noverlap, causing an infinite loop and soft lockup.\n\nFix this by using __release_stripe() with temp_inactive_list instead\nof raid5_release_stripe() in the failure path, so the stripe does not\ngo through the released_stripes llist. This allows raid5d to break out\nof its loop, and the overlap will be resolved when the stripe is\neventually processed by handle_stripe()."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/09880592f5a9dc73377d6eb5ac123537b5f8df49","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1985cb3247e87ff6b8ca4bc5f9626f4f51024507","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4166d5234fe8b6c3c7f796a6c198605356c5b355","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/66df9f30673db66ac35145820a8e24906069ae57","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/80fc6ca2cbde018d52e13f305edcd643911bd94b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/883cc33b7af1c448663287f069ef9dfea001e90f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a9055300e07d9d6800264d3c2560e1d0144689ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46053","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:24.937","lastModified":"2026-06-01T17:17:21.587","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: fix MR cleanup on copy error\n\n__rds_rdma_map() hands sg/pages ownership to the transport after\nget_mr() succeeds. If copying the generated cookie back to user space\nfails after that point, the error path must not free those resources\nagain before dropping the MR reference.\n\nRemove the duplicate unpin/free from the put_user() failure branch so\nthat MR teardown is handled only through the existing final cleanup\npath."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/033370ffb3c9c0264d19f8ba9ef769523266589a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/106dc689206610cfa2098f593fdd1e020c997835","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8141a2dc70080eda1aedc0389ed2db2b292af5bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8fdbb6262a4a3ed44a0830a7793903b54bb27bdc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/91a44b406bc1f9e1c5da0cb7d0d5991b43b79147","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b3cb8cae530b2727d8245684148bb49425f6765c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d95cea9298be1ba8876e3f156be96d3a492085ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ec55a86f7fba7d9111df94b9c11a4755ed492995","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46056","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:25.317","lastModified":"2026-06-01T17:17:21.700","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in SSP passkey handlers\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise\nthe connection can be freed concurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage in both\nhandlers.\n\nKeep the existing keypress notification behavior unchanged by routing\nthe early exits through a common unlock path."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/01a6431766c35dfedb86e0cb5d3fc80c6d604a47","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/204028af77a265e31ceb4ba7f643349a3cca72b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/85fa3512048793076eef658f66489112dcc91993","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8c6443bb9257b780986fb67ec08565bf48ecb8d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b6ae482f88654db407c8c17619d4b62959b903ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e08d75753db17aa943d7622f09d9c217b5bfd3b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46058","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:25.537","lastModified":"2026-06-01T17:17:21.827","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: amphion: Fix race between m2m job_abort and device_run\n\nFix kernel panic caused by race condition where v4l2_m2m_ctx_release()\nfrees m2m_ctx while v4l2_m2m_try_run() is about to call device_run\nwith the same context.\n\nRace sequence:\n v4l2_m2m_try_run(): v4l2_m2m_ctx_release():\n lock/unlock v4l2_m2m_cancel_job()\n job_abort()\n v4l2_m2m_job_finish()\n kfree(m2m_ctx) <- frees ctx\n device_run() <- use-after-free crash at 0x538\n\nCrash trace:\n Unable to handle kernel read from unreadable memory at virtual address\n 0000000000000538\n v4l2_m2m_try_run+0x78/0x138\n v4l2_m2m_device_run_work+0x14/0x20\n\nThe amphion vpu driver does not rely on the m2m framework's device_run\ncallback to perform encode/decode operations.\n\nFix the race by preventing m2m framework job scheduling entirely:\n- Add job_ready callback returning 0 (no jobs ready for m2m framework)\n- Remove job_abort callback to avoid the race condition"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/42dc622776f3ce1a6c31b13bdc686f7295e3b323","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/516467052fdfc6a13eadc70d43420ae57436bf3c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6be2cb75bc1300080cfc8051579f22efae9401f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8cd35ceadcfc8c5da2eb7f7ce24525ce9d4ee62e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/da4f46c5cf1d26e6b09418ad453e152f2e75a02c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fdc150dac1adb9a98be9d6956cff0348838b024a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46062","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:26.063","lastModified":"2026-06-01T17:17:21.940","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: fix integer overflow in run_unpack() volume boundary check\n\nThe volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw\naddition which can wrap around for large lcn and len values, bypassing\nthe validation. Use check_add_overflow() as is already done for the\nadjacent prev_lcn + dlcn and vcn64 + len checks added by commit\n3ac37e100385 (\"ntfs3: Fix integer overflow in run_unpack()\").\n\nFound by fuzzing with a source-patched harness (LibAFL + QEMU)."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/424858f9a048057bb8f834bfe03d18f5e477e747","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/60dab3e2931f3d792438a77a6cb0cb731c43300b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6175d09c23bec4b60860ee9a0170308ff4b56e10","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/984a415f019536ea2d24de9010744e5302a9a948","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a954061b334ec67c79ae9d0cadd83fa521396487","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e73cd5aed6b15e55c1c47577bdb473b5e88d6a69","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f1af27cec07a9fd0847166bdb23c99e86b05bfdc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46064","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:26.867","lastModified":"2026-06-01T17:17:22.067","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nibmasm: fix heap over-read in ibmasm_send_i2o_message()\n\nThe ibmasm_send_i2o_message() function uses get_dot_command_size() to\ncompute the byte count for memcpy_toio(), but this value is derived from\nuser-controlled fields in the dot_command_header (command_size: u8,\ndata_size: u16) and is never validated against the actual allocation size.\nA root user can write a small buffer with inflated header fields, causing\nmemcpy_toio() to read up to ~65 KB past the end of the allocation into\nadjacent kernel heap, which is then forwarded to the service processor\nover MMIO.\n\nSilently clamping the copy size is not sufficient: if the header fields\nclaim a larger size than the buffer, the SP receives a dot command whose\nown header is inconsistent with the I2O message length, which can cause\nthe SP to desynchronize. Reject such commands outright by returning\nfailure.\n\nValidate command_size before calling get_mfa_inbound() to avoid leaking\nan I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware\nframe from the controller's free pool, and returning without a\ncorresponding set_mfa_inbound() call would permanently exhaust it.\n\nAdditionally, clamp command_size to I2O_COMMAND_SIZE before the\nmemcpy_toio() so the MMIO write stays within the I2O message frame,\nconsistent with the clamping already performed by outgoing_message_size()\nfor the header field."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b870f652877bfbe321bd0f4096fc37a93296f7b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ca1c857e2bb74a9fc0606128334f85316d57067b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ce57fa439bd1b5d664f334a0c3e3f0e42abb0153","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46070","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:28.283","lastModified":"2026-06-01T17:17:22.187","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: validate payload size before accessing journal metadata\n\nr5c_recovery_analyze_meta_block() and\nr5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a\njournal metadata block using on-disk payload size fields without\nvalidating them against the remaining space in the metadata block.\n\nA corrupted journal contains payload sizes extending beyond the PAGE_SIZE\nboundary can cause out-of-bounds reads when accessing payload fields or\ncomputing offsets.\n\nAdd bounds validation for each payload type to ensure the full payload\nfits within meta_size before processing."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/28d3ff7109c66e99dc1b7cddacb5c760849620ef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/33698bd1b2db9764a29df7751533d33967ff5c98","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/406aa86394ead347c47428fb51b6359bdaa2257d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/73ce72edd113374801045924d4417199963f73a3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c3a1cf78bd1bbb51b2cc5189b4743056553c1e0e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c96c6f01d84b5c67db1bf1cc8591c0b7146826fc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ef4851d8324fd978ca1ff9ec76a275438f887743","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46072","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:28.503","lastModified":"2026-06-01T17:17:22.330","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: add buffer boundary checks to run_unpack()\n\nrun_unpack() checks `run_buf < run_last` at the top of the while loop\nbut then reads size_size and offset_size bytes via run_unpack_s64()\nwithout verifying they fit within the remaining buffer. A crafted NTFS\nimage with truncated run data in an MFT attribute triggers an OOB heap\nread of up to 15 bytes when the filesystem is mounted.\n\nAdd boundary checks before each run_unpack_s64() call to ensure the\ndeclared field size does not exceed the remaining buffer.\n\nFound by fuzzing with a source-patched harness (LibAFL + QEMU)."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/41aadf5cb482793a24e05aa136224e179a778586","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/425de2aba0d061b3e715d51a3b1992c112ed5b99","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b62567bca47408e6739dee75f02a2113548af875","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bbad75336870b51b81979b97613746237fcb02fe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d3012690a7065d9ca86521a525ad11e8af491d45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e64f7dfcaff79e7dfff9121a382dd77f9b462f62","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46075","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:28.823","lastModified":"2026-06-01T17:17:22.443","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-sha204a - Fix potential UAF and memory leak in remove path\n\nUnregister the hwrng to prevent new ->read() calls and flush the Atmel\nI2C workqueue before teardown to prevent a potential UAF if a queued\ncallback runs while the device is being removed.\n\nDrop the early return to ensure sysfs entries are removed and\n->hwrng.priv is freed, preventing a memory leak."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1193c12126d39bf986a5a9214827b73707b193ab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/31901371ccd16b42d2f167b1018ba9ae8bd5a6c7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6dbeb0f788582e1ab5dfc3f41994eac0ec88c2b5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/775c00d87c385b758da9504cf053acea00e2ed40","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bab1adf3b87e4bfac92c4f5963c63db434d561c1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c5a45d14234bf26e28a89e3a5dcc08336595cf11","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46077","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:29.040","lastModified":"2026-06-01T17:17:22.537","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-tdes - fix DMA sync direction\n\nBefore DMA output is consumed by the CPU, ->dma_addr_out must be synced\nwith dma_sync_single_for_cpu() instead of dma_sync_single_for_device().\nUsing the wrong direction can return stale cache data on non-coherent\nplatforms."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/12a0adfe498cd5d87e6365d7ca5f6b3eed79e523","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5281e6e2302362f6b75b70cbfe4098d2a25dafd9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/863d11b3927703ad95077c81a8a6489c5c7872f7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b5f5df801d161ba244f391519cbff2f4e5c6edc2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b9b28f3881dd514e74f98ae04e79a635022a4804","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c0f3002c02a3a83250e25582ffbe8df7eb78a8bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c8a9a647532f5c2a04180352693215e24e9dba03","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ce3224678acb8c0b3473daa7d7dbffc998c6951a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46078","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:29.143","lastModified":"2026-06-01T17:17:22.650","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix the out-of-bounds nameoff handling for trailing dirents\n\nCurrently we already have boundary-checks for nameoffs, but the trailing\ndirents are special since the namelens are calculated with strnlen()\nwith unchecked nameoffs.\n\nIf a crafted EROFS has a trailing dirent with nameoff >= maxsize,\nmaxsize - nameoff can underflow, causing strnlen() to read past the\ndirectory block.\n\nnameoff0 should also be verified to be a multiple of\n`sizeof(struct erofs_dirent)` as well [1].\n\n[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/1d55445226c75ddd4e78b09b3e7d99109b28c366","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/222055e6b4063abd2d9e13c3d49bbd1724c50789","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/48b27a955d22391c7f30169fa7b6b2e1977f1ce4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/80a23c6d1aba35be8746d74ac14e6ba5ae46da21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8ebb951a284b7446e025afc7dc5e9516ef9a7214","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d18a3b5d337fa412a38e776e6b4b857a58836575","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46079","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:29.253","lastModified":"2026-06-01T17:17:22.790","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrbd: fix null-ptr-deref when device_add_disk() fails\n\ndo_rbd_add() publishes the device with device_add() before calling\ndevice_add_disk(). If device_add_disk() fails after device_add()\nsucceeds, the error path calls rbd_free_disk() directly and then later\nfalls through to rbd_dev_device_release(), which calls rbd_free_disk()\nagain. This double teardown can leave blk-mq cleanup operating on\ninvalid state and trigger a null-ptr-deref in\n__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set().\n\nFix this by following the normal remove ordering: call device_del()\nbefore rbd_dev_device_release() when device_add_disk() fails after\ndevice_add(). That keeps the teardown sequence consistent and avoids\nre-entering disk cleanup through the wrong path.\n\nThe bug was first flagged by an experimental analysis tool we are\ndeveloping for kernel memory-management bugs while analyzing\nv6.13-rc1. The tool is still under development and is not yet publicly\navailable.\n\nWe reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64\nguest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer\nconfines failslab injections to the __add_disk() range and injects\nfail-nth while mapping an RBD image through\n/sys/bus/rbd/add_single_major.\n\nOn the unpatched kernel, fail-nth=4 reliably triggered the fault:\n\n\tOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n\tKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\tCPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tRIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240\n\tCode: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00\n\tRSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246\n\tRAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000\n\tRDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4\n\tRBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b\n\tR10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000\n\tR13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004\n\tFS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000\n\tCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0\n\tPKRU: 55555554\n\tCall Trace:\n\t \n\t blk_mq_free_tag_set+0x77/0x460\n\t do_rbd_add+0x1446/0x2b80\n\t ? __pfx_do_rbd_add+0x10/0x10\n\t ? lock_acquire+0x18c/0x300\n\t ? find_held_lock+0x2b/0x80\n\t ? sysfs_file_kobj+0xb6/0x1b0\n\t ? __pfx_sysfs_kf_write+0x10/0x10\n\t kernfs_fop_write_iter+0x2f4/0x4a0\n\t vfs_write+0x98e/0x1000\n\t ? expand_files+0x51f/0x850\n\t ? __pfx_vfs_write+0x10/0x10\n\t ksys_write+0xf2/0x1d0\n\t ? __pfx_ksys_write+0x10/0x10\n\t do_syscall_64+0x115/0x690\n\t entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7f0fbea15907\n\tCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\n\tRSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n\tRAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907\n\tRDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001\n\tRBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141\n\tR10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058\n\tR13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004\n\t \n\nWith this fix applied, rerunning the reproducer over fail-nth=1..256\nyields no KASAN reports.\n\n[ idryomov: rename err_out_device_del -> err_out_device ]"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/78bd0c143dea4b7a4c23c13356987ca0eafb442e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46080","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:29.397","lastModified":"2026-06-01T17:17:23.117","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: split transactions in dio completion to avoid credit exhaustion\n\nDuring ocfs2 dio operations, JBD2 may report warnings via following\ncall trace:\nocfs2_dio_end_io_write\n ocfs2_mark_extent_written\n ocfs2_change_extent_flag\n ocfs2_split_extent\n ocfs2_try_to_merge_extent\n ocfs2_extend_rotate_transaction\n ocfs2_extend_trans\n jbd2__journal_restart\n start_this_handle\n output: JBD2: kworker/6:2 wants too many credits credits:5450 rsv_credits:0 max:5449\n\nTo prevent exceeding the credits limit, modify ocfs2_dio_end_io_write() to\nhandle extents in a batch of transaction.\n\nAdditionally, relocate ocfs2_del_inode_from_orphan(). The orphan inode\nshould only be removed from the orphan list after the extent tree update\nis complete. This ensures that if a crash occurs in the middle of extent\ntree updates, we won't leave stale blocks beyond EOF.\n\nThis patch also changes the logic for updating the inode size and removing\norphan, making it similar to ext4_dio_write_end_io(). Both operations are\nperformed only when everything looks good.\n\nFinally, thanks to Jans and Joseph for providing the bug fix prototype and\nsuggestions."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/069c3fb310e9336cf48cfdf8748a32c29fd0193d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e99bb19994246514d63e656492904176f9d5edd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3c636a3edca9c3f180b3079f94fe7e115730d9c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/886f97fa59d0bbfa9859fb1a66dd9e014b522d89","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/91e05ac2336d00d5b99fc774be4bd50039084796","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/97c03c0e9f73a5049794b3c69ee60fb5e8b0ebd8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d647c5b2fbf81560818dacade360abc8c00a9665","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ea5bb1d20da756e4f41a48dad42b2e7d6e73f71e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46082","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:29.617","lastModified":"2026-06-01T17:17:23.390","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0\n\nINVLPGA should cause a #UD when EFER.SVME is not set. Add a check to\nproperly inject #UD when EFER.SVME=0.\n\n[sean: tag for stable@]"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/3ac9d4241d205f5d0df06358349ca718ebb0fa12","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/491139c17f8ad5773303068411f6ac5eed438b51","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/643125b66ffc1147c66616b749475ba9efb15971","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c15392ed9e49c1a16b4d3a3ccf1b3bf2318a6c28","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d99df02ff427f461102230f9c5b90a6c64ee8e23","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ebb63390142c6458fc37758e0892759989cc159f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ee24928ecd85db4b68ed111e91fef36af0ca37b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46088","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:30.333","lastModified":"2026-06-01T17:17:23.500","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()\n\nsnd_ctl_elem_init_enum_names() advances pointer p through the names\nbuffer while decrementing buf_len. If buf_len reaches zero but items\nremain, the next iteration calls strnlen(p, 0).\n\nWhile strnlen(p, 0) returns 0 and would hit the existing name_len == 0\nerror path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks\nmaxlen against __builtin_dynamic_object_size(). When Clang loses track\nof p's object size inside the loop, this triggers a BRK exception panic\nbefore the return value is examined.\n\nAdd a buf_len == 0 guard at the loop entry to prevent calling fortified\nstrnlen() on an exhausted buffer.\n\nFound by kernel fuzz testing through Xiaomi Smartphone."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/654c818a69c21d2bea4e8fd9eae7da865df9a5c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/708f6ec9bcdf58bfd561409110baaf4fd3be4ea3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/82012fd3e78a14360fbc2f1a7491589896704f97","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a470f7cabc4df72d9bd132f5719a8717292bb440","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bfcbb4994da9e979c4bcfcf24aaaac69e457e48e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e0da8a8cac74f4b9f577979d131f0d2b88a84487","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46098","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:31.453","lastModified":"2026-06-01T17:17:23.633","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: clear client service pointer on teardown\n\n`caif_connect()` can tear down an existing client after remote shutdown by\ncalling `caif_disconnect_client()` followed by `caif_free_client()`.\n`caif_free_client()` releases the service layer referenced by\n`adap_layer->dn`, but leaves that pointer stale.\n\nWhen the socket is later destroyed, `caif_sock_destructor()` calls\n`caif_free_client()` again and dereferences the freed service pointer.\n\nClear the client/service links before releasing the service object so\nrepeated teardown becomes harmless."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/3ac6db584d9d420267bb8413115707eeec76d9cf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7ef97d4675b05a103648bd9244d91dff7d8c08b0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/914c6456fcfc21a3d553945dff62fd1621d6155d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a4b191ddc12c55ddb62feb096536f819f384d6f1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cffca7a18b8f9de7c3d3013a1f5740c412b2a501","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e16859f3f4426fa349bc5519d582a93d28f5a15d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46099","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:31.557","lastModified":"2026-06-01T17:17:23.787","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n ksoftirqd/X higher-prio task (same CPU X)\n ----------- --------------------------------\n seg6_input_core(,skb)/rpl_input(skb)\n dst_cache_get()\n -> miss\n ip6_route_input(skb)\n -> ip6_pol_route(,skb,flags)\n [RT6_LOOKUP_F_DST_NOREF in flags]\n -> FIB lookup resolves fib6_nh\n [nhid=N route]\n -> rt6_make_pcpu_route()\n [creates pcpu_rt, refcount=1]\n pcpu_rt->sernum = fib6_sernum\n [fib6_sernum=W]\n -> cmpxchg(fib6_nh.rt6i_pcpu,\n NULL, pcpu_rt)\n [slot was empty, store succeeds]\n -> skb_dst_set_noref(skb, dst)\n [dst is pcpu_rt, refcount still 1]\n\n rt_genid_bump_ipv6()\n -> bumps fib6_sernum\n [fib6_sernum from W to Z]\n ip6_route_output()\n -> ip6_pol_route()\n -> FIB lookup resolves fib6_nh\n [nhid=N]\n -> rt6_get_pcpu_route()\n pcpu_rt->sernum != fib6_sernum\n [W <> Z, stale]\n -> prev = xchg(rt6i_pcpu, NULL)\n -> dst_release(prev)\n [prev is pcpu_rt,\n refcount 1->0, dead]\n\n dst = skb_dst(skb)\n [dst is the dead pcpu_rt]\n dst_cache_set_ip6(dst)\n -> dst_hold() on dead dst\n -> WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46101","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:32.147","lastModified":"2026-06-01T17:17:23.950","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: reject zero shift in nft_bitwise\n\nReject zero shift operands for nft_bitwise left and right shift\nexpressions during initialization.\n\nThe carry propagation logic computes the carry from the adjacent 32-bit\nword using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this\ninto a 32-bit shift, which is undefined behaviour.\n\nReject zero shift operands in the control plane, alongside the existing\ncheck for values greater than or equal to 32, so malformed rules never\nreach the packet path."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/4fccea585631621c975883911a08d15b6671f7dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9ad26c272405f53834871cc2e46b9b5393a666c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9baa08d6b6b096fad70049533f0d705d85fdc979","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bffef0acec9c3b837a785248a893137fb7f26c95","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ca24f1243ad1a4d12d6a23876bbbe3ed02099853","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f370205974f171a5868c13ff30d7642fed46e47b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fe11e5c40817b84abaa5d83bfb6586d8412bfd07","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46102","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:32.323","lastModified":"2026-06-01T17:17:24.093","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: strparser: fix skb_head leak in strp_abort_strp()\n\nWhen the stream parser is aborted, for example after a message assembly timeout,\nit can still hold a reference to a partially assembled message in\nstrp->skb_head.\n\nThat skb is not released in strp_abort_strp(), which leaks the partially\nassembled message and can be triggered repeatedly to exhaust memory.\n\nFix this by freeing strp->skb_head and resetting the parser state in the\nabort path. Leave strp_stop() unchanged so final cleanup still happens in\nstrp_done() after the work and timer have been synchronized."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"references":[{"url":"https://git.kernel.org/stable/c/19ca9475f18f991735f98a22e735c43e95e6298d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5327dad2ffe9c1b49881dd6d51ff3c6893847568","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/56082f442023db9be1a5a29d4ee361de4017c0b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a470ed71c906cc8cbad0d74c9942216698911f8b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c2e57695ec9ff9d42f23de70f3805199153d007b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d6668ce0e78d23eabecef9a6bc4f0f739cb28ad3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e9ae00490d474757c0f9c65073de83e6bb1e5a00","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fe72340daaf1af588be88056faf98965f39e6032","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46103","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-27T14:17:32.457","lastModified":"2026-06-01T17:17:24.230","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. on probe\ndeferral or configuration changes).\n\nFix the control message buffer lifetime so that it is released on driver\nunbind."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/10b7b676b78a7bd888d19729b459aad7fc1f428b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3df5b9110ac08f67ccfe382fc172bfee95688eec","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c0d3ccc6929e4509076df8f30a4fb1dc5018b0ae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c524c124e3094d2de12235a513854c03d06a2b58","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fed4626501c871890da287bec62a96e52da1af89","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-44830","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T15:16:28.297","lastModified":"2026-06-01T18:22:32.550","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API_TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow_origins=[\"*\"], operators following the Docker setup without explicitly setting API_TOKEN expose the full Knowledge-Graph read/write API to any LAN-reachable client. An attacker on the same network can read, write, or delete all memory entries — including system://boot and core://* URIs that auto-load into downstream agent sessions, enabling persistent prompt-injection. This vulnerability is fixed in 2.4.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"https://github.com/Dataojitori/nocturne_memory/security/advisories/GHSA-crr4-xrj9-ww8g","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-44971","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T15:16:29.547","lastModified":"2026-06-01T18:23:33.000","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog. This vulnerability is fixed in ."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/DataDog/guarddog/security/advisories/GHSA-587r-mc96-6f2p","source":"security-advisories@github.com"},{"url":"https://github.com/DataDog/guarddog/security/advisories/GHSA-587r-mc96-6f2p","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44988","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T15:16:29.830","lastModified":"2026-06-01T18:42:52.373","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"references":[{"url":"https://github.com/LibVNC/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1","source":"security-advisories@github.com"},{"url":"https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2025-70116","sourceIdentifier":"cve@mitre.org","published":"2026-05-27T17:16:29.187","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV)."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"references":[{"url":"https://github.com/gpac/gpac/issues/3345","source":"cve@mitre.org"},{"url":"https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/68/68_gf_media_map_esd_media_tools_isom_tools_c_1364","source":"cve@mitre.org"},{"url":"https://infosec.exchange/@sigdevel/116624563750949972","source":"cve@mitre.org"},{"url":"http://www.openwall.com/lists/oss-security/2026/05/30/2","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://github.com/gpac/gpac/issues/3345","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-38945","sourceIdentifier":"cve@mitre.org","published":"2026-05-27T17:16:34.207","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-77"}]}],"references":[{"url":"https://github.com/Wise-Security/CVE-2026-38945","source":"cve@mitre.org"},{"url":"https://support.raynet.de/","source":"cve@mitre.org"},{"url":"https://support.raynet.de/hc/en-us/articles/46163206384788-RSEC200967-Java-Detection-Path-Traversal","source":"cve@mitre.org"},{"url":"https://github.com/Wise-Security/CVE-2026-38945/blob/main/CVE-2026-38945.sh","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44353","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T17:16:38.927","lastModified":"2026-06-01T20:14:22.827","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:streamlink:streamlink:*:*:*:*:*:python:*:*","versionEndExcluding":"8.4.0","matchCriteriaId":"7E68CF92-B890-47B2-A480-071E5BDC9107"}]}]}],"references":[{"url":"https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-44483","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T17:16:39.510","lastModified":"2026-06-01T18:31:49.033","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1321"}]}],"references":[{"url":"https://github.com/airjp73/rvf/security/advisories/GHSA-c567-44rc-m5hq","source":"security-advisories@github.com"},{"url":"https://github.com/airjp73/rvf/security/advisories/GHSA-c567-44rc-m5hq","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2025-67903","sourceIdentifier":"cve@mitre.org","published":"2026-05-27T18:16:21.507","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-347"}]}],"references":[{"url":"https://mender.io/blog/cve-2025-67903-signature-verification-bypass-in-mender-client","source":"cve@mitre.org"},{"url":"https://northern.tech","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2025-69600","sourceIdentifier":"cve@mitre.org","published":"2026-05-27T18:16:21.780","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Command injection in Raynet rvia RayVentory Scan Engine 12.6 Update 8 and previous versions allows adversaries to execute commands via getconfig, upload, inventory, and oracle options."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-77"}]}],"references":[{"url":"https://github.com/Wise-Security/CVE-2025-69600","source":"cve@mitre.org"},{"url":"https://support.raynet.de/hc/en-us/articles/19518792826132-RVY200865-RayVentory-12-6","source":"cve@mitre.org"},{"url":"https://support.raynet.de/hc/en-us/articles/46163185339284-RSEC200966-Command-Injection-via-Unsafe-System-Calls-CVE-2025-69600","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-42328","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T18:16:22.653","lastModified":"2026-06-01T18:23:33.000","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). This vulnerability is fixed in 0.23.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.2,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-674"}]}],"references":[{"url":"https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-w239-58x2-q8p5","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-42553","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T18:16:22.857","lastModified":"2026-06-01T18:23:33.000","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Cinny is a Matrix client. Prior to 4.10.3, A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's client to send their Matrix access token to an attacker-controlled server. This occurs when the victim opens the emoji or sticker picker for the room containing a malicious emote pack. This is caused by an incorrect fallback in EmojiBoard that uses untrusted pack.meta.avatar (user-controlled) without converting/validating it as an MXC URL, allowing arbitrary HTTP(S) URLs to be used. Also, the service worker attaching the user's Authorization bearer token to all outbound GET requests whose URL contains /_matrix/client/v1/media/download or /_matrix/client/v1/media/thumbnail without verifying the request host matches the configured homeserver origin. An attacker-controlled URL containing those path fragments and permissive CORS will receive the victim's Authorization header (access token). This vulnerability is fixed in 4.10.3."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"}]}],"references":[{"url":"https://github.com/cinnyapp/cinny/releases/tag/v4.10.3","source":"security-advisories@github.com"},{"url":"https://github.com/cinnyapp/cinny/security/advisories/GHSA-j944-w549-3453","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-44460","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T18:16:23.707","lastModified":"2026-06-01T18:33:29.313","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim's password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim's authenticator device. This vulnerability is fixed in 3.12.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"},{"lang":"en","value":"CWE-287"},{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"https://github.com/error311/FileRise/security/advisories/GHSA-84hw-8g73-v3f8","source":"security-advisories@github.com"},{"url":"https://github.com/error311/FileRise/security/advisories/GHSA-84hw-8g73-v3f8","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44521","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T18:16:23.953","lastModified":"2026-06-01T18:23:33.000","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/Studio-42/elFinder/security/advisories/GHSA-c3gj-q88f-7hqj","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45047","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T18:16:24.150","lastModified":"2026-06-01T18:26:25.403","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"bird-lg-go is a BIRD looking glass in Go. Prior to 1.4.5, the apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several Gigabytes of padding) over a single TCP connection. Because Go's JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host's physical RAM or container limits, leading to an unrecoverable fatal error: runtime: out of memory. This vulnerability is fixed in 1.4.5."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-400"}]}],"references":[{"url":"https://github.com/xddxdd/bird-lg-go/security/advisories/GHSA-39qr-rc93-vhqm","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45081","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T18:16:24.433","lastModified":"2026-06-01T18:26:25.403","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"references":[{"url":"https://github.com/frappe/hrms/security/advisories/GHSA-9jpf-5vrm-hpcj","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-44635","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T19:16:20.947","lastModified":"2026-06-01T18:31:49.033","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) — including type-safe code where the JSON column is shaped like Record so K extends string is the inferred type — every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-89"},{"lang":"en","value":"CWE-915"},{"lang":"en","value":"CWE-1284"}]}],"references":[{"url":"https://github.com/kysely-org/kysely/security/advisories/GHSA-pv5w-4p9q-p3v2","source":"security-advisories@github.com"},{"url":"https://github.com/kysely-org/kysely/security/advisories/GHSA-pv5w-4p9q-p3v2","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45046","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T19:16:21.793","lastModified":"2026-06-01T18:26:25.403","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Gryph provides a security layer for AI coding agents. Prior to 0.7.0, Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive file-write content remains in the stored payload as ContentPreview, OldString, or NewString at the default standard logging level and at full. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryphs sensitive file filter and log level contracts. This vulnerability is fixed in 0.7.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-212"}]}],"references":[{"url":"https://github.com/safedep/gryph/security/advisories/GHSA-f3jg-756w-gm35","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-33552","sourceIdentifier":"cve@mitre.org","published":"2026-05-27T20:16:35.947","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-269"}]}],"references":[{"url":"https://Northern.tech","source":"cve@mitre.org"},{"url":"https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-42197","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T20:16:36.260","lastModified":"2026-06-01T18:26:25.403","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting. This bypasses Django\\'s automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":5.8}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://github.com/inducer/relate/blob/550b8c54eb4d5f3e5f6698dcba361bf34d715599/course/admin.py#L347-L368","source":"security-advisories@github.com"},{"url":"https://github.com/inducer/relate/commit/555f0efb1c5bd7531c07cd73724d7e566a81f620","source":"security-advisories@github.com"},{"url":"https://github.com/inducer/relate/security/advisories/GHSA-37xm-vhx8-g6w3","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-44724","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T20:16:37.617","lastModified":"2026-06-01T18:50:57.210","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9","source":"security-advisories@github.com"},{"url":"https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45102","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T20:16:38.250","lastModified":"2026-06-01T18:50:57.210","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-693"}]}],"references":[{"url":"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-g9cp-35m2-fjv6","source":"security-advisories@github.com"},{"url":"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-g9cp-35m2-fjv6","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45108","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T20:16:38.550","lastModified":"2026-06-01T18:31:49.033","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":1.8,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"references":[{"url":"https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-pmxh-j4r6-88mv","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-47161","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T20:16:39.420","lastModified":"2026-06-01T18:31:49.033","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined with missing network isolation in the code execution sandbox, this allows an authenticated student to achieve full Remote Code Execution (RCE) on the host system. Commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb fixes the issue."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://github.com/inducer/relate/commit/d66ba5659b459bf1ba56b7109b5f9ecf197cbefb","source":"security-advisories@github.com"},{"url":"https://github.com/inducer/relate/security/advisories/GHSA-4mwh-mwv4-m252","source":"security-advisories@github.com"},{"url":"https://github.com/inducer/relate/security/advisories/GHSA-4mwh-mwv4-m252","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-49009","sourceIdentifier":"cve@mitre.org","published":"2026-05-27T20:16:41.930","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Northern.tech Mender Server v4.1.0, v4.0.1 and below, and fixed in v4.1.1 and v4.0.2 allows Directory Traversal."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server","source":"cve@mitre.org"},{"url":"https://northern.tech","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-9759","sourceIdentifier":"cve@gitlab.com","published":"2026-05-27T20:16:46.797","lastModified":"2026-06-01T19:26:36.530","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service"}],"metrics":{"cvssMetricV31":[{"source":"cve@gitlab.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"cve@gitlab.com","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.0","versionEndExcluding":"4.4.16","matchCriteriaId":"7EE37E9D-2C45-4E53-AC1F-698639E2DA41"},{"vulnerable":true,"criteria":"cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6.0","versionEndExcluding":"4.6.6","matchCriteriaId":"26F2DB88-ABDA-4A7F-93A2-9CB460F8FB59"}]}]}],"references":[{"url":"https://gitlab.com/wireshark/wireshark/-/work_items/21243","source":"cve@gitlab.com","tags":["Issue Tracking","Vendor Advisory"]},{"url":"https://www.wireshark.org/security/wnpa-sec-2026-51.html","source":"cve@gitlab.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-21785","sourceIdentifier":"psirt@hcl.com","published":"2026-05-27T21:16:17.327","lastModified":"2026-06-01T18:04:45.503","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources."}],"metrics":{"cvssMetricV31":[{"source":"psirt@hcl.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.0,"impactScore":2.7}]},"weaknesses":[{"source":"psirt@hcl.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1021"}]}],"references":[{"url":"https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130581","source":"psirt@hcl.com"}]}},{"cve":{"id":"CVE-2026-44660","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T21:16:17.650","lastModified":"2026-06-01T18:50:49.997","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-401"}]}],"references":[{"url":"https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9","source":"security-advisories@github.com"},{"url":"https://github.com/ultrajson/ultrajson/releases/tag/5.12.1","source":"security-advisories@github.com"},{"url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg","source":"security-advisories@github.com"},{"url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45152","sourceIdentifier":"security-advisories@github.com","published":"2026-05-27T22:16:36.963","lastModified":"2026-06-01T18:31:49.033","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://github.com/uniget-org/cli/security/advisories/GHSA-qqq4-5773-pmw5","source":"security-advisories@github.com"},{"url":"https://github.com/uniget-org/cli/security/advisories/GHSA-qqq4-5773-pmw5","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-32995","sourceIdentifier":"support@hackerone.com","published":"2026-05-28T05:16:35.477","lastModified":"2026-06-01T18:04:45.503","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method."}],"metrics":{"cvssMetricV30":[{"source":"support@hackerone.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"support@hackerone.com","type":"Secondary","description":[{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://github.com/RocketChat/Rocket.Chat/pull/40528","source":"support@hackerone.com"},{"url":"https://hackerone.com/reports/3734326","source":"support@hackerone.com"}]}},{"cve":{"id":"CVE-2026-46107","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:26.063","lastModified":"2026-06-01T17:17:24.353","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm-thin: fix metadata refcount underflow\n\nThere's a bug in dm-thin in the function rebalance_children. If the\ninternal btree node has one entry, the code tries to copy all btree\nentries from the node's child to the node itself and then decrement the\nchild's reference count.\n\nIf the child node is shared (it has reference count > 1), we won't free\nit, so there would be two pointers to each of the grandchildren nodes.\nBut the reference counts of the grandchildren is not increased, thus the\nreference count doesn't match the number of pointers that point to the\ngrandchildren. This results in \"device mapper: space map common: unable\nto decrement block\" errors.\n\nFix this bug by incrementing reference counts on the grandchildren if the\nbtree node is shared."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/09a65adc7d8bbfce06392cb6d375468e2728ead5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/12161e03d33afce781f68fa11cc6060538862fad","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/323d252a4a378834e4fe68298ca61cfc5dd3a460","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5ec0debbcfd43596e32c1239e993de06a704e04c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/85311a585a26640760cd0f3349ab9f2905691044","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f06f6aededd792a754cd677c02b3d3016d868c2c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f49b41c9eb7c6ff00df27cd49cea210abbadd8ad","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46108","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:26.190","lastModified":"2026-06-01T17:17:24.480","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:si: Return state to normal if message allocation fails\n\nThere were places where nothing would get started if a message\nallocation failed, so the driver needs to return to normal state."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/09dd798270ff582d7309f285d4aaf5dbebae01cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/88881dc1da86064f479378bc9d0a4956c3d0bb12","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9c6ded95ac6281e390d167637ccbde6cea2ba1ae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ab48817aebe4d831f87d4da6f94f50498c130d9e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ba60140d4133231b49185ac8bf6e54f318d3134e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bc13fce9eeec88c4950924754c3347c6dc66ff4c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c204fab7f76a055eac346e3b1a75c6b4bb99600e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ce905b65e649eee378a0f37e8219f1d70efb3007","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46109","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:26.307","lastModified":"2026-06-01T17:17:24.583","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: fix memory leak on ulpi_register() error paths\n\nCommit 01af542392b5 (\"usb: ulpi: fix double free in\nulpi_register_interface() error path\") removed kfree(ulpi) from\nulpi_register_interface() to fix a double-free when device_register()\nfails.\n\nBut when ulpi_of_register() or ulpi_read_id() fail before\ndevice_register() is called, the ulpi allocation is leaked.\n\nAdd kfree(ulpi) on both error paths to properly clean up the allocation."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0b9fcab1b8608d429e5f239afb197de928d4de7d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0c2c0c6820fe96fa4be0a0499f8d3f3321b9af6c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7bd61ed0bf9f4f1f2673d489b3bda1555b48d054","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b0c0d44adb55c66663886cb6e30ee92cbb0f5385","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/be2c1d825f54277472c87019e82013ac534ddc4c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f1b855c00988a9cb41134cab7cf9faedba775dd9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f30ccfc2985590b33a23a3d8bed7ca16c0af551b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46112","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:26.660","lastModified":"2026-06-01T17:17:24.710","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix unlocked call to hns_roce_qp_remove()\n\nSashiko points out that hns_roce_qp_remove() requires the caller to hold\nlocks. The error flow in hns_roce_create_qp_common() doesn't hold those\nlocks for the error unwind so it risks corrupting memory.\n\nGrab the same locks the other two callers use."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/0c99acbc8b6c6dd526ae475a48ee1897b61072fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1912f78798505dc9c637081bbddfbf1c22494c49","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1f0a3aa8b569d010316b427238222c5d899f9618","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/615d9d260c32bb678504ca96f29ae46f9d745155","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b6296ff2475fc95ee6ea1b528c4b385302808186","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fb4ae739811d467409bd07d0e36cfd4140f3d26a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fcf6a832c0d5b2bc5398d6996c5570d3ee7993fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46113","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:26.760","lastModified":"2026-06-01T17:17:24.820","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix shadow paging use-after-free due to unexpected GFN\n\nThe shadow MMU computes GFNs for direct shadow pages using sp->gfn plus\nthe SPTE index. This assumption breaks for shadow paging if the guest\npage tables are modified between VM entries (similar to commit\naad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even\nwhen creating an MMIO SPTE\", 2026-03-27). The flow is as follows:\n\n- a PDE is installed for a 2MB mapping, and a page in that area is\n accessed. KVM creates a kvm_mmu_page consisting of 512 4KB pages;\n the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because\n the guest's mapping is a huge page (and thus contiguous).\n\n- the PDE mapping is changed from outside the guest.\n\n- the guest accesses another page in the same 2MB area. KVM installs\n a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN\n (i.e. based on the new mapping, as changed in the previous step) but\n that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore\n the rmap entry cannot be found and removed when the kvm_mmu_page\n is zapped.\n\n- the memslot that covers the first 2MB mapping is deleted, and the\n kvm_mmu_page for the now-invalid GPA is zapped. However, rmap_remove()\n only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,\n and fails to find the rmap entry that was recorded by step 3.\n\n- any operation that causes an rmap walk for the same page accessed\n by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.\n This includes dirty logging or MMU notifier invalidations (e.g., from\n MADV_DONTNEED).\n\nThe underlying issue is that KVM's walking of shadow PTEs assumes that\nif a SPTE is present when KVM wants to install a non-leaf SPTE, then the\nexisting kvm_mmu_page must be for the correct gfn. Because the only way\nfor the gfn to be wrong is if KVM messed up and failed to zap a SPTE...\nwhich shouldn't happen, but *actually* only happens in response to a\nguest write.\n\nThat bug dates back literally forever, as even the first version of KVM\nassumes that the GFN matches and walks into the \"wrong\" shadow page.\nHowever, that was only an imprecision until 2032a93d66fa (\"KVM: MMU:\nDon't allocate gfns page for direct mmu pages\") came along.\n\nFix it by checking for a target gfn mismatch and zapping the existing\nSPTE. That way the old SP and rmap entries are gone, KVM installs\nthe rmap in the right location, and everyone is happy."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.0,"impactScore":6.0}]},"references":[{"url":"https://git.kernel.org/stable/c/06c19c967b845b63172601fe459667d973b7e6b7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0cb2af2ea66ad8ff195c156ea690f11216285bdf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/14d1e55dfd2cf4711bff164a6aaaddb783552134","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/488e386484ec8c0e558be6e156edf34ed9f4d5c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/738ec97b1855df6c08fe2369f798fa0b972e556b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e9d4ea13aa2b6400bb10ec64b370ba3dadcd22f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46119","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:27.390","lastModified":"2026-06-01T17:17:24.953","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix slab-out-of-bounds access in auth message processing\n\nIf a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY\ncontains a positive value in its result field, it is treated as an\nerror code by ceph_handle_auth_reply() and returned to\nhandle_auth_reply(). Thereafter, an attempt is made to send the\npreallocated message of type CEPH_MSG_AUTH, where the returned value is\ninterpreted as the size of the front segment to send. If the result\nvalue in the message is greater than the size of the memory buffer\nallocated for the front segment, an out-of-bounds access occurs, and\nthe content of the memory region beyond this buffer is sent out.\n\nThis patch fixes the issue by treating only negative values in the\nresult field as errors. Positive values are therefore treated as success\nin the same way as a zero value. Additionally, a BUG_ON is added to\n__send_prepared_auth_request() comparing the len parameter to\nfront_alloc_len to prevent sending the message if it exceeds the bounds\nof the allocation and to make it easier to catch any logic flaws leading\nto this."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/1c439de70b1c3eb3c6bffa8245c16b9fc318f114","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2ae0afd98432536562fa8261538ae795446f0589","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/38fdf04c602d52c42c67fc1617211492753b7e8b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/408e85ee708b6aa03eeb0220ffa0915f4d407181","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8517b6c8d2c759918ba0058cb6c7e14d59643202","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b7df9fbd4869fdfe09a3f501ffd228486521e062","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c2374b92c729d0388a538b3cde7b3e3b5e55ef39","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46120","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:27.497","lastModified":"2026-06-01T17:17:25.083","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: Use cached t->net in ip6erspan_changelink().\n\nAfter commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of\nrtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns\nip6gre hash via link_net. ip6erspan_changelink() was not converted in\nthat series and still uses dev_net(dev), which diverges from the\ndevice's creation netns after IFLA_NET_NS_FD migration.\n\nThis re-inserts the tunnel into the wrong per-netns hash. The\noriginal netns keeps a stale entry. When that netns is later\ndestroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a\nslab-use-after-free reported by KASAN, followed by a kernel BUG at\nnet/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().\n\nReachable from an unprivileged user namespace (unshare --user\n--map-root-user --net).\n\nip6gre_changelink() earlier in the same file already uses the cached\nt->net; only ip6erspan_changelink() has the wrong shape."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/01b71ff2857d3598337de11e7840a8e3ff21553c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0fcf6731706f73494245a9c0d64f93bebf95bb51","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1d324c2f43f70c965f25c58cc3611c779adbe47e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/311fdd26eb4443d43b909cc67a10f3a5fd1b21b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7bd0f2b162b426b343a114e1b329f0d8d14fdc6e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cf7fc624329e76c6394653d12353e1d033adea91","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/eca62bb0569de4d43a4dac06a2092a9d4ca1d702","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46122","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:27.713","lastModified":"2026-06-01T17:17:26.570","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: b43: enforce bounds check on firmware key index in b43_rx()\n\nThe firmware-controlled key index in b43_rx() can exceed the dev->key[]\narray size (58 entries). The existing B43_WARN_ON is non-enforcing in\nproduction builds, allowing an out-of-bounds read.\n\nMake the B43_WARN_ON check enforcing by dropping the frame when the\nfirmware returns an invalid key index."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/135cb49c9a42a02cceeac7b49ec03e267f7ed6d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e9e55cf66f0fa4799f4d86ef3aaba8e606b5c14","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1f4f78bf8549e6ac4f04fba4176854f3a6e0c332","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/219ba67e69e49681e48c822d6eaafb5def032f34","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3157ad40b084a8f3932da2641749ab45e99b933e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/765709720e6af9a178abc40244a8d1aa39ac4e71","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c3d7b90dc95020cd9282c4630e402fe224f7644e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d7029879bafdac2006c67553807d122283dc6cbf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46123","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:27.810","lastModified":"2026-06-01T17:17:26.790","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: virtio_bt: clamp rx length before skb_put\n\nvirtbt_rx_work() calls skb_put(skb, len) where len comes directly\nfrom virtqueue_get_buf() with no validation against the buffer we\nposted to the device. The RX skb is allocated in virtbt_add_inbuf()\nand exposed to virtio as exactly 1000 bytes via sg_init_one().\n\nChecking len against skb_tailroom(skb) is not sufficient because\nalloc_skb() can leave more tailroom than the 1000 bytes actually\nhanded to the device. A malicious or buggy backend can therefore\nreport used.len between 1001 and skb_tailroom(skb), causing skb_put()\nto include uninitialized kernel heap bytes that were never written by\nthe device.\n\nThe same path also accepts len == 0, in which case skb_put(skb, 0)\nleaves the skb empty but virtbt_rx_handle() still reads the pkt_type\nbyte from skb->data, consuming uninitialized memory.\n\nDefine VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and\nsg_init_one(), and gate virtbt_rx_work() on that same constant so\nthe bound checked matches the buffer actually exposed to the device.\nReject used.len == 0 in the same gate so an empty completion can\nno longer reach virtbt_rx_handle().\n\nUse bt_dev_err_ratelimited() because the length value comes from an\nuntrusted backend that can otherwise flood the kernel log.\n\nSame class of bug as commit c04db81cd028 (\"net/9p: Fix buffer\noverflow in USB transport layer\"), which hardened the USB 9p\ntransport against unchecked device-reported length."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/21bd244b6de5d2fe1063c23acc93fbdd2b20d112","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4236e55b2d9d1ffd3b4bdf8ebbb86e5a0a526b4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6c1730099a6fc18b183bd6c1adad3b54adcaeda9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b40cdd1b1370d76e9e760af4490cb4a351cceead","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e6b4296f170d949ebba937cf6a3f247ec9550d2c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ed41c81d30b211a671667259c3b5feeba0e062d5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fd91fa2678ab603dfb285416c1cf3843d7be1e41","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46124","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:27.920","lastModified":"2026-06-01T17:17:26.930","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: validate block number from NFS file handle in isofs_export_iget\n\nisofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-\ncontrolled block number (ifid->block or ifid->parent_block) from\nthe NFS file handle to isofs_export_iget(), which only rejects\nblock == 0 before calling isofs_iget() and ultimately sb_bread().\nA crafted file handle with fh_len sufficient to pass the check\nadded by commit 0405d4b63d08 (\"isofs: Prevent the use of too small\nfid\") can still drive the server to read any in-range block on the\nbacking device as if it were an iso_directory_record. That earlier\nfix was assigned CVE-2025-37780.\n\nsb_bread() on an out-of-range block returns NULL cleanly via the\nEIO path, so there is no memory-safety violation. For in-range\nreads of adjacent-partition data on the same block device, the\nunrelated bytes end up in iso_inode_info fields that reach the NFS\nclient as dentry metadata. The deployment surface (isofs exported\nover NFS from loop-mounted images) is narrow and requires an\nauthenticated NFS peer, but the malformed-file-handle class is\nreportable as hardening next to the existing CVE-2025-37780 fix.\n\nReject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so\nthe check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()\ncall sites with a single line."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"references":[{"url":"https://git.kernel.org/stable/c/0a1af74ae2177bda3aee0837a0546309aa539d0d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/24376458138387fb251e782e624c7776e9826796","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/31dbb4ba0f719ae7774e4c0c95172c9bf81692f5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/908a76f0b1038035e6ebb4f2293ce079f92e0a02","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bb0988ed4f2e26d59bbb58f644cb3a55b7521e21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ee0024f5a7e3c73aa253869fae9650ae054093ca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46127","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:28.250","lastModified":"2026-06-01T17:17:27.143","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()\n\nSashiko points out that pd->uctx isn't initialized until late in the\nfunction so all these error flow references are NULL and will crash. Use\nthe uctx that isn't NULL."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/27b6eb1f27fda9bdd5cae028e396758cdf525845","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/34fbf48cf3b410d2a6e8c586fa952a36331ca5ba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/443c991fbc954cc9363e963c09f404b9f281f3a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/75fc130664ae324e7b2f9ad3630e0f175e9ca6c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8832626a483439e207734e027afff322ccdf726e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b610f33c5523fe26f6dd897667fff9c7a1de5905","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e01a957561f663d3b68d2fd233a4502e3367efcd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ec44c00a4fe1327efa35083f98b39c01cb535a51","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46128","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:28.373","lastModified":"2026-06-01T17:17:27.533","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Check event message buffer response for bad data\n\nThe event message buffer response data size got checked later when\nprocessing, but check it right after the response comes back. It\nappears some BMCs may return an empty message instead of an error\nwhen fetching events.\n\nThere are apparently some new BMCs that make this error, so we need to\ncompensate."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/01f8387fa5b796f13cf50014c171f6da7abc46ea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2418e4b21fb1355504d095da5d5f0a210564a43d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/24269264c3d59a49eb09b10af2c75b14f2931482","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/36920f30e78e69df01f9691c470b6f3ba8aebf98","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/42432b579a594b66ac32e5e7b7c26e6bc578ec89","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/474e53d4397087913a5b9c9eb90fa068da4808bf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cf1ef30c42a7079e5bad863cd01c52aa3a17c3ac","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46129","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:28.473","lastModified":"2026-06-01T17:17:27.807","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info()\n-> btrfs_sysfs_add_space_info_type()\n-> kobject_init_and_add()\n-> failure\n-> kobject_put(&space_info->kobj)\n-> space_info_release()\n-> kfree(space_info)\n\nThen control returns to create_space_info():\n\nbtrfs_sysfs_add_space_info_type() returns error\n-> goto out_free\n-> kfree(space_info)\n\nThis causes a double free.\n\nKeep the direct kfree(space_info) for the earlier failure path, but\nafter btrfs_sysfs_add_space_info_type() has called kobject_put(), let\nthe kobject release callback handle the cleanup."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46132","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:28.753","lastModified":"2026-06-01T17:17:27.993","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo\n\nrtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack\nwithout initialisation:\n\n\tstruct ifla_vf_broadcast vf_broadcast;\n\nThe struct contains a single fixed 32-byte field:\n\n\t/* include/uapi/linux/if_link.h */\n\tstruct ifla_vf_broadcast {\n\t\t__u8 broadcast[32];\n\t};\n\nThe function then copies dev->broadcast into it using dev->addr_len\nas the length:\n\n\tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);\n\nOn Ethernet devices (the overwhelming majority of SR-IOV NICs)\ndev->addr_len is 6, so only the first 6 bytes of broadcast[] are\nwritten. The remaining 26 bytes retain whatever was previously on\nthe kernel stack. The full struct is then handed to userspace via:\n\n\tnla_put(skb, IFLA_VF_BROADCAST,\n\t\tsizeof(vf_broadcast), &vf_broadcast)\n\nleaking up to 26 bytes of uninitialised kernel stack per VF per\nRTM_GETLINK request, repeatable.\n\nThe other vf_* structs in the same function are explicitly zeroed\nfor exactly this reason - see the memset() calls for ivi,\nvf_vlan_info, node_guid and port_guid a few lines above.\nvf_broadcast was simply missed when it was added.\n\nReachability: any unprivileged local process can open AF_NETLINK /\nNETLINK_ROUTE without capabilities and send RTM_GETLINK with an\nIFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks\neach VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per\nVF per request. Stack residue at this call site can include return\naddresses and transient sensitive data; KASAN with stack\ninstrumentation, or KMSAN, will flag the nla_put() when reproduced.\n\nZero the on-stack struct before the partial memcpy, matching the\nexisting pattern used for the other vf_* structs in the same\nfunction."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/14271b401ec6a4bf0d88054106fc2956084717e1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a44fbb631cba646532f3948636626f81717365a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cccce3190ba4356432b9f22369b56123d3d89f0d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46133","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:28.863","lastModified":"2026-06-01T17:17:28.133","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Reject unknown opcodes before ICRC processing\n\nEven after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC\nbefore payload_size() in rxe_rcv\"), a single unauthenticated UDP packet\ncan still trigger panic. That patch handled payload_size() underflow only\nfor valid opcodes with short packets, not for packets carrying an unknown\nopcode. The unknown-opcode OOB read described below predates that commit\nand reaches back to the initial Soft RoCE driver.\n\nThe check added there reads\n\n pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE\n\nwhere header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The\nrxe_opcode[] array has 256 entries but is only populated for defined IB\nopcodes; any other entry (for example opcode 0xff) is zero-initialized, so\nlength == 0 and the check degenerates to\n\n pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE\n\nwhich does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes\n\n rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES\n\nwhich underflows when length == 0 and passes a huge value to rxe_crc32(),\ncausing an out-of-bounds read of the skb payload.\n\nReproduced on v7.0-rc7 with that fix applied, QEMU/KVM with\nCONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after\n\n rdma link add rxe0 type rxe netdev eth0\n\nA single 48-byte UDP packet to port 4791 with BTH opcode=0xff and\nQPN=IB_MULTICAST_QPN triggers:\n\n BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170\n Read of size 1 at addr ...\n The buggy address is located 0 bytes to the right of\n allocated 704-byte region\n Call Trace:\n crc32_le+0x115/0x170\n rxe_icrc_hdr.isra.0+0x226/0x300\n rxe_icrc_check+0x13f/0x3a0\n rxe_rcv+0x6e1/0x16e0\n rxe_udp_encap_recv+0x20a/0x320\n udp_queue_rcv_one_skb+0x7ed/0x12c0\n\nSubsequent packets with the same shape fault on unmapped memory and panic\nthe kernel. The trigger requires only module load and \"rdma link add\"; no\nQP, no connection, and no authentication.\n\nFix this by rejecting packets whose opcode has no rxe_opcode[] entry,\ndetected via the zero mask or zero length, before any length arithmetic\nruns."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"references":[{"url":"https://git.kernel.org/stable/c/006a3a5f75345c6a0dbf13fd3ee01406e93b6733","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/318787fa7193bd79691f2ebce4e80cb6abd0faef","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4c6f86d85d03cdb33addce86aa69aa795ca6c47a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/599cfdf44c1701c581cd4a21f1e1e03f8dc3840b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6a79b1ea0fcb2c998fda6a793050f66146e9cc42","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6fa18025e5782afff91415fd5217b39c1e4837d7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e3dc3a2fb05f4ed49c7f20594c4c52350d032189","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f8ee926431a7bbec2b10c1290664af2cb290b983","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46136","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:29.160","lastModified":"2026-06-01T17:17:28.283","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix a potential clc buffer length underflow\n\nThe buf_len is used to limit the iterations for retrieving the country\npower setting and may underflow under certain conditions due to changes\nin the power table in CLC.\n\nThis underflow leads to an almost infinite loop or an invalid power\nsetting resulting in driver initialization failure."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0aa63d33742b805d1a218d18d12b983cce4b2f7b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2a79b1a492bcfa725383b6580cd93a6862308c85","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5373f8b19e568b5c217832b9bbef165bd2b2df14","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/90cc573fd2f46ddbc2c329e7814b5ba3deb7b939","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a0111847f0b4f6023f6dd320114697514e024ba3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e451c325b000b9a0081fd93bc6d103d6943d4b55","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46143","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:29.903","lastModified":"2026-06-01T17:17:28.547","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens\n\nAs prepare can be called mulitple times, this can result in multiple\ngraph opens for playback path.\n\nThis will result in a memory leaks, fix this by adding a check before\nopening."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/3141d8b00cad6d3331953c79060ccc3a0262311b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/69acc488aaf39d0ddf6c3cf0e47c1873d39919a2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7cab9f2ad51c858263da836baebad050a1bc7914","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/af9cc7c622e596455c5190e6ef53c5b40ea7a90d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b97493f0f42ab9d882a62466782e1900e481a9d6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c91b7bcc70346d07f57ef03d1b9a338324e213de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46146","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:30.203","lastModified":"2026-06-01T17:17:28.687","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()\n\nThe convert_chmap_v3() has a loop with its increment size of\ncs_desc->wLength, but we forgot to validate cs_desc->wLength itself,\nwhich may lead to potential endless loop by a malformed descriptor.\n\nAdd a proper size check to abort the loop for plugging the hole."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/076d5d13eb9c1ad259a7f246149f6676c62285f9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/24a40df79307ca7ca0eec0889361cf6ac146d72a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/316aa0b1e3c5600eae5ab876394c1ac70e6db581","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4e0ee232ebe3df04874125d7c7f3e6c25ea5483d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6e7247d8f5fefeceb0bb9cc80a5388a636b219cd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/be09b47ed8677d76962e3240c145502e2ad9f3c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e0e3dcf48189603f3865f1a0b799b3b42baae96d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fa5b19ce69067874b1413f3c2027563bae8c2cb3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46149","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:30.513","lastModified":"2026-06-01T17:17:28.823","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer. snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes. The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/12f2201a56957ba020392223a7393a5eba080c1b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d3cc9d490c207d57a289054397349f6f8c90354e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/db0a4759d62cad4ff891e2d81ae4be73bb57f4a4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46150","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:30.630","lastModified":"2026-06-01T17:17:28.973","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfanotify: fix false positive on permission events\n\nfsnotify_get_mark_safe() may return false for a mark on an unrelated group,\nwhich results in bypassing the permission check.\n\nFix by skipping over detached marks that are not in the current group."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/04bb66be92f48ed13c3faf1139d892df228789bc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4a7611ad653785fcdea5ff5f4441e2b7d05b7f11","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7746e3bd4cc19b5092e00d32d676e329bfcb6900","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7baa02b0ae9d17ec5f08836d8ea88ce1927d0678","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/895ebbedf88318607c24acc0f591c74b165e1d0a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a24765332e129c1916d5a6615418b75599b8fcdc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b7b24b28c8cd55844cab908f4f39dded638d5538","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f130790f1acc8399f32652846c875a251efd040f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46151","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:30.723","lastModified":"2026-06-01T17:17:29.137","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usblp: fix heap leak in IEEE 1284 device ID via short response\n\nusblp_ctrl_msg() collapses the usb_control_msg() return value to\n0/-errno, discarding the actual number of bytes transferred. A broken\nprinter can complete the GET_DEVICE_ID control transfer short and the\ndriver has no way to know.\n\nusblp_cache_device_id_string() reads the 2-byte big-endian length prefix\nfrom the response and trusts it (clamped only to the buffer bounds).\nThe buffer is kmalloc(1024) at probe time. A device that sends exactly\ntwo bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves\ndevice_id_string[2..1022] holding stale kmalloc heap.\n\nThat stale data is then exposed:\n - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated\n at the first NUL in the stale heap), and\n - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full\n claimed length regardless of NULs, up to 1021 bytes of uninitialized\n heap, with the leak size chosen by the device.\n\nFix this up by just zapping the buffer with zeros before each request\nsent to the device."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/4220d4dd062ea3d3eb056a6cbe0b568e740d20b1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4650cce898fcd0bb8c33e529984687a8caed10c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/612640abbd9e0947fe8f37aaf0cf324265d7caa4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6d8142141c942c0d8e79343cffda9c44bb1f3f4f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6e29c32a27218f2dcd4a4e9b0b3c5e7728640698","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7a400c6fe3617e31e690e3f7ca37bb335e0498f3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8247f52d822180e94ccbfdab91613af386a4e34d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46156","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:31.233","lastModified":"2026-06-01T17:17:29.270","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()\n\nThe switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and\nreadl(crtc_reg) will access with random address, because the \"device\" is\nfrom \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong\nwhen my platform inserts a discrete GPU:\n\nlspci -tv\n-[0000:00]-+-00.0 Loongson Technology LLC Hyper Transport Bridge Controller\n...\n +-06.0 Loongson Technology LLC LG100 GPU\n +-06.2 Loongson Technology LLC Device 7a37\n...\n\nAdd a default switch case to fix the panic as below:\n\n Kernel ade access[#1]:\n CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4\n pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0\n a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002\n a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001\n t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000\n t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0\n t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8\n s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000\n s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000\n ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210\n ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000004 (PPLV0 +PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)\n BADV: 7fffffffffffff00\n PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)\n Modules linked in:\n Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))\n Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007\n 0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff\n 900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08\n 0000000000000000 0000000000000000 0000000000000006 90000001002fb778\n 90000001000530b8 90000000027af000 0000000000000000 9000000100054000\n 9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001\n 90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000\n 0000000000000006 90000000027af000 0000000000000030 90000000027af000\n 900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560\n 7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030\n ...\n Call Trace:\n [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210\n [<9000000000eebc08>] pci_fixup_device+0x108/0x280\n [<9000000000ebb70c>] pci_setup_device+0x24c/0x690\n [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140\n [<9000000000ebc684>] pci_scan_slot+0xc4/0x280\n [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0\n [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420\n [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440\n [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0\n [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0\n [<90000000010e200c>] device_for_each_child+0x6c/0xe0\n [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70\n [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0\n [<90000000010e200c>] device_for_each_child+0x6c/0xe0\n [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70\n [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0\n [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280\n [<900000000189c028>] acpi_scan_init+0x194/0x310\n [<900000000189bc6c>] acpi_init+0xcc/0x140\n [<9000000000220cdc>] do_one_initcall+0x4c/0x310\n [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4\n [<900000000184326c>] kernel_init+0x28/0x13c\n [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/07d190e4ec689d6478f7f5e36099fb9bf457e7c5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2cb19b06c09983727573bbe7d7430cbad480a714","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/81fef1c278436e6bd68ee4ca05a0acb96e256561","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9e1aed63a5552958ef2a9bfd699a3f990e52a77f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bfde8accc3e3260c0ecbb8cc34361739e1e16f31","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46158","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:31.460","lastModified":"2026-06-01T17:17:29.427","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: ADD_ADDR rtx: always decrease sk refcount\n\nWhen an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer().\nIt should then be released in all cases at the end.\n\nSome (unlikely) checks were returning directly instead of calling\nsock_put() to decrease the refcount. Jump to a new 'exit' label to call\n__sock_put() (which will become sock_put() in the next commit) to fix\nthis potential leak.\n\nWhile at it, drop the '!msk' check which cannot happen because it is\nnever reset, and explicitly mark the remaining one as \"unlikely\"."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/25e37407442b8766ec2cf52fb4e31b5c3d3aeeae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9426265e157dd77ec237c795901ed4dea6d69b5c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9634cb35af17019baec21ca648516ce376fa10e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/acd3d3562315c99f3c0db16f0fcc5f0306638982","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b41dd76f3b9735096c21d3e799a2b9fe36498d57","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46161","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:31.770","lastModified":"2026-06-01T17:17:29.547","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix divide-by-zero in setup_geo() with zero far_copies\n\nsetup_geo() extracts near_copies (nc) and far_copies (fc) from the\nuser-provided layout parameter without checking for zero. When fc=0\nwith the \"improved\" far set layout selected, 'geo->far_set_size =\ndisks / fc' triggers a divide-by-zero.\n\nValidate nc and fc immediately after extraction, returning -1 if\neither is zero."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0b43a70394ce492274e67463326be03e0a9897c5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4af2e558e6fdfb972c61350653fd55d1f62b60a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/553e32adfa1a96b217651139a3f8c3b92b9984ac","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/913d556e4bd1b56ed822815655b82c7bb54edc51","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9aa6d860b0930e2f72795665c42c44252a558a0c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9d8e03b9a2b1e8ce5c198bf3a409a629f4d02cda","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c716ab3034f84f8a6c226814247b8c5ac9f95da1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f9ddb621b2325eb69c95692958daf2bab4dea2c4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46163","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:31.950","lastModified":"2026-06-01T17:17:29.673","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: b43legacy: enforce bounds check on firmware key index in RX path\n\nSame fix as b43: the firmware-controlled key index in b43legacy_rx()\ncan exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is\nnon-enforcing in production builds, allowing an out-of-bounds read of\ndev->key[].\n\nMake the check enforcing by dropping the frame for invalid indices."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/1baaeb6adecb9691748c0253dab6ddd19a2b4e9e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4242db36de99de734cc1f60e5edd86cda7e598c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6ee946077607d7783ae6709a899213fc4fe08f35","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9d1bc155802943e92c57a5fb923d23edfbf0b525","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a035766f970bde2d4298346a31a80685be5c0205","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a92bd0503df2488f2cc040f329ebccff1c1934cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/df805c1d085b7a96077f0964185764c87060950d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46165","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:32.143","lastModified":"2026-06-01T17:17:29.803","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: vport: fix self-deadlock on release of tunnel ports\n\nvports are used concurrently and protected by RCU, so netdev_put()\nmust happen after the RCU grace period. So, either in an RCU call or\nafter the synchronize_net(). The rtnl_delete_link() must happen under\nRTNL and so can't be executed in RCU context. Calling synchronize_net()\nwhile holding RTNL is not a good idea for performance and system\nstability under load in general, so calling netdev_put() in RCU call\nis the right solution here.\n\nHowever,\nwhen the device is deleted, rtnl_unlock() will call netdev_run_todo()\nand block until all the references are gone. In the current code this\nmeans that we never reach the call_rcu() and the vport is never freed\nand the reference is never released, causing a self-deadlock on device\nremoval.\n\nFix that by moving the rcu_call() before the rtnl_unlock(), so the\nscheduled RCU callback will be executed when synchronize_net() is\ncalled from the rtnl_unlock()->netdev_run_todo() while the RTNL itself\nis already released."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/366c482965c673565ecb8bcfb15d5548f13a6a10","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3df75fff46b1517eb479d8e6b8e3500763715dd0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6522d59fb7de55ce0f0f285d962243ddffebb01f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8ae6c15fc473c9ad03b0173330cce9a092c76154","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/aa69918bd418e700309fdd08509dba324fb24296","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c741433f6c8dcdecd1d9549d89053761fd1ea413","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46167","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:32.340","lastModified":"2026-06-01T17:17:29.937","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl\n\nJust like in a previous problem in this driver, usblp_ctrl_msg() will\ncollapse the usb_control_msg() return value to 0/-errno, discarding the\nactual number of bytes transferred.\n\nIdeally that short command should be detected and error out, but many\nprinters are known to send \"incorrect\" responses back so we can't just\ndo that.\n\nstatusbuf is kmalloc(8) at probe time and never filled before the first\nLPGETSTATUS ioctl.\n\nusblp_read_status() requests 1 byte. If a malicious printer responds\nwith zero bytes, *statusbuf is one byte of stale kmalloc heap,\nsign-extended into the local int status, which the LPGETSTATUS path then\ncopy_to_user()s directly to the ioctl caller.\n\nFix this all by just zapping out the memory buffer when allocated at\nprobe time. If a later call does a short read, the data will be\nidentical to what the device sent it the last time, so there is no\n\"leak\" of information happening."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/087d97342c100138ea7d75a50977c9c2319f957b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0f7c41314ebf17049917a452684db371babf711a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6b0e7438e31c74b01514d31ff35c1e688c4baaba","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/762a6ccf391db0d629e590a803a3a2231e17dd3f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a502b997668401a6821501fc98b7f9220f9b6ff2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b38e53cbfb9d84732e5984fbd73e128d592415c5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cf24991619be317e2769310b4a367bf4a04b82bc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d06d937b0a4cdb8867f04275c8100a8b943da31a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46168","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:32.440","lastModified":"2026-06-01T17:17:30.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix scheduling with atomic in timestamp sockopt\n\nUsing lock_sock_fast() (atomic context) around sock_set_timestamp()\nand sock_set_timestamping() is unsafe, as both helpers can sleep.\n\nReplace lock_sock_fast() with sleepable lock_sock()/release_sock()\nto avoid scheduling while atomic panic."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0949d8bbbedbafe0136a1723c41eb823c2f1e09d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7eb513b42721bee4b96da69f6188d5a7783f210d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8a005fe451c73fd2b3d1faa5643c11e6bd07acfc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b157dab93a7af44a84e78cf0cb311dde475cff5b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b5c52908d52c6c8eb8933264aa6087a0600fd892","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e792cfb6aeaf65612cdf8e3ac431d65e66283654","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ebeb70e29e37cfce899309cc2665a3bfe960ed94","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46170","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:32.650","lastModified":"2026-06-01T17:17:30.190","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: ADD_ADDR rtx: free sk if last\n\nWhen an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(),\nand released at the end.\n\nIf at that moment, it was the last reference being held, the sk would\nnot be freed. sock_put() should then be called instead of __sock_put().\n\nBut that's not enough: if it is the last reference, sock_put() will call\nsk_free(), which will end up calling sk_stop_timer_sync() on the same\ntimer, and waiting indefinitely to finish. So it is needed to mark that\nthe timer is done at the end of the timer handler when it has not been\nrescheduled, not to call sk_stop_timer_sync() on \"itself\"."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/531c537b8fb620beabccfb1594e8d43cbebbb87a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6a3af482188f6db4186d1605f64d911d7330abb3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8143a224785ceaf2b0856e08d4498916f38228fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b74ad20198652b6b39a761c277ba65ae82b1e107","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b7b9a461569734d33d3259d58d2507adfac107ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46172","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:32.830","lastModified":"2026-06-01T17:17:30.307","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: xfrm6: release dst on error in xfrm6_rcv_encap()\n\nxfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not\nalready have a dst attached. ip6_route_input_lookup() returns a\nreferenced dst entry even when the lookup resolves to an error route.\n\nIf dst->error is set, xfrm6_rcv_encap() drops the skb without attaching\nthe dst to the skb and without releasing the reference returned by the\nlookup. Repeated packets hitting this path therefore leak dst entries.\n\nRelease the dst before jumping to the drop path."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6a5eec0a2a0e99ec9743cf8f1c4082178811d90a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/870560015ce6e0d8f841c6a8aba33c44be52c727","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9d5047782f9bd2829e529df69209bf3232eb561f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a0721bcd72641c32b281f227a94505b31cf54117","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a20b34f6e854fe6f2aa82528fae7a88759919eb4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bc0fcb9823cd0894934cf968b525c575833d7078","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c2efc4956981066df2fef1cc77391b523db6d8e4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46173","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:32.923","lastModified":"2026-06-01T17:17:30.430","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nexit: prevent preemption of oopsing TASK_DEAD task\n\nWhen an already-exiting task oopses, make_task_dead() currently calls\ndo_task_dead() with preemption enabled. That is forbidden:\ndo_task_dead() calls __schedule(), which has a comment saying \"WARNING:\nmust be called with preemption disabled!\".\n\nIf an oopsing task is preempted in do_task_dead(), between becoming\nTASK_DEAD and entering the scheduler explicitly, bad things happen:\nfinish_task_switch() assumes that once the scheduler has switched away\nfrom a TASK_DEAD task, the task can never run again and its stack is no\nlonger needed; but that assumption apparently doesn't hold if the dead\ntask was preempted (the SM_PREEMPT case).\n\nThis means that the scheduler ends up repeatedly dropping references on\nthe dead task's stack, which can lead to use-after-free or double-free\nof the entire task stack; in other words, two tasks can end up running\non the same stack, resulting in various kinds of memory corruption.\n\n(This does not just affect \"recursively oopsing\" tasks; it is enough to\noops once during task exit, for example in a file_operations::release\nhandler)"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/3d6fb8a7690c23e3213c4b008f64d89a44b98737","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/640b4c00fb0e2920327435f6176cbefc3c546165","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6f49f94f3b11fe8bff1bf2a054143789e76aaf17","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7b2800ba5f5f77a8ee7f4cbadb19cf1264597a34","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9756b3db5db6c2f5eccb32dddbd88eb4c54f575e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46177","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:33.320","lastModified":"2026-06-01T17:17:30.557","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Add limits to event and receive message requests\n\nThe driver would just fetch events and receive messages until the\nBMC said it was done. To avoid issues with BMCs that never say they are\ndone, add a limit of 10 fetches at a time.\n\nIn addition, an si interface has an attn state it can return from the\nhardware which is supposed to cause a flag fetch to see if the driver\nneeds to fetch events or message or a few other things. If the attn\nbit gets stuck, it's a similar problem. So allow messages in between\nflag fetches so the driver itself doesn't get stuck.\n\nThis is a more general fix than the previous fix for the specific bad\nBMC, but should fix the more general issue of a BMC that won't stop\nsaying it has data.\n\nThis has been there from the beginning of the driver. It's not a bug\nper-se, but it is accounting for bugs in BMCs."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"references":[{"url":"https://git.kernel.org/stable/c/112df8e631636cafda64dcee4561daf09ce74a4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/304b56883b7eff73eb606c35d062c8101aaf5471","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3d37d2165df9504ea99d9e6181552dc4d2d1ab37","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/67c44e0deba936d5edaebea356b4589eb43acb5c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9059dc94421e1d4f8e5844204608b37ebfddb3da","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c024167fb00489baee08c72182ca2e7dc5fb9f20","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c4cca236968683eb0d59abfb12d5c7e4d8514227","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e20212b431bef217d3886b86bbc90cc3ed00de68","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46178","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:33.423","lastModified":"2026-06-01T17:17:30.690","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()\n\nSashiko points out that mlx4_srq_alloc() was not undone during error\nunwind, add the missing call to mlx4_srq_free()."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/0be6ae614ca7fa53e7389e3c7462ed20abbd4192","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0dbd619716fb07b7de1acd64fec673ee6e1adde7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/388617f44d81604a760742a0b5de292d411e63e3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/53fd4c03558672ccb167754fbacbf045c7ab335c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5b3b220d54e6a3d77380cb7caa1ef79cb8f4fc94","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c5dc30da990045105c9762248d23076223e7878a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e01b8c9286c470b71a38acd320106f2c4f2826a1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46179","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:33.540","lastModified":"2026-06-01T17:17:30.820","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Don't allow pointer operations on unconfigured streams\n\nWhen reporting the pointer for a compressed stream we report the current\nI/O frame position by dividing the position by the number of channels\nmultiplied by the number of container bytes. These values default to 0 and\nare only configured as part of setting the stream parameters so this allows\na divide by zero to be configured. Validate that they are non zero,\nreturning an error if not"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0f0c0c1397a42aacaacae828206ee1b921623952","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/327a64241f30c74b6f35537eb9e1fc6c3cbe060b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4f42dd01f5217465f23a763e27b3984e114d0972","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/76ff6bfc9a809571793f425ba99f6a759108dcf8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/98ed1383f597f8a45b6cb816bb20b96d46eeceda","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46184","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:34.023","lastModified":"2026-06-01T17:17:30.917","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsound: ua101: fix division by zero at probe\n\nAdd a missing sanity check for bNrChannels in detect_usb_format()\nto prevent a division by zero in playback_urb_complete() and\ncapture_urb_complete().\n\nUSB core does not validate class-specific descriptor fields such\nas bNrChannels, so drivers must verify them before use. If a\ndevice provides bNrChannels = 0, frame_bytes becomes zero and is\nlater used as a divisor in the URB completion handlers, leading\nto a kernel crash."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0ff2b713f406e9ecadb406014d74e7a020ac12b1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/593dd7e6c890d8e4ca21b3e2f796b7cb8e8da983","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6162e8212e88c39492d981b248b5e37002486c66","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/66d9c2ed081f299cfb201d9e9c4faf920e56e0bf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/aae1498c59f48d03ee358df84f07a5af9885f827","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d1f73f169c1014463b5060e3f60813e13ddc7b87","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e02897c5b041c9b980055fa9a6167023d6dc5caf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f1862dbf09080254c52175a448290c784dd7d3de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46185","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:34.117","lastModified":"2026-06-01T17:17:31.057","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: fix out-of-bounds read in symlink_data()\n\nSince smb2_check_message() returns success without length validation for\nthe symlink error response, in symlink_data() it is possible for\niov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer\nonly contains the base SMB2 header (64 bytes), accessing\nerr->ErrorContextCount (at offset 66) or err->ByteCount later in\nsymlink_data() will cause an out-of-bounds read."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/15dc0a4de743a1aaa7b859b3aea79f08c695396c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2be11faf79e49fb8250a181ff0b4d2b2f084af83","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b8c8a704f0bc133deb171f6aeb6f3a684203e212","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b9561402489d41149f63e001a74384863b7b30a6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d62b8d236fab503c6fec1d3e9a38bea71feaca20","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ef6495d4df6e7af8f3de67e65150881c880f696c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46186","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:34.223","lastModified":"2026-06-01T17:17:31.180","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: virtio_bt: validate rx pkt_type header length\n\nvirtbt_rx_handle() reads the leading pkt_type byte from the RX skb\nand forwards the remainder to hci_recv_frame() for every\nevent/ACL/SCO/ISO type, without checking that the remaining payload\nis at least the fixed HCI header for that type.\n\nAfter the preceding patch bounds the backend-supplied used.len to\n[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches\nhci_recv_frame() with skb->len already pulled to 0. If the byte\nhappened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification\nfast-path in hci_dev_classify_pkt_type() dereferences\nhci_acl_hdr(skb)->handle whenever the HCI device has an active\nCIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of\nuninitialized RX-buffer data. The same hazard exists for every\npacket type the driver accepts because none of the switch cases in\nvirtbt_rx_handle() check skb->len against the per-type minimum HCI\nheader size before handing the frame to the core.\n\nAfter stripping pkt_type, require skb->len to cover the fixed\nheader size for the selected type (event 2, ACL 4, SCO 3, ISO 4)\nbefore calling hci_recv_frame(); drop ratelimited otherwise.\nUnknown pkt_type values still take the original kfree_skb() default\npath.\n\nUse bt_dev_err_ratelimited() because both the length and pkt_type\nvalues come from an untrusted backend that can otherwise flood the\nkernel log."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/149cfb42ad69c7964fd9f2c43831da9152007129","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7b2d4c04816cdc887f472caaf7fc966cfc107e40","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46187","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:34.333","lastModified":"2026-06-01T17:17:31.307","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: fix kthread lifetime race between self-exit and external-stop\n\nRSI driver use both self-exit(kthread_complete_and_exit) and external-stop\n(kthread_stop) when killing a kthread. Generally, kthread_stop() is called\nfirst, and in this case, no particular issues occur.\n\nHowever, in rare instances where kthread_complete_and_exit() is called\nfirst and then kthread_stop() is called, a UAF occurs because the kthread\nobject, which has already exited and been freed, is accessed again.\n\nTherefore, to prevent this with minimal modification, you must remove\nkthread_stop() and change the code to wait until the self-exit operation\nis completed."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/16d9f674c619838bdeae42abc0929c9c5477ea1f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4ac3095da22fc50e51ec10c3b8323c21ab3e441a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4f4c9b13c485abd0a2d2c97f9db339d1dd8e147f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4f697813162d5f9151726a6d2bee82bffe4b0256","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4f9a4ae8d2c198f01611ea376034c326ef43ab56","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/95fcb436586dc3c2983537d557ac05bbc6a027f3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9dfe8a4458a063c6433526bc59112a169eee1aa3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/db57a1aa54ff68669781976e4edb045e09e2b65b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46189","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:34.540","lastModified":"2026-06-01T17:17:31.440","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path\n\nSashiko points out that pvrdma_uar_free() is already called within\npvrdma_dealloc_ucontext(), so calling it before triggers a double free."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0c63333ff97bd1275294fd12840a0efe9d7a4c59","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1df5711121cdc11e76b889408fdbe459feba1d39","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/269967d7693304e1f06ed2dff4ebbbeeb397cda4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3a231c34c5bc3d3cfc850b877758ec9fdaa8a483","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/935ee27d0904aa944cbcc979094c20e5ef62eead","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e38e86995df27f1f854063dab1f0c6a513db3faf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ecc36a82ecfcfdf3c6606d209f22ec5543c410e0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46197","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:35.360","lastModified":"2026-06-01T17:17:31.547","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: validate SVM ioctl nattr against buffer size\n\nValidate nattr field against the buffer size, preventing\nout-of-bounds buffer access via user-controlled attribute count.\n\n(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/045e0ff208f0838a246c10204105126611b267a1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6abd3a4417cb73a7d0db7e25bf11fae1074bdba3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/91c6dc5a41695d02dfc6299f106ac38a6c493e52","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ccd060b5c7cc75ae7e211c250b97c5b6272e7efc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/daa8bc5f83814b55b71d2b5b3a090d57a5219c21","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/db9530a9873a7c85d2266a922589ebcf427fa631","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fb07a0c9c8419164812e07274947f11b1d92dd61","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46198","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:35.460","lastModified":"2026-06-01T17:17:31.690","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix integer overflow on buff_pos\n\nFixing an integer overflow present in batadv_iv_ogm_send_to_if. The size\ncheck is done using the int type in batadv_iv_ogm_aggr_packet whereas the\nbuff_pos variable uses the s16 type. This could lead to an out-of-bound\nread."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/0799e5943611006b346b8813c7daf7dd5aa26bfd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/10bb1f366d884d506c38a947b43026a75d1afe9a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/867cd090760e8f5cd206f387b47ff9c56fac04e9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/96c9c0ed9a9579a9085765aceaa4556a6666eb82","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/974542d1efc48b7e9fe16184e647615cba39969b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b252797bfced986d6d92ec2f4cfcca842ce8aa78","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bf872db54f91ffe70104b98c20068b2d5910e018","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f61499359fa529f0d45a53bf7c573a49eb6322e6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46199","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:35.570","lastModified":"2026-06-01T17:17:31.807","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg\n\nCheck bounds against the end of the BO whenever we access the msg."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3c817a60b09eaab926e475088e750936efcc95ae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/63b51e8a9d54317d31cc3856c1e12407070d5fc2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7688143ca62edeecacb3ba0a2cea129dbd262a18","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/88411caee8f576d6b5abf6531232fcc0ce756dc5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c72a8b4dc6d598e3831ef3abd9c6527dfbf4810e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46205","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:36.153","lastModified":"2026-06-01T17:17:31.920","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: atomisp: Disallow all private IOCTLs\n\nDisallow all private IOCTLs. These aren't quite as safe as one could\nassume of IOCTL handlers; disable them for now. Instead of removing the\ncode, return in the beginning of the function if cmd is non-zero in order\nto keep static checkers happy."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/64e85679beafe082fc2e70a557ec356c7fd27548","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6850a439f8d23d4979624f1d6880d3118d473a28","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6f1ce75a75c65061e7a720c3d0ee5f8adab7a2d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8774f8cb661f57ae43cc3bc0509d16ef1f406e45","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8c7a281a99224a5b9af99c4dcd98d68eea75926c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c7848b67ef10f581114b6a2f52b160fc20eb52c9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ceb1b5f910e58986ea544ff8c9c2f23ae9a52414","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46206","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:36.243","lastModified":"2026-06-01T17:17:32.030","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: reject new tp_meter sessions during teardown\n\nPrevent tp_meter from starting new sender or receiver sessions after\nmesh_state has left BATADV_MESH_ACTIVE."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/0a7a840074c9ca5ebffc9c52358c8ea55828ec71","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3243543592425beec83d453793e9d27caa0d8e66","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/52e6ec3e972cf27792cc1559874dbee19f286869","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ca39545cf07c142b39d474a1439a046bf28def3d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/dcff44644bb518598b1a6be722706d6174b2f6a1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e1e2194cc725ec1d41f9412496212f0fa0519c36","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e4a3c4a4c8f6efd243c3e448c05b7bebcbf7b3b6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ff93f86ecbb50a4709c403fc279a396e308edde5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46209","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:36.567","lastModified":"2026-06-01T17:17:32.143","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()\n\ndrm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions\nusing plain integer division:\n\n unsigned int width = mode_cmd->width / (i ? info->hsub : 1);\n unsigned int height = mode_cmd->height / (i ? info->vsub : 1);\n\nHowever, the ioctl-level framebuffer_check() in drm_framebuffer.c uses\ndrm_format_info_plane_width/height() which round up dimensions via\nDIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object\nsize check for certain pixel format and dimension combinations.\n\nFor example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the\nGEM size validation path sees height=0 instead of height=1. The\nexpression (height - 1) then wraps to UINT_MAX as an unsigned int,\ncausing min_size to overflow and wrap back to a small value. A tiny\nGEM object therefore passes the size guard, yet when the GPU accesses\nthe chroma plane it will read or write memory beyond the object's\nbounds.\n\nFix by replacing the open-coded divisions with drm_format_info_plane_width()\nand drm_format_info_plane_height(), which use DIV_ROUND_UP() and match\nthe calculation already used in framebuffer_check()."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/11427ad6c9f0def5ce567982b785da3191946430","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1a17ea9861e89585361caa8bc231bd22dc6dbe7d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1da4ab7189f1064b3b712b388772c008b4d82580","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/22922f7dae74409fc4bf0f1142710cb6b8ce8cc2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3d4c2268bd7243c3780fe32bf24ff876da272acf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6b992591e04f2cce813bcf239b354f375bbf84d3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/adfc5ba4ef4dd2bca5969f40e8fc7b41fb3902ad","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c5fc49d8470c5ebf3b41607600f277158f159950","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46212","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:36.853","lastModified":"2026-06-01T17:17:32.290","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: prevent use-after-free when deleting claims\n\nWhen batadv_bla_del_backbone_claims() removes all claims for a backbone, it\ndoes this by dropping the link entry in the hash list. This list entry\nitself was one of the references which need to be dropped at the same time\nvia batadv_claim_put().\n\nBut the batadv_claim_put() must not be done before the last access to the\nclaim object in this function. Otherwise the claim might be freed already\nby the batadv_claim_release() function before the list entry was dropped."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0cc9847c64cb6e61118bc78c9187c8209a7197fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1d4b241482d9025c537afb3c7c8419c72c0e0c82","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/368449e467d5f1e2c2e987bf2bd57000ba75e10b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4ae1709a314060a196981b344610d023ea841e57","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a1a99837bb6169cfb9187abaa2005e8f12079426","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b88c865dcf6e9f20bfe66a360d4b62941ef769b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46214","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:37.050","lastModified":"2026-06-01T17:17:32.413","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix accept queue count leak on transport mismatch\n\nvirtio_transport_recv_listen() calls sk_acceptq_added() before\nvsock_assign_transport(). If vsock_assign_transport() fails or\nselects a different transport, the error path returns without\ncalling sk_acceptq_removed(), permanently incrementing\nsk_ack_backlog.\n\nAfter approximately backlog+1 such failures, sk_acceptq_is_full()\nreturns true, causing the listener to reject all new connections.\n\nFix by moving sk_acceptq_added() to after the transport validation,\nmatching the pattern used by vmci_transport and hyperv_transport."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2ea5d2c79edcc99c7dbe0bb7518f5e1ee2a2391f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f66c7904fb6f0e420a654bc90909e64a25d00896","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fd51e810affa38d735d04261e673b2a5fe9c8665","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46216","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:37.237","lastModified":"2026-06-01T17:17:32.523","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()\n\nWhen media GT is disabled via configfs, there is no allocation for\nmedia_gt, which is kept as NULL. In such scenario,\nintel_hdcp_gsc_check_status() results in a kernel pagefault error due to\n>->uc.gsc being evaluated as an invalid memory address.\n\nFix that by introducing a NULL check on media_gt and bailing out early\nif so.\n\nWhile at it, also drop the NULL check for gsc, since it can't be NULL if\nmedia_gt is not NULL.\n\nv2:\n - Get address for gsc only after checking that gt is not NULL.\n (Shuicheng)\n - Drop the NULL check for gsc. (Shuicheng)\nv3:\n - Add \"Fixes\" and \"Cc: \" tags. (Matt)\n\n(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/60a1e131a811b68703da58fd805ab359b704ab03","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/814326e86e929b865020ff44f4576dbdfe3f7ff3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cad210d2851f3a7d9573bdfc02aa61d9287bbe8c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d8ab4b47edf4578dbfbe5e95817107a514fa34cc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46217","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:37.330","lastModified":"2026-06-01T17:17:32.613","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn4: Avoid overflow on msg bound check\n\nAs pointed out by SDL, the previous condition may be vulnerable to\noverflow.\n\n(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/271cd5429513ff9b364a9bf8903e5b65b687eb25","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/30d12ee310a6024ff4c7b9eafdbbeab2db450d4a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5bb5faff4837b1d98fd655cf8bd7b5d4da0fc4dc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/65bce27ea6192320448c30267ffc17ffa094e713","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/73043d296787bf187d89ffb5c5dcf5bdc3db7885","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f7bf02dcb7c76229ea8ace11b7d0d0c7b87ee57e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46218","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:37.423","lastModified":"2026-06-01T17:17:32.703","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Add bounds checking to ib_{get,set}_value\n\nThe uvd/vce/vcn code accesses the IB at predefined offsets without\nchecking that the IB is large enough. Check the bounds here. The caller\nis responsible for making sure it can handle arbitrary return values.\n\nAlso make the idx a uint32_t to prevent overflows causing the condition\nto fail."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/0fb5cb556b249b2b64c0f818136c4c3e838ef53f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/5da6c6430be0acb25b4242bce0323fc514d4e3cf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/66085e206431ef88ce36f53c1f53d570790ccc9e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a853178d23e774adfe3a35073c375b04b3b20f7d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ee26fcf7c5cf131f0b6a732faa27d79ec61b8ec7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fec8b11b55e53ff51a741e56894fe331a516f5c6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46219","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:37.530","lastModified":"2026-06-01T17:17:32.803","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nspi: mpc52xx: fix use-after-free on unbind\n\nThe state machine work is scheduled by the interrupt handler and\ntherefore needs to be cancelled after disabling interrupts to avoid a\npotential use-after-free."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0944b20e9dfa2917bd70eb5b301cbb67fe54a718","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ac8316c896c79f32c1d0a38cb41fd2b14cf8112e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ed929d40963073f23cfb50219ccbcc6e0c3ea641","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46220","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:37.640","lastModified":"2026-06-01T17:17:32.923","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission\n\nsdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions\nthat verify fence writeback addresses are dword-aligned. These\nassertions can be reached from unprivileged userspace via crafted\nDRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a\nscheduler worker thread.\n\nReplace both BUG_ON() calls with WARN_ON() to log the condition without\ncrashing the kernel. A misaligned fence address at this point indicates\na driver bug, but crashing the kernel is never the correct response when\nthe assertion is reachable from userspace.\n\nThe CS IOCTL path is the correct place to filter invalid submissions;\nthe ring emission callback is too late to do anything about it.\n\n(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)"}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0b91ea46bb68abf98a082bf239092253bbd6aaa2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/25e7d56a39657d56d1ea6d78992f7ed15dedb412","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/78d2e624fa073c14970aa097adcf3ea31c157a66","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a4fd82fb0757c180bf622907397c528b89a827b2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d331fb241a4602253976ddd65144a8ba2b05665d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d4c56932d29773e278be6a65a5384a36c95b89a4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ecaa80318e900ca0c3f687742ede33b41cfd2f8e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46227","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:38.317","lastModified":"2026-06-01T17:17:33.050","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs. The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep->asocs), and optionally close the new socket which frees the\nassociation via kfree_rcu(). The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing\nrevalidates @tmp. After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint's list head (type\nconfusion of &newep->asocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched->init_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns. @asoc is known to still be on ep->asocs at that point: the\nonly callers that list_del an association from ep->asocs are\nsctp_association_free() (which sets asoc->base.dead) and\nsctp_assoc_migrate() (which changes asoc->base.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err < 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/0c7b55974f97b78d1109025eadf084e74cbf330f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0dbc8cde64280fc37cdd678cced34eaf96cfb197","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f3a3f0b406b4b7eb3cea35a23fa2bf170848b104","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46230","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:38.643","lastModified":"2026-06-01T17:17:33.207","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg\n\nCheck bounds against the end of the BO whenever we access the msg."}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/638d3e0b9eb77aa53fdd60e2b928761d16ba76fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/638e48ee39d0f2af9336f917a6f5d6692dd64d93","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/82c535eff05490c71153af57de9fe85502fcb5d5","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/870c8738c3774336baedddd0240951d078a703b8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b193019860d61e92da395eae2011f2f6716b182f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e382e0b81a3e7bd21504fee1d01ae8b08f84d3a7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f55552adb100eb54a6e6dabff4fbdc8679bd3fa0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46231","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:38.743","lastModified":"2026-06-01T17:17:33.327","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: put backbone reference on failed claim hash insert\n\nWhen batadv_bla_add_claim() fails to insert a new claim into the hash, it\nleaked a reference to the backbone_gw for which the claim was intended.\nCall batadv_backbone_gw_put() on the error path to release the reference\nand avoid leaking the backbone_gw object."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2888c9a154123db0254ae4fb9bea570c7e1f2e06","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/65419eb4259a26a3cd3f56fa0e3b3c113bf8c256","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6c8b68a7ed667a63aa603ba4d3a7088be143007e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/769f413d374ff2b6ff6d8d8c37b4c1178e6cdf14","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7cccf4eb4f96d3c3af91a00b7a9caa652439542e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ba9d20ee9076dac32c371116bacbe72480eb356c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/fd0ca034c1e71ca7613cde9dd892836b2c2831bd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46233","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:38.943","lastModified":"2026-06-01T17:17:33.437","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bla: only purge non-released claims\n\nWhen batadv_bla_purge_claims() goes through the list of claims, it is only\ntraversing the hash list with an rcu_read_lock(). Due to a potential\nparallel batadv_claim_put(), it can happen that it encounters a claim which\nwas actually in the process of being released+freed by\nbatadv_claim_release(). In this case, backbone_gw is set to NULL before the\ndelayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is\nthen no longer allowed because it would cause a NULL-ptr derefence.\n\nTo avoid this, only claims with a valid reference counter must be purged.\nAll others are already taken care of."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/6725c523a35eeca611ff37e7d4a8712fae92aefd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7b8fbcee3184d848b5aee085ca16d0cf05c9b641","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a9f58d5e3261f3deeae69ec1e237f38ef3ff5cbe","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/afb5436f6028fd68f408f189230fbaa19c910d72","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/b65365d2b1e6095c538d49baeb140dd1c166c1b3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cf6b604011591865ae39ac82de8978c1120d17af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46234","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:39.043","lastModified":"2026-06-01T17:17:33.543","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix buffer size clamping order\n\nIn vsock_update_buffer_size(), the buffer size was being clamped to the\nmaximum first, and then to the minimum. If a user sets a minimum buffer\nsize larger than the maximum, the minimum check overrides the maximum\ncheck, inverting the constraint.\n\nThis breaks the intended socket memory boundaries by allowing the\nvsk->buffer_size to grow beyond the configured vsk->buffer_max_size.\n\nFix this by checking the minimum first, and then the maximum. This\nensures the buffer size never exceeds the buffer_max_size."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/01ef69785dc3162f588a361ab770b1e312800188","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0b68881501460c3761f196469e1e503218c5e536","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2602f7bb5818e92315feeaeb71d8ce4d5c9ab160","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/310da27932dd0afe7ce7456dfe1f0814c3301f41","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a998a7e250bf976539e05a00ec64a81292afecaa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/caf11dfea5233a69298a1c448bbf8d1639c80536","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d114bfdc9b76bf93b881e195b7ec957c14227bab","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f6ec135941d2c1c2dbb87b5ce1783f4f6ac6ccca","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46235","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:39.143","lastModified":"2026-06-01T17:17:33.653","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: saa7164: add ioremap return checks and cleanups\n\nAdd checks for ioremap return values in saa7164_dev_setup(). If\nioremap for BAR0 or BAR2 fails, release the already allocated PCI\nmemory regions, remove the device from the global list, decrement\nthe device count, and return -ENODEV.\n\nThis prevents potential null pointer dereferences and ensures proper\ncleanup on memory mapping failures."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/23dee5990d2c27ed79567fd61ccfe6876768531a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3ce8f3057c51bb0a66aa3fab0862be74e9f88684","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6047dc542fa404b5c187cc2c7906aaaaec6d11ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6c22a6d8e4c1507bba504aeebe80476144a373eb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a9b83f46e52cf1239d780920d1a7a3e415f7b5d9","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/d51c60a498e83c9a79884c8e420f97e3885c9583","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46236","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:39.240","lastModified":"2026-06-01T17:17:33.750","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: xbox_remote: heed DMA restrictions\n\nThe buffer for IO must not be part of the device structure\nbecause that violates the DMA coherency rules."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0cc9251833bf02c8c7863404157c94dab5928fcf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/0ea67a135335e51be50e83ee4cc99560b8b89c25","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/465d27ab83692167f06a6f917bdfd0a0d4fc8ff3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/48a668c22e8f92637bc496e84d1cf06900f74a5c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/63a960b39de9c51f29ca19aa5067934f865c0bc7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e0301883ec779c21158a3923b2eb666074fa976e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46237","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:39.333","lastModified":"2026-06-01T17:17:33.860","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/vcn3: Avoid overflow on msg bound check\n\nAs pointed out by SDL, the previous condition may be vulnerable to\noverflow.\n\n(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"references":[{"url":"https://git.kernel.org/stable/c/016b64a0313ea5346cf526e30c8d3e66aca10175","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/1936310f68c54be961de38ac539cef9b543207cb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2e43b66fceacd6e982b94f2e3f8b34edd7463396","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/94a2b37399807fd2ca78dc1906986c4fbd72968e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/95b0f6df8d7fad2eabf265d2c3d2538ef58e4465","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e6e9faba8100628990cccd13f0f044a648c303cf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/e8124121b79ab5d32fa8fbbd101f7208eca9cd7d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-46238","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-05-28T10:16:39.427","lastModified":"2026-06-01T17:17:33.953","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: stop caching unowned originator pointers in BAT IV\n\nBAT IV keeps the last-hop neighbor address in each neigh_node, but some\npaths also cache an originator pointer derived from a temporary lookup.\nThat pointer is not owned by the neigh_node and may no longer refer to a\nlive originator entry after purge handling runs.\n\nStop storing the auxiliary originator pointer in the BAT IV neighbor\nstate. When BAT IV needs the neighbor originator data, resolve it from\nthe stored neighbor address and drop the reference again after use.\n\n[sven: avoid bonding logic for outgoing OGM]"}],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"references":[{"url":"https://git.kernel.org/stable/c/09dc0d1a12222ffca6481916eab3cfea477b9620","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/384e3050a42be9085d50507b4d5f8266a588d742","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/67bceeb22207f1f5a402973a3a0809e5f2698f38","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/6e20700f8c524ac379ba8274ff5d453023b7c006","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/86b2b58d7c228d850c8c78e4144e6123e8ed2718","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/8c16c68fdbb69778f8d04f650340c3f4d1518f8e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/aafcbaf1159ea224528ca4075d0ba8c10ef374af","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f03e8583532941b07761c5429de7d50766fa3110","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}},{"cve":{"id":"CVE-2026-9658","sourceIdentifier":"9b29abf9-4ab0-4765-b253-1875cd9b441e","published":"2026-05-28T13:16:25.067","lastModified":"2026-06-01T19:16:56.177","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.\n\nThe header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example,\n\n GET /path\\r\\nHTTP/1.1\\r\\nHost: secret.example.com\n\nNote that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","type":"Secondary","description":[{"lang":"en","value":"CWE-113"},{"lang":"en","value":"CWE-790"}]}],"references":[{"url":"https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"http://www.openwall.com/lists/oss-security/2026/05/28/9","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2026-37579","sourceIdentifier":"cve@mitre.org","published":"2026-05-28T14:16:19.427","lastModified":"2026-06-01T21:16:42.943","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://github.com/wudijun/jun.github.io/blob/main/SMSGate%20deserialization%20vulnerability.md","source":"cve@mitre.org"},{"url":"https://github.com/wudijun/jun.github.io/blob/main/SMSGate%20deserialization%20vulnerability.md","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44358","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T16:16:24.210","lastModified":"2026-06-01T18:33:48.683","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action's own code. This vulnerability is fixed in 1.0.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-427"},{"lang":"en","value":"CWE-829"}]}],"references":[{"url":"https://github.com/espressif/shared-github-dangerjs/commit/d742408028135ea200982b5b2e3e438dc4e5a25d","source":"security-advisories@github.com"},{"url":"https://github.com/espressif/shared-github-dangerjs/security/advisories/GHSA-wm3p-pv54-6w73","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-44672","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T16:16:24.843","lastModified":"2026-06-01T18:33:29.313","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dynamic table without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/mapfish/mapfish-print/security/advisories/GHSA-q7m6-wpvf-mvwx","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-48522","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T16:16:29.150","lastModified":"2026-06-01T17:44:43.350","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained \"plant a JWKS to forge tokens\" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N","baseScore":4.2,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-441"},{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*","versionEndExcluding":"2.13.0","matchCriteriaId":"2692B308-E3F9-4586-AD28-F64C14358242"}]}]}],"references":[{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-48523","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T16:16:29.280","lastModified":"2026-06-01T17:44:48.617","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-347"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*","versionStartIncluding":"2.9.0","versionEndExcluding":"2.12.1","matchCriteriaId":"AD0759FF-955F-482B-9EB8-C2F445D540E4"}]}]}],"references":[{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-48524","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T16:16:29.403","lastModified":"2026-06-01T17:44:55.037","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-460"},{"lang":"en","value":"CWE-755"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*","versionEndExcluding":"2.13.0","matchCriteriaId":"2692B308-E3F9-4586-AD28-F64C14358242"}]}]}],"references":[{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-48525","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T16:16:29.533","lastModified":"2026-06-01T17:45:15.763","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (\"b64\": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*","versionStartIncluding":"2.8.0","versionEndIncluding":"2.12.1","matchCriteriaId":"71DC0C43-352F-449C-B411-5040A311A35F"}]}]}],"references":[{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory","Mitigation"]},{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory","Mitigation"]}]}},{"cve":{"id":"CVE-2026-48526","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T16:16:29.657","lastModified":"2026-06-01T17:45:32.253","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"},{"lang":"en","value":"CWE-347"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*","versionEndExcluding":"2.13.0","matchCriteriaId":"2692B308-E3F9-4586-AD28-F64C14358242"}]}]}],"references":[{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-24444","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-28T17:16:20.143","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that allows unauthenticated attackers to gain root access by submitting the hardcoded credential to the recovery endpoint via HTTP. Attackers can leverage this hardcoded password to enable filtered SSH and Telnet services on the device, resulting in unauthenticated root-level remote access to the underlying system."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-798"}]}],"references":[{"url":"https://en.sdmctech.com/product/DOCSIS_234.html","source":"disclosure@vulncheck.com"},{"url":"https://www.kr3bz.wtf/posts/sdmc-ne6037-router-recovery-backdoor/","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-44543","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T17:16:30.967","lastModified":"2026-06-01T18:33:48.683","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":5.8}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-269"}]}],"references":[{"url":"https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-7fxv-8wr2-mfc4","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45261","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T17:16:31.900","lastModified":"2026-06-01T18:38:18.703","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a emote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/gitbutlerapp/gitbutler/security/advisories/GHSA-xpmj-536r-9fc6","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-9092","sourceIdentifier":"cret@cert.org","published":"2026-05-28T17:16:34.083","lastModified":"2026-06-01T19:16:55.387","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"references":[{"url":"https://kb.cert.org/vuls/id/780781","source":"cret@cert.org"}]}},{"cve":{"id":"CVE-2026-45058","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T18:16:34.313","lastModified":"2026-06-01T18:38:18.703","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"},{"lang":"en","value":"CWE-345"},{"lang":"en","value":"CWE-494"},{"lang":"en","value":"CWE-915"}]}],"references":[{"url":"https://github.com/electerm/electerm/security/advisories/GHSA-jgg9-rw32-44pj","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45307","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T18:16:34.907","lastModified":"2026-06-01T18:38:18.703","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urljoin(request.host_url, target) before parsing, while the controller passed the raw target to redirect(). A scheme-relative input such as ////evil.com resolved to a same-host URL during validation but was emitted verbatim in the Location header, where the browser interpreted it as a network-path-relative redirect to an attacker-controlled host. This vulnerability is fixed in 0.8.20-alpha."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-601"}]}],"references":[{"url":"https://github.com/murtaza-nasir/speakr/security/advisories/GHSA-5cpp-mqgh-4c38","source":"security-advisories@github.com"},{"url":"https://github.com/murtaza-nasir/speakr/security/advisories/GHSA-5cpp-mqgh-4c38","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45311","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T18:16:35.170","lastModified":"2026-06-01T21:16:45.620","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-wx44-2q6h-j6p8","source":"security-advisories@github.com"},{"url":"https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-wx44-2q6h-j6p8","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-43979","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T19:16:38.067","lastModified":"2026-06-01T18:38:18.703","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.0, PDFService._markdown_to_html() constructs an HTML document by interpolating user-controlled values — specifically title (sourced from research.title or research.query) and metadata key-value pairs — directly into an f-string without any HTML escaping. An authenticated attacker can craft a research query containing HTML special characters to inject arbitrary HTML tags into the document processed by WeasyPrint during PDF export. This injection can be chained to trigger a Server-Side Request Forgery (SSRF), bypassing the application's existing SSRF defenses in ssrf_validator.py. This vulnerability is fixed in 1.6.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"},{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/LearningCircuit/local-deep-research/pull/3082","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/pull/3613","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-fj2m-qvh9-jq4q","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-fj2m-qvh9-jq4q","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45332","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T19:16:39.133","lastModified":"2026-06-01T18:50:57.210","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"},{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"https://github.com/marcantondahmen/automad/security/advisories/GHSA-xm76-r88j-vm3g","source":"security-advisories@github.com"},{"url":"https://github.com/marcantondahmen/automad/security/advisories/GHSA-xm76-r88j-vm3g","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-46509","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T19:16:39.280","lastModified":"2026-06-01T18:38:18.703","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"deepobj provides get, set, delete deep objects in javascript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1321"}]}],"references":[{"url":"https://github.com/ranfdev/deepobj/security/advisories/GHSA-x7q7-fchv-8h2j","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-46526","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T19:16:39.430","lastModified":"2026-06-01T18:43:56.377","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks. However, there are indeed differences in parsing between urlparse and the library that actually sends the request. For example, in safe_get, validate_url is first used to perform an SSRF check, and then requests.get is used to send the actual request. This vulnerability is fixed in 1.6.10."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/LearningCircuit/local-deep-research/pull/3873","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/pull/3882","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/pull/3889","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/pull/3932","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/releases/tag/v1.6.10","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-g23j-2vwm-5c25","source":"security-advisories@github.com"},{"url":"https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-g23j-2vwm-5c25","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45288","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T21:16:31.220","lastModified":"2026-06-01T18:41:24.920","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/JasperFx/marten/commit/626249656829860b9c55895b5b6046b61a2a695f","source":"security-advisories@github.com"},{"url":"https://github.com/JasperFx/marten/pull/4343","source":"security-advisories@github.com"},{"url":"https://github.com/JasperFx/marten/security/advisories/GHSA-vmw2-qwm8-x84c","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-9645","sourceIdentifier":"vulnreport@tenable.com","published":"2026-05-28T21:16:34.950","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root."}],"metrics":{"cvssMetricV31":[{"source":"vulnreport@tenable.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"vulnreport@tenable.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://www.tenable.com/security/research/tra-2026-46","source":"vulnreport@tenable.com"}]}},{"cve":{"id":"CVE-2026-9646","sourceIdentifier":"vulnreport@tenable.com","published":"2026-05-28T21:16:35.087","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A reflected cross-site scripting issue exists in URL handling."}],"metrics":{"cvssMetricV31":[{"source":"vulnreport@tenable.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"vulnreport@tenable.com","type":"Secondary","description":[{"lang":"en","value":"CWE-80"}]}],"references":[{"url":"https://www.tenable.com/security/research/tra-2026-46","source":"vulnreport@tenable.com"}]}},{"cve":{"id":"CVE-2026-10044","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-28T22:16:58.453","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and '..', by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-36"}]}],"references":[{"url":"https://github.com/Usagi-org/ai-goofish-monitor/commit/f85d140b6b45029d9a0925feb96dad733b41396d","source":"disclosure@vulncheck.com"},{"url":"https://github.com/Usagi-org/ai-goofish-monitor/issues/488","source":"disclosure@vulncheck.com"},{"url":"https://github.com/Usagi-org/ai-goofish-monitor/pull/489","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/ai-goofish-monitor-unauthenticated-arbitrary-file-read-via-get-api-prompts","source":"disclosure@vulncheck.com"},{"url":"https://github.com/Usagi-org/ai-goofish-monitor/issues/488","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-39929","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-28T22:16:58.693","lastModified":"2026-06-01T16:52:20.117","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-125"},{"lang":"en","value":"CWE-754"}]}],"references":[{"url":"https://documentation.lakesidesoftware.com/docs/112128-hotfix-agent-release-notes","source":"disclosure@vulncheck.com"},{"url":"https://documentation.lakesidesoftware.com/docs/1130xxx-hotfix-agent-release-notes","source":"disclosure@vulncheck.com"},{"url":"https://documentation.lakesidesoftware.com/docs/1140xxx-hotfix-agent-release-notes","source":"disclosure@vulncheck.com"},{"url":"https://documentation.lakesidesoftware.com/docs/1150xxx-hotfix-agent-release-notes","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/lakeside-systrack-agent-lsiagent-exe-out-of-bounds-read-via-udp","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-44848","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:16:58.837","lastModified":"2026-06-01T21:16:45.080","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations — including installing and enabling plugins — directly against the underlying Docker daemon. The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.8","matchCriteriaId":"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.34.0","versionEndExcluding":"2.39.2","matchCriteriaId":"42BB76C6-ADCE-4D73-BAF0-7DBBB707C360"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:2.40.0:*:*:*:community:*:*:*","matchCriteriaId":"69F71AFC-F50D-4D10-9918-413D8E841CC2"}]}]}],"references":[{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-44849","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:16:58.973","lastModified":"2026-06-01T17:59:18.843","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts. These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.8","matchCriteriaId":"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.34.0","versionEndExcluding":"2.39.1","matchCriteriaId":"3717D3CE-5226-41F7-A131-7CCAF164914D"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:2.40.0:*:*:*:community:*:*:*","matchCriteriaId":"69F71AFC-F50D-4D10-9918-413D8E841CC2"}]}]}],"references":[{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-5fxq-qcf3-244w","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-44850","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:16:59.107","lastModified":"2026-06-01T17:59:49.683","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer offers an environment-level Disable bind mounts for non-administrators security setting that blocks regular users from binding host paths into containers they create through the Portainer-mediated Docker API. The check that enforces this setting only inspected the legacy HostConfig.Binds array on the container-create proxy and never looked at the equivalent HostConfig.Mounts array. Any authenticated user with rights to create containers on a Docker environment where the restriction is enabled could submit a bind-typed entry under HostConfig.Mounts and mount any host path into their container. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.8","matchCriteriaId":"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.34.0","versionEndExcluding":"2.39.1","matchCriteriaId":"3717D3CE-5226-41F7-A131-7CCAF164914D"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:2.40.0:*:*:*:community:*:*:*","matchCriteriaId":"69F71AFC-F50D-4D10-9918-413D8E841CC2"}]}]}],"references":[{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-7fw3-x4r2-g7wc","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-44881","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:16:59.247","lastModified":"2026-06-01T18:02:17.783","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer supports deploying stacks from Git repositories. When a Git-backed stack is created or updated, Portainer clones the repository using go-git v5, which translates Git blob entries with mode 0o120000 (symlink) into real OS symlinks on the host filesystem via os.Symlink. The only entry blocked from becoming a symlink is .gitmodules; every other path is created as a symlink without validation. Portainer's GET /api/stacks/{id}/file endpoint then reads the stack entry point with os.ReadFile, which follows OS symlinks transparently. A repository containing docker-compose.yml as a symlink to an arbitrary filesystem path causes the symlink target's contents to be returned verbatim in the HTTP response. Any authenticated user with rights to create or update a Git-backed stack — the default configuration in Portainer CE — can read arbitrary files accessible to the Portainer process. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-59"},{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.8","matchCriteriaId":"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.34.0","versionEndExcluding":"2.39.2","matchCriteriaId":"42BB76C6-ADCE-4D73-BAF0-7DBBB707C360"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:2.40.0:*:*:*:community:*:*:*","matchCriteriaId":"69F71AFC-F50D-4D10-9918-413D8E841CC2"}]}]}],"references":[{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-rpgq-m5fp-32wr","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-44882","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:16:59.380","lastModified":"2026-06-01T18:03:51.673","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer (kubeClientMiddleware) that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missing a return statement — execution continued into the handler with a nil tokenData value. The Kubernetes endpoints sit behind Portainer's outer AuthenticatedAccess bouncer, so an attacker requires a valid Portainer session. However, a user whose secondary token validation fails in kubeClientMiddleware — for example a user without permission to access a given Kubernetes endpoint — would have their request forwarded to the cluster anyway, bypassing the authorization check. The same defect was present in both the CE and EE codebases. This vulnerability is fixed in 2.33.8."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.8","matchCriteriaId":"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4"}]}]}],"references":[{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-mgq6-4x29-88r3","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-44883","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:16:59.537","lastModified":"2026-06-01T18:03:20.590","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer's authentication middleware accepts JWT bearer tokens passed as the ?token= URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers on outbound navigation, so any JWT passed this way can be harvested by anyone with access to those logs or by an external site the user subsequently visits. A leaked token grants the full privileges of the user it was issued to, until the token expires (default 8 hours, configurable). The ?token= parameter was used by Portainer's browser-based container attach, exec, and pod shell features, so any user with exec or attach rights on a container was exposed — not only administrators. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-598"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.8","matchCriteriaId":"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.34.0","versionEndExcluding":"2.39.2","matchCriteriaId":"42BB76C6-ADCE-4D73-BAF0-7DBBB707C360"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.40.0","versionEndExcluding":"2.41.0","matchCriteriaId":"4955234B-5329-4420-9F58-1C14B1C2E506"}]}]}],"references":[{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-jvp4-q659-95mj","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-44884","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:16:59.677","lastModified":"2026-06-01T18:07:59.060","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.8","matchCriteriaId":"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4"},{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.39.0","versionEndExcluding":"2.39.1","matchCriteriaId":"69AF042A-AD6A-4580-9862-B9C1E54946DF"}]}]}],"references":[{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-44885","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:16:59.803","lastModified":"2026-06-01T18:08:20.353","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, Portainer's backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function (ExtractTarGz in api/archive/targz.go) constructed output paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)). This combination does not prevent directory traversal — a tar entry named ../../etc/cron.d/evil resolves to a path outside the extraction root, so a crafted archive can write files to arbitrary locations on the server filesystem. This vulnerability is fixed in 2.33.8."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":1.2,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:portainer:portainer:*:*:*:*:community:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.8","matchCriteriaId":"4E7FE81D-D489-4034-9DB4-D48E3B6C3CE4"}]}]}],"references":[{"url":"https://github.com/portainer/portainer-suite/pull/1875","source":"security-advisories@github.com","tags":["Broken Link"]},{"url":"https://github.com/portainer/portainer/security/advisories/GHSA-m8fg-67j7-cx4v","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-45344","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:17:00.497","lastModified":"2026-06-01T21:16:45.717","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]}],"references":[{"url":"https://github.com/Kovah/LinkAce/security/advisories/GHSA-37m5-936h-w455","source":"security-advisories@github.com"},{"url":"https://github.com/Kovah/LinkAce/security/advisories/GHSA-37m5-936h-w455","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45364","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:17:00.633","lastModified":"2026-06-01T18:41:24.920","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-307"}]}],"references":[{"url":"https://github.com/better-auth/better-auth/commit/43e719bcc0c223c7079fa0c611a9cf7ea1188254","source":"security-advisories@github.com"},{"url":"https://github.com/better-auth/better-auth/commit/57af0f7b910dcf7b1a5c0615d10b9bd56bb69bef","source":"security-advisories@github.com"},{"url":"https://github.com/better-auth/better-auth/pull/7470","source":"security-advisories@github.com"},{"url":"https://github.com/better-auth/better-auth/pull/7509","source":"security-advisories@github.com"},{"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-p6v2-xcpg-h6xw","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45366","sourceIdentifier":"security-advisories@github.com","published":"2026-05-28T22:17:00.773","lastModified":"2026-06-01T18:41:24.920","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"typescript-utcp is a typescript implementation of UTCP. Prior to 1.1.2, the @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: \"http://127.0.0.1:9090\" }] or servers: [{ url: \"http://169.254.169.254\" }]; the converter then produces tools whose URL points at internal services on the agent host. This vulnerability is fixed in 1.1.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/universal-tool-calling-protocol/typescript-utcp/security/advisories/GHSA-r8j5-8747-88cm","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-10005","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:42.293","lastModified":"2026-06-01T18:47:08.450","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/513750089","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-10013","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:43.130","lastModified":"2026-06-01T17:22:23.570","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory","Release Notes"]},{"url":"https://issues.chromium.org/issues/514715455","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-10014","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:43.233","lastModified":"2026-06-01T18:45:22.350","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in WebMIDI in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:148.0.7778.216:*:*:*:*:*:*:*","matchCriteriaId":"F375CA63-A23A-4AF0-97A9-C332F67A7418"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/514742327","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-10020","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:43.887","lastModified":"2026-06-01T18:45:15.917","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/496565479","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-5343","sourceIdentifier":"mlhess@drupal.org","published":"2026-05-28T23:16:44.520","lastModified":"2026-06-01T17:29:21.430","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation.\n\nThis issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}]},"weaknesses":[{"source":"mlhess@drupal.org","type":"Secondary","description":[{"lang":"en","value":"CWE-754"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:*:*:*:*:*:drupal:*:*","versionStartIncluding":"3.0.1","versionEndExcluding":"3.1.4","matchCriteriaId":"C6F52B9A-3CFE-466F-A234-164246498A37"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.0:*:*:*:*:drupal:*:*","matchCriteriaId":"84285C85-DA43-4E22-B037-E386D9F1278B"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.1:*:*:*:*:drupal:*:*","matchCriteriaId":"A217C5B5-0FD8-4AD1-932A-EACD0392F6A4"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.2:*:*:*:*:drupal:*:*","matchCriteriaId":"AE11E8A3-B5BB-4937-8B57-630E64E42AE5"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.3:*:*:*:*:drupal:*:*","matchCriteriaId":"D23AA5C4-A6AE-4AA2-82B8-DF3AA0FF04D6"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.4:*:*:*:*:drupal:*:*","matchCriteriaId":"DF86737D-3CAD-44E9-B071-E81C7FC1CF01"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.5:*:*:*:*:drupal:*:*","matchCriteriaId":"C2E647DD-FCF7-4E66-822B-8B80010C5D08"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.6:*:*:*:*:drupal:*:*","matchCriteriaId":"9078C79B-5A2F-4A7C-A8D5-3DB9496BD935"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.7:*:*:*:*:drupal:*:*","matchCriteriaId":"2C7BD10D-4D5A-4570-893A-6ED20A6D0901"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.8:*:*:*:*:drupal:*:*","matchCriteriaId":"8AECFEA3-9D8C-4255-9B51-E352620F1EA2"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.9:*:*:*:*:drupal:*:*","matchCriteriaId":"D447F116-3078-4C45-B2DE-2CE1AF527EAB"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.91:*:*:*:*:drupal:*:*","matchCriteriaId":"5B610F53-4CA8-4871-ABB6-748924CAAADB"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.92:*:*:*:*:drupal:*:*","matchCriteriaId":"A5709CAD-064C-4E3D-9851-F2B5659AB779"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.93:*:*:*:*:drupal:*:*","matchCriteriaId":"B6C89604-FC97-42B2-9768-E9CA843303C0"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.94:*:*:*:*:drupal:*:*","matchCriteriaId":"81AB4FDD-0AB7-4ADA-BE5D-29DAFA89AED8"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.95:*:*:*:*:drupal:*:*","matchCriteriaId":"9158E6F7-B368-4D4D-941D-24FE1CF4C469"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.96:*:*:*:*:drupal:*:*","matchCriteriaId":"55E46423-A251-46BC-8390-E9B96B0C9999"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.97:*:*:*:*:drupal:*:*","matchCriteriaId":"9116503B-159E-45CE-AC5B-9DCC6FBA2F55"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.98:*:*:*:*:drupal:*:*","matchCriteriaId":"BCE0965A-307A-481F-AE89-3D59ACB89587"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.99:*:*:*:*:drupal:*:*","matchCriteriaId":"BAD4936D-A79B-4C0D-AC57-05A6CB550368"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.991:*:*:*:*:drupal:*:*","matchCriteriaId":"0DB94412-B773-46DD-A30A-B17B18279FF9"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.992:*:*:*:*:drupal:*:*","matchCriteriaId":"740A7FA8-562D-4F1E-A88F-0425B15C96B1"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.993:*:*:*:*:drupal:*:*","matchCriteriaId":"A499A397-6C64-45E4-AE5E-4EB8E70AC0F5"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.994:*:*:*:*:drupal:*:*","matchCriteriaId":"BEDB2E6B-66E4-4C56-B838-E67070C3E415"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-1.995:*:*:*:*:drupal:*:*","matchCriteriaId":"4A0528F0-9033-4E86-92EF-AEC3CFBEBE4B"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.0:*:*:*:*:drupal:*:*","matchCriteriaId":"407D66FF-2DAA-4508-BEBC-381E689E9584"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.1:*:*:*:*:drupal:*:*","matchCriteriaId":"B054CF40-DBE3-4D24-BF0D-DCDD6A398493"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.2:*:*:*:*:drupal:*:*","matchCriteriaId":"30136A1D-2253-46E5-9487-2CC862854AFA"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.3:*:*:*:*:drupal:*:*","matchCriteriaId":"F445C5E5-8EE3-4169-AD4B-DAD3F4CF2F5E"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.4:*:*:*:*:drupal:*:*","matchCriteriaId":"47613A3A-88F5-40D0-B601-67F28C2FA6FA"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.5:*:*:*:*:drupal:*:*","matchCriteriaId":"853ECB89-56FE-47EB-97A9-F0F3D45DEB70"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.51:*:*:*:*:drupal:*:*","matchCriteriaId":"83B7C3E3-362B-48A2-9529-38B4A5A30383"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.52:*:*:*:*:drupal:*:*","matchCriteriaId":"98F5FE3F-446F-44D4-8A9C-254C425F7B9E"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.53:*:*:*:*:drupal:*:*","matchCriteriaId":"FE593D34-2523-443F-884F-AB9F70BDA8B6"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.54:*:*:*:*:drupal:*:*","matchCriteriaId":"58AB1D59-B200-4A40-81B8-93DABFADE728"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.55:*:*:*:*:drupal:*:*","matchCriteriaId":"BDF488FE-0D7F-4FC3-AACA-C3EBA95467BB"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.56:*:*:*:*:drupal:*:*","matchCriteriaId":"69BF5026-7266-4DE8-8C3D-2DD587E94F83"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.60:*:*:*:*:drupal:*:*","matchCriteriaId":"8FB34EA2-CEE6-4BCD-8CA0-1ACE01303972"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.61:*:*:*:*:drupal:*:*","matchCriteriaId":"1CD65BCA-FA32-4B29-8ABC-DDD6E5F5F983"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.70:*:*:*:*:drupal:*:*","matchCriteriaId":"D622AC8B-9C93-4980-9ED7-FB44AB85D053"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.71:*:*:*:*:drupal:*:*","matchCriteriaId":"63130FF1-60A0-4A9F-ACED-749E30E150AE"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:7.x-2.72:*:*:*:*:drupal:*:*","matchCriteriaId":"86DAA1E4-A7C4-4E8D-BAAC-EA29D0830645"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.0:*:*:*:*:drupal:*:*","matchCriteriaId":"624524CC-7E86-4399-9D07-42A62B8DE86E"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.1:*:*:*:*:drupal:*:*","matchCriteriaId":"0261A511-1FE4-4FED-A585-008D30B14BD6"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.2:*:*:*:*:drupal:*:*","matchCriteriaId":"8843F860-4870-4401-89E4-EF3B03C1FC76"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.3:*:*:*:*:drupal:*:*","matchCriteriaId":"AA1F8D0E-1456-4F72-9A23-D9694472F6CC"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.4:*:*:*:*:drupal:*:*","matchCriteriaId":"CB400C08-920F-4164-B370-17731952492B"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.5:*:*:*:*:drupal:*:*","matchCriteriaId":"EF010763-BC6C-4FC7-BD4E-972520493670"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.6:*:*:*:*:drupal:*:*","matchCriteriaId":"90079A7B-4EA8-4E92-A9E7-EE083D064D55"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.7:*:*:*:*:drupal:*:*","matchCriteriaId":"5B9FBE9C-AB62-43C8-8909-B028E9906031"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.8:*:*:*:*:drupal:*:*","matchCriteriaId":"9B46E4C7-3C88-46D3-9DAA-47AD4C93491C"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.9:*:*:*:*:drupal:*:*","matchCriteriaId":"1982052F-853F-444D-A00E-D80A40048CA7"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.10:*:*:*:*:drupal:*:*","matchCriteriaId":"72204C78-006C-4E3B-850D-FB752D82F8A8"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.11:*:*:*:*:drupal:*:*","matchCriteriaId":"50CFB922-DE38-483D-899E-57E068BE2907"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.12:*:*:*:*:drupal:*:*","matchCriteriaId":"F7082734-DCE0-4E86-BB04-D564FE389E9B"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.121:*:*:*:*:drupal:*:*","matchCriteriaId":"E13D9239-F933-4551-A75E-E8B27B3F6E19"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-1.122:*:*:*:*:drupal:*:*","matchCriteriaId":"8C9F4CC7-8E97-4760-94F7-F958AB1757F9"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.0:*:*:*:*:drupal:*:*","matchCriteriaId":"99FA10EB-189D-463B-A3F5-DC9696ACAC02"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.1:*:*:*:*:drupal:*:*","matchCriteriaId":"BDDF6A07-C809-42FB-8F0D-309AB75E878A"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.11:*:*:*:*:drupal:*:*","matchCriteriaId":"2522FA4B-CE2A-4400-ACFA-9149B2C761FC"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.12:*:*:*:*:drupal:*:*","matchCriteriaId":"ACAF856A-7A89-4F4C-BABA-438294EDD065"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.13:*:*:*:*:drupal:*:*","matchCriteriaId":"E63DEF35-CE9F-4FAF-B120-1C3E798BA839"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.14:*:*:*:*:drupal:*:*","matchCriteriaId":"2340C0C5-F37A-4412-8571-CECAC5A8FEA8"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.15:*:*:*:*:drupal:*:*","matchCriteriaId":"065C2669-52AB-4852-92B6-EF79E3CDB75B"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.16:*:*:*:*:drupal:*:*","matchCriteriaId":"CC0025F1-3A5E-44BD-A7B2-5603A5AAC751"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.17:*:*:*:*:drupal:*:*","matchCriteriaId":"F9822AF6-0821-45C9-BAB5-E0A33A525857"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.18:*:*:*:*:drupal:*:*","matchCriteriaId":"9D363A34-FB03-4B57-BD85-761986741353"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.19:*:*:*:*:drupal:*:*","matchCriteriaId":"FB3F72BF-5BD2-48BF-B42E-2FF9E649C22E"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.20:*:*:*:*:drupal:*:*","matchCriteriaId":"3BC649B6-F649-4C99-9737-4DDFF07734DF"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.21:*:*:*:*:drupal:*:*","matchCriteriaId":"3158F7E5-2657-4842-A255-DE7899FE387D"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.22:*:*:*:*:drupal:*:*","matchCriteriaId":"B2656DB3-7F25-484B-9F78-FE9A00619DC2"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.23:*:*:*:*:drupal:*:*","matchCriteriaId":"AC3A9AF8-538D-4E86-BDFB-4517A531AA92"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.24:*:*:*:*:drupal:*:*","matchCriteriaId":"0931AC5F-8D6E-426E-B7CC-B00B490AB305"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.25:*:*:*:*:drupal:*:*","matchCriteriaId":"280E6981-783C-4395-9A37-1D82A617B78B"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.26:*:*:*:*:drupal:*:*","matchCriteriaId":"8ED53809-CB59-403B-B0A5-CB6985AC64EC"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.27:*:*:*:*:drupal:*:*","matchCriteriaId":"EB67935B-EB59-4EB1-849B-0DAA9C71A6D9"},{"vulnerable":true,"criteria":"cpe:2.3:a:miniorange:saml_sso_-_service_provider:8.x-2.28:*:*:*:*:drupal:*:*","matchCriteriaId":"0DC0D68D-893F-47B9-9AC8-1109ED5F524B"}]}]}],"references":[{"url":"https://www.drupal.org/sa-contrib-2026-031","source":"mlhess@drupal.org","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-6816","sourceIdentifier":"mlhess@drupal.org","published":"2026-05-28T23:16:44.637","lastModified":"2026-06-01T17:15:34.127","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\n\n\nThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2."}],"metrics":{"cvssMetricV40":[{"source":"mlhess@drupal.org","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N","baseScore":3.8,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":2.5}]},"weaknesses":[{"source":"mlhess@drupal.org","type":"Secondary","description":[{"lang":"en","value":"CWE-267"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tfa_basic_plugins_project:tfa_basic_plugins:*:*:*:*:*:drupal:*:*","versionStartIncluding":"7.x-1.0","versionEndExcluding":"7.x-1.3","matchCriteriaId":"ACFFA1F8-5F80-4E2C-8366-3EEEB26F279C"}]}]}],"references":[{"url":"https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085","source":"mlhess@drupal.org","tags":["Third Party Advisory"]},{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-6816","source":"mlhess@drupal.org","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-6816?nes-for-drupal-7","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-9872","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:45.140","lastModified":"2026-06-01T18:45:09.070","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds write in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/505077859","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9875","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:45.443","lastModified":"2026-06-01T18:45:00.900","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/507508103","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9876","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:45.543","lastModified":"2026-06-01T18:44:53.453","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/493747593","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9888","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:46.787","lastModified":"2026-06-01T18:44:48.220","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in WebView in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/511715166","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9889","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:46.893","lastModified":"2026-06-01T18:44:39.550","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read and write in Dawn in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-125"},{"lang":"en","value":"CWE-787"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/511727159","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9892","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:47.187","lastModified":"2026-06-01T18:44:31.123","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-269"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/513948178","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9898","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:47.803","lastModified":"2026-06-01T18:44:19.397","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/496282591","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9905","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:48.553","lastModified":"2026-06-01T18:43:48.160","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Accessibility in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/498883610","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9906","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:48.663","lastModified":"2026-06-01T18:47:00.967","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/499005260","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9907","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:48.767","lastModified":"2026-06-01T18:46:49.920","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read in Dawn in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/499091269","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9908","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:48.867","lastModified":"2026-06-01T18:46:36.447","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/499091328","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9911","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.197","lastModified":"2026-06-01T18:46:29.307","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-472"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/499205491","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9912","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.300","lastModified":"2026-06-01T18:46:23.207","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/499873765","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9913","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.393","lastModified":"2026-06-01T18:46:16.930","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500046096","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9914","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.487","lastModified":"2026-06-01T18:46:10.680","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500047428","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9915","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.593","lastModified":"2026-06-01T18:46:04.880","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500063836","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9916","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.697","lastModified":"2026-06-01T18:45:58.517","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500080303","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9917","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.797","lastModified":"2026-06-01T18:48:51.183","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-457"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500095304","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9918","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.897","lastModified":"2026-06-01T18:48:43.230","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in Tint in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-269"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500099471","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9919","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:49.990","lastModified":"2026-06-01T18:48:34.020","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500114058","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9920","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:50.090","lastModified":"2026-06-01T18:48:25.537","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-457"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500138014","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9921","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:50.200","lastModified":"2026-06-01T18:48:16.937","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin information via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-457"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500150338","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9923","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:50.407","lastModified":"2026-06-01T18:48:09.230","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500393328","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9924","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:50.503","lastModified":"2026-06-01T18:47:58.167","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/500398345","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9929","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:50.997","lastModified":"2026-06-01T18:47:48.787","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/501367791","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9930","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:51.090","lastModified":"2026-06-01T18:47:42.193","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds write in Dawn in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/501499832","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9932","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:51.300","lastModified":"2026-06-01T18:47:34.850","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/501563323","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9934","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:51.513","lastModified":"2026-06-01T18:49:58.750","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Aura in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/501576946","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9940","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:52.123","lastModified":"2026-06-01T18:49:45.727","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"},{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/502738003","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9941","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:52.233","lastModified":"2026-06-01T18:49:52.143","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/502812366","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9943","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:52.433","lastModified":"2026-06-01T18:43:30.223","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/503464551","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9944","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:52.540","lastModified":"2026-06-01T18:31:22.740","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-457"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/503471286","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9948","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:52.940","lastModified":"2026-06-01T18:31:07.577","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in Views in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/503790201","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9950","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:53.150","lastModified":"2026-06-01T18:30:38.330","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*","matchCriteriaId":"B5415705-33E5-46D5-8E4D-9EBADC8C5705"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/503862359","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9953","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:53.470","lastModified":"2026-06-01T18:30:14.680","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/503985322","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9954","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:53.590","lastModified":"2026-06-01T18:29:45.503","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in TabStrip in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/504175497","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9955","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:53.703","lastModified":"2026-06-01T18:29:14.460","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*","matchCriteriaId":"B5415705-33E5-46D5-8E4D-9EBADC8C5705"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/504184408","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9958","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:54.000","lastModified":"2026-06-01T18:28:51.363","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Release Notes"]},{"url":"https://issues.chromium.org/issues/504555886","source":"chrome-cve-admin@google.com","tags":["Permissions Required","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-9967","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:54.913","lastModified":"2026-06-01T17:22:08.447","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory","Release Notes"]},{"url":"https://issues.chromium.org/issues/506414791","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9971","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:55.310","lastModified":"2026-06-01T18:27:35.103","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*","matchCriteriaId":"B5415705-33E5-46D5-8E4D-9EBADC8C5705"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/508448586","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9972","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:55.407","lastModified":"2026-06-01T18:27:14.093","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-457"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/508463705","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9975","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:55.740","lastModified":"2026-06-01T17:21:37.367","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read and write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-125"},{"lang":"en","value":"CWE-787"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory","Release Notes"]},{"url":"https://issues.chromium.org/issues/511719039","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9977","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:55.927","lastModified":"2026-06-01T18:26:36.997","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:android:-:*:*:*:*:*:*:*","matchCriteriaId":"F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/511741173","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9979","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:56.127","lastModified":"2026-06-01T17:21:20.453","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.6,"impactScore":3.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory","Release Notes"]},{"url":"https://issues.chromium.org/issues/511742228","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9980","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:56.230","lastModified":"2026-06-01T18:23:07.330","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in Printing in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.6,"impactScore":3.4}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/511776372","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9981","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:56.333","lastModified":"2026-06-01T18:22:39.580","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/512995705","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9982","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:56.437","lastModified":"2026-06-01T18:27:01.863","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":6.0}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/513001247","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9985","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:56.740","lastModified":"2026-06-01T18:20:31.750","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient validation of untrusted input in Media in Google Chrome on ChromeOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":3.6}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:google:chrome_os:-:*:*:*:*:*:*:*","matchCriteriaId":"D32ACF6F-5FF7-4815-8EAD-4719F5FC9B79"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/513019760","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9989","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:57.140","lastModified":"2026-06-01T18:17:46.003","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to bypass same origin policy via a crafted video file. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-346"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.215","matchCriteriaId":"875ACED4-0D6D-4BAA-8FAF-F13B5FEDF09A"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"},{"vulnerable":false,"criteria":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","matchCriteriaId":"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/513054053","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9990","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:57.233","lastModified":"2026-06-01T18:15:58.320","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/513128608","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9991","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:57.340","lastModified":"2026-06-01T18:15:06.033","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/513173565","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9996","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:57.830","lastModified":"2026-06-01T18:14:44.440","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Out of bounds read in WebRTC in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"chrome-cve-admin@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/513268100","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-9999","sourceIdentifier":"chrome-cve-admin@google.com","published":"2026-05-28T23:16:58.140","lastModified":"2026-06-01T18:14:19.900","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Inappropriate implementation in ANGLE in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-269"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*","versionEndExcluding":"148.0.7778.216","matchCriteriaId":"E59192D9-BF13-4B43-B69F-869A6BF83955"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*","matchCriteriaId":"387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}],"references":[{"url":"https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html","source":"chrome-cve-admin@google.com","tags":["Vendor Advisory"]},{"url":"https://issues.chromium.org/issues/513364480","source":"chrome-cve-admin@google.com","tags":["Permissions Required"]}]}},{"cve":{"id":"CVE-2026-10056","sourceIdentifier":"96d4e157-0bf0-48b3-8efd-382c68caf4e0","published":"2026-05-29T09:16:17.147","lastModified":"2026-06-01T17:06:59.370","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.Workaround:\n\nFor existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {\"supportedOrigins\": \"null\"}. Alternatively, select High security level during initial setup.\n\nSolution:\n\nUpdate to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration."}],"metrics":{"cvssMetricV31":[{"source":"96d4e157-0bf0-48b3-8efd-382c68caf4e0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"weaknesses":[{"source":"96d4e157-0bf0-48b3-8efd-382c68caf4e0","type":"Secondary","description":[{"lang":"en","value":"CWE-942"}]}],"references":[{"url":"https://support.networkoptix.com/hc/en-us/articles/39254208939159-How-to-Enable-CORS-Validation","source":"96d4e157-0bf0-48b3-8efd-382c68caf4e0"}]}},{"cve":{"id":"CVE-2025-41265","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:21.743","lastModified":"2026-06-01T18:58:02.493","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41265","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41266","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:22.823","lastModified":"2026-06-01T18:57:56.067","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41266","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41267","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:22.947","lastModified":"2026-06-01T18:57:47.757","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41267","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41268","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:23.067","lastModified":"2026-06-01T18:57:41.540","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-23"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41268","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41269","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:23.190","lastModified":"2026-06-01T18:57:33.487","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41269","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41270","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:23.323","lastModified":"2026-06-01T18:57:27.617","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41270","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41271","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:23.450","lastModified":"2026-06-01T18:57:20.287","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to read arbitrary files from the device."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-23"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41271","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41272","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:23.570","lastModified":"2026-06-01T18:57:09.137","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41272","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41273","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:23.690","lastModified":"2026-06-01T18:57:02.450","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to bypass authentication of the Console web application and perform actions as an authenticated user."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-288"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41273","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41274","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:23.810","lastModified":"2026-06-01T18:56:56.250","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41274","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41275","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:23.930","lastModified":"2026-06-01T18:56:49.327","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41275","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41276","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:24.050","lastModified":"2026-06-01T18:56:42.323","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41276","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41277","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:24.167","lastModified":"2026-06-01T18:56:32.923","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41277","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41278","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:24.293","lastModified":"2026-06-01T18:56:23.933","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41278","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41279","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:24.420","lastModified":"2026-06-01T18:55:55.647","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 RX Host."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41279","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41280","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:24.547","lastModified":"2026-06-01T18:56:05.647","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-23"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41280","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2025-41281","sourceIdentifier":"prodsec@nozominetworks.com","published":"2026-05-29T12:16:24.670","lastModified":"2026-06-01T18:55:43.283","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured."}],"metrics":{"cvssMetricV40":[{"source":"prodsec@nozominetworks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"prodsec@nozominetworks.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"7.9.1.0_r2502171040","matchCriteriaId":"782D151E-F2E5-45F8-BAC5-AB1D5E71592F"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*","matchCriteriaId":"84599551-DFC4-44DA-A647-24D4818F1EDE"}]}]}],"references":[{"url":"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41281","source":"prodsec@nozominetworks.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45312","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T13:16:22.770","lastModified":"2026-06-01T18:41:24.920","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1336"}]}],"references":[{"url":"https://github.com/infiniflow/ragflow/security/advisories/GHSA-wpg4-h5g2-jxm6","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-44237","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:27.060","lastModified":"2026-06-01T18:42:00.963","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1390"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*","versionEndExcluding":"17.0.8","matchCriteriaId":"8BF91BA0-8921-4FB0-A8B8-F968920663F9"}]}]}],"references":[{"url":"https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vgjf-4h63-8vcc","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-44238","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:27.233","lastModified":"2026-06-01T18:41:40.330","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*","versionEndExcluding":"16.0.50","matchCriteriaId":"5C008D8A-5192-4D70-9241-F4F613169CFF"},{"vulnerable":true,"criteria":"cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*","versionStartIncluding":"17.0","versionEndExcluding":"17.0.11","matchCriteriaId":"75F770D7-C403-4592-94A1-4A2BA8B53553"}]}]}],"references":[{"url":"https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-44239","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:27.363","lastModified":"2026-06-01T18:41:28.630","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-98"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*","versionEndExcluding":"16.0.22","matchCriteriaId":"09612421-8EA7-4425-8A9F-1B5846E76EC5"},{"vulnerable":true,"criteria":"cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*","versionStartIncluding":"17.0","versionEndExcluding":"17.0.5","matchCriteriaId":"ADED51B0-38B0-44A5-9116-A07EA67CA59A"}]}]}],"references":[{"url":"https://github.com/FreePBX/security-reporting/security/advisories/GHSA-hw7v-v2jp-wc4v","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45555","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:30.113","lastModified":"2026-06-01T18:43:56.377","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Roslyn CodeLens MCP Server is a Roslyn-based MCP server providing semantic code intelligence for .NET codebases. From 0.0.9 to 1.17.0, the get_diagnostics MCP tool loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation; includeAnalyzers defaults to true, so no explicit opt-in is required. An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server will achieve arbitrary code execution in the server process with the server's OS privileges. This vulnerability is fixed in 1.17.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/MarcelRoozekrans/roslyn-codelens-mcp/security/advisories/GHSA-552p-8f74-6x7q","source":"security-advisories@github.com"},{"url":"https://github.com/MarcelRoozekrans/roslyn-codelens-mcp/security/advisories/GHSA-552p-8f74-6x7q","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45578","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:30.253","lastModified":"2026-06-01T18:41:19.310","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-xw67-cg5f-4m2r","source":"security-advisories@github.com","tags":["Vendor Advisory","Mitigation"]}]}},{"cve":{"id":"CVE-2026-45580","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:30.413","lastModified":"2026-06-01T18:41:10.970","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's \"YouTube-style\" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing \" plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-m5j4-7r85-2cj2","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45582","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:30.563","lastModified":"2026-06-01T18:41:02.210","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters — could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-201"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:n8n-mcp:n8n-mcp:*:*:*:*:*:*:*:*","versionEndExcluding":"2.51.3","matchCriteriaId":"5692C0AE-4633-443D-BFE0-CC15797A4EDD"}]}]}],"references":[{"url":"https://github.com/czlonkowski/n8n-mcp/commit/6cf6fef653fcd6d598f2f356aac4754931c7329f","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/czlonkowski/n8n-mcp/pull/782","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.51.3","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-f3rg-xqjj-cj9w","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45610","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:30.713","lastModified":"2026-06-01T18:40:48.320","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:\"omit\") and disables the victim's 2FA in one request."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-306"},{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-3mv2-vmwh-rwfx","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-3mv2-vmwh-rwfx","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45615","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:30.847","lastModified":"2026-06-01T18:45:39.580","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"mouse07410/asn1c is an ASN.1 compiler. In 1.4 and earlier, a memory safety vulnerability was identified in the OER decoding skeleton files generated by asn1c (specifically INTEGER_oer.c). When parsing a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type, the decoder fails to validate the required bytes before extracting the Most Significant Bit (MSB). This forces a precise 1-byte Heap Out-of-Bounds (OOB) Read. Because asn1c generated code is primarily deployed to parse untrusted network inputs (such as V2X network protocols, 5G telecom headers, or X.509 certificates), when the decoder processes untrusted network-originated input, a remote attacker can exploit this to cause a Denial of Service (DoS) or trigger incorrect integer interpretation in downstream applications (e.g., protocol state poisoning or logic bypass)."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-125"},{"lang":"en","value":"CWE-130"}]}],"references":[{"url":"https://github.com/mouse07410/asn1c/security/advisories/GHSA-wxx8-76rw-96j2","source":"security-advisories@github.com"},{"url":"https://github.com/mouse07410/asn1c/security/advisories/GHSA-wxx8-76rw-96j2","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45619","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:30.980","lastModified":"2026-06-01T18:40:21.603","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-367"},{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-c3ch-22rq-xfwr","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45620","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:31.107","lastModified":"2026-06-01T18:39:48.203","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-204"},{"lang":"en","value":"CWE-285"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45707","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:31.240","lastModified":"2026-06-01T18:39:40.983","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own. This affects HTTP-mode deployments of n8n-mcp that are run as a shared multi-tenant service. Single-tenant deployments (ENABLE_MULTI_TENANT unset or false) are not affected. This vulnerability is fixed in 2.51.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:n8n-mcp:n8n-mcp:*:*:*:*:*:*:*:*","versionEndExcluding":"2.51.2","matchCriteriaId":"C2C49EE6-8E35-48F8-BE46-407510123226"}]}]}],"references":[{"url":"https://github.com/czlonkowski/n8n-mcp/commit/853015d0897be7cf2d9d4726de195c938e4395ab","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.51.2","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-jxx9-px88-pj69","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45731","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:31.383","lastModified":"2026-06-01T18:39:21.090","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","baseScore":4.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-3mjv-375j-6h92","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-3mjv-375j-6h92","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-46337","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:31.520","lastModified":"2026-06-01T18:39:10.063","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-46376","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:31.677","lastModified":"2026-06-01T18:38:48.663","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-798"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*","versionEndExcluding":"16.0.45","matchCriteriaId":"00B991B6-9E55-48BB-8BAB-AB021347E07A"},{"vulnerable":true,"criteria":"cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*","versionStartIncluding":"17.0","versionEndExcluding":"17.0.7","matchCriteriaId":"683B9ECF-40AF-4DA2-9938-DEC0597DFA3D"}]}]}],"references":[{"url":"https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-46510","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:31.807","lastModified":"2026-06-01T18:41:24.920","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1321"}]}],"references":[{"url":"https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc","source":"security-advisories@github.com"},{"url":"https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-47694","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:31.997","lastModified":"2026-06-01T18:38:37.050","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-c8h8-vq34-9fw2","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-c8h8-vq34-9fw2","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-47696","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T14:16:32.127","lastModified":"2026-06-01T18:38:28.563","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating\nany Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-345"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"29.0","matchCriteriaId":"AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-39292","sourceIdentifier":"cve@mitre.org","published":"2026-05-29T15:16:22.483","lastModified":"2026-06-01T21:16:43.327","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file upload vulnerability in the pagemanager/pagebuilder module that allows remote attackers to upload arbitrary files and achieve remote code execution. The vulnerability exists due to insufficient validation of uploaded file types and executable content."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-434"}]}],"references":[{"url":"https://github.com/HansSchouten/PHPageBuilder","source":"cve@mitre.org"},{"url":"https://github.com/krishnadevpmelevila/CVE-2026-39292/tree/main","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-41150","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T15:16:22.673","lastModified":"2026-06-01T18:37:37.857","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-835"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mermaid_project:mermaid:*:*:*:*:*:node.js:*:*","versionEndExcluding":"10.9.6","matchCriteriaId":"FDEEC1E5-342A-4D63-9E8E-B3885FD0126B"},{"vulnerable":true,"criteria":"cpe:2.3:a:mermaid_project:mermaid:*:*:*:*:*:node.js:*:*","versionStartIncluding":"11.0.0","versionEndExcluding":"11.15.0","matchCriteriaId":"1E9D25F0-A61B-4AE3-8BE6-4246FADCAEFF"}]}]}],"references":[{"url":"https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-41159","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T15:16:22.813","lastModified":"2026-06-01T18:38:02.903","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mermaid_project:mermaid:*:*:*:*:*:node.js:*:*","versionEndExcluding":"10.9.6","matchCriteriaId":"FDEEC1E5-342A-4D63-9E8E-B3885FD0126B"},{"vulnerable":true,"criteria":"cpe:2.3:a:mermaid_project:mermaid:*:*:*:*:*:node.js:*:*","versionStartIncluding":"11.0.0","versionEndExcluding":"11.15.0","matchCriteriaId":"1E9D25F0-A61B-4AE3-8BE6-4246FADCAEFF"}]}]}],"references":[{"url":"https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aahttps://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid@11.15.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p","source":"security-advisories@github.com","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-45609","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T15:16:23.463","lastModified":"2026-06-01T18:42:52.373","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"mcp-security provides Security and Authorization support for Model Context Protocol in Spring AI. Prior to 0.1.9, the mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled This vulnerability is fixed in 0.1.9."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2018-25396","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-29T16:16:19.107","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Attackers can request the networkSetup.htm endpoint and extract plaintext username and password values from HTML form fields to gain administrative access to the thermostat."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-256"}]}],"references":[{"url":"https://www.exploit-db.com/exploits/45623","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/heatmiser-wifi-thermostat-credential-disclosure-via-networksetup-htm","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-10099","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-29T16:16:24.333","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":4.0,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.5,"impactScore":1.4}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-1286"}]}],"references":[{"url":"https://github.com/XX-net/XX-Net/commit/a68b972a84ed6e52df9f30237cf47493b9231b53","source":"disclosure@vulncheck.com"},{"url":"https://github.com/XX-net/XX-Net/issues/14169","source":"disclosure@vulncheck.com"},{"url":"https://github.com/XX-net/XX-Net/pull/14170","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/xx-net-websocket-frame-parsing-data-corruption-via-simple-http-server-py","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-32905","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-29T16:16:25.093","lastModified":"2026-06-01T18:36:42.410","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":5.5}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2026.5.4","matchCriteriaId":"1DB0930F-B55B-4A66-BD55-CB2B635B1C8A"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xr4f-mjxj-w6w5","source":"disclosure@vulncheck.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-device-pairing-bootstrap-code-issuance-via-chat-command","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-32906","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-29T16:16:25.220","lastModified":"2026-06-01T18:37:51.897","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to approve plugin actions outside operator configuration."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2026.5.12","matchCriteriaId":"DE7E74F5-925B-4DC3-AFAF-9C0CAD4AADE9"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wv26-j37q-2g7p","source":"disclosure@vulncheck.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-plugin-approvals-via-exec-approver-gate","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-34507","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-29T16:16:25.950","lastModified":"2026-06-01T18:36:35.930","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2026.4.29","matchCriteriaId":"FD093CBC-6B1F-481A-B12D-0E06B0F4FF8C"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w4v6-g3wm-w36c","source":"disclosure@vulncheck.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://www.vulncheck.com/advisories/openclaw-policy-bypass-in-qqbot-admin-commands-via-dm-only-and-allowfrom-checks","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-35630","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-29T16:16:26.097","lastModified":"2026-06-01T18:23:38.640","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:-:*:*:*:node.js:*:*","versionEndExcluding":"2026.5.18","matchCriteriaId":"306D4306-DA61-4560-B003-C4F4C2114BAF"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mgq6-vr84-7m2j","source":"disclosure@vulncheck.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://www.vulncheck.com/advisories/openclaw-qqbot-missing-approver-identity-enforcement-in-native-approval-buttons","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-35673","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-29T16:16:26.230","lastModified":"2026-06-01T18:23:13.137","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.3,"impactScore":4.7}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2026.4.29","matchCriteriaId":"FD093CBC-6B1F-481A-B12D-0E06B0F4FF8C"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hcm3-8f6r-6xwg","source":"disclosure@vulncheck.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-via-browser-debug-export-routes","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-35674","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-29T16:16:26.377","lastModified":"2026-06-01T18:22:54.813","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:-:*:*:*:node.js:*:*","versionEndExcluding":"2026.5.18","matchCriteriaId":"306D4306-DA61-4560-B003-C4F4C2114BAF"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hw9r-h9mr-4jff","source":"disclosure@vulncheck.com","tags":["Mitigation","Vendor Advisory"]},{"url":"https://www.vulncheck.com/advisories/openclaw-scope-bypass-via-inherited-chat-send-route","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-36324","sourceIdentifier":"cve@mitre.org","published":"2026-05-29T16:16:26.620","lastModified":"2026-06-01T17:16:58.027","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SourceCodester Doctor Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) due to improper handling of user supplied input in the user registration functionality in register.php."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://github.com/adhiyaksactf/MyCVE-Disclosures/blob/main/rems-DoctorAppointmentSystem/CVE-2026-36324/README.md","source":"cve@mitre.org"},{"url":"https://www.sourcecodester.com/php/18453/doctor-appointment-system-using-php-and-mysql-source-code.html","source":"cve@mitre.org"},{"url":"https://github.com/adhiyaksactf/MyCVE-Disclosures/blob/main/rems-DoctorAppointmentSystem/CVE-2026-36324/README.md","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-39276","sourceIdentifier":"cve@mitre.org","published":"2026-05-29T16:16:26.833","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or directly include malicious code files in the current template."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/LING12138-sg/Emlog-v2.6.9-Vulnerability-Report","source":"cve@mitre.org"},{"url":"https://www.emlog.net/","source":"cve@mitre.org"},{"url":"https://github.com/LING12138-sg/Emlog-v2.6.9-Vulnerability-Report","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44697","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T18:17:09.697","lastModified":"2026-06-01T18:43:56.377","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is sufficient to OOM-kill a validator with conventional memory provisioning. Fleet-wide application affects chain liveness. This vulnerability is fixed in 1.7.17."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-409"},{"lang":"en","value":"CWE-770"}]}],"references":[{"url":"https://github.com/klever-io/klever-go/security/advisories/GHSA-87m7-qffr-542v","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45577","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T18:17:10.007","lastModified":"2026-06-01T18:45:39.580","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-288"},{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"https://github.com/markmhendrickson/neotoma/releases/tag/v0.11.1","source":"security-advisories@github.com"},{"url":"https://github.com/markmhendrickson/neotoma/security/advisories/GHSA-5cvp-p7p4-mcx9","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45630","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T18:17:11.103","lastModified":"2026-06-01T19:16:52.343","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L","baseScore":9.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5","source":"security-advisories@github.com"},{"url":"https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45631","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T18:17:11.243","lastModified":"2026-06-01T17:17:10.617","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback (\"better-auth-secret-123456789\") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-798"}]}],"references":[{"url":"https://github.com/Dokploy/dokploy/pull/4374","source":"security-advisories@github.com"},{"url":"https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj","source":"security-advisories@github.com"},{"url":"https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-45660","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T18:17:11.640","lastModified":"2026-06-01T18:45:39.580","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/statamic/cms/security/advisories/GHSA-pf9c-ch8r-2958","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45668","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T18:17:11.917","lastModified":"2026-06-01T18:50:57.210","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS by combining a payload note (type: code, mime: text/plain) containing raw HTML/JS and a trigger note (type: doc or type: launcher) with a #docName label that uses ../ path traversal to point at the payload note's API endpoint. The desktop client Electron renderer runs with nodeIntegration enabled, so an RCE is triggered once the payload is executed. This vulnerability is fixed in 0.102.2."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://github.com/TriliumNext/Trilium/security/advisories/GHSA-9jjc-cccq-f6rh","source":"security-advisories@github.com"},{"url":"https://github.com/TriliumNext/Trilium/security/advisories/GHSA-9jjc-cccq-f6rh","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-5386","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T18:17:12.867","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings."}],"metrics":{"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-620"}]}],"references":[{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-06.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://main.kmw.ro/pub/Firmware/521_421.zip","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-06","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-5768","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T18:17:12.997","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application."}],"metrics":{"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"https://fourthfrontier.com/pages/contact-us","source":"ics-cert@hq.dhs.gov"},{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-148-01.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-148-01","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-6824","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T18:17:13.147","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft."}],"metrics":{"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.7,"impactScore":6.0}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://drive.google.com/file/d/1Ctxdp55UtlrQY7CSepkImM9zFgdcuCyL/view","source":"ics-cert@hq.dhs.gov"},{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-05.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-7786","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T18:17:13.403","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter\ndevice firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services."}],"metrics":{"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-798"}]}],"references":[{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-02.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-02","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-40425","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T19:16:23.673","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The administrator account for the\n\nDanelec MacGregor Voyage Data Recorder\nweb interface can directly edit sensitive files related to authentication, potentially changing the root password."}],"metrics":{"cvssMetricV40":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":0.9,"impactScore":4.7}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-552"}]}],"references":[{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.danelec.com/contact","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-42929","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T19:16:23.830","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Danelec MacGregor Voyage Data Recorder\nincludes default accounts with hard-coded credentials."}],"metrics":{"cvssMetricV40":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":5.5}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-798"}]}],"references":[{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.danelec.com/contact","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-42941","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T19:16:23.970","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The Danelec MacGregor Voyage Data Recorder\n\ndevice includes a default username and password, with no enforced password change."}],"metrics":{"cvssMetricV40":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":5.5}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-1392"}]}],"references":[{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.danelec.com/contact","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-42951","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T19:16:24.113","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An authenticated\nuser can download a backup of the Danelec MacGregor Voyage Data Recorder\n\n\ndevice which includes account data and password hashes."}],"metrics":{"cvssMetricV40":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"ADJACENT","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":4.2}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-522"}]}],"references":[{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.danelec.com/contact","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-44518","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T19:16:24.263","lastModified":"2026-06-01T18:45:47.457","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a signature buffer shorter than the expected signature size for the given parameter set, the implementation does not validate the caller-supplied length and proceeds to read past the end of the buffer. The out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-125"}]}],"references":[{"url":"https://github.com/open-quantum-safe/liboqs/commit/ef70dea7c85e5637f37828d75e5b9bb29dbfe513","source":"security-advisories@github.com"},{"url":"https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-wf7v-fhxj-73m2","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-44611","sourceIdentifier":"ics-cert@hq.dhs.gov","published":"2026-05-29T19:16:24.423","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Danelec MacGregor Voyage Data Recorder\npasswords are stored with a hashing method which limits password length and is susceptible to brute force attacks."}],"metrics":{"cvssMetricV40":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"ADJACENT","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":4.2}]},"weaknesses":[{"source":"ics-cert@hq.dhs.gov","type":"Primary","description":[{"lang":"en","value":"CWE-916"}]}],"references":[{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-01.json","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-01","source":"ics-cert@hq.dhs.gov"},{"url":"https://www.danelec.com/contact","source":"ics-cert@hq.dhs.gov"}]}},{"cve":{"id":"CVE-2026-46344","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T19:16:25.350","lastModified":"2026-06-01T18:45:47.457","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a correctly-sized signature buffer for the declared algorithm but a public key whose OID bytes (pk[0..3]) reference a different XMSS parameter set with a larger sig_bytes, the implementation re-parses the OID from the public key inside xmss_sign_open / xmssmt_sign_open and uses the resulting (larger) sig_bytes to index the caller-supplied signature buffer. As with CVE-2026-44518, the out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"references":[{"url":"https://github.com/open-quantum-safe/liboqs/commit/077e32a94f39af02209dbbc680bf8a43b774b305","source":"security-advisories@github.com"},{"url":"https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-2wxh-55qf-c7wg","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-9051","sourceIdentifier":"security@ni.com","published":"2026-05-29T19:16:28.800","lastModified":"2026-06-01T17:06:59.370","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to privilege escalation or information disclosure. Successful exploitation requires an attacker to send a specially crafted HTTP request. This vulnerability affects NI SystemLink Enterprise 2026-04 and prior versions."}],"metrics":{"cvssMetricV40":[{"source":"security@ni.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"security@ni.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"security@ni.com","type":"Secondary","description":[{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/authentication-bypass-vulnerability-in-ni-systemlink-enterprise.html","source":"security@ni.com"}]}},{"cve":{"id":"CVE-2026-34127","sourceIdentifier":"f23511db-6c3e-4e32-a477-6aa17d310630","published":"2026-05-29T20:16:22.607","lastModified":"2026-06-01T18:35:34.023","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A stored\ncross-site scripting (XSS) vulnerability has been identified in the web\nmanagement interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM\nconfiguration parameter during configuration file import. An attacker with\nadministrator access can inject malicious script into the device configuration,\nwhich may be stored and executed in the administrator’s browser when the\naffected interface is viewed. \n\n\n\n\n\nSuccessful\nexploitation may allow session cookie theft, unauthorized configuration\nchanges, or access to sensitive information exposed through the management\ninterface."}],"metrics":{"cvssMetricV40":[{"source":"f23511db-6c3e-4e32-a477-6aa17d310630","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"weaknesses":[{"source":"f23511db-6c3e-4e32-a477-6aa17d310630","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:tp-link:tl-sg108pe_firmware:1.0.1:*:*:*:*:*:*:*","matchCriteriaId":"10182445-7806-49DE-86AE-3F04ADC3F27B"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:tp-link:tl-sg108pe:5.0:*:*:*:*:*:*:*","matchCriteriaId":"17A11BAA-CD62-40ED-AD34-EC4ED3F692CB"}]}]}],"references":[{"url":"https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Product"]},{"url":"https://www.tp-link.com/us/support/faq/5110/","source":"f23511db-6c3e-4e32-a477-6aa17d310630","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-42500","sourceIdentifier":"security@golang.org","published":"2026-05-29T20:16:23.627","lastModified":"2026-06-01T18:16:02.273","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"references":[{"url":"https://go.dev/cl/781500","source":"security@golang.org"},{"url":"https://go.dev/issue/79576","source":"security@golang.org"},{"url":"https://groups.google.com/g/golang-announce/c/uhYX90BlBvI","source":"security@golang.org"},{"url":"https://pkg.go.dev/vuln/GO-2026-5031","source":"security@golang.org"}]}},{"cve":{"id":"CVE-2026-44285","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:24.103","lastModified":"2026-06-01T17:17:07.853","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3","source":"security-advisories@github.com"},{"url":"https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44420","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:24.383","lastModified":"2026-06-01T17:37:05.593","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.26.0","matchCriteriaId":"186FAA8A-CF9D-40F3-8509-DAC168BFDA2F"}]}]}],"references":[{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvpx-xj7r-3p3r","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory","Mitigation"]}]}},{"cve":{"id":"CVE-2026-44421","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:24.513","lastModified":"2026-06-01T19:16:48.333","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.26.0","matchCriteriaId":"186FAA8A-CF9D-40F3-8509-DAC168BFDA2F"}]}]}],"references":[{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-44422","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:24.660","lastModified":"2026-06-01T17:26:33.080","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-415"},{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.26.0","matchCriteriaId":"186FAA8A-CF9D-40F3-8509-DAC168BFDA2F"}]}]}],"references":[{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j9q5-7g8m-jc9v","source":"security-advisories@github.com","tags":["Vendor Advisory","Exploit","Mitigation"]},{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j9q5-7g8m-jc9v","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Vendor Advisory","Exploit","Mitigation"]}]}},{"cve":{"id":"CVE-2026-45149","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:25.550","lastModified":"2026-06-01T18:45:47.457","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-400"}]}],"references":[{"url":"https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45352","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:26.140","lastModified":"2026-06-01T18:35:06.977","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul(\"-2\", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of \"-1\"), but any other negative value such as \"-2\" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-770"},{"lang":"en","value":"CWE-1285"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*","versionEndExcluding":"0.43.4","matchCriteriaId":"E8AD5B92-E320-454E-B226-B5312048001D"}]}]}],"references":[{"url":"https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h6wq-j5mv-f3q8","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45372","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:26.473","lastModified":"2026-06-01T19:16:51.283","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \\r\\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":5.3}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-93"},{"lang":"en","value":"CWE-444"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*","versionEndExcluding":"0.44.0","matchCriteriaId":"80135DFE-EACD-44FD-990F-0239F78D0518"}]}]}],"references":[{"url":"https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjxg-64p4-vj4m","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjxg-64p4-vj4m","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-45700","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:27.533","lastModified":"2026-06-01T17:23:57.630","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.26.0","matchCriteriaId":"186FAA8A-CF9D-40F3-8509-DAC168BFDA2F"}]}]}],"references":[{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh","source":"security-advisories@github.com","tags":["Vendor Advisory","Exploit","Mitigation"]},{"url":"https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Vendor Advisory","Exploit","Mitigation"]}]}},{"cve":{"id":"CVE-2026-46385","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:27.990","lastModified":"2026-06-01T17:17:34.323","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets — so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is \"indefinite until the worker is killed externally\" — a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"}]}],"references":[{"url":"https://github.com/iskorotkov/avro/security/advisories/GHSA-w8j3-pq8g-8m7w","source":"security-advisories@github.com"},{"url":"https://github.com/iskorotkov/avro/security/advisories/GHSA-w8j3-pq8g-8m7w","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-46527","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:28.137","lastModified":"2026-06-01T18:32:26.637","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector—undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, you get an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*","versionEndExcluding":"0.44.0","matchCriteriaId":"80135DFE-EACD-44FD-990F-0239F78D0518"}]}]}],"references":[{"url":"https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-hg3g-vrg8-578g","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-hg3g-vrg8-578g","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-46599","sourceIdentifier":"security@golang.org","published":"2026-05-29T20:16:28.280","lastModified":"2026-06-01T18:16:02.273","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-770"}]}],"references":[{"url":"https://go.dev/cl/759960","source":"security@golang.org"},{"url":"https://go.dev/issue/79577","source":"security@golang.org"},{"url":"https://groups.google.com/g/golang-announce/c/uhYX90BlBvI","source":"security@golang.org"},{"url":"https://pkg.go.dev/vuln/GO-2026-5032","source":"security@golang.org"}]}},{"cve":{"id":"CVE-2026-48810","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:29.083","lastModified":"2026-06-01T19:16:54.050","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag — not current mailbox membership. This vulnerability is fixed in 1.8.221."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3w38-h42v-3h6w","source":"security-advisories@github.com"},{"url":"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-3w38-h42v-3h6w","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-48811","sourceIdentifier":"security-advisories@github.com","published":"2026-05-29T20:16:29.233","lastModified":"2026-06-01T17:17:34.573","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vx8-gx3p-9mh6","source":"security-advisories@github.com"},{"url":"https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vx8-gx3p-9mh6","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-4387","sourceIdentifier":"ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b","published":"2026-05-29T20:16:30.650","lastModified":"2026-06-01T17:17:35.210","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\\Users\\\\.sdm\\state.kv. The file is protected only by default user-level NTFS permissions.\n\n\n\nExploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host.\n\n\n\nThe condition was reported through coordinated disclosure by Hope Walker (SpecterOps)."}],"metrics":{"cvssMetricV40":[{"source":"ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.0,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b","type":"Secondary","description":[{"lang":"en","value":"CWE-312"},{"lang":"en","value":"CWE-522"}]}],"references":[{"url":"https://security.strongdm.com/?tcuUid=56fde839-9388-4361-8d3b-9baa7b2de2ed","source":"ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b"},{"url":"https://specterops.io/blog/2026/06/01/cve-2026-4387-strongdm-state-file-reuse/","source":"ebf2cdfb-f390-4894-8ec9-f81bf1c57e6b"}]}},{"cve":{"id":"CVE-2026-9831","sourceIdentifier":"1c053176-eef3-4d6a-ae0b-24728c86587b","published":"2026-05-29T22:16:23.980","lastModified":"2026-06-01T18:02:29.343","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A race condition in the shared Extreme Platform\nONE IAM Gateway API-key authentication path could, under specific\nhigh-concurrency traffic conditions, intermittently allow requests\nauthenticated with an Extreme Platform ONE /IAM-issued API key to receive\nresponse data for another tenant. The issue was observed through ExtremeCloud\nIQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE\n/Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT\nauthentication were not affected."}],"metrics":{"cvssMetricV31":[{"source":"1c053176-eef3-4d6a-ae0b-24728c86587b","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":4.0}]},"weaknesses":[{"source":"1c053176-eef3-4d6a-ae0b-24728c86587b","type":"Secondary","description":[{"lang":"en","value":"CWE-362"},{"lang":"en","value":"CWE-488"}]}],"references":[{"url":"https://community.extremenetworks.com/t5/security-advisories-formerly/sa-2026-048-extremecloud-iq-cross-tenant-data-exposure-via/ba-p/121851","source":"1c053176-eef3-4d6a-ae0b-24728c86587b"}]}},{"cve":{"id":"CVE-2026-48840","sourceIdentifier":"cve@mitre.org","published":"2026-05-30T02:16:19.790","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client."}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-839"}]}],"references":[{"url":"https://exim.org/static/doc/security/EXIM-Security-2026-05-19.1","source":"cve@mitre.org"},{"url":"https://www.openwall.com/lists/oss-security/2026/05/29/3","source":"cve@mitre.org"},{"url":"http://www.openwall.com/lists/oss-security/2026/05/29/3","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2026-5071","sourceIdentifier":"vulnerabilities@zephyrproject.org","published":"2026-05-30T08:16:16.370","lastModified":"2026-06-01T16:48:12.330","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory."}],"metrics":{"cvssMetricV31":[{"source":"vulnerabilities@zephyrproject.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":4.2}]},"weaknesses":[{"source":"vulnerabilities@zephyrproject.org","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"references":[{"url":"https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3w6-x7m3-3c58","source":"vulnerabilities@zephyrproject.org"}]}},{"cve":{"id":"CVE-2018-25405","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:16:55.650","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"http://www.endonesia.org/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/endonesia/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45654","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/endonesia-portal-sql-injection-via-mod-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25406","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:00.303","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database credentials, usernames, and version information."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"http://www.endonesia.org/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/endonesia/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45654","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/endonesia-portal-sql-injection-via-mod-php-2","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25407","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:01.303","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"http://www.endonesia.org/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/endonesia/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45654","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/endonesia-portal-sql-injection-via-mod-php-3","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25408","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:01.437","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename parameter to access files outside the intended directory, including configuration files and system files."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"http://openises.sourceforge.net/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/openises/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45655","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/the-open-ises-project-3-30a-path-traversal-arbitrary-file-download","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25409","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:01.587","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-434"}]}],"references":[{"url":"https://simpkh.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/simpkh/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45659","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25410","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:01.723","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://simpkh.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/simpkh/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45664","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/sim-pkh-sql-injection-via-media-php-id-parameter","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25411","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:01.853","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table and column names."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"http://www.m-gb.org/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/mopzz-gb/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45665","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/mgb-opensource-guestbook-sql-injection-via-email-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25412","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:01.990","lastModified":"2026-06-01T16:52:20.117","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"http://deltasql.sourceforge.net/","source":"disclosure@vulncheck.com"},{"url":"http://deltasql.sourceforge.net/deltasql/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/deltasql/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45685","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/delta-sql-arbitrary-file-upload-via-docs-upload-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25413","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:02.130","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://aiopmsd.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/aiopmsd/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45690","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/aiopmsd-final-sql-injection-via-search-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25414","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:02.257","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Attackers can send GET requests to actor.php with crafted SQL payloads in the actor parameter to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://aiopmsd.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/aiopmsd/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45690","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/aiopmsd-final-sql-injection-via-actor-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25415","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:02.390","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Attackers can send GET requests to director.php with crafted SQL payloads in the director parameter to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://aiopmsd.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/aiopmsd/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45690","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/aiopmsd-final-sql-injection-via-director-parameter","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25416","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:02.580","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country parameter to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://aiopmsd.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/aiopmsd/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45690","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/aiopmsd-final-sql-injection-via-country-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25417","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:02.717","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality parameter to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://aiopmsd.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/aiopmsd/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45690","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/aiopmsd-final-sql-injection-via-quality-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25418","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:02.847","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://aiopmsd.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/aiopmsd/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45690","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/aiopmsd-final-sql-injection-via-year-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25419","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:02.980","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre parameter to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://aiopmsd.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/aiopmsd/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45690","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/aiopmsd-final-sql-injection-via-genre-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25420","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:03.110","lastModified":"2026-06-01T16:51:36.193","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://aiopmsd.sourceforge.io/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/aiopmsd/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45690","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/aiopmsd-final-sql-injection-via-watch-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25421","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:03.247","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Attackers can send GET requests to modules/backup/actions.php with op=getfile and traverse directories using ../ sequences to access sensitive system files."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"http://www.openstamanager.com/","source":"disclosure@vulncheck.com"},{"url":"https://sourceforge.net/projects/openstamanager/files/latest/download","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45693","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/open-sta-manager-arbitrary-file-download-via-path-traversal","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25422","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:03.377","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/spider312/mtgas","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45717","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/mogg-web-simulator-script-all-version-sql-injection-via-play-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25423","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:03.577","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a malicious buffer of 700 bytes into the IP address or domain input field to trigger a denial of service condition."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.2,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-120"}]}],"references":[{"url":"http://www.armcode.com/","source":"disclosure@vulncheck.com"},{"url":"http://www.armcode.com/downloads/arm-whois.exe","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45762","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/arm-whois-denial-of-service-via-buffer-overflow","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25424","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:03.713","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form parameters to authenticate without valid credentials and gain access to the application."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"http://www.livebms.com","source":"disclosure@vulncheck.com"},{"url":"https://netcologne.dl.sourceforge.net/project/gatepass/gpms_Update.zip","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45766","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/gate-pass-management-system-sql-injection-via-login-exec-php","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25425","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:03.847","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://ayera.dl.sourceforge.net/project/yot/Yot%203.3.1.zip","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45768","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/yot-cms-sql-injection-via-aid-and-cid-parameters","source":"disclosure@vulncheck.com"},{"url":"https://yot.sourceforge.io/","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2018-25426","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-30T16:17:03.993","lastModified":"2026-06-01T16:48:12.330","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"WinMTR 0.91 contains a denial of service vulnerability that allows attackers to crash the application by sending a malformed payload file containing a large buffer of repeated characters. Attackers can create a specially crafted input file with 238 bytes of data to trigger a buffer overflow condition that causes the application to crash."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-120"}]}],"references":[{"url":"http://winmtr.net","source":"disclosure@vulncheck.com"},{"url":"http://winmtr.net/winmtr_download/","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/45769","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/winmtr-denial-of-service-via-buffer-overflow","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-8594","sourceIdentifier":"9b29abf9-4ab0-4765-b253-1875cd9b441e","published":"2026-05-30T16:17:05.067","lastModified":"2026-06-01T17:17:35.620","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.\n\nText::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.\n\nA side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.\n\nNote that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.2,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":3.6}]},"weaknesses":[{"source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","type":"Secondary","description":[{"lang":"en","value":"CWE-405"},{"lang":"en","value":"CWE-407"}]}],"references":[{"url":"https://github.com/hatukanezumi/Unicode-LineBreak/pull/6","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://metacpan.org/release/NEZUMI/Unicode-LineBreak-2019.001/source/lib/Text/LineFold.pm#L407-415","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"http://www.openwall.com/lists/oss-security/2026/05/30/6","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2026-10154","sourceIdentifier":"cna@vuldb.com","published":"2026-05-31T00:16:33.527","lastModified":"2026-06-01T17:16:39.960","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Secondary","description":[{"lang":"en","value":"CWE-285"},{"lang":"en","value":"CWE-639"}]}],"references":[{"url":"https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3","source":"cna@vuldb.com"},{"url":"https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/818838","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367407","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367407/cti","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/818838","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-49489","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-31T13:16:49.090","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"OpenCATS through 0.9.7.4 contains a sql injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"NONE","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":4.7}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/opencats/OpenCATS/security/advisories/GHSA-8mc8-5gw6-c7w4","source":"disclosure@vulncheck.com"},{"url":"https://packetstorm.news/files/id/222200/","source":"disclosure@vulncheck.com"},{"url":"https://www.exploit-db.com/exploits/52579","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/opencats-sql-injection-in-datagrid-sortdirection-parameter","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-49490","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-05-31T13:16:49.243","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/opencats/OpenCATS/security/advisories/GHSA-gmpc-j6h7-vw74","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/opencats-sql-injection-in-datagrid-filter-handling-for-tags-column","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-10190","sourceIdentifier":"cna@vuldb.com","published":"2026-05-31T16:16:41.387","lastModified":"2026-06-01T17:16:40.917","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was found in Tenda W12 3.0.0.7(4763). This issue affects the function cgiSysWebTimeoutSet of the file /bin/httpd of the component Web Management Interface. The manipulation of the argument web_over_time results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:N/A:C","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"COMPLETE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Secondary","description":[{"lang":"en","value":"CWE-404"}]}],"references":[{"url":"http://cdn2.v50to.cc/cgiSysWebTimeoutSet_dos.zip","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10190","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/820022","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367471","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367471/cti","source":"cna@vuldb.com"},{"url":"https://www.tenda.com.cn/","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/820022","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-8796","sourceIdentifier":"9b29abf9-4ab0-4765-b253-1875cd9b441e","published":"2026-05-31T20:16:30.813","lastModified":"2026-06-01T19:16:55.223","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.\n\nIn Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path)."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","type":"Secondary","description":[{"lang":"en","value":"CWE-125"}]}],"references":[{"url":"https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3.patch","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://metacpan.org/release/YVES/Sereal-Decoder-5.005/changes","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"http://www.openwall.com/lists/oss-security/2026/06/01/1","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2026-48210","sourceIdentifier":"security@otrs.com","published":"2026-05-31T22:16:55.133","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend\n\nThis issue affects OTRS 2026.3.1"}],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6}]},"weaknesses":[{"source":"security@otrs.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"},{"lang":"en","value":"CWE-269"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-09/","source":"security@otrs.com"}]}},{"cve":{"id":"CVE-2026-20452","sourceIdentifier":"security@mediatek.com","published":"2026-06-01T04:16:21.753","lastModified":"2026-06-01T18:12:11.313","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In wlan AP driver, there is a possible memory corruption due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480138; Issue ID: MSV-6295."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9}]},"weaknesses":[{"source":"security@mediatek.com","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6890_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"BB9AC17B-5ED8-4B58-A7A0-B146DD1DD244"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:*","matchCriteriaId":"171D1C08-F055-44C0-913C-AA2B73AF5B72"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7615_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"209D0B1B-C27E-429E-ABC0-894E105814D1"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7615:-:*:*:*:*:*:*:*","matchCriteriaId":"05748BB1-0D48-4097-932E-E8E2E574FD8D"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7915_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E6C54AA5-6C50-4223-B433-4C14AD4E96A3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7915:-:*:*:*:*:*:*:*","matchCriteriaId":"3AB22996-9C22-4B6C-9E94-E4C055D16335"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7916_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"5318B13A-DB70-4017-AB82-2C7F5144FCFF"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7916:-:*:*:*:*:*:*:*","matchCriteriaId":"DD5AA441-5381-4179-89EB-1642120F72B4"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7981_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"D70F8D77-FDEC-4AAE-B22C-4F05ED880C10"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7981:-:*:*:*:*:*:*:*","matchCriteriaId":"490CD97B-021F-4350-AEE7-A2FA866D5889"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7986_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"8798F3AE-A468-49B0-AE1D-6F1E41C76085"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7986:-:*:*:*:*:*:*:*","matchCriteriaId":"40A9E917-4B34-403F-B512-09EEBEA46811"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7990_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E58E5724-B753-4E78-A5F3-4B9023A15637"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7990:-:*:*:*:*:*:*:*","matchCriteriaId":"4901B2A5-B0C8-4A0C-AC17-87D469744817"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7992_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"8CB6DB8C-E756-4FAE-ADCC-CFE91C7C735E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7992:-:*:*:*:*:*:*:*","matchCriteriaId":"50D01D7D-A88D-471D-A23A-42AF4DF82952"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7993_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"F389E2A1-CE3A-4826-A248-A9BCEF3088F4"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7993:-:*:*:*:*:*:*:*","matchCriteriaId":"76653163-7627-4C63-A5E2-6277C0EFE23E"}]}]}],"references":[{"url":"https://corp.mediatek.com/product-security-bulletin/June-2026","source":"security@mediatek.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-20453","sourceIdentifier":"security@mediatek.com","published":"2026-06-01T04:16:21.900","lastModified":"2026-06-01T18:11:48.047","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In geniezone, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10886526; Issue ID: MSV-6791."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":6.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.8,"impactScore":5.9}]},"weaknesses":[{"source":"security@mediatek.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6739_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"14B94ECB-CAD4-499C-8959-1713FC5CE423"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*","matchCriteriaId":"7FA8A390-9F52-4CF3-9B45-936CE3E2B828"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6761_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"2493FB05-7723-4CDD-AC2A-8B21C4285436"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*","matchCriteriaId":"F726F486-A86F-4215-AD93-7A07A071844A"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6765_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"43327018-578C-4997-81B9-6DBD3679E40C"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*","matchCriteriaId":"43E779F6-F0A0-4153-9A1D-B715C3A2F80E"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6768_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"16EF9082-FC9B-4790-A79D-AA62C62E4B88"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*","matchCriteriaId":"06CD97E1-8A76-48B4-9780-9698EF5A960F"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6781_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"23F92B7C-A5A3-4F32-B4BF-CBE706D79702"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6781:-:*:*:*:*:*:*:*","matchCriteriaId":"C4EEE021-6B2A-47A0-AC6B-55525A40D718"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6789_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"524AB96D-4C15-47A6-B276-6B873796E8F3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6789:-:*:*:*:*:*:*:*","matchCriteriaId":"8B9B0D82-82C1-4A77-A016-329B99C45F49"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6835_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"00B1D726-8183-4667-B46D-18EF110EA9D9"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*","matchCriteriaId":"19A63103-C708-48EC-B44D-5E465A6B79C5"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6853_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"3EAA5C86-701B-4116-8A63-EB89B3DC2B93"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*","matchCriteriaId":"366F1912-756B-443E-9962-224937DD7DFB"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6855_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E997ED4F-33F3-4508-9B12-99DBA0D845B2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*","matchCriteriaId":"89AFEE24-7AAD-4EDB-8C3E-EDBA3240730A"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6877_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"07F67D59-75F0-4056-BCCE-F7888912CAB3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6877:-:*:*:*:*:*:*:*","matchCriteriaId":"7CA9352F-E9BD-4656-9B7C-4AFEE2C78E58"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6878_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"207954E6-D413-4762-9F4A-3A147CFB4FE2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6878:-:*:*:*:*:*:*:*","matchCriteriaId":"855A8046-34ED-4891-ACE5-76AB10AC8D53"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6879_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"502901D0-8B2D-449A-A2D6-E8914D5D4239"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6879:-:*:*:*:*:*:*:*","matchCriteriaId":"704BE5CE-AE08-4432-A8B0-4C8BD62148AD"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6883_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"22321E12-7EB8-46B7-ABB6-23ACC1436EFD"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6883:-:*:*:*:*:*:*:*","matchCriteriaId":"15E2EC3F-9FB3-488B-B1C1-2793A416C755"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6885_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"8A6E25F4-C394-4830-8EC3-2AF0563F5032"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6885:-:*:*:*:*:*:*:*","matchCriteriaId":"DD64413C-C774-4C4F-9551-89E1AA9469EE"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6886_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E10F9AFE-9F99-4B91-BF26-49E035FC8079"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6886:-:*:*:*:*:*:*:*","matchCriteriaId":"AF3E2B84-DAFE-4E11-B23B-026F719475F5"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6889_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CD17D854-2394-483D-B8E2-FDA1BC837DAD"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6889:-:*:*:*:*:*:*:*","matchCriteriaId":"3B787DC3-8E5A-4968-B20B-37B6257FAAE2"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6893_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"0A272644-3BC4-438B-BAC0-DDF164BF4097"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6893:-:*:*:*:*:*:*:*","matchCriteriaId":"213B5C7F-D965-4312-9CDF-4F06FA77D401"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6895_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"110CBA4A-26A6-4E4E-A0C6-35FA02A6D4AF"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6895:-:*:*:*:*:*:*:*","matchCriteriaId":"E0CA45C9-7BFE-4C93-B2AF-B86501F763AB"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6897_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"A04EA650-730F-4E5D-A0E0-90570CACDD5E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*","matchCriteriaId":"2A7D8055-F4B6-41EE-A078-11D56285AB66"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6899_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"BEBA484A-EC07-4D3D-80CD-BDE9E7807F71"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*","matchCriteriaId":"C6E9F80F-9AC9-41E0-BB14-9DB6F14B62CD"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6983_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"967E956F-07B4-4957-9C84-DDB5C38E5E69"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6983:-:*:*:*:*:*:*:*","matchCriteriaId":"EB6B9A26-F8A1-4322-AA4E-CDF8F7D99000"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6985_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CA30A145-D98E-4DA7-84C7-377402951190"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6985:-:*:*:*:*:*:*:*","matchCriteriaId":"EA72CCD1-DEA2-48EB-8781-04CFDD41AAEE"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6989_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E495B8EB-C9B5-4F32-AEE2-D2C41C0B292B"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*","matchCriteriaId":"AD7DE6B2-66D9-4A3E-B15F-D56505559255"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6991_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"D9DD2119-39E8-4A9C-8E2A-8FB7F92A1001"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*","matchCriteriaId":"CBBB30DF-E963-4940-B742-F6801F68C3FC"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8673_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"84687740-E3E8-4E57-8652-7C13C68E9C81"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8673:-:*:*:*:*:*:*:*","matchCriteriaId":"152F6606-FA23-4530-AA07-419866B74CB3"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8765_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"8101C877-8499-4B45-9478-17A6A242E1B3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8765:-:*:*:*:*:*:*:*","matchCriteriaId":"3AACF35D-27E0-49AF-A667-13585C8B8071"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8766_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"215862D7-BF3D-4955-BCFF-48778190EEB5"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8766:-:*:*:*:*:*:*:*","matchCriteriaId":"CE45F606-2E75-48BC-9D1B-99D504974CBF"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8768_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"303069C6-F031-4176-9465-46F4134BB423"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8768:-:*:*:*:*:*:*:*","matchCriteriaId":"1CC6E254-11A9-49CE-83FE-6DAC23E7D7AA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8781_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"7E2280E5-F903-4541-8404-9F789CEFF172"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8781:-:*:*:*:*:*:*:*","matchCriteriaId":"533284E5-C3AF-48D3-A287-993099DB2E41"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8786_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"88A514F4-3EAF-45FB-8736-4A015E4DEB4E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8786:-:*:*:*:*:*:*:*","matchCriteriaId":"9D2D5F91-6AAB-4516-AD01-5C60F58BA4A6"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8788_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CD62F681-A2D1-4A8B-B087-7835ED500D69"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8788:-:*:*:*:*:*:*:*","matchCriteriaId":"FE10C121-F2AD-43D2-8FF9-A6C197858220"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8791t_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"6D15A887-AC6B-4458-8355-8505742F4FC2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8791t:-:*:*:*:*:*:*:*","matchCriteriaId":"1BB05B1D-77C9-4E42-91AD-9F087413DC20"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8793_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"42C2F52D-C49C-4AFF-B6FA-FFA82EF96142"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8793:-:*:*:*:*:*:*:*","matchCriteriaId":"2FBD3487-F8CE-406C-8BD7-DD57FF8CD60B"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8797_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"20E2FBC8-3C13-4663-8BFF-AA6B66F3F260"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8797:-:*:*:*:*:*:*:*","matchCriteriaId":"2B469BF4-5961-42E9-814B-1BE06D182E45"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8798_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"C91FB79A-E095-40BB-8141-240D69CAB131"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8798:-:*:*:*:*:*:*:*","matchCriteriaId":"637CAAD2-DCC0-4F81-B781-5D0536844CA8"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8910_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"A05E635E-9559-4899-A7BA-A74EB6501D1C"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8910:-:*:*:*:*:*:*:*","matchCriteriaId":"8C81BC81-1358-4005-8D35-92428D052A65"}]}]}],"references":[{"url":"https://corp.mediatek.com/product-security-bulletin/June-2026","source":"security@mediatek.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-20454","sourceIdentifier":"security@mediatek.com","published":"2026-06-01T04:16:22.033","lastModified":"2026-06-01T18:09:44.583","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In geniezone, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10873936; Issue ID: MSV-6786."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.5,"impactScore":5.9}]},"weaknesses":[{"source":"security@mediatek.com","type":"Secondary","description":[{"lang":"en","value":"CWE-367"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6739_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"14B94ECB-CAD4-499C-8959-1713FC5CE423"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*","matchCriteriaId":"7FA8A390-9F52-4CF3-9B45-936CE3E2B828"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6761_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"2493FB05-7723-4CDD-AC2A-8B21C4285436"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*","matchCriteriaId":"F726F486-A86F-4215-AD93-7A07A071844A"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6765_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"43327018-578C-4997-81B9-6DBD3679E40C"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*","matchCriteriaId":"43E779F6-F0A0-4153-9A1D-B715C3A2F80E"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6768_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"16EF9082-FC9B-4790-A79D-AA62C62E4B88"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*","matchCriteriaId":"06CD97E1-8A76-48B4-9780-9698EF5A960F"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6781_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"23F92B7C-A5A3-4F32-B4BF-CBE706D79702"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6781:-:*:*:*:*:*:*:*","matchCriteriaId":"C4EEE021-6B2A-47A0-AC6B-55525A40D718"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6789_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"524AB96D-4C15-47A6-B276-6B873796E8F3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6789:-:*:*:*:*:*:*:*","matchCriteriaId":"8B9B0D82-82C1-4A77-A016-329B99C45F49"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6835_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"00B1D726-8183-4667-B46D-18EF110EA9D9"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*","matchCriteriaId":"19A63103-C708-48EC-B44D-5E465A6B79C5"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6853_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"3EAA5C86-701B-4116-8A63-EB89B3DC2B93"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*","matchCriteriaId":"366F1912-756B-443E-9962-224937DD7DFB"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6855_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E997ED4F-33F3-4508-9B12-99DBA0D845B2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*","matchCriteriaId":"89AFEE24-7AAD-4EDB-8C3E-EDBA3240730A"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6877_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"07F67D59-75F0-4056-BCCE-F7888912CAB3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6877:-:*:*:*:*:*:*:*","matchCriteriaId":"7CA9352F-E9BD-4656-9B7C-4AFEE2C78E58"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6878_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"207954E6-D413-4762-9F4A-3A147CFB4FE2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6878:-:*:*:*:*:*:*:*","matchCriteriaId":"855A8046-34ED-4891-ACE5-76AB10AC8D53"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6879_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"502901D0-8B2D-449A-A2D6-E8914D5D4239"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6879:-:*:*:*:*:*:*:*","matchCriteriaId":"704BE5CE-AE08-4432-A8B0-4C8BD62148AD"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6883_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"22321E12-7EB8-46B7-ABB6-23ACC1436EFD"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6883:-:*:*:*:*:*:*:*","matchCriteriaId":"15E2EC3F-9FB3-488B-B1C1-2793A416C755"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6885_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"8A6E25F4-C394-4830-8EC3-2AF0563F5032"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6885:-:*:*:*:*:*:*:*","matchCriteriaId":"DD64413C-C774-4C4F-9551-89E1AA9469EE"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6886_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E10F9AFE-9F99-4B91-BF26-49E035FC8079"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6886:-:*:*:*:*:*:*:*","matchCriteriaId":"AF3E2B84-DAFE-4E11-B23B-026F719475F5"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6889_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CD17D854-2394-483D-B8E2-FDA1BC837DAD"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6889:-:*:*:*:*:*:*:*","matchCriteriaId":"3B787DC3-8E5A-4968-B20B-37B6257FAAE2"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6893_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"0A272644-3BC4-438B-BAC0-DDF164BF4097"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6893:-:*:*:*:*:*:*:*","matchCriteriaId":"213B5C7F-D965-4312-9CDF-4F06FA77D401"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6895_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"110CBA4A-26A6-4E4E-A0C6-35FA02A6D4AF"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6895:-:*:*:*:*:*:*:*","matchCriteriaId":"E0CA45C9-7BFE-4C93-B2AF-B86501F763AB"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6897_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"A04EA650-730F-4E5D-A0E0-90570CACDD5E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*","matchCriteriaId":"2A7D8055-F4B6-41EE-A078-11D56285AB66"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6899_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"BEBA484A-EC07-4D3D-80CD-BDE9E7807F71"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*","matchCriteriaId":"C6E9F80F-9AC9-41E0-BB14-9DB6F14B62CD"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6983_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"967E956F-07B4-4957-9C84-DDB5C38E5E69"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6983:-:*:*:*:*:*:*:*","matchCriteriaId":"EB6B9A26-F8A1-4322-AA4E-CDF8F7D99000"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6985_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CA30A145-D98E-4DA7-84C7-377402951190"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6985:-:*:*:*:*:*:*:*","matchCriteriaId":"EA72CCD1-DEA2-48EB-8781-04CFDD41AAEE"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6989_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E495B8EB-C9B5-4F32-AEE2-D2C41C0B292B"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*","matchCriteriaId":"AD7DE6B2-66D9-4A3E-B15F-D56505559255"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6991_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"D9DD2119-39E8-4A9C-8E2A-8FB7F92A1001"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*","matchCriteriaId":"CBBB30DF-E963-4940-B742-F6801F68C3FC"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8673_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"84687740-E3E8-4E57-8652-7C13C68E9C81"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8673:-:*:*:*:*:*:*:*","matchCriteriaId":"152F6606-FA23-4530-AA07-419866B74CB3"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8765_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"8101C877-8499-4B45-9478-17A6A242E1B3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8765:-:*:*:*:*:*:*:*","matchCriteriaId":"3AACF35D-27E0-49AF-A667-13585C8B8071"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8766_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"215862D7-BF3D-4955-BCFF-48778190EEB5"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8766:-:*:*:*:*:*:*:*","matchCriteriaId":"CE45F606-2E75-48BC-9D1B-99D504974CBF"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8768_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"303069C6-F031-4176-9465-46F4134BB423"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8768:-:*:*:*:*:*:*:*","matchCriteriaId":"1CC6E254-11A9-49CE-83FE-6DAC23E7D7AA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8781_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"7E2280E5-F903-4541-8404-9F789CEFF172"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8781:-:*:*:*:*:*:*:*","matchCriteriaId":"533284E5-C3AF-48D3-A287-993099DB2E41"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8786_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"88A514F4-3EAF-45FB-8736-4A015E4DEB4E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8786:-:*:*:*:*:*:*:*","matchCriteriaId":"9D2D5F91-6AAB-4516-AD01-5C60F58BA4A6"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8788_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CD62F681-A2D1-4A8B-B087-7835ED500D69"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8788:-:*:*:*:*:*:*:*","matchCriteriaId":"FE10C121-F2AD-43D2-8FF9-A6C197858220"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8791t_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"6D15A887-AC6B-4458-8355-8505742F4FC2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8791t:-:*:*:*:*:*:*:*","matchCriteriaId":"1BB05B1D-77C9-4E42-91AD-9F087413DC20"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8793_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"42C2F52D-C49C-4AFF-B6FA-FFA82EF96142"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8793:-:*:*:*:*:*:*:*","matchCriteriaId":"2FBD3487-F8CE-406C-8BD7-DD57FF8CD60B"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8797_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"20E2FBC8-3C13-4663-8BFF-AA6B66F3F260"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8797:-:*:*:*:*:*:*:*","matchCriteriaId":"2B469BF4-5961-42E9-814B-1BE06D182E45"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8798_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"C91FB79A-E095-40BB-8141-240D69CAB131"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8798:-:*:*:*:*:*:*:*","matchCriteriaId":"637CAAD2-DCC0-4F81-B781-5D0536844CA8"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8910_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"A05E635E-9559-4899-A7BA-A74EB6501D1C"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8910:-:*:*:*:*:*:*:*","matchCriteriaId":"8C81BC81-1358-4005-8D35-92428D052A65"}]}]}],"references":[{"url":"https://corp.mediatek.com/product-security-bulletin/June-2026","source":"security@mediatek.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-20455","sourceIdentifier":"security@mediatek.com","published":"2026-06-01T04:16:22.163","lastModified":"2026-06-01T17:56:37.953","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In geniezone, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10873936; Issue ID: MSV-6784."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"security@mediatek.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6739_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"14B94ECB-CAD4-499C-8959-1713FC5CE423"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*","matchCriteriaId":"7FA8A390-9F52-4CF3-9B45-936CE3E2B828"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6761_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"2493FB05-7723-4CDD-AC2A-8B21C4285436"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*","matchCriteriaId":"F726F486-A86F-4215-AD93-7A07A071844A"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6765_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"43327018-578C-4997-81B9-6DBD3679E40C"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*","matchCriteriaId":"43E779F6-F0A0-4153-9A1D-B715C3A2F80E"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6768_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"16EF9082-FC9B-4790-A79D-AA62C62E4B88"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*","matchCriteriaId":"06CD97E1-8A76-48B4-9780-9698EF5A960F"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6781_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"23F92B7C-A5A3-4F32-B4BF-CBE706D79702"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6781:-:*:*:*:*:*:*:*","matchCriteriaId":"C4EEE021-6B2A-47A0-AC6B-55525A40D718"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6789_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"524AB96D-4C15-47A6-B276-6B873796E8F3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6789:-:*:*:*:*:*:*:*","matchCriteriaId":"8B9B0D82-82C1-4A77-A016-329B99C45F49"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6835_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"00B1D726-8183-4667-B46D-18EF110EA9D9"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*","matchCriteriaId":"19A63103-C708-48EC-B44D-5E465A6B79C5"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6853_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"3EAA5C86-701B-4116-8A63-EB89B3DC2B93"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*","matchCriteriaId":"366F1912-756B-443E-9962-224937DD7DFB"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6855_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E997ED4F-33F3-4508-9B12-99DBA0D845B2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*","matchCriteriaId":"89AFEE24-7AAD-4EDB-8C3E-EDBA3240730A"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6877_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"07F67D59-75F0-4056-BCCE-F7888912CAB3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6877:-:*:*:*:*:*:*:*","matchCriteriaId":"7CA9352F-E9BD-4656-9B7C-4AFEE2C78E58"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6878_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"207954E6-D413-4762-9F4A-3A147CFB4FE2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6878:-:*:*:*:*:*:*:*","matchCriteriaId":"855A8046-34ED-4891-ACE5-76AB10AC8D53"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6879_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"502901D0-8B2D-449A-A2D6-E8914D5D4239"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6879:-:*:*:*:*:*:*:*","matchCriteriaId":"704BE5CE-AE08-4432-A8B0-4C8BD62148AD"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6883_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"22321E12-7EB8-46B7-ABB6-23ACC1436EFD"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6883:-:*:*:*:*:*:*:*","matchCriteriaId":"15E2EC3F-9FB3-488B-B1C1-2793A416C755"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6885_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"8A6E25F4-C394-4830-8EC3-2AF0563F5032"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6885:-:*:*:*:*:*:*:*","matchCriteriaId":"DD64413C-C774-4C4F-9551-89E1AA9469EE"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6886_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E10F9AFE-9F99-4B91-BF26-49E035FC8079"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6886:-:*:*:*:*:*:*:*","matchCriteriaId":"AF3E2B84-DAFE-4E11-B23B-026F719475F5"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6889_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CD17D854-2394-483D-B8E2-FDA1BC837DAD"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6889:-:*:*:*:*:*:*:*","matchCriteriaId":"3B787DC3-8E5A-4968-B20B-37B6257FAAE2"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6893_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"0A272644-3BC4-438B-BAC0-DDF164BF4097"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6893:-:*:*:*:*:*:*:*","matchCriteriaId":"213B5C7F-D965-4312-9CDF-4F06FA77D401"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6895_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"110CBA4A-26A6-4E4E-A0C6-35FA02A6D4AF"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6895:-:*:*:*:*:*:*:*","matchCriteriaId":"E0CA45C9-7BFE-4C93-B2AF-B86501F763AB"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6897_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"A04EA650-730F-4E5D-A0E0-90570CACDD5E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*","matchCriteriaId":"2A7D8055-F4B6-41EE-A078-11D56285AB66"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6899_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"BEBA484A-EC07-4D3D-80CD-BDE9E7807F71"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*","matchCriteriaId":"C6E9F80F-9AC9-41E0-BB14-9DB6F14B62CD"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6983_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"967E956F-07B4-4957-9C84-DDB5C38E5E69"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6983:-:*:*:*:*:*:*:*","matchCriteriaId":"EB6B9A26-F8A1-4322-AA4E-CDF8F7D99000"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6985_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CA30A145-D98E-4DA7-84C7-377402951190"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6985:-:*:*:*:*:*:*:*","matchCriteriaId":"EA72CCD1-DEA2-48EB-8781-04CFDD41AAEE"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6989_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"E495B8EB-C9B5-4F32-AEE2-D2C41C0B292B"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*","matchCriteriaId":"AD7DE6B2-66D9-4A3E-B15F-D56505559255"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt6991_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"D9DD2119-39E8-4A9C-8E2A-8FB7F92A1001"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*","matchCriteriaId":"CBBB30DF-E963-4940-B742-F6801F68C3FC"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8673_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"84687740-E3E8-4E57-8652-7C13C68E9C81"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8673:-:*:*:*:*:*:*:*","matchCriteriaId":"152F6606-FA23-4530-AA07-419866B74CB3"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8765_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"8101C877-8499-4B45-9478-17A6A242E1B3"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8765:-:*:*:*:*:*:*:*","matchCriteriaId":"3AACF35D-27E0-49AF-A667-13585C8B8071"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8766_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"215862D7-BF3D-4955-BCFF-48778190EEB5"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8766:-:*:*:*:*:*:*:*","matchCriteriaId":"CE45F606-2E75-48BC-9D1B-99D504974CBF"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8768_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"303069C6-F031-4176-9465-46F4134BB423"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8768:-:*:*:*:*:*:*:*","matchCriteriaId":"1CC6E254-11A9-49CE-83FE-6DAC23E7D7AA"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8781_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"7E2280E5-F903-4541-8404-9F789CEFF172"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8781:-:*:*:*:*:*:*:*","matchCriteriaId":"533284E5-C3AF-48D3-A287-993099DB2E41"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8786_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"88A514F4-3EAF-45FB-8736-4A015E4DEB4E"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8786:-:*:*:*:*:*:*:*","matchCriteriaId":"9D2D5F91-6AAB-4516-AD01-5C60F58BA4A6"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8788_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"CD62F681-A2D1-4A8B-B087-7835ED500D69"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8788:-:*:*:*:*:*:*:*","matchCriteriaId":"FE10C121-F2AD-43D2-8FF9-A6C197858220"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8791t_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"6D15A887-AC6B-4458-8355-8505742F4FC2"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8791t:-:*:*:*:*:*:*:*","matchCriteriaId":"1BB05B1D-77C9-4E42-91AD-9F087413DC20"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8793_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"42C2F52D-C49C-4AFF-B6FA-FFA82EF96142"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8793:-:*:*:*:*:*:*:*","matchCriteriaId":"2FBD3487-F8CE-406C-8BD7-DD57FF8CD60B"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8797_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"20E2FBC8-3C13-4663-8BFF-AA6B66F3F260"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8797:-:*:*:*:*:*:*:*","matchCriteriaId":"2B469BF4-5961-42E9-814B-1BE06D182E45"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8798_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"C91FB79A-E095-40BB-8141-240D69CAB131"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8798:-:*:*:*:*:*:*:*","matchCriteriaId":"637CAAD2-DCC0-4F81-B781-5D0536844CA8"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt8910_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"A05E635E-9559-4899-A7BA-A74EB6501D1C"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt8910:-:*:*:*:*:*:*:*","matchCriteriaId":"8C81BC81-1358-4005-8D35-92428D052A65"}]}]}],"references":[{"url":"https://corp.mediatek.com/product-security-bulletin/June-2026","source":"security@mediatek.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-20456","sourceIdentifier":"security@mediatek.com","published":"2026-06-01T04:16:22.283","lastModified":"2026-06-01T17:54:59.503","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In wlan STA driver, there is a possible system crash due to a missing bounds check. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480851; Issue ID: MSV-6338."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@mediatek.com","type":"Secondary","description":[{"lang":"en","value":"CWE-787"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7902_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"C88EAF30-A899-478B-BF4A-9DC61E1177B4"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7902:-:*:*:*:*:*:*:*","matchCriteriaId":"91DEA745-47A8-43F1-A1B2-F53F651A99EF"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7920_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"DB438952-6B4D-454A-AC2C-0FFA759FAAF1"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7920:-:*:*:*:*:*:*:*","matchCriteriaId":"140DAC08-96E9-47D3-BC2E-65E999DCFD50"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7921_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"FDF9ABD6-2AEF-43FF-A3B9-C4AF11E7C4CC"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7921:-:*:*:*:*:*:*:*","matchCriteriaId":"32AFEA0A-FFE2-4EA9-8B51-7E3E75DE65CC"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7922_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"FC8D3E58-DC77-4EF8-94F5-D7C12E4CE1C1"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7922:-:*:*:*:*:*:*:*","matchCriteriaId":"EA2A6813-7138-441E-A9E4-FF62FCBD797A"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7925_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"47E74656-3DD4-4A34-8E81-77CB5E4AB253"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7925:-:*:*:*:*:*:*:*","matchCriteriaId":"27CFC9DF-2F4C-469A-8A19-A260B1134CFE"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:mediatek:mt7927_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"D8B57DE7-C20E-46DE-889A-41CC10059C72"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:mediatek:mt7927:-:*:*:*:*:*:*:*","matchCriteriaId":"05525018-AFE0-415C-A71C-A77922C7D637"}]}]}],"references":[{"url":"https://corp.mediatek.com/product-security-bulletin/June-2026","source":"security@mediatek.com","tags":["Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-48187","sourceIdentifier":"security@otrs.com","published":"2026-06-01T04:16:22.410","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation which may lead to the abortion of the webserver.This issue affects OTRS:\n\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X\n\nPlease note that ((OTRS)) Community Edition 6.x, OTRS 7.x and products based on the ((OTRS)) Community Edition also very likely to be affected"}],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":3.6}]},"weaknesses":[{"source":"security@otrs.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"},{"lang":"en","value":"CWE-770"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-06/","source":"security@otrs.com"}]}},{"cve":{"id":"CVE-2026-48188","sourceIdentifier":"security@otrs.com","published":"2026-06-01T04:16:22.583","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X\n * (OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"}],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"security@otrs.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-02/","source":"security@otrs.com"}]}},{"cve":{"id":"CVE-2026-48189","sourceIdentifier":"security@otrs.com","published":"2026-06-01T04:16:22.723","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X"}],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6}]},"weaknesses":[{"source":"security@otrs.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-03/","source":"security@otrs.com"}]}},{"cve":{"id":"CVE-2026-48190","sourceIdentifier":"security@otrs.com","published":"2026-06-01T04:16:22.857","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X"}],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":1.4}]},"weaknesses":[{"source":"security@otrs.com","type":"Secondary","description":[{"lang":"en","value":"CWE-276"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-04/","source":"security@otrs.com"}]}},{"cve":{"id":"CVE-2026-48191","sourceIdentifier":"security@otrs.com","published":"2026-06-01T04:16:22.983","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them.\n\nThis issue affects OTRS with STORM modules: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X"}],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":1.4}]},"weaknesses":[{"source":"security@otrs.com","type":"Secondary","description":[{"lang":"en","value":"CWE-276"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-05/","source":"security@otrs.com"}]}},{"cve":{"id":"CVE-2026-48208","sourceIdentifier":"security@otrs.com","published":"2026-06-01T04:16:23.123","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP).\n\nThis issue affects OTRS:\n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X\n\nPlease note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected"}],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@otrs.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"},{"lang":"en","value":"CWE-791"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-07/","source":"security@otrs.com"}]}},{"cve":{"id":"CVE-2026-48209","sourceIdentifier":"security@otrs.com","published":"2026-06-01T04:16:23.257","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened.\n\nThis issue affects OTRS:\n\n * 7.0.x\n\nPlease note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition also very likely to be affected"}],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"weaknesses":[{"source":"security@otrs.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"},{"lang":"en","value":"CWE-116"}]}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-08/","source":"security@otrs.com"}]}},{"cve":{"id":"CVE-2026-45192","sourceIdentifier":"security@apache.org","published":"2026-06-01T08:16:20.567","lastModified":"2026-06-01T17:08:11.913","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) — for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionEndExcluding":"3.2.2","matchCriteriaId":"0893C3AA-26A4-4682-A36C-05E719EB2943"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/66673","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/06/01/3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-10517","sourceIdentifier":"secalert@redhat.com","published":"2026-06-01T09:16:16.447","lastModified":"2026-06-01T16:57:45.130","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured (opt-in, not enforced by default), an unauthenticated attacker can submit a manifest with a URI pointing to internal services or cloud metadata endpoints. The SSRF is reflective for non-200 responses, leaking up to 256 bytes of error body content via CheckResponse error messages. Operator-managed Red Hat Quay deployments auto-configure PSK and are not exposed to the unauthenticated attack vector."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N","baseScore":5.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-10517","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-27788","sourceIdentifier":"vultures@jpcert.or.jp","published":"2026-06-01T09:16:16.590","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Incorrect permission assignment for critical resource issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege."}],"metrics":{"cvssMetricV40":[{"source":"vultures@jpcert.or.jp","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV30":[{"source":"vultures@jpcert.or.jp","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"vultures@jpcert.or.jp","type":"Primary","description":[{"lang":"en","value":"CWE-732"}]}],"references":[{"url":"https://jvn.jp/en/jp/JVN67883085/","source":"vultures@jpcert.or.jp"},{"url":"https://www.fsastech.com/ja-jp/resources/security/2026/0529.html","source":"vultures@jpcert.or.jp"}]}},{"cve":{"id":"CVE-2026-32325","sourceIdentifier":"vultures@jpcert.or.jp","published":"2026-06-01T09:16:16.767","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege."}],"metrics":{"cvssMetricV40":[{"source":"vultures@jpcert.or.jp","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV30":[{"source":"vultures@jpcert.or.jp","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"vultures@jpcert.or.jp","type":"Primary","description":[{"lang":"en","value":"CWE-268"}]}],"references":[{"url":"https://jvn.jp/en/jp/JVN67883085/","source":"vultures@jpcert.or.jp"},{"url":"https://www.fsastech.com/ja-jp/resources/security/2026/0529.html","source":"vultures@jpcert.or.jp"}]}},{"cve":{"id":"CVE-2026-40543","sourceIdentifier":"cvd@cert.pl","published":"2026-06-01T09:16:17.013","lastModified":"2026-06-01T16:37:15.140","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information.\n\nThis issue affects SOPlanning version 1.55 and below."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://cert.pl/en/posts/2026/06/CVE-2026-40543","source":"cvd@cert.pl"},{"url":"https://www.soplanning.org/en/","source":"cvd@cert.pl"}]}},{"cve":{"id":"CVE-2026-40544","sourceIdentifier":"cvd@cert.pl","published":"2026-06-01T09:16:17.163","lastModified":"2026-06-01T16:37:15.140","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim’s browser when a user clicks the Edit button for the malicious backup.\n\nThis issue affects SOPlanning version 1.55 and below."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://cert.pl/en/posts/2026/06/CVE-2026-40543","source":"cvd@cert.pl"},{"url":"https://www.soplanning.org/en/","source":"cvd@cert.pl"}]}},{"cve":{"id":"CVE-2026-40545","sourceIdentifier":"cvd@cert.pl","published":"2026-06-01T09:16:17.287","lastModified":"2026-06-01T16:37:15.140","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SOPlanning is vulnerable to Reflected XSS via the taches parameter. An attacker can craft a malicious URL which, when opened by authenticated victim, results in arbitrary JavaScript execution in the victim’s browser.\n\nThis issue affects SOPlanning version 1.55 and below."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://cert.pl/en/posts/2026/06/CVE-2026-40543","source":"cvd@cert.pl"},{"url":"https://www.soplanning.org/en/","source":"cvd@cert.pl"}]}},{"cve":{"id":"CVE-2026-40546","sourceIdentifier":"cvd@cert.pl","published":"2026-06-01T09:16:17.400","lastModified":"2026-06-01T16:37:15.140","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. Attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database.\n\nThis issue affects SOPlanning version 1.55 and below."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://cert.pl/en/posts/2026/06/CVE-2026-40543","source":"cvd@cert.pl"},{"url":"https://www.soplanning.org/en/","source":"cvd@cert.pl"}]}},{"cve":{"id":"CVE-2026-40547","sourceIdentifier":"cvd@cert.pl","published":"2026-06-01T09:16:17.513","lastModified":"2026-06-01T16:37:15.140","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SOPlanning is vulnerable to Path Traversal in backup endpoints. Authenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading and executing files previously added through the backup functionality. Critically, due to CVE-2026-40543 (Missing Authorization), any backup file can be read by any (unauthorized) user.\n\nThis issue affects SOPlanning version 1.55 and below."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://cert.pl/en/posts/2026/06/CVE-2026-40543","source":"cvd@cert.pl"},{"url":"https://www.soplanning.org/en/","source":"cvd@cert.pl"}]}},{"cve":{"id":"CVE-2026-40548","sourceIdentifier":"cvd@cert.pl","published":"2026-06-01T09:16:17.647","lastModified":"2026-06-01T16:37:15.140","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 (Path Traversal), the malicious file (e.g., a PHP script) can be placed in a web-accessible location and executed via the browser.\n\nThis issue affects SOPlanning version 1.55 and below."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-434"}]}],"references":[{"url":"https://cert.pl/en/posts/2026/06/CVE-2026-40543","source":"cvd@cert.pl"},{"url":"https://www.soplanning.org/en/","source":"cvd@cert.pl"}]}},{"cve":{"id":"CVE-2026-40549","sourceIdentifier":"cvd@cert.pl","published":"2026-06-01T09:16:17.777","lastModified":"2026-06-01T16:37:15.140","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"SOPlanning is vulnerable to Cross‑Site Request Forgery (CSRF) in groupe_save create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application.\n\nThis issue affects SOPlanning version 1.55 and below."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-352"}]}],"references":[{"url":"https://cert.pl/en/posts/2026/06/CVE-2026-40543","source":"cvd@cert.pl"},{"url":"https://www.soplanning.org/en/","source":"cvd@cert.pl"}]}},{"cve":{"id":"CVE-2026-40963","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:18.123","lastModified":"2026-06-01T17:06:48.227","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-285"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.2.2","matchCriteriaId":"386C9448-B31E-4094-9935-5FDA9DB550B0"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/65342","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/s907bhsksc37m59f0loqjcp1ryobrr60","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-41017","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:18.343","lastModified":"2026-06-01T17:08:40.923","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-614"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.2.2","matchCriteriaId":"386C9448-B31E-4094-9935-5FDA9DB550B0"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/65348","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/9jx0sk49c1250zflx0q3clc717qgjdch","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-42253","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:18.673","lastModified":"2026-06-01T17:06:34.850","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web.\n\nThe MessageServlet in the ActiveMQ web console API copies every JMS message\nproperty into an HTTP response header without any validation. This can allow overwriting and injecting security headers by setting them on JMS messages that are returned by the servlet.\n\nThis issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6.\n\nUsers are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. The MessageServlet has now been deprecated and disabled by default."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"793E68E6-9024-4518-B062-42B2DE5BB555"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"FFF44DB9-1850-4B5F-AD0F-55CB5219AB22"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"F12E08BD-3094-4096-8162-B98B0004B5AF"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_web:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"FAFD6F1A-7E2E-4611-A84F-BA7A28E555D2"}]}]}],"references":[{"url":"https://lists.apache.org/thread/j9vmlc410ht5f28fc98gx75jcbq62j00","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/17","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-42358","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:18.790","lastModified":"2026-06-01T17:09:10.077","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nested item before checking the sensitive key name. An authenticated UI/API user with Variable read permission could harvest plaintext secret values stored under sensitive keys nested deep enough to exceed the masker's depth cap. Affects deployments that store sensitive values inside deeply-nested JSON Variables. This is a residual gap in the fix for CVE-2026-32690 (which covered shallower nesting via `max_depth=1`); the depth-limit boundary itself was not raised, so the same key-name bypass pattern reappears beyond the recursion cap. Users who already upgraded for CVE-2026-32690 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the deep-nesting path."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Primary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionEndExcluding":"3.2.2","matchCriteriaId":"0893C3AA-26A4-4682-A36C-05E719EB2943"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/65912","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/33635mv3zjb75wn5453c5yf9trs8x2om","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-42359","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:18.907","lastModified":"2026-06-01T17:16:59.437","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass."}],"metrics":{},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://github.com/apache/airflow/pull/65915","source":"security@apache.org"},{"url":"https://lists.apache.org/thread/g8dqykpf1p90tysq8tln4qtkqwb1038s","source":"security@apache.org"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33858","source":"security@apache.org"}]}},{"cve":{"id":"CVE-2026-42360","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:19.033","lastModified":"2026-06-01T17:06:22.257","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionEndExcluding":"3.2.2","matchCriteriaId":"0893C3AA-26A4-4682-A36C-05E719EB2943"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/65906","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]}]}},{"cve":{"id":"CVE-2026-42588","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:19.137","lastModified":"2026-06-01T17:06:00.667","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.\n\nApache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including\nBrokerService.addNetworkConnector(String).\n\nAn authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the \"masterslave:// \" URL which can allow loading a Spring XML application context using ResourceXmlApplicationContext.\nBecause Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().\nThis issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nUsers are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"793E68E6-9024-4518-B062-42B2DE5BB555"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"FFF44DB9-1850-4B5F-AD0F-55CB5219AB22"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"FE27E832-0E65-4D05-A2EE-271152799E96"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"94F0DB6E-BEF4-4BEB-92F5-3A7B65172CC2"}]}]}],"references":[{"url":"https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/18","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-44825","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:19.267","lastModified":"2026-06-01T18:30:18.067","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. \n\nAs an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.\nThe future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.\n\nNot affected:\n * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth\n * Clusters where template users have been assigned strong passwords after bootstrap"}],"metrics":{"cvssMetricV31":[{"source":"security@apache.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-798"},{"lang":"en","value":"CWE-1188"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*","versionStartIncluding":"9.4.0","versionEndIncluding":"9.10.1","matchCriteriaId":"A3AD8B90-4676-4179-B497-6DA0F4CA6D57"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:solr:10.0.0:*:*:*:*:*:*:*","matchCriteriaId":"3DFFDA22-2A21-432B-96C2-97D430B2D79F"}]}]}],"references":[{"url":"https://lists.apache.org/thread/5xg6xr99glocp3zsg9ht2zlbwlrst7ch","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/29/6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-45426","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:19.583","lastModified":"2026-06-01T18:25:06.940","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the requested path segment when verifying the JWT's `sub` claim. `str.lstrip()` strips any of a *set* of characters from the left (not a prefix), so a JWT issued for a Dag named e.g. `dag_a` would authorize log access to any other Dag whose name began with any subset of the characters `{d, a, g, _}` (e.g. `dag_attacker`, `aaaa_target`, `_dag_secret`). Such an authenticated worker could enumerate and read worker logs of other Dags whose names happened to share that character-class prefix, leaking task output and error traces beyond the documented per-Dag isolation boundary. Affects deployments relying on per-Dag log-access scoping (multi-team, shared-executor, shared-worker topologies). Users are advised to upgrade to `apache-airflow` 3.2.2 or later."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":3.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":1.4}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.2.2","matchCriteriaId":"386C9448-B31E-4094-9935-5FDA9DB550B0"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/66749","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/hz1q7vg65vq2h4fobv5ww8tp257fbqj9","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/13","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-45505","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:19.700","lastModified":"2026-06-01T17:09:40.713","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.\n\n\nNon-parenthesized discovery wrappers such as `masterslave:vm://...,...`\nand `static:vm://...` incorrectly pass validation allowing bypass of fix in CVE-2026-34197. \n\nOriginal description from CVE-2026-34197.\n\nApache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery UR that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). \nThis issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nUsers are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"793E68E6-9024-4518-B062-42B2DE5BB555"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"FFF44DB9-1850-4B5F-AD0F-55CB5219AB22"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"FE27E832-0E65-4D05-A2EE-271152799E96"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"94F0DB6E-BEF4-4BEB-92F5-3A7B65172CC2"}]}]}],"references":[{"url":"https://lists.apache.org/thread/7n97nddyw96w6ykldjv1h40jx86xdo0w","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34197","source":"security@apache.org","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-46605","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:19.827","lastModified":"2026-06-01T17:07:51.933","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions.\n\nThis issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nUsers are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-285"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"793E68E6-9024-4518-B062-42B2DE5BB555"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"FFF44DB9-1850-4B5F-AD0F-55CB5219AB22"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"FE27E832-0E65-4D05-A2EE-271152799E96"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"94F0DB6E-BEF4-4BEB-92F5-3A7B65172CC2"}]}]}],"references":[{"url":"https://lists.apache.org/thread/l4lxgr2s73g9pb218f180psfyskf8ldm","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/20","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-46764","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:20.073","lastModified":"2026-06-01T18:24:44.903","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security@apache.org","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*","versionEndExcluding":"3.2.2","matchCriteriaId":"0893C3AA-26A4-4682-A36C-05E719EB2943"}]}]}],"references":[{"url":"https://github.com/apache/airflow/pull/67112","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/ctrbj7q3m86g4qxmo9ponojgmzrcoqpv","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/14","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-48827","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:20.307","lastModified":"2026-06-01T17:08:05.960","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory.\n\n\n\n\nApplications are affected if they use org.apache.sshd:sshd-git. Applications not using sshd-git are not affected.\n\n\n\n\nUsers are advised to upgrade affected applications to Apche MINA SSHD 2.18.0, which fixes the issue.\n\n\n\n\nThe issue also is present in the pre-release milestones 3.0.0-M1 to 3.0.0-M3 for a new upcoming new major version 3.0.0. Again, applications are affected only if they use sshd-git. Upgrade affected applications to 3.0.0-M4.\n\n\n\n\nWe would like to point out that a professional git server should not rely solely on file system layout and permissions, but should implement additional security controls to govern access to git repositories and operations allowed on particular git repositories."}],"metrics":{"cvssMetricV31":[{"source":"security@apache.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:mina_sshd:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.18.0","matchCriteriaId":"F5EB0B4D-9C31-4A5F-A476-B57D6C805FFB"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:mina_sshd:3.0.0:m1:*:*:*:*:*:*","matchCriteriaId":"32435A6F-3BD6-4AAB-93B1-0B1514419A50"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:mina_sshd:3.0.0:m2:*:*:*:*:*:*","matchCriteriaId":"0E399FD6-9A33-4F78-AFCE-F46C7BBC56F1"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:mina_sshd:3.0.0:m3:*:*:*:*:*:*","matchCriteriaId":"13419EBE-E6B4-4895-BF6C-FC910076CC7A"}]}]}],"references":[{"url":"https://lists.apache.org/thread/910kq9ghm6js0k1yhhbrdm9sf5tqq9c9","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/30/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-49157","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:20.427","lastModified":"2026-06-01T17:09:59.100","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Incorrect Default Permissions vulnerability in Apache ActiveMQ.\n\nThis issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nThe default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.\n\nUsers are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-276"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"793E68E6-9024-4518-B062-42B2DE5BB555"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"FFF44DB9-1850-4B5F-AD0F-55CB5219AB22"}]}]}],"references":[{"url":"https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/21","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-49270","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:20.650","lastModified":"2026-06-01T17:09:45.710","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.\n\nBrokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated.\nThis issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6.\n\nUsers are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-1230"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"793E68E6-9024-4518-B062-42B2DE5BB555"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"FFF44DB9-1850-4B5F-AD0F-55CB5219AB22"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*","versionEndExcluding":"5.19.7","matchCriteriaId":"FE27E832-0E65-4D05-A2EE-271152799E96"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.2.6","matchCriteriaId":"94F0DB6E-BEF4-4BEB-92F5-3A7B65172CC2"}]}]}],"references":[{"url":"https://lists.apache.org/thread/k3233c1x506z3w7x4z0dqvd86d4v2fr2","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/31/22","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-49361","sourceIdentifier":"security@apache.org","published":"2026-06-01T09:16:20.880","lastModified":"2026-06-01T18:24:06.450","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service.\n\nThis issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0.\n\nUsers are recommended to upgrade to version 0.9.1, which fixes the issue."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-400"},{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:fluss:*:*:*:*:*:*:*:*","versionStartIncluding":"0.8.0","versionEndExcluding":"0.9.1","matchCriteriaId":"934071BF-644A-4E67-96EB-82996C2A0BD8"}]}]}],"references":[{"url":"https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2026/05/30/5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}},{"cve":{"id":"CVE-2026-7858","sourceIdentifier":"3DS.Information-Security@3ds.com","published":"2026-06-01T09:16:20.990","lastModified":"2026-06-01T17:57:39.180","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x could lead to an unauthenticated remote code execution."}],"metrics":{"cvssMetricV31":[{"source":"3DS.Information-Security@3ds.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"3DS.Information-Security@3ds.com","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://www.3ds.com/trust-center/security/security-advisories/cve-2026-7858","source":"3DS.Information-Security@3ds.com"}]}},{"cve":{"id":"CVE-2026-9024","sourceIdentifier":"3DS.Information-Security@3ds.com","published":"2026-06-01T09:16:21.413","lastModified":"2026-06-01T17:57:39.180","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in user's browser session."}],"metrics":{"cvssMetricV31":[{"source":"3DS.Information-Security@3ds.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":5.8}]},"weaknesses":[{"source":"3DS.Information-Security@3ds.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://www.3ds.com/trust-center/security/security-advisories/cve-2026-9024","source":"3DS.Information-Security@3ds.com"}]}},{"cve":{"id":"CVE-2026-25599","sourceIdentifier":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158","published":"2026-06-01T11:16:24.643","lastModified":"2026-06-01T18:02:29.343","vulnStatus":"Awaiting Analysis","cveTags":[{"sourceIdentifier":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158","tags":["unsupported-when-assigned"]}],"descriptions":[{"lang":"en","value":"Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an \nunencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an\n attacker to impersonate a legitimate device and inject malicious \npayloads. This enables the insertion of harmful code directly\n into the Orca user portal, potentially compromising user accounts, \nexposing sensitive information, and allowing further unauthorized \nactions within the portal."}],"metrics":{"cvssMetricV31":[{"source":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}]},"weaknesses":[{"source":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158","type":"Secondary","description":[{"lang":"en","value":"CWE-79"},{"lang":"en","value":"CWE-306"},{"lang":"en","value":"CWE-319"}]}],"references":[{"url":"https://www.cert.si/en/cve-2026-25599/","source":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}]}},{"cve":{"id":"CVE-2026-25600","sourceIdentifier":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158","published":"2026-06-01T11:16:24.793","lastModified":"2026-06-01T18:02:29.343","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"The PDBM application relies on a static, hard‑coded secret embedded \nin the PDBM.exe executable. This secret is used by the application’s \nencryption routines, including the function responsible for decrypting \ncredentials stored in the product’s configuration file. Because the \nsecret is constant across installations, any attacker with sufficient \nlocal privileges can extract it from the binary. Once obtained, the secret allows the attacker to decrypt the stored \npassword and authenticate as the user defined in the configuration file.\n In the affected version, this user account is configured with \nadministrative privileges, granting full access to PDBM’s management \ninterface and its underlying operational functions."}],"metrics":{"cvssMetricV31":[{"source":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":0.5,"impactScore":5.9}]},"weaknesses":[{"source":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158","type":"Secondary","description":[{"lang":"en","value":"CWE-798"}]}],"references":[{"url":"https://www.cert.si/en/cve-2026-25600/","source":"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}]}},{"cve":{"id":"CVE-2026-10532","sourceIdentifier":"vulnerability@ncsc.ch","published":"2026-06-01T13:16:30.340","lastModified":"2026-06-01T18:16:02.273","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted.\n\nMore precisely, an attacker able to influence serialized data sent to \nSimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects.\n\n\nAlthough deserialization is heavily restricted by HardenedObjectInputStream and no \npractical way to achieve remote code execution or significant privilege \nescalation has been identified, this issue constitutes a bypass of the \nintended security restrictions.\n\n\n\nThis issue affects logback: through 1.5.33 inclusive."}],"metrics":{"cvssMetricV40":[{"source":"vulnerability@ncsc.ch","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Green","baseScore":2.9,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"GREEN"}}]},"weaknesses":[{"source":"vulnerability@ncsc.ch","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://logback.qos.ch/news.html#1.5.34","source":"vulnerability@ncsc.ch"}]}},{"cve":{"id":"CVE-2026-34193","sourceIdentifier":"367425dc-4d06-4041-9650-c2dc6aaa27ce","published":"2026-06-01T13:16:31.460","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Kernel software installed and running inside a Guest/Host VM may post improper commands to the GPU Firmware to trigger a write of data outside the intended GPU memory.\n\n\n\nA logic error in the address translation allowed a compromised Host (Kernel) to perform arbitrary writes to firmware memory."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"367425dc-4d06-4041-9650-c2dc6aaa27ce","type":"Secondary","description":[{"lang":"en","value":"CWE-823"}]}],"references":[{"url":"https://www.imaginationtech.com/gpu-driver-vulnerabilities/","source":"367425dc-4d06-4041-9650-c2dc6aaa27ce"}]}},{"cve":{"id":"CVE-2026-9308","sourceIdentifier":"security@mozilla.org","published":"2026-06-01T13:16:33.523","lastModified":"2026-06-01T17:06:59.370","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was fixed in Firefox for iOS 151.2."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=2039422","source":"security@mozilla.org"},{"url":"https://www.mozilla.org/security/advisories/mfsa2026-53/","source":"security@mozilla.org"}]}},{"cve":{"id":"CVE-2026-9309","sourceIdentifier":"security@mozilla.org","published":"2026-06-01T13:16:33.623","lastModified":"2026-06-01T17:06:59.370","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScript execution in an internal origin. This vulnerability was fixed in Firefox for iOS 151.2."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=2036573","source":"security@mozilla.org"},{"url":"https://www.mozilla.org/security/advisories/mfsa2026-53/","source":"security@mozilla.org"}]}},{"cve":{"id":"CVE-2024-40646","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T15:16:28.130","lastModified":"2026-06-01T18:53:42.563","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Vertex is a management tool for PT (Private Tracker) users to manage streaming and watching videos. Versions prior to commit fbde301b97986d5913fc4bc95f5445750d282e11 are vulnerable to path traversal. Users should upgrade to a version containing commit fbde301b97986d5913fc4bc95f5445750d282e11 to receive a patch."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/vertex-app/vertex/commit/fbde301b97986d5913fc4bc95f5445750d282e11","source":"security-advisories@github.com"},{"url":"https://github.com/vertex-app/vertex/security/advisories/GHSA-92j5-qc36-23rr","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2025-55664","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T15:16:28.297","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"references":[{"url":"https://github.com/gpac/gpac/commit/9bd6a72c9efc0513dfd33b87498afc7658dabd26","source":"cve@mitre.org"},{"url":"https://github.com/gpac/gpac/issues/3310","source":"cve@mitre.org"},{"url":"https://infosec.exchange/@sigdevel/116659245751279377","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2025-60481","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T15:16:28.420","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"references":[{"url":"https://github.com/gpac/gpac/commit/e02d1fd24cdc26acb1b236ab38b3832cffcae21b","source":"cve@mitre.org"},{"url":"https://github.com/gpac/gpac/issues/3296","source":"cve@mitre.org"},{"url":"https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/45/README.md","source":"cve@mitre.org"},{"url":"https://infosec.exchange/@sigdevel/116659159345966316","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2025-60483","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T15:16:28.540","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"references":[{"url":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","source":"cve@mitre.org"},{"url":"https://github.com/gpac/gpac/issues/3302","source":"cve@mitre.org"},{"url":"https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/49/README.md","source":"cve@mitre.org"},{"url":"https://infosec.exchange/@sigdevel/116659111520602254","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2025-60485","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T15:16:28.643","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"references":[{"url":"https://github.com/gpac/gpac/commit/4860a1a6f128ccc9ae37b4b738d22029f9672457","source":"cve@mitre.org"},{"url":"https://github.com/gpac/gpac/issues/3323","source":"cve@mitre.org"},{"url":"https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/52/README.md","source":"cve@mitre.org"},{"url":"https://infosec.exchange/@sigdevel/116662498332150083","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2025-60486","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T15:16:28.753","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"references":[{"url":"https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b","source":"cve@mitre.org"},{"url":"https://github.com/gpac/gpac/issues/3314","source":"cve@mitre.org"},{"url":"https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/53/README.md","source":"cve@mitre.org"},{"url":"https://infosec.exchange/@sigdevel/116662544397024289","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2025-60495","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T15:16:28.860","lastModified":"2026-06-01T18:16:02.273","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-476"}]}],"references":[{"url":"https://github.com/gpac/gpac/commit/9beed3c0a2f38505c745e5376234e7ed66e8e0b1","source":"cve@mitre.org"},{"url":"https://github.com/gpac/gpac/issues/3335","source":"cve@mitre.org"},{"url":"https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/66/README.md","source":"cve@mitre.org"},{"url":"https://infosec.exchange/@sigdevel/116659058320692913","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-0826","sourceIdentifier":"hp-security-alert@hp.com","published":"2026-06-01T15:16:29.043","lastModified":"2026-06-01T17:07:57.203","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In certain scenarios when the admin has enabled Interactive Connectivity Establishment (ICE), a buffer overflow could enable\n remote code execution on Poly Voice products on the Linux platform."}],"metrics":{"cvssMetricV40":[{"source":"hp-security-alert@hp.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.2,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"hp-security-alert@hp.com","type":"Secondary","description":[{"lang":"en","value":"CWE-121"}]}],"references":[{"url":"https://support.hp.com/us-en/document/ish_15052661-15052687-16/hpsbpy04083","source":"hp-security-alert@hp.com"}]}},{"cve":{"id":"CVE-2026-10259","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T15:16:31.947","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A security vulnerability has been detected in H3C Magic B0 up to 100R002. The affected element is the function SetMobileAPInfoById of the file /goform/aspForm. Such manipulation of the argument param leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:C/I:C/A:C","baseScore":9.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":8.0,"impactScore":10.0,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-119"},{"lang":"en","value":"CWE-121"}]}],"references":[{"url":"https://github.com/666324/H3C-Magic-B0-vuln","source":"cna@vuldb.com"},{"url":"https://github.com/666324/H3C-Magic-B0-vuln/tree/main/H3C-Magic%20B0-vuln","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10259","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/824402","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367539","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367539/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10260","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T15:16:32.127","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was detected in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /admin/jobs-admins/delete-jobs.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://codeastro.com/","source":"cna@vuldb.com"},{"url":"https://github.com/6Justdododo6/CVE/issues/18","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10260","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/824873","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367540","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367540/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10261","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T15:16:32.350","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw has been found in CodeAstro Online Job Portal 1.0. This affects an unknown function of the file /users/application_status.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://codeastro.com/","source":"cna@vuldb.com"},{"url":"https://github.com/6Justdododo6/CVE/issues/19","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10261","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/824874","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367541","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367541/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10262","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T15:16:32.510","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability has been found in code-projects Real State Services 1.0. This impacts an unknown function of the file /loginuser.php of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://code-projects.org/","source":"cna@vuldb.com"},{"url":"https://github.com/6Justdododo6/CVE/issues/20","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10262","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/824877","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367542","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367542/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10263","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T15:16:32.670","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was found in SourceCodester Computer Repair Shop Management System up to 1.0. Affected is an unknown function of the file /admin/products/manage_product.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/gxcyyjy/CVE/issues/4","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10263","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/824919","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367543","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367543/cti","source":"cna@vuldb.com"},{"url":"https://www.sourcecodester.com/","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10264","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T15:16:32.830","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was determined in lharries whatsapp-mcp 0.0.1. Affected by this vulnerability is the function SendMessageRequest of the file whatsapp-bridge/main.go of the component Send API Endpoint. This manipulation of the argument mediaPath causes path traversal. The exploit has been publicly disclosed and may be utilized. Patch name: 6657cdceadd361e8fbe824afe9d00b4504009a5d. It is recommended to apply a patch to fix this issue."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.0,"baseSeverity":"LOW","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:A/AC:L/Au:S/C:P/I:N/A:N","baseScore":2.7,"accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":5.1,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/BenGedi/whatsapp-mcp/commit/6657cdceadd361e8fbe824afe9d00b4504009a5d","source":"cna@vuldb.com"},{"url":"https://github.com/BenGedi/whatsapp-mcp/pull/1","source":"cna@vuldb.com"},{"url":"https://github.com/lharries/whatsapp-mcp/","source":"cna@vuldb.com"},{"url":"https://github.com/lharries/whatsapp-mcp/issues/241","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10264","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/824924","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367544","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367544/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10265","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T15:16:33.010","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was identified in itsourcecode Content Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_topic.php. Such manipulation of the argument topic_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/Mr-Elymas/cve_submit/issues/2","source":"cna@vuldb.com"},{"url":"https://itsourcecode.com/","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10265","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/824948","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367545","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367545/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10267","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T15:16:33.203","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A security flaw has been discovered in janet-lang janet up to 1.41.0. This affects the function doframe of the file src/core/debug.c. Performing a manipulation results in out-of-bounds read. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named ed17dd2c5913a23fb1107251e44a9410a3c30cf5."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":1.9,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":3.3,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:L/AC:L/Au:S/C:P/I:N/A:N","baseScore":1.7,"accessVector":"LOCAL","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":3.1,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-119"},{"lang":"en","value":"CWE-125"}]}],"references":[{"url":"https://github.com/biniamf/pocs/tree/main/janet-debug-janet-doframe-env-data-oobread","source":"cna@vuldb.com"},{"url":"https://github.com/janet-lang/janet/","source":"cna@vuldb.com"},{"url":"https://github.com/janet-lang/janet/commit/ed17dd2c5913a23fb1107251e44a9410a3c30cf5","source":"cna@vuldb.com"},{"url":"https://github.com/janet-lang/janet/issues/1743","source":"cna@vuldb.com"},{"url":"https://github.com/janet-lang/janet/issues/1743#issuecomment-4322129448","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10267","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825072","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367546","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367546/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10533","sourceIdentifier":"secalert@redhat.com","published":"2026-06-01T15:16:33.443","lastModified":"2026-06-01T16:57:45.130","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":1.4}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-10533","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2483727","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-37220","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T15:16:34.163","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 crashes when an SCTP association is closed before an E2_SETUP_REQUEST is sent. The near-RT RIC assumes a mapping between SCTP association and E2 node always exists in the cleanup path and enforces this via assert(). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by simply completing an SCTP handshake and immediately disconnecting, without sending any E2AP message."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-617"}]}],"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37220.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37221","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T15:16:34.273","lastModified":"2026-06-01T18:09:03.137","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 crashes when receiving a RIC_SUBSCRIPTION_RESPONSE with an unknown ric_id that has no corresponding pending event. The near-RT RIC uses assert() to enforce the existence of a pending event during response processing. A remote unauthenticated attacker can send a forged RIC_SUBSCRIPTION_RESPONSE to the near-RT RIC (port 36421) to cause SIGABRT in Debug builds or NULL pointer dereference (SIGSEGV) in Release builds."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-617"}]}],"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37221.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-42251","sourceIdentifier":"cvd@cert.pl","published":"2026-06-01T15:16:35.060","lastModified":"2026-06-01T16:37:15.140","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Use of hard-coded credentials in KS-SOMED allowed an unauthorized attacker access to FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update.\n\nThis issue affects KS-SOMED with modules: KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026\n\nBeside removing the hard-coded credentials from the code and changing the update process, access granted by previously exposed credentials was limited to read-only."}],"metrics":{"cvssMetricV40":[{"source":"cvd@cert.pl","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"cvd@cert.pl","type":"Primary","description":[{"lang":"en","value":"CWE-798"}]}],"references":[{"url":"https://cert.pl/posts/2026/06/CVE-2026-1958","source":"cvd@cert.pl"},{"url":"https://kamsoft.pl/ks-somed/","source":"cvd@cert.pl"}]}},{"cve":{"id":"CVE-2026-42680","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T15:16:35.733","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation.\n\nThis issue affects Contest Gallery Pro: from n/a through 29.0.1."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/contest-gallery-pro/vulnerability/wordpress-contest-gallery-pro-plugin-29-0-1-privilege-escalation-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42681","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T15:16:35.873","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf.Com e2pdf allows Reflected XSS.\n\nThis issue affects e2pdf: from n/a through 1.32.14."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.7}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/e2pdf/vulnerability/wordpress-e2pdf-plugin-1-32-14-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42682","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T15:16:36.003","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects wpForo Forum: from n/a through 3.0.6."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-3-0-6-broken-access-control-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42683","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T15:16:36.127","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows DOM-Based XSS.\n\nThis issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.8."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.7}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-48559","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T15:16:37.843","lastModified":"2026-06-01T16:55:20.100","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Lightweight Music Server (LMS) though 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://github.com/epoupon/lms/issues/844","source":"disclosure@vulncheck.com"},{"url":"https://github.com/epoupon/lms/milestone/94","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/lightweight-music-server-stored-xss-via-media-file-metadata-tags","source":"disclosure@vulncheck.com"},{"url":"https://www.zeroscience.mk/#/advisories/ZSL-2026-5987","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-48839","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T15:16:38.010","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS.\n\nThis issue affects WP Statistics: from n/a through 14.16.6."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.7}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/wp-statistics/vulnerability/wordpress-wp-statistics-plugin-14-16-6-cross-site-scripting-xss-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-48865","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T15:16:38.150","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress allows Reflected XSS.\n\nThis issue affects LearnPress: from n/a through 4.3.6."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.7}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/learnpress/vulnerability/wordpress-learnpress-plugin-4-3-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-48866","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T15:16:38.273","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal.\n\nThis issue affects Gravity Forms: from n/a through 2.10.0.1."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/gravityforms/vulnerability/wordpress-gravity-forms-plugin-2-10-0-1-arbitrary-file-deletion-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-48879","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T15:16:38.390","lastModified":"2026-06-01T16:41:55.090","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation.\n\nThis issue affects AIWU: from n/a through 1.4.17."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/ai-copilot-content-generator/vulnerability/wordpress-aiwu-plugin-1-4-17-privilege-escalation-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-8931","sourceIdentifier":"incident@nbu.gov.sk","published":"2026-06-01T15:16:39.220","lastModified":"2026-06-01T18:09:48.420","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3."}],"metrics":{"cvssMetricV40":[{"source":"incident@nbu.gov.sk","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://download.disigcdn.sk/cdn/products/websigner2/changelog.en.txt","source":"incident@nbu.gov.sk"},{"url":"https://download.disigcdn.sk/cdn/products/websigner2/changelog.sk.txt","source":"incident@nbu.gov.sk"},{"url":"https://qesportal.sk/Portal/en/Info/News#websigner255","source":"incident@nbu.gov.sk"},{"url":"https://qesportal.sk/Portal/sk/Info/News#websigner255","source":"incident@nbu.gov.sk"},{"url":"https://www.disig.sk/en/news/important-update-of-the-web-signer-application/","source":"incident@nbu.gov.sk"},{"url":"https://www.disig.sk/sk/aktuality/dolezita-aktualizacia-aplikacie-web-signer/","source":"incident@nbu.gov.sk"}]}},{"cve":{"id":"CVE-2022-4991","sourceIdentifier":"cret@cert.org","published":"2026-06-01T17:16:23.143","lastModified":"2026-06-01T18:02:29.343","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges."}],"metrics":{},"references":[{"url":"https://www.kb.cert.org/vuls/id/730007","source":"cret@cert.org"}]}},{"cve":{"id":"CVE-2026-10118","sourceIdentifier":"secalert@redhat.com","published":"2026-06-01T17:16:39.500","lastModified":"2026-06-01T18:12:56.073","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Primary","description":[{"lang":"en","value":"CWE-190"}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-10118","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460428","source":"secalert@redhat.com"},{"url":"https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-10268","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T17:16:42.897","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A weakness has been identified in janet-lang janet up to 1.41.0. This vulnerability affects the function unmarshal_one_fiber of the file src/core/marsh.c. Executing a manipulation can lead to integer overflow. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. This patch is called d9b1d711ea1fde52ac73a82088b512a3e17bad0d. A patch should be applied to remediate this issue."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":1.9,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","baseScore":3.3,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":1.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:L/AC:L/Au:S/C:N/I:N/A:P","baseScore":1.7,"accessVector":"LOCAL","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL"},"baseSeverity":"LOW","exploitabilityScore":3.1,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-189"},{"lang":"en","value":"CWE-190"}]}],"references":[{"url":"https://github.com/biniamf/pocs/tree/main/janet-marsh-unmarshal-intovf","source":"cna@vuldb.com"},{"url":"https://github.com/janet-lang/janet/","source":"cna@vuldb.com"},{"url":"https://github.com/janet-lang/janet/commit/d9b1d711ea1fde52ac73a82088b512a3e17bad0d","source":"cna@vuldb.com"},{"url":"https://github.com/janet-lang/janet/issues/1744","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10268","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825075","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367547","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367547/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10269","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T17:16:43.097","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"},{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://github.com/decolua/9router/","source":"cna@vuldb.com"},{"url":"https://github.com/decolua/9router/commit/428e2c045cb9c0eb8080e8b580471a9c2eaa95ca","source":"cna@vuldb.com"},{"url":"https://github.com/decolua/9router/issues/742","source":"cna@vuldb.com"},{"url":"https://github.com/decolua/9router/releases/tag/v0.4.1","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10269","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825188","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367548","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367548/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10270","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T17:16:43.280","lastModified":"2026-06-01T17:57:23.310","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was detected in D-Link DI-7001 MINI up to 19.09.19A1. Impacted is the function sprintf of the file /httpd_debug.asp of the component API. The manipulation of the argument Time results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:C/I:C/A:C","baseScore":9.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":8.0,"impactScore":10.0,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-119"},{"lang":"en","value":"CWE-121"}]}],"references":[{"url":"https://github.com/666324/dlink-DI-7001MINI-8G-vuln","source":"cna@vuldb.com"},{"url":"https://github.com/666324/dlink-DI-7001MINI-8G-vuln/tree/main/dlink-DI-7001MINI-8G-vuln","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10270","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825198","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367549","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367549/cti","source":"cna@vuldb.com"},{"url":"https://www.dlink.com/","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10271","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T17:16:43.500","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The affected element is an unknown function of the file admin/ of the component Admin Endpoint. This manipulation of the argument uid causes execution after redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-698"},{"lang":"en","value":"CWE-705"}]}],"references":[{"url":"https://github.com/a4m4/Student-Management-System--PHP-/issues/2","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10271","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825224","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367550","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367550/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10272","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T17:16:43.700","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.5}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:P","baseScore":6.4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"},{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://github.com/a4m4/Student-Management-System--PHP-/issues/3","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10272","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825241","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367551","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367551/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10273","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T17:16:43.883","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-77"},{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://github.com/php-censor/php-censor/","source":"cna@vuldb.com"},{"url":"https://github.com/php-censor/php-censor/commit/cd68d102601320bd319d590b75f7652e66f0685f","source":"cna@vuldb.com"},{"url":"https://github.com/php-censor/php-censor/issues/442","source":"cna@vuldb.com"},{"url":"https://github.com/php-censor/php-censor/pull/441","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10273","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825315","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367552","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367552/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10274","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T17:16:44.070","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was determined in indrasishbanerjee aem-mcp-server up to b5f833aef9b5dfd17a5991b3b18a8a11edbdc583. This impacts the function getAssetMetadata of the file src/mcp-server.ts of the component Axios Request Flow. Executing a manipulation of the argument assetPath can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/indrasishbanerjee/aem-mcp-server/","source":"cna@vuldb.com"},{"url":"https://github.com/indrasishbanerjee/aem-mcp-server/issues/3","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10274","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825401","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367553","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367553/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10275","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T17:16:44.247","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw has been found in OpenSC up to 0.26.1. This affects the function test_kpgen_certwrite of the file src/tools/pkcs11-tool.c of the component pkcs11-tool Key Generation Module. This manipulation causes buffer overflow. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been published and may be used. Patch name: 814f745b3b6d100295f65f1935edd33d520d33ab. It is recommended to apply a patch to fix this issue."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":1.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.6,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:P","baseScore":5.1,"accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":4.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-119"},{"lang":"en","value":"CWE-120"}]}],"references":[{"url":"https://github.com/OpenSC/OpenSC/","source":"cna@vuldb.com"},{"url":"https://github.com/OpenSC/OpenSC/commit/814f745b3b6d100295f65f1935edd33d520d33ab","source":"cna@vuldb.com"},{"url":"https://github.com/OpenSC/OpenSC/issues/3682","source":"cna@vuldb.com"},{"url":"https://github.com/OpenSC/OpenSC/pull/3684","source":"cna@vuldb.com"},{"url":"https://pan.baidu.com/s/1nrZPKDz2eAcCpsaFiIRlrg","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10275","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825403","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367568","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367568/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-37222","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T17:16:58.527","lastModified":"2026-06-01T19:16:32.917","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 uses hardcoded assertions to validate Information Element (IE) counts in decoded E2AP messages. A remote unauthenticated attacker can send a valid E2AP PDU containing an unexpected number of IEs (e.g., an E2setupRequest with extra optional fields) to crash the near-RT RIC (port 36421) or iApp (port 36422) via SIGABRT. The code asserts exact IE counts rather than validating against protocol-specified ranges."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-617"}]}],"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37222.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37223","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T17:16:58.647","lastModified":"2026-06-01T21:16:42.180","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 contains a reachable assertion in the iApp message dispatcher. The dispatcher validates incoming E2AP messages against a 9-entry whitelist using assert(). A remote unauthenticated attacker can send any decodable E2AP PDU with a message type not in the whitelist to crash the iApp process (port 36422) via SIGABRT. Since iApp and the near-RT RIC share one process, this terminates the entire RIC service and disconnects all E2 Nodes and xApps."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-617"}]}],"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37223.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37224","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T17:16:58.760","lastModified":"2026-06-01T21:16:42.347","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 crashes when receiving a duplicate E2_SETUP_REQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert() rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process (port 36421) by sending two E2_SETUP_REQUESTs with the same E2 node configuration, triggering SIGABRT."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-617"}]}],"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37224.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37225","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T17:16:58.880","lastModified":"2026-06-01T21:16:42.500","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-617"}]}],"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37225.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37227","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T17:16:58.993","lastModified":"2026-06-01T21:16:42.667","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-617"}]}],"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37227.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-38950","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T17:16:59.257","lastModified":"2026-06-01T21:16:43.150","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md","source":"cve@mitre.org"},{"url":"https://github.com/esa/AnomalyMatch/pull/9","source":"cve@mitre.org"},{"url":"https://imlabs.info/research/security_advisory_esa_anomaly_match_unsafe_deserialization_cve_2026_38950_ivan_markovic_052026.html","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-42671","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:16:59.540","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects GeoDirectory: from n/a through 2.8.157."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.5}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-157-broken-access-control-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42672","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:16:59.667","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection.\n\nThis issue affects WP Directory Kit: from n/a through 1.5.1."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":4.7}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/wpdirectorykit/vulnerability/wordpress-wp-directory-kit-plugin-1-5-1-sql-injection-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42673","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:16:59.793","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data.\n\nThis issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-201"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/logtivity/vulnerability/wordpress-activity-logs-user-activity-tracking-multisite-activity-log-from-logtivity-plugin-3-3-6-sensitive-data-exposure-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42674","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:16:59.917","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding.\n\nThis issue affects Advanced Access Manager: from n/a through 7.1.0."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-290"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/advanced-access-manager/vulnerability/wordpress-advanced-access-manager-plugin-7-1-0-bypass-vulnerability-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42675","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:17:00.043","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Hydra Booking: from n/a through 1.1.41."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-41-broken-access-control-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42676","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:17:00.163","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred allows Stored XSS.\n\nThis issue affects myCred: from n/a through 3.0.4."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.3,"impactScore":3.7}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/mycred/vulnerability/wordpress-mycred-plugin-3-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42677","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:17:00.290","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Missing Authorization vulnerability in Ben Balter WP Document Revisions allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects WP Document Revisions: from n/a before 4.0.0."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/wp-document-revisions/vulnerability/wordpress-wp-document-revisions-plugin-3-8-1-broken-access-control-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42678","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:17:00.413","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS.\n\nThis issue affects GiveWP: from n/a through 4.14.5."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.7}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/give/vulnerability/wordpress-givewp-plugin-4-14-5-cross-site-scripting-xss-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-42679","sourceIdentifier":"audit@patchstack.com","published":"2026-06-01T17:17:00.550","lastModified":"2026-06-01T17:57:16.380","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mamunur Rashid Classified Listing allows Path Traversal.\n\nThis issue affects Classified Listing: from n/a through 5.3.8."}],"metrics":{"cvssMetricV31":[{"source":"audit@patchstack.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"audit@patchstack.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://patchstack.com/database/wordpress/plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-8-arbitrary-file-download-vulnerability?_s_id=cve","source":"audit@patchstack.com"}]}},{"cve":{"id":"CVE-2026-44211","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:07.617","lastModified":"2026-06-01T19:16:48.127","vulnStatus":"Undergoing Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack vulnerability in Cline Kanban servers. At time of publication, there are no publicly available patches."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-306"},{"lang":"en","value":"CWE-1385"}]}],"references":[{"url":"https://github.com/cline/cline/security/advisories/GHSA-5c57-rqjx-35g2","source":"security-advisories@github.com"},{"url":"https://github.com/cline/cline/security/advisories/GHSA-5c57-rqjx-35g2","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-44740","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:08.277","lastModified":"2026-06-01T18:53:33.870","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-674"},{"lang":"en","value":"CWE-835"}]}],"references":[{"url":"https://github.com/go-git/go-billy/releases/tag/v5.9.0","source":"security-advisories@github.com"},{"url":"https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1","source":"security-advisories@github.com"},{"url":"https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45131","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:08.450","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.8}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/CloudPirates-io/helm-charts/commit/fcf930211604652aec15085895b6457bc8b73b54","source":"security-advisories@github.com"},{"url":"https://github.com/CloudPirates-io/helm-charts/security/advisories/GHSA-c47r-c7gw-cvph","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45132","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:08.640","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials (Personal Access Token and SSH signing key) to fork-controlled code due to unsafe checkout and credential handling practices. This issue has been patched via commit fcf9302."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.8}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/CloudPirates-io/helm-charts/commit/fcf930211604652aec15085895b6457bc8b73b54","source":"security-advisories@github.com"},{"url":"https://github.com/CloudPirates-io/helm-charts/security/advisories/GHSA-r874-j8fr-x2pj","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45153","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:08.860","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"PHYSICAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":0.4,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://github.com/nextcloud/android/pull/16896","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2w7v-5299-3hw5","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3625210","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45154","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:09.013","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N","baseScore":2.6,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://github.com/nextcloud/collectives/pull/2432","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8mpv-ggq8-hf3w","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3521434","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45155","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:09.150","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N","baseScore":2.6,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"references":[{"url":"https://github.com/nextcloud/circles/pull/2401","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xpgv-grf9-gm7x","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3511998","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45156","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:09.283","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgv-fqwp-mjpp","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/user_oidc/pull/1285","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3489490","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45157","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:09.420","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during on going uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-45pj-p7x7-4mhc","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/server/pull/59780","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3483708","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45159","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:09.550","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"references":[{"url":"https://github.com/nextcloud/end_to_end_encryption/pull/1395","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p3qw-7gwx-wg24","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3304830","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45264","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:09.690","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://github.com/nextcloud/groupfolders/pull/4361","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx2x-822r-rvmf","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3540673","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45266","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:09.827","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other user's microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x75r-65hm-cw35","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/spreed/pull/17577","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3636758","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45267","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:09.963","lastModified":"2026-06-01T18:14:29.087","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-200"},{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://github.com/nextcloud/forms/pull/3269","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4gh-f8x6-m55f","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3628817","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45701","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T17:17:11.017","lastModified":"2026-06-01T18:16:02.273","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Sulu is an open-source PHP content management system based on the Symfony framework. Prior to versions 2.6.23 and 3.0.6, the password reset tokenand API key generation uses a weak cryptographical hash algorithm. This issue has been patched in versions 2.6.23 and 3.0.6."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-327"}]}],"references":[{"url":"https://github.com/sulu/sulu/releases/tag/2.6.23","source":"security-advisories@github.com"},{"url":"https://github.com/sulu/sulu/releases/tag/3.0.6","source":"security-advisories@github.com"},{"url":"https://github.com/sulu/sulu/security/advisories/GHSA-7fv8-6pp7-6h85","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-46243","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-06-01T17:17:34.173","lastModified":"2026-06-01T21:16:46.090","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: reject userspace cifs.spnego descriptions\n\ncifs.spnego key descriptions contain authority-bearing fields such as\npid, uid, creduid, and upcall_target that cifs.upcall treats as\nkernel-originating inputs. However, userspace can also create keys of\nthis type through request_key(2) or add_key(2), allowing those fields to\nbe supplied without CIFS origin.\n\nOnly accept cifs.spnego descriptions while CIFS is using its private\nspnego_cred to request the key."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"references":[{"url":"https://git.kernel.org/stable/c/0aece6685fc80a8de492688ca2315fb86ec379c7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/2035acfb17221729b1b8ac335e941868a04ca079","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/3da1fdf4efbc490041eb4f836bf596201203f8f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/7713bd320ed4fc3d08a227cd8e41242219a16981","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/91f89c1d83e80417629791fcef6af8140d7d01c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/9544559e59438a4b609b2fdfa0763d8360572824","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/a3bbda6502a9398b816fa2e71c9a3f955f58013d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/cf20038657d6d4974349556a34e08fe0490bebbc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"http://www.openwall.com/lists/oss-security/2026/06/01/6","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://github.com/manizada/CIFSwitch","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}},{"cve":{"id":"CVE-2026-8501","sourceIdentifier":"cret@cert.org","published":"2026-06-01T17:17:35.513","lastModified":"2026-06-01T21:16:47.610","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-782"}]}],"references":[{"url":"https://kb.cert.org/vuls/id/158530","source":"cret@cert.org"},{"url":"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules","source":"cret@cert.org"},{"url":"https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language","source":"cret@cert.org"},{"url":"https://www.kb.cert.org/vuls/id/158530","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2026-8643","sourceIdentifier":"cna@python.org","published":"2026-06-01T17:17:35.770","lastModified":"2026-06-01T21:16:47.773","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory."}],"metrics":{"cvssMetricV40":[{"source":"cna@python.org","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"references":[{"url":"https://github.com/pypa/pip/pull/14000","source":"cna@python.org"},{"url":"https://mail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/","source":"cna@python.org"},{"url":"http://www.openwall.com/lists/oss-security/2026/06/01/5","source":"af854a3a-2127-422b-91ae-364da2661108"}]}},{"cve":{"id":"CVE-2024-52011","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:18.977","lastModified":"2026-06-01T19:16:18.977","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-77"}]}],"references":[{"url":"https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e","source":"security-advisories@github.com"},{"url":"https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-0072","sourceIdentifier":"security@android.com","published":"2026-06-01T19:16:19.337","lastModified":"2026-06-01T19:16:19.337","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}],"metrics":{"cvssMetricV40":[{"source":"security@android.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security@android.com","type":"Secondary","description":[{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://source.android.com/docs/security/bulletin/xr/2026/2026-06-01","source":"security@android.com"}]}},{"cve":{"id":"CVE-2026-10276","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T19:16:20.027","lastModified":"2026-06-01T19:16:20.027","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability has been found in hekmon8 Jenkins-server-mcp 0.1.0. This vulnerability affects the function jobPath of the file src/index.ts of the component get_build_status/get_build_log/trigger_build. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/hekmon8/Jenkins-server-mcp/","source":"cna@vuldb.com"},{"url":"https://github.com/hekmon8/Jenkins-server-mcp/issues/4","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10276","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825412","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367569","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367569/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10277","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T19:16:20.240","lastModified":"2026-06-01T19:16:20.240","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 89c091ecf8b9f9c7291d1af0b1966e271f86551c. It is suggested to install a patch to address this issue."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"},{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://github.com/j3k0/mcp-google-workspace/","source":"cna@vuldb.com"},{"url":"https://github.com/j3k0/mcp-google-workspace/commit/89c091ecf8b9f9c7291d1af0b1966e271f86551c","source":"cna@vuldb.com"},{"url":"https://github.com/j3k0/mcp-google-workspace/issues/19","source":"cna@vuldb.com"},{"url":"https://github.com/j3k0/mcp-google-workspace/pull/22","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10277","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825416","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367570","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367570/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10278","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T19:16:20.440","lastModified":"2026-06-01T19:16:20.440","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component read_file/write_file. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/ishayoyo/excel-mcp/","source":"cna@vuldb.com"},{"url":"https://github.com/ishayoyo/excel-mcp/issues/6","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10278","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825418","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367571","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367571/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10279","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T19:16:20.613","lastModified":"2026-06-01T19:16:20.613","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was identified in hiraishikentaro wezterm-mcp 0.1.0. The affected element is an unknown function of the file src/wezterm_executor.ts of the component switch_pane/write_to_specific_pane. The manipulation of the argument request.params.arguments.pane_id leads to os command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-77"},{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://github.com/hiraishikentaro/wezterm-mcp/","source":"cna@vuldb.com"},{"url":"https://github.com/hiraishikentaro/wezterm-mcp/issues/7","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10279","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825419","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367572","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367572/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10280","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T19:16:20.860","lastModified":"2026-06-01T19:16:20.860","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A security flaw has been discovered in horizon921 mcpilot 0.1.0. The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint. The manipulation of the argument serverBaseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/horizon921/mcpilot/","source":"cna@vuldb.com"},{"url":"https://github.com/horizon921/mcpilot/issues/1","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10280","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825426","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367573","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367573/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10281","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T19:16:21.187","lastModified":"2026-06-01T19:16:21.187","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"},{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"https://github.com/Enderfga/claw-orchestrator/","source":"cna@vuldb.com"},{"url":"https://github.com/Enderfga/claw-orchestrator/commit/d0b02a800aa0689d9428cc4cc170e0b6589fb2c3","source":"cna@vuldb.com"},{"url":"https://github.com/Enderfga/claw-orchestrator/issues/61","source":"cna@vuldb.com"},{"url":"https://github.com/Enderfga/claw-orchestrator/releases/tag/v3.5.6","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10281","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825429","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367574","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367574/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10282","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T19:16:21.370","lastModified":"2026-06-01T19:16:21.370","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","baseScore":4.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"},{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://github.com/Bottelet/DaybydayCRM/","source":"cna@vuldb.com"},{"url":"https://github.com/Bottelet/DaybydayCRM/issues/347","source":"cna@vuldb.com"},{"url":"https://github.com/Bottelet/DaybydayCRM/pull/362","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10282","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825439","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825440","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367575","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367575/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10283","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T19:16:21.547","lastModified":"2026-06-01T19:16:21.547","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"},{"lang":"en","value":"CWE-306"}]}],"references":[{"url":"https://github.com/Bottelet/DaybydayCRM/","source":"cna@vuldb.com"},{"url":"https://github.com/Bottelet/DaybydayCRM/issues/348","source":"cna@vuldb.com"},{"url":"https://github.com/Bottelet/DaybydayCRM/pull/363","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10283","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825442","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825443","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367576","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367576/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-22872","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:21.943","lastModified":"2026-06-01T19:16:21.943","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-863"}]}],"references":[{"url":"https://github.com/projectcapsule/capsule/releases/tag/v0.13.0","source":"security-advisories@github.com"},{"url":"https://github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-23638","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:22.140","lastModified":"2026-06-01T19:16:22.140","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-639"}]}],"references":[{"url":"https://github.com/kiteworks/security-advisories/security/advisories/GHSA-8wmh-mg2h-hf46","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-30963","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:22.780","lastModified":"2026-06-01T19:16:22.780","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Capsule is a multi-tenancy and policy-based framework for Kubernetes. To defend against namespace hijacking achieved through update/patch operations on namespaces, Capsule uses a webhook to validate update requests targeting namespaces. However, in Kubernetes, the namespace/finalize and namespace/status subresource APIs can also modify various fields of a namespace, including the metadata field. Prior to version 0.13.0, the webhook does not define interception rules for these subresources. As a result, if a tenant administrator has permission to modify namespace/status or namespace/finalize, they can successfully perform namespace hijacking. Version 0.13.0 fixes the issue. Another mitigation is to add two subresources (namespaces and snamespaces/status with namespace/finalize within it) to the resources list in the ValidatingWebhookConfiguration rules."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L","baseScore":3.9,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":0.5,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"}]}],"references":[{"url":"https://github.com/projectcapsule/capsule/releases/tag/v0.13.0","source":"security-advisories@github.com"},{"url":"https://github.com/projectcapsule/capsule/security/advisories/GHSA-2ww6-hf35-mfjm","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-37226","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T19:16:33.080","lastModified":"2026-06-01T19:16:33.080","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert() in Debug builds (SIGABRT) and dereferenced in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the iApp process (port 36422) by sending a subscription request with an arbitrary global_e2_node_id."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37226.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37228","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T19:16:33.187","lastModified":"2026-06-01T19:16:33.187","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37228.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37229","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T19:16:33.293","lastModified":"2026-06-01T19:16:33.293","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 contains a reachable assertion in e2ap_create_pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37229.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37230","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T19:16:33.410","lastModified":"2026-06-01T19:16:33.410","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37230.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37231","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T19:16:33.517","lastModified":"2026-06-01T19:16:33.517","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores the value in uint32_t message fields. After 65,530+ E42_SETUP_REQUESTs, the 16-bit counter wraps around and produces duplicate xapp_ids. The iApp (port 36422) crashes when attempting to register a duplicate ID in its internal data structure. A remote attacker can trigger this by repeatedly connecting and requesting new xApp registrations."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37231.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37232","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T19:16:33.623","lastModified":"2026-06-01T19:16:33.623","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking for zero. When a malicious xApp sends a high volume of E42_RIC_SUBSCRIPTION_REQUESTs via the FlexRIC iApp (port 36422/SCTP), the E2 Agent generates KPM Indication reports at high frequency. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, triggering SIGFPE and crashing the entire 5G base station process (nr-softmodem). This results in complete 5G cell service interruption for all connected UEs. No authentication is required."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37232.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/oai/openairinterface5g","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37233","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T19:16:33.743","lastModified":"2026-06-01T19:16:33.743","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp_id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a matching ric_gen_id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37233.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-37235","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T19:16:33.850","lastModified":"2026-06-01T19:16:33.850","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37235.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-40989","sourceIdentifier":"security@vmware.com","published":"2026-06-01T19:16:39.583","lastModified":"2026-06-01T19:16:39.583","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Under infinite recursion in the routing layer, request-handling can cause OOM error.\n\nAffected Spring Products and Versions:\nSpring Cloud Function 3.2.x: versions prior to 3.2.16\nSpring Cloud Function 4.1.x: versions prior to 4.1.10\nSpring Cloud Function 4.2.x: versions prior to 4.2.6\nSpring Cloud Function 4.3.x: versions prior to 4.3.3\nSpring Cloud Function 5.0.x: versions prior to 5.0.2\nOlder, unsupported versions are also affected."}],"metrics":{"cvssMetricV31":[{"source":"security@vmware.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"PHYSICAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":0.5,"impactScore":4.7}]},"weaknesses":[{"source":"security@vmware.com","type":"Secondary","description":[{"lang":"en","value":"CWE-674"}]}],"references":[{"url":"https://spring.io/security/cve-2026-40989","source":"security@vmware.com"}]}},{"cve":{"id":"CVE-2026-40990","sourceIdentifier":"security@vmware.com","published":"2026-06-01T19:16:39.750","lastModified":"2026-06-01T19:16:39.750","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"OOM error is possible while attempting to add infinite amount of functions to Function Registry.\n\nAffected Spring Products and Versions:\nSpring Cloud Function 3.2.x: versions prior to 3.2.16\nSpring Cloud Function 4.1.x: versions prior to 4.1.10\nSpring Cloud Function 4.2.x: versions prior to 4.2.6\nSpring Cloud Function 4.3.x: versions prior to 4.3.3\nSpring Cloud Function 5.0.x: versions prior to 5.0.2\nOlder, unsupported versions are also affected."}],"metrics":{"cvssMetricV31":[{"source":"security@vmware.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"PHYSICAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":0.5,"impactScore":4.7}]},"weaknesses":[{"source":"security@vmware.com","type":"Secondary","description":[{"lang":"en","value":"CWE-770"}]}],"references":[{"url":"https://spring.io/security/cve-2026-40990","source":"security@vmware.com"}]}},{"cve":{"id":"CVE-2026-41013","sourceIdentifier":"security@vmware.com","published":"2026-06-01T19:16:39.887","lastModified":"2026-06-01T21:16:43.947","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells.\n\nAffected versions:\nsmb-volume-release: All versions prior to v3.60.0\nCF Deployment: All versions prior to v56.0.0"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security@vmware.com","type":"Secondary","description":[{"lang":"en","value":"CWE-88"}]}],"references":[{"url":"https://www.cloudfoundry.org/blog/cve-2026-41013-tenant-controlled-comma-smuggles-arbitrary-cifs-mount-options/","source":"security@vmware.com"}]}},{"cve":{"id":"CVE-2026-43623","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T19:16:46.723","lastModified":"2026-06-01T19:16:46.723","vulnStatus":"Received","cveTags":[{"sourceIdentifier":"disclosure@vulncheck.com","tags":["unsupported-when-assigned"]}],"descriptions":[{"lang":"en","value":"microtar through 0.1.0 contains a stack-based buffer overflow vulnerability in the raw_to_header() function in src/microtar.c that allows attackers to corrupt adjacent stack memory by supplying a crafted TAR archive with non-null-terminated name or linkname fields. The function uses strcpy() to copy 100-byte ustar format fields that lack null terminators, causing writes of up to 355 bytes into a 100-byte destination buffer when mtar_open(), mtar_find(), or mtar_read_header() process attacker-supplied TAR archives."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-121"}]}],"references":[{"url":"https://github.com/rxi/microtar/issues/28","source":"disclosure@vulncheck.com"},{"url":"https://github.com/rxi/microtar/issues/29","source":"disclosure@vulncheck.com"},{"url":"https://github.com/rxi/microtar/issues/30","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/microtar-stack-based-buffer-overflow-via-raw-to-header","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-43624","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T19:16:46.960","lastModified":"2026-06-01T19:16:46.960","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting path stays within the intended base directory. Attackers can supply absolute path arguments such as /tmp/EVIL to override the base directory entirely and create arbitrary directories with attacker-controlled JSON content at any filesystem path writable by the server process."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/SWivid/F5-TTS/commit/2f53ded68e5f69e248ceb200a51ef4d1dc647936","source":"disclosure@vulncheck.com"},{"url":"https://github.com/SWivid/F5-TTS/issues/1293","source":"disclosure@vulncheck.com"},{"url":"https://github.com/SWivid/F5-TTS/pull/1294","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/f5-tts-path-traversal-via-finetune-gradio-py-create-data-project","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-43625","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T19:16:47.813","lastModified":"2026-06-01T19:16:47.813","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-319"}]}],"references":[{"url":"https://github.com/steipete/CodexBar/commit/cdd7e347c1cf616615f18aa2ac52ba2ec9cab332","source":"disclosure@vulncheck.com"},{"url":"https://github.com/steipete/CodexBar/pull/1226","source":"disclosure@vulncheck.com"},{"url":"https://github.com/steipete/CodexBar/releases/tag/v0.32.0","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/codexbar-session-cookie-exposure-via-http-redirect","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-43958","sourceIdentifier":"secalert@redhat.com","published":"2026-06-01T19:16:47.970","lastModified":"2026-06-01T19:16:47.970","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in rrdcached, a component of rrdtool. A local attacker with access to a rrdcached socket can exploit a stack-based buffer overflow by sending an oversized CREATE request. This vulnerability can lead to a denial of service by crashing the daemon or potentially allow for arbitrary code execution, impacting the integrity and confidentiality of data."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Primary","description":[{"lang":"en","value":"CWE-121"}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-43958","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460932","source":"secalert@redhat.com"}]}},{"cve":{"id":"CVE-2026-45275","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:49.517","lastModified":"2026-06-01T19:16:49.517","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to force the system to share a file with approvers. This results in an authorization bypass and privilege escalation, allowing unauthorized distribution of restricted files. This issue has been patched in version 2.7.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://github.com/nextcloud/approval/pull/392","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v8q8-w6c3-3gv9","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3593780","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45277","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:49.677","lastModified":"2026-06-01T19:16:49.677","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":3.3,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-200"}]}],"references":[{"url":"https://github.com/nextcloud/approval/pull/356","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7gm-vgxr-9hcw","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3475210","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45278","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:49.823","lastModified":"2026-06-01T19:16:49.823","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website, when the victim uses the attackers link to log in via user OIDC. This issue has been patched in version 8.2.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":3.3,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-601"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8wjr-5cg8-4w73","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/user_oidc/pull/1273","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3464925","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45279","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:49.980","lastModified":"2026-06-01T19:16:49.980","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4, 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, 28.0.14.15"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":0.7,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j33j-qph5-4wch","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/server/pull/57414/files","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3468140","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45281","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:50.193","lastModified":"2026-06-01T19:16:50.193","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hrrv-mp25-26vv","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/server/pull/59962","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3545964","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45282","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:50.370","lastModified":"2026-06-01T19:16:50.370","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart of the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract an attachments, but not the file shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35fx-69q6-xpjr","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/text/pull/8499","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3577244","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45283","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:50.523","lastModified":"2026-06-01T19:16:50.523","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4 or 32.0.2 or 33.0.1"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://github.com/nextcloud/files_lock/pull/1007","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4chh-6mhf-p4jj","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3301553#","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45284","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:50.670","lastModified":"2026-06-01T19:16:50.670","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.2,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-79xf-ffj8-96fm","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/user_oidc/pull/1340","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3554696","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45285","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:50.807","lastModified":"2026-06-01T19:16:50.807","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team’s access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://github.com/nextcloud/circles/pull/2454","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r3xh-x86g-hw4m","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3625932","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45286","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:50.957","lastModified":"2026-06-01T19:16:50.957","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-200"}]}],"references":[{"url":"https://github.com/nextcloud/calendar/issues/7971","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/calendar/pull/8197","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3540663","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45302","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:51.113","lastModified":"2026-06-01T19:16:51.113","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1321"}]}],"references":[{"url":"https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792","source":"security-advisories@github.com"},{"url":"https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1","source":"security-advisories@github.com"},{"url":"https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45543","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:51.707","lastModified":"2026-06-01T19:16:51.707","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-552"}]}],"references":[{"url":"https://github.com/nextcloud/forms/pull/3291","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q4fw-6jf8-5vhh","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3617352","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45544","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:51.873","lastModified":"2026-06-01T19:16:51.873","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria is exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1230"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vvxm-6jjp-m9mp","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/tables/pull/2312","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3483753","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45545","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:52.020","lastModified":"2026-06-01T19:16:52.020","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long SQL queries, through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database, or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":5.8}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x43f-gmgh-vvjj","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/tables/pull/2309","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3462991","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45690","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:52.507","lastModified":"2026-06-01T19:16:52.507","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jgcj-v42r-9922","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/server/pull/59758","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3639301","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45691","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:52.673","lastModified":"2026-06-01T19:16:52.673","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mp6x-g55j-w9jw","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/server/pull/59758","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3573399","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45722","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:52.840","lastModified":"2026-06-01T19:16:52.840","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a query. Compared to normal SQL injections, the ORDER BY is limited to extracting a single bit of information per request or to make the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5h2w-c7px-hp4j","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/tables/pull/2186","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3446689","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45727","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:53.003","lastModified":"2026-06-01T19:16:53.003","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed. This issue has been patched in version 0.3.28."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/CloakHQ/CloakBrowser/security/advisories/GHSA-mf33-gv72-w2h5","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45729","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:53.170","lastModified":"2026-06-01T19:16:53.170","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"references":[{"url":"https://github.com/thorvg/thorvg/commit/159f44fd5e3d2eea1b3a70689a894e657e2bb079","source":"security-advisories@github.com"},{"url":"https://github.com/thorvg/thorvg/pull/4387","source":"security-advisories@github.com"},{"url":"https://github.com/thorvg/thorvg/releases/tag/v1.0.5","source":"security-advisories@github.com"},{"url":"https://github.com/thorvg/thorvg/security/advisories/GHSA-f863-8ghq-7h64","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-45810","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T19:16:53.357","lastModified":"2026-06-01T19:16:53.357","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment, to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"references":[{"url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-285v-p9x9-cjhj","source":"security-advisories@github.com"},{"url":"https://github.com/nextcloud/server/pull/56982","source":"security-advisories@github.com"},{"url":"https://hackerone.com/reports/3425534","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-47294","sourceIdentifier":"secure@microsoft.com","published":"2026-06-01T19:16:53.897","lastModified":"2026-06-01T19:16:53.897","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network."}],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9}]},"weaknesses":[{"source":"secure@microsoft.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47294","source":"secure@microsoft.com"}]}},{"cve":{"id":"CVE-2026-49121","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T19:16:54.180","lastModified":"2026-06-01T19:16:54.180","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.2,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://github.com/ROCm/aiter/issues/3076","source":"disclosure@vulncheck.com"},{"url":"https://github.com/ROCm/aiter/pull/3170","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/ai-tensor-engine-for-rocm-aiter-unauthenticated-rce-via-messagequeue-recv-pickle-deserialization","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-7770","sourceIdentifier":"psirt@us.ibm.com","published":"2026-06-01T19:16:54.773","lastModified":"2026-06-01T19:16:54.773","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"IBM i Access Family 1.1.5.0 through 1.1.9.12 IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7274214","source":"psirt@us.ibm.com"}]}},{"cve":{"id":"CVE-2026-8644","sourceIdentifier":"psirt@us.ibm.com","published":"2026-06-01T19:16:55.097","lastModified":"2026-06-01T19:16:55.097","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Primary","description":[{"lang":"en","value":"CWE-290"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7274740","source":"psirt@us.ibm.com"}]}},{"cve":{"id":"CVE-2026-9311","sourceIdentifier":"psirt@us.ibm.com","published":"2026-06-01T19:16:55.537","lastModified":"2026-06-01T19:16:55.537","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to remote code execution caused by the bypass of security controls."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":9.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":6.0}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7274733","source":"psirt@us.ibm.com"}]}},{"cve":{"id":"CVE-2026-9319","sourceIdentifier":"psirt@us.ibm.com","published":"2026-06-01T19:16:55.680","lastModified":"2026-06-01T19:16:55.680","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":9.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":6.0}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7274738","source":"psirt@us.ibm.com"}]}},{"cve":{"id":"CVE-2026-9330","sourceIdentifier":"psirt@us.ibm.com","published":"2026-06-01T19:16:55.813","lastModified":"2026-06-01T19:16:55.813","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"IBM WebSphere Application Server 9.0, and 8.5 is affected by an improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain."}],"metrics":{"cvssMetricV31":[{"source":"psirt@us.ibm.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":6.0}]},"weaknesses":[{"source":"psirt@us.ibm.com","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7274733","source":"psirt@us.ibm.com"}]}},{"cve":{"id":"CVE-2026-9614","sourceIdentifier":"3c1d8aa1-5a33-4ea4-8992-aadd6440af75","published":"2026-06-01T19:16:55.940","lastModified":"2026-06-01T19:16:55.940","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access."}],"metrics":{"cvssMetricV31":[{"source":"3c1d8aa1-5a33-4ea4-8992-aadd6440af75","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"3c1d8aa1-5a33-4ea4-8992-aadd6440af75","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"references":[{"url":"https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-9614","source":"3c1d8aa1-5a33-4ea4-8992-aadd6440af75"}]}},{"cve":{"id":"CVE-2021-46747","sourceIdentifier":"psirt@amd.com","published":"2026-06-01T21:16:23.103","lastModified":"2026-06-01T21:16:23.103","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application to map sensitive SMN (System Management Network) apertures leading to a potential escalation of privileges."}],"metrics":{"cvssMetricV40":[{"source":"psirt@amd.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"psirt@amd.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1220"}]}],"references":[{"url":"https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html","source":"psirt@amd.com"},{"url":"https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html","source":"psirt@amd.com"}]}},{"cve":{"id":"CVE-2025-70099","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T21:16:24.187","lastModified":"2026-06-01T21:16:24.187","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A NULL pointer dereference in the ext4_dir_en_get_name_len function in include/ext4_dir.h of lwext4 1.0.0 allows attackers to cause a denial of service by supplying a specially crafted EXT4 filesystem image with malformed directory entries. During directory iteration, the code may fail to validate the directory entry pointer before accessing the name_len field, resulting in a segmentation fault. This affects versions based on (or equivalent to) the 2016-era codebase (1.0.0)."}],"metrics":{},"references":[{"url":"https://github.com/gkostka/lwext4/issues/89","source":"cve@mitre.org"},{"url":"https://github.com/sigdevel/pocs/blob/main/res/lwext4/1/sig11_2_1_lwext4_ext4_dir_h_126","source":"cve@mitre.org"},{"url":"https://infosec.exchange/@sigdevel/116668939725424227","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-10284","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T21:16:25.130","lastModified":"2026-06-01T21:16:25.130","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:P","baseScore":5.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"},{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://github.com/devaslanphp/project-management/","source":"cna@vuldb.com"},{"url":"https://github.com/devaslanphp/project-management/issues/140","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10284","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825473","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367577","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367577/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10285","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T21:16:25.310","lastModified":"2026-06-01T21:16:25.310","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:P","baseScore":5.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-266"},{"lang":"en","value":"CWE-285"}]}],"references":[{"url":"https://github.com/devaslanphp/project-management/","source":"cna@vuldb.com"},{"url":"https://github.com/devaslanphp/project-management/issues/141","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10285","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825475","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367578","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367578/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10286","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T21:16:25.480","lastModified":"2026-06-01T21:16:25.480","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was found in CodeAstro Payroll System 1.0. This affects an unknown part of the file /home_employee.php. The manipulation of the argument emp_id results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://codeastro.com/","source":"cna@vuldb.com"},{"url":"https://github.com/yihaofuweng/cve/issues/65","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10286","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825566","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367579","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367579/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10287","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T21:16:25.640","lastModified":"2026-06-01T21:16:25.640","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function get_headers of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://hackmd.io/@Kq4PsjnpQ5WfoMt8ho48LA/By9GXDkyGe","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10287","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825641","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367580","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367580/cti","source":"cna@vuldb.com"},{"url":"https://www.sourcecodester.com/","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10288","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T21:16:25.797","lastModified":"2026-06-01T21:16:25.797","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://code-projects.org/","source":"cna@vuldb.com"},{"url":"https://github.com/Xmyronn/Hotel-and-Tourism-Reservation-System---Authentication-Bypass.git","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10288","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825786","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367581","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367581/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-10289","sourceIdentifier":"cna@vuldb.com","published":"2026-06-01T21:16:25.960","lastModified":"2026-06-01T21:16:25.960","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A security flaw has been discovered in code-projects Hotel and Tourism Reservation System 1.0. Impacted is an unknown function of the file /ht/tour.php. Performing a manipulation of the argument name /email /people /number results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks."}],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","baseScore":5.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cna@vuldb.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"},{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://code-projects.org/","source":"cna@vuldb.com"},{"url":"https://github.com/Xmyronn/Hotel-and-Tourism-Reservation-System---Stored-XSS.git","source":"cna@vuldb.com"},{"url":"https://vuldb.com/cve/CVE-2026-10289","source":"cna@vuldb.com"},{"url":"https://vuldb.com/submit/825934","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367582","source":"cna@vuldb.com"},{"url":"https://vuldb.com/vuln/367582/cti","source":"cna@vuldb.com"}]}},{"cve":{"id":"CVE-2026-24751","sourceIdentifier":"security-advisories@github.com","published":"2026-06-01T21:16:26.950","lastModified":"2026-06-01T21:16:26.950","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://github.com/kiteworks/security-advisories/security/advisories/GHSA-xp8m-wmmp-f947","source":"security-advisories@github.com"}]}},{"cve":{"id":"CVE-2026-37234","sourceIdentifier":"cve@mitre.org","published":"2026-06-01T21:16:42.823","lastModified":"2026-06-01T21:16:42.823","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xapp_ids by sending multiple E42_SETUP_REQUESTs. On disconnect, only the first registered xapp_id's resources are cleaned up; subsequent xapp_ids and their subscriptions remain as stale entries. A remote attacker can exploit this to leak subscription state in the iApp, potentially causing resource exhaustion or state corruption over time."}],"metrics":{},"references":[{"url":"https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37234.md","source":"cve@mitre.org"},{"url":"https://gitlab.eurecom.fr/mosaic5g/flexric","source":"cve@mitre.org"}]}},{"cve":{"id":"CVE-2026-49134","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T21:16:46.353","lastModified":"2026-06-01T21:16:46.353","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"CodexBar prior to 0.32.0 contains a privilege escalation vulnerability in the CLI installer that allows local attackers to execute arbitrary commands as root by exploiting a race condition in temporary file handling. The installer creates a temporary file with mktemp, writes a privileged shell payload into it, and executes it with administrator privileges via bash, allowing a same-user local process to rewrite the installer body before the administrator prompt is approved, causing attacker-controlled commands to run as root."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-377"}]}],"references":[{"url":"https://github.com/steipete/CodexBar/commit/dbc944d46cd4cf7877d1ca47c44556fe573b46e8","source":"disclosure@vulncheck.com"},{"url":"https://github.com/steipete/CodexBar/pull/1222","source":"disclosure@vulncheck.com"},{"url":"https://github.com/steipete/CodexBar/releases/tag/v0.32.0","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/codexbar-privilege-escalation-via-cli-installer-temp-file","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-49135","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T21:16:46.497","lastModified":"2026-06-01T21:16:46.497","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":5.2}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-59"},{"lang":"en","value":"CWE-377"}]}],"references":[{"url":"https://github.com/steipete/CodexBar/commit/e7d932616508cee43ea9bcc63c269b14698de655","source":"disclosure@vulncheck.com"},{"url":"https://github.com/steipete/CodexBar/pull/1228","source":"disclosure@vulncheck.com"},{"url":"https://github.com/steipete/CodexBar/releases/tag/v0.32.0","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/codexbar-insecure-temporary-file-handling-in-notarization-workflow","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-49136","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T21:16:46.627","lastModified":"2026-06-01T21:16:46.627","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Banana Slides through 0.4.0, patched in commit e8bc490, contains a path traversal vulnerability in the generate_image() function within the AI service backend that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check using os.path.startswith() without a trailing separator. Attackers can supply crafted markdown image references in user-controlled page descriptions that resolve to sibling directories whose names share the uploads folder prefix, bypassing the directory confinement check and causing the application to read files from unintended locations via PIL Image.open()."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/Anionex/banana-slides/commit/e8bc490ec8b4b657e07dc3ab4e94fbedcaade421","source":"disclosure@vulncheck.com"},{"url":"https://github.com/Anionex/banana-slides/issues/429","source":"disclosure@vulncheck.com"},{"url":"https://github.com/Anionex/banana-slides/pull/430","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/banana-slides-path-traversal-via-generate-image-in-ai-service-py","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-49138","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T21:16:46.760","lastModified":"2026-06-01T21:16:46.760","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the automatic HTTP redirect following behavior in the httpx library to bypass initial URL validation and cause the runtime to send outbound requests to internal hosts before final resolved URL validation is applied."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":1.4}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/HKUDS/nanobot/commit/545294c62c0947da40eb5b65288aaf02b5fdf632","source":"disclosure@vulncheck.com"},{"url":"https://github.com/HKUDS/nanobot/pull/3928","source":"disclosure@vulncheck.com"},{"url":"https://github.com/HKUDS/nanobot/releases/tag/v0.2.1","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/nanobot-ssrf-via-web-fetch-tool-redirect-following","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-49139","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T21:16:46.913","lastModified":"2026-06-01T21:16:46.913","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the stored conversation reference by sending a crafted inbound activity to the Teams webhook, causing subsequent bot replies to transmit token-bearing Authorization header requests to an attacker-controlled host."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"references":[{"url":"https://github.com/HKUDS/nanobot/commit/232df45126bcf0f8fccd123d73714f202c8e8612","source":"disclosure@vulncheck.com"},{"url":"https://github.com/HKUDS/nanobot/pull/4047","source":"disclosure@vulncheck.com"},{"url":"https://github.com/HKUDS/nanobot/releases/tag/v0.2.1","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/nanobot-ssrf-via-microsoft-teams-channel-serviceurl-poisoning","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-49140","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-06-01T21:16:47.070","lastModified":"2026-06-01T21:16:47.070","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"references":[{"url":"https://github.com/HKUDS/nanobot/commit/1d4000560dfff1acb83f5c5ca8ef3ab1f092bd14","source":"disclosure@vulncheck.com"},{"url":"https://github.com/HKUDS/nanobot/pull/4106","source":"disclosure@vulncheck.com"},{"url":"https://github.com/HKUDS/nanobot/releases/tag/v0.2.1","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/nanobot-denial-of-service-via-matrix-media-download-handler","source":"disclosure@vulncheck.com"}]}},{"cve":{"id":"CVE-2026-49433","sourceIdentifier":"9119a7d8-5eab-497f-8521-727c672e3725","published":"2026-06-01T21:16:47.203","lastModified":"2026-06-01T21:16:47.203","vulnStatus":"Received","cveTags":[{"sourceIdentifier":"9119a7d8-5eab-497f-8521-727c672e3725","tags":["exclusively-hosted-service"]}],"descriptions":[{"lang":"en","value":"The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20."}],"metrics":{"cvssMetricV40":[{"source":"9119a7d8-5eab-497f-8521-727c672e3725","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"9119a7d8-5eab-497f-8521-727c672e3725","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.6,"impactScore":3.4}]},"weaknesses":[{"source":"9119a7d8-5eab-497f-8521-727c672e3725","type":"Secondary","description":[{"lang":"en","value":"CWE-352"}]}],"references":[{"url":"https://deepai.org/","source":"9119a7d8-5eab-497f-8521-727c672e3725"},{"url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-152-01.json","source":"9119a7d8-5eab-497f-8521-727c672e3725"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-49433","source":"9119a7d8-5eab-497f-8521-727c672e3725"}]}},{"cve":{"id":"CVE-2026-5419","sourceIdentifier":"secalert@redhat.com","published":"2026-06-01T21:16:47.480","lastModified":"2026-06-01T21:16:47.480","vulnStatus":"Received","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Primary","description":[{"lang":"en","value":"CWE-208"}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:20613","source":"secalert@redhat.com"},{"url":"https://access.redhat.com/security/cve/CVE-2026-5419","source":"secalert@redhat.com"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467686","source":"secalert@redhat.com"}]}}]}