Marcus Updateinfo to OVAL Converter5.52026-06-19T04:51:59CVE-2006-10002SUSE Liberty Linux 10
XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes.
A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.
ImportantCVE-2006-10002 at SUSECVE-2006-10002 at NVDSUSE bug 1259901SUSE bug 1262588CVE-2006-10003SUSE Liberty Linux 10
XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack.
In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.
The bug can be observed when parsing an XML file with very deep element nesting
ImportantCVE-2006-10003 at SUSECVE-2006-10003 at NVDSUSE bug 1259902SUSE bug 1262588CVE-2018-17828SUSE Liberty Linux 10
Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file.
ModerateCVE-2018-17828 at SUSECVE-2018-17828 at NVDSUSE bug 1110687CVE-2023-52356SUSE Liberty Linux 10
A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.
ModerateCVE-2023-52356 at SUSECVE-2023-52356 at NVDSUSE bug 1219213CVE-2023-52969SUSE Liberty Linux 10
MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an empty backtrace log. This may be related to make_aggr_tables_info and optimize_stage2.
ModerateCVE-2023-52969 at SUSECVE-2023-52969 at NVDSUSE bug 1239150CVE-2023-52970SUSE Liberty Linux 10
MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.* crashes in Item_direct_view_ref::derived_field_transformer_for_where.
ModerateCVE-2023-52970 at SUSECVE-2023-52970 at NVDSUSE bug 1239151CVE-2023-52971SUSE Liberty Linux 10
MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes in JOIN::fix_all_splittings_in_plan.
ModerateCVE-2023-52971 at SUSECVE-2023-52971 at NVDSUSE bug 1249219CVE-2023-53034SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
size. This would make xlate_pos negative.
[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
[ 23.734158] ================================================================================
[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
[ 23.734418] shift exponent -1 is negative
Ensuring xlate_pos is a positive or zero before BIT.
ModerateCVE-2023-53034 at SUSECVE-2023-53034 at NVDSUSE bug 1241341CVE-2024-11235SUSE Liberty Linux 10
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
ModerateCVE-2024-11235 at SUSECVE-2024-11235 at NVDSUSE bug 1239666CVE-2024-11692SUSE Liberty Linux 10
An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
CriticalCVE-2024-11692 at SUSECVE-2024-11692 at NVDSUSE bug 1233695CVE-2024-11694SUSE Liberty Linux 10
Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.
CriticalCVE-2024-11694 at SUSECVE-2024-11694 at NVDSUSE bug 1233695CVE-2024-11695SUSE Liberty Linux 10
A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
CriticalCVE-2024-11695 at SUSECVE-2024-11695 at NVDSUSE bug 1233695CVE-2024-11696SUSE Liberty Linux 10
The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
CriticalCVE-2024-11696 at SUSECVE-2024-11696 at NVDSUSE bug 1233695CVE-2024-11697SUSE Liberty Linux 10
When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
CriticalCVE-2024-11697 at SUSECVE-2024-11697 at NVDSUSE bug 1233695CVE-2024-11699SUSE Liberty Linux 10
Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
CriticalCVE-2024-11699 at SUSECVE-2024-11699 at NVDSUSE bug 1233695CVE-2024-12084SUSE Liberty Linux 10
A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.
CriticalCVE-2024-12084 at SUSECVE-2024-12084 at NVDSUSE bug 1233760SUSE bug 1234100CVE-2024-28956SUSE Liberty Linux 10
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
ModerateCVE-2024-28956 at SUSECVE-2024-28956 at NVDSUSE bug 1242006SUSE bug 1243123CVE-2024-33655SUSE Liberty Linux 10
The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue.
ModerateCVE-2024-33655 at SUSECVE-2024-33655 at NVDSUSE bug 1224102CVE-2024-36350SUSE Liberty Linux 10
A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.
ModerateCVE-2024-36350 at SUSECVE-2024-36350 at NVDSUSE bug 1238896CVE-2024-36357SUSE Liberty Linux 10
A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.
ModerateCVE-2024-36357 at SUSECVE-2024-36357 at NVDSUSE bug 1238896CVE-2024-40896SUSE Liberty Linux 10
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
ImportantCVE-2024-40896 at SUSECVE-2024-40896 at NVDSUSE bug 1234812CVE-2024-47081SUSE Liberty Linux 10
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.
ModerateCVE-2024-47081 at SUSECVE-2024-47081 at NVDSUSE bug 1244039CVE-2024-49570SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/tracing: Fix a potential TP_printk UAF
The commit
afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format")
exposes potential UAFs in the xe_bo_move trace event.
Fix those by avoiding dereferencing the
xe_mem_type_to_name[] array at TP_printk time.
Since some code refactoring has taken place, explicit backporting may
be needed for kernels older than 6.10.
ModerateCVE-2024-49570 at SUSECVE-2024-49570 at NVDSUSE bug 1238782CVE-2024-50349SUSE Liberty Linux 10
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
ModerateCVE-2024-50349 at SUSECVE-2024-50349 at NVDSUSE bug 1235600CVE-2024-52006SUSE Liberty Linux 10
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
ModerateCVE-2024-52006 at SUSECVE-2024-52006 at NVDSUSE bug 1235601CVE-2024-52332SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
igb: Fix potential invalid memory access in igb_init_module()
The pci_register_driver() can fail and when this happened, the dca_notifier
needs to be unregistered, otherwise the dca_notifier can be called when
igb fails to install, resulting to invalid memory access.
ModerateCVE-2024-52332 at SUSECVE-2024-52332 at NVDSUSE bug 1235700CVE-2024-53147SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix out-of-bounds access of directory entries
In the case of the directory size is greater than or equal to
the cluster size, if start_clu becomes an EOF cluster(an invalid
cluster) due to file system corruption, then the directory entry
where ei->hint_femp.eidx hint is outside the directory, resulting
in an out-of-bounds access, which may cause further file system
corruption.
This commit adds a check for start_clu, if it is an invalid cluster,
the file or directory will be treated as empty.
ModerateCVE-2024-53147 at SUSECVE-2024-53147 at NVDSUSE bug 1234857CVE-2024-53216SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
nfsd: release svc_expkey/svc_export with rcu_work
The last reference for `cache_head` can be reduced to zero in `c_show`
and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,
`svc_export_put` and `expkey_put` will be invoked, leading to two
issues:
1. The `svc_export_put` will directly free ex_uuid. However,
`e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can
trigger a use-after-free issue, shown below.
==================================================================
BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]
Read of size 1 at addr ff11000010fdc120 by task cat/870
CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_address_description.constprop.0+0x2c/0x3a0
print_report+0xb9/0x280
kasan_report+0xae/0xe0
svc_export_show+0x362/0x430 [nfsd]
c_show+0x161/0x390 [sunrpc]
seq_read_iter+0x589/0x770
seq_read+0x1e5/0x270
proc_reg_read+0xe1/0x140
vfs_read+0x125/0x530
ksys_read+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 830:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
__kmalloc_node_track_caller_noprof+0x1bc/0x400
kmemdup_noprof+0x22/0x50
svc_export_parse+0x8a9/0xb80 [nfsd]
cache_do_downcall+0x71/0xa0 [sunrpc]
cache_write_procfs+0x8e/0xd0 [sunrpc]
proc_reg_write+0xe1/0x140
vfs_write+0x1a5/0x6d0
ksys_write+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 868:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x37/0x50
kfree+0xf3/0x3e0
svc_export_put+0x87/0xb0 [nfsd]
cache_purge+0x17f/0x1f0 [sunrpc]
nfsd_destroy_serv+0x226/0x2d0 [nfsd]
nfsd_svc+0x125/0x1e0 [nfsd]
write_threads+0x16a/0x2a0 [nfsd]
nfsctl_transaction_write+0x74/0xa0 [nfsd]
vfs_write+0x1a5/0x6d0
ksys_write+0xc1/0x160
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.
However, `svc_export_put`/`expkey_put` will call path_put, which
subsequently triggers a sleeping operation due to the following
`dput`.
=============================
WARNING: suspicious RCU usage
5.10.0-dirty #141 Not tainted
-----------------------------
...
Call Trace:
dump_stack+0x9a/0xd0
___might_sleep+0x231/0x240
dput+0x39/0x600
path_put+0x1b/0x30
svc_export_put+0x17/0x80
e_show+0x1c9/0x200
seq_read_iter+0x63f/0x7c0
seq_read+0x226/0x2d0
vfs_read+0x113/0x2c0
ksys_read+0xc9/0x170
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Fix these issues by using `rcu_work` to help release
`svc_expkey`/`svc_export`. This approach allows for an asynchronous
context to invoke `path_put` and also facilitates the freeing of
`uuid/exp/key` after an RCU grace period.
ModerateCVE-2024-53216 at SUSECVE-2024-53216 at NVDSUSE bug 1235003CVE-2024-53222SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
zram: fix NULL pointer in comp_algorithm_show()
LTP reported a NULL pointer dereference as followed:
CPU: 7 UID: 0 PID: 5995 Comm: cat Kdump: loaded Not tainted 6.12.0-rc6+ #3
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __pi_strcmp+0x24/0x140
lr : zcomp_available_show+0x60/0x100 [zram]
sp : ffff800088b93b90
x29: ffff800088b93b90 x28: 0000000000000001 x27: 0000000000400cc0
x26: 0000000000000ffe x25: ffff80007b3e2388 x24: 0000000000000000
x23: ffff80007b3e2390 x22: ffff0004041a9000 x21: ffff80007b3e2900
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: ffff80007b3e2900 x9 : ffff80007b3cb280
x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000040 x4 : 0000000000000000 x3 : 00656c722d6f7a6c
x2 : 0000000000000000 x1 : ffff80007b3e2900 x0 : 0000000000000000
Call trace:
__pi_strcmp+0x24/0x140
comp_algorithm_show+0x40/0x70 [zram]
dev_attr_show+0x28/0x80
sysfs_kf_seq_show+0x90/0x140
kernfs_seq_show+0x34/0x48
seq_read_iter+0x1d4/0x4e8
kernfs_fop_read_iter+0x40/0x58
new_sync_read+0x9c/0x168
vfs_read+0x1a8/0x1f8
ksys_read+0x74/0x108
__arm64_sys_read+0x24/0x38
invoke_syscall+0x50/0x120
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x38/0x138
el0t_64_sync_handler+0xc0/0xc8
el0t_64_sync+0x188/0x190
The zram->comp_algs[ZRAM_PRIMARY_COMP] can be NULL in zram_add() if
comp_algorithm_set() has not been called. User can access the zram device
by sysfs after device_add_disk(), so there is a time window to trigger the
NULL pointer dereference. Move it ahead device_add_disk() to make sure
when user can access the zram device, it is ready. comp_algorithm_set()
is protected by zram->init_lock in other places and no such problem.
ModerateCVE-2024-53222 at SUSECVE-2024-53222 at NVDSUSE bug 1234974CVE-2024-53241SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
x86/xen: don't do PV iret hypercall through hypercall page
Instead of jumping to the Xen hypercall page for doing the iret
hypercall, directly code the required sequence in xen-asm.S.
This is done in preparation of no longer using hypercall page at all,
as it has shown to cause problems with speculation mitigations.
This is part of XSA-466 / CVE-2024-53241.
ModerateCVE-2024-53241 at SUSECVE-2024-53241 at NVDSUSE bug 1234282CVE-2024-54456SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()
name is char[64] where the size of clnt->cl_program->name remains
unknown. Invoking strcat() directly will also lead to potential buffer
overflow. Change them to strscpy() and strncat() to fix potential
issues.
ImportantCVE-2024-54456 at SUSECVE-2024-54456 at NVDSUSE bug 1239113CVE-2024-5564SUSE Liberty Linux 10
A vulnerability was found in libndp. This flaw allows a local malicious user to cause a buffer overflow in NetworkManager, triggered by sending a malformed IPv6 router advertisement packet. This issue occurred as libndp was not correctly validating the route length information.
ImportantCVE-2024-5564 at SUSECVE-2024-5564 at NVDSUSE bug 1225771CVE-2024-56171SUSE Liberty Linux 10
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
ImportantCVE-2024-56171 at SUSECVE-2024-56171 at NVDSUSE bug 1237363CVE-2024-56433SUSE Liberty Linux 10
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
LowCVE-2024-56433 at SUSECVE-2024-56433 at NVDCVE-2024-56603SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: af_can: do not leave a dangling sk pointer in can_create()
On error can_create() frees the allocated sk object, but sock_init_data()
has already attached it to the provided sock object. This will leave a
dangling sk pointer in the sock object and may cause use-after-free later.
ModerateCVE-2024-56603 at SUSECVE-2024-56603 at NVDSUSE bug 1235415CVE-2024-56645SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: j1939_session_new(): fix skb reference counting
Since j1939_session_skb_queue() does an extra skb_get() for each new
skb, do the same for the initial one in j1939_session_new() to avoid
refcount underflow.
[mkl: clean up commit message]
ImportantCVE-2024-56645 at SUSECVE-2024-56645 at NVDSUSE bug 1235134SUSE bug 1235135CVE-2024-56662SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl
Fix an issue detected by syzbot with KASAN:
BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/
core.c:416 [inline]
BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0
drivers/acpi/nfit/core.c:459
The issue occurs in cmd_to_func when the call_pkg->nd_reserved2
array is accessed without verifying that call_pkg points to a buffer
that is appropriately sized as a struct nd_cmd_pkg. This can lead
to out-of-bounds access and undefined behavior if the buffer does not
have sufficient space.
To address this, a check was added in acpi_nfit_ctl() to ensure that
buf is not NULL and that buf_len is less than sizeof(*call_pkg)
before accessing it. This ensures safe access to the members of
call_pkg, including the nd_reserved2 array.
ModerateCVE-2024-56662 at SUSECVE-2024-56662 at NVDSUSE bug 1235533CVE-2024-56675SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU
protection. But it is possible to attach a non-sleepable BPF program to a
uprobe, and non-sleepable BPF programs are freed via normal RCU (see
__bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal
RCU grace period does not imply a tasks-trace-RCU grace period.
Fix it by explicitly waiting for a tasks-trace-RCU grace period after
removing the attachment of a bpf_prog to a perf_event.
ModerateCVE-2024-56675 at SUSECVE-2024-56675 at NVDSUSE bug 1235555CVE-2024-56690SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY
Since commit 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for
PADATA_RESET"), the pcrypt encryption and decryption operations return
-EAGAIN when the CPU goes online or offline. In alg_test(), a WARN is
generated when pcrypt_aead_decrypt() or pcrypt_aead_encrypt() returns
-EAGAIN, the unnecessary panic will occur when panic_on_warn set 1.
Fix this issue by calling crypto layer directly without parallelization
in that case.
ModerateCVE-2024-56690 at SUSECVE-2024-56690 at NVDSUSE bug 1235428CVE-2024-57901SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found
by syzbot.
Rework vlan_get_protocol_dgram() to not touch skb at all,
so that it can be used from many cpus on the same skb.
Add a const qualifier to skb argument.
[1]
skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:206 !
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
RSP: 0018:ffffc900038d7638 EFLAGS: 00010282
RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60
R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140
R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011
FS: 00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
skb_push+0xe5/0x100 net/core/skbuff.c:2636
vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585
packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552
sock_recvmsg_nosec net/socket.c:1033 [inline]
sock_recvmsg+0x22f/0x280 net/socket.c:1055
____sys_recvmsg+0x1c6/0x480 net/socket.c:2803
___sys_recvmsg net/socket.c:2845 [inline]
do_recvmmsg+0x426/0xab0 net/socket.c:2940
__sys_recvmmsg net/socket.c:3014 [inline]
__do_sys_recvmmsg net/socket.c:3037 [inline]
__se_sys_recvmmsg net/socket.c:3030 [inline]
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
ImportantCVE-2024-57901 at SUSECVE-2024-57901 at NVDSUSE bug 1235900CVE-2024-57902SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
af_packet: fix vlan_get_tci() vs MSG_PEEK
Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found
by syzbot.
Rework vlan_get_tci() to not touch skb at all,
so that it can be used from many cpus on the same skb.
Add a const qualifier to skb argument.
[1]
skbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:206 !
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
Code: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
RSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286
RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50
R10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140
R13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014
FS: 00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
skb_push+0xe5/0x100 net/core/skbuff.c:2636
vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565
packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg+0x22f/0x280 net/socket.c:1066
____sys_recvmsg+0x1c6/0x480 net/socket.c:2814
___sys_recvmsg net/socket.c:2856 [inline]
do_recvmmsg+0x426/0xab0 net/socket.c:2951
__sys_recvmmsg net/socket.c:3025 [inline]
__do_sys_recvmmsg net/socket.c:3048 [inline]
__se_sys_recvmmsg net/socket.c:3041 [inline]
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
ImportantCVE-2024-57902 at SUSECVE-2024-57902 at NVDSUSE bug 1235950CVE-2024-57941SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled
When the caching for a cookie is temporarily disabled (e.g. due to a DIO
write on that file), future copying to the cache for that file is disabled
until all fds open on that file are closed. However, if netfslib is using
the deprecated PG_private_2 method (such as is currently used by ceph), and
decides it wants to copy to the cache, netfs_advance_write() will just bail
at the first check seeing that the cache stream is unavailable, and
indicate that it dealt with all the content.
This means that we have no subrequests to provide notifications to drive
the state machine or even to pin the request and the request just gets
discarded, leaving the folios with PG_private_2 set.
Fix this by jumping directly to cancel the request if the cache is not
available. That way, we don't remove mark3 from the folio_queue list and
netfs_pgpriv2_cancel() will clean up the folios.
This was found by running the generic/013 xfstest against ceph with an
active cache and the "-o fsc" option passed to ceph. That would usually
hang
ModerateCVE-2024-57941 at SUSECVE-2024-57941 at NVDSUSE bug 1236228CVE-2024-57942SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix ceph copy to cache on write-begin
At the end of netfs_unlock_read_folio() in which folios are marked
appropriately for copying to the cache (either with by being marked dirty
and having their private data set or by having PG_private_2 set) and then
unlocked, the folio_queue struct has the entry pointing to the folio
cleared. This presents a problem for netfs_pgpriv2_write_to_the_cache(),
which is used to write folios marked with PG_private_2 to the cache as it
expects to be able to trawl the folio_queue list thereafter to find the
relevant folios, leading to a hang.
Fix this by not clearing the folio_queue entry if we're going to do the
deprecated copy-to-cache. The clearance will be done instead as the folios
are written to the cache.
This can be reproduced by starting cachefiles, mounting a ceph filesystem
with "-o fsc" and writing to it.
ModerateCVE-2024-57942 at SUSECVE-2024-57942 at NVDSUSE bug 1236229CVE-2024-57977SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix soft lockup in the OOM process
A soft lockup issue was found in the product with about 56,000 tasks were
in the OOM cgroup, it was traversing them when the soft lockup was
triggered.
watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066]
CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G
Hardware name: Huawei Cloud OpenStack Nova, BIOS
RIP: 0010:console_unlock+0x343/0x540
RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247
RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040
R10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0
R13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
vprintk_emit+0x193/0x280
printk+0x52/0x6e
dump_task+0x114/0x130
mem_cgroup_scan_tasks+0x76/0x100
dump_header+0x1fe/0x210
oom_kill_process+0xd1/0x100
out_of_memory+0x125/0x570
mem_cgroup_out_of_memory+0xb5/0xd0
try_charge+0x720/0x770
mem_cgroup_try_charge+0x86/0x180
mem_cgroup_try_charge_delay+0x1c/0x40
do_anonymous_page+0xb5/0x390
handle_mm_fault+0xc4/0x1f0
This is because thousands of processes are in the OOM cgroup, it takes a
long time to traverse all of them. As a result, this lead to soft lockup
in the OOM process.
To fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks'
function per 1000 iterations. For global OOM, call
'touch_softlockup_watchdog' per 1000 iterations to avoid this issue.
ModerateCVE-2024-57977 at SUSECVE-2024-57977 at NVDSUSE bug 1238520CVE-2024-57981SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix NULL pointer dereference on certain command aborts
If a command is queued to the final usable TRB of a ring segment, the
enqueue pointer is advanced to the subsequent link TRB and no further.
If the command is later aborted, when the abort completion is handled
the dequeue pointer is advanced to the first TRB of the next segment.
If no further commands are queued, xhci_handle_stopped_cmd_ring() sees
the ring pointers unequal and assumes that there is a pending command,
so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.
Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell
ring likely is unnecessary too, but it's harmless. Leave it alone.
This is probably Bug 219532, but no confirmation has been received.
The issue has been independently reproduced and confirmed fixed using
a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.
Everything continued working normally after several prevented crashes.
ModerateCVE-2024-57981 at SUSECVE-2024-57981 at NVDSUSE bug 1237912CVE-2024-57984SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition
In dw_i3c_common_probe, &master->hj_work is bound with
dw_i3c_hj_work. And dw_i3c_master_irq_handler can call
dw_i3c_master_irq_handle_ibis function to start the work.
If we remove the module which will call dw_i3c_common_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:
CPU0 CPU1
| dw_i3c_hj_work
dw_i3c_common_remove |
i3c_master_unregister(&master->base) |
device_unregister(&master->dev) |
device_release |
//free master->base |
| i3c_master_do_daa(&master->base)
| //use master->base
Fix it by ensuring that the work is canceled before proceeding with
the cleanup in dw_i3c_common_remove.
ModerateCVE-2024-57984 at SUSECVE-2024-57984 at NVDSUSE bug 1237909SUSE bug 1240391CVE-2024-57986SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections
A report in 2019 by the syzbot fuzzer was found to be connected to two
errors in the HID core associated with Resolution Multipliers. One of
the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop
in hid_apply_multiplier."), but the other has not been fixed.
This error arises because hid_apply_multipler() assumes that every
Resolution Multiplier control is contained in a Logical Collection,
i.e., there's no way the routine can ever set multiplier_collection to
NULL. This is in spite of the fact that the function starts with a
big comment saying:
* "The Resolution Multiplier control must be contained in the same
* Logical Collection as the control(s) to which it is to be applied.
...
* If no Logical Collection is
* defined, the Resolution Multiplier is associated with all
* controls in the report."
* HID Usage Table, v1.12, Section 4.3.1, p30
*
* Thus, search from the current collection upwards until we find a
* logical collection...
The comment and the code overlook the possibility that none of the
collections found may be a Logical Collection.
The fix is to set the multiplier_collection pointer to NULL if the
collection found isn't a Logical Collection.
ModerateCVE-2024-57986 at SUSECVE-2024-57986 at NVDSUSE bug 1237907CVE-2024-57987SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btrtl: check for NULL in btrtl_setup_realtek()
If insert an USB dongle which chip is not maintained in ic_id_table, it
will hit the NULL point accessed. Add a null point check to avoid the
Kernel Oops.
ModerateCVE-2024-57987 at SUSECVE-2024-57987 at NVDSUSE bug 1237905CVE-2024-57988SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name()
devm_kstrdup() can return a NULL pointer on failure,but this
returned value in btbcm_get_board_name() is not checked.
Add NULL check in btbcm_get_board_name(), to handle kernel NULL
pointer dereference error.
ModerateCVE-2024-57988 at SUSECVE-2024-57988 at NVDSUSE bug 1237910CVE-2024-57989SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links
In mt7925_change_vif_links() devm_kzalloc() may return NULL but this
returned value is not checked.
ModerateCVE-2024-57989 at SUSECVE-2024-57989 at NVDSUSE bug 1237899CVE-2024-57995SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev()
In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different
radio, it gets deleted from that radio through a call to
ath12k_mac_unassign_link_vif(). This action frees the arvif pointer.
Subsequently, there is a check involving arvif, which will result in a
read-after-free scenario.
Fix this by moving this check after arvif is again assigned via call to
ath12k_mac_assign_link_vif().
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
ModerateCVE-2024-57995 at SUSECVE-2024-57995 at NVDSUSE bug 1237895CVE-2024-58004SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
media: intel/ipu6: remove cpu latency qos request on error
Fix cpu latency qos list corruption like below. It happens when
we do not remove cpu latency request on error path and free
corresponding memory.
[ 30.634378] l7 kernel: list_add corruption. prev->next should be next (ffffffff9645e960), but was 0000000100100001. (prev=ffff8e9e877e20a8).
[ 30.634388] l7 kernel: WARNING: CPU: 2 PID: 2008 at lib/list_debug.c:32 __list_add_valid_or_report+0x83/0xa0
<snip>
[ 30.634640] l7 kernel: Call Trace:
[ 30.634650] l7 kernel: <TASK>
[ 30.634659] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0
[ 30.634669] l7 kernel: ? __warn.cold+0x93/0xf6
[ 30.634678] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0
[ 30.634690] l7 kernel: ? report_bug+0xff/0x140
[ 30.634702] l7 kernel: ? handle_bug+0x58/0x90
[ 30.634712] l7 kernel: ? exc_invalid_op+0x17/0x70
[ 30.634723] l7 kernel: ? asm_exc_invalid_op+0x1a/0x20
[ 30.634733] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0
[ 30.634742] l7 kernel: plist_add+0xdd/0x140
[ 30.634754] l7 kernel: pm_qos_update_target+0xa0/0x1f0
[ 30.634764] l7 kernel: cpu_latency_qos_update_request+0x61/0xc0
[ 30.634773] l7 kernel: intel_dp_aux_xfer+0x4c7/0x6e0 [i915 1f824655ed04687c2b0d23dbce759fa785f6d033]
ModerateCVE-2024-58004 at SUSECVE-2024-58004 at NVDSUSE bug 1238508CVE-2024-58005SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
tpm: Change to kvalloc() in eventlog/acpi.c
The following failure was reported on HPE ProLiant D320:
[ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0)
[ 10.848132][ T1] ------------[ cut here ]------------
[ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330
[ 10.862827][ T1] Modules linked in:
[ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375
[ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024
[ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330
[ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1
[ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246
[ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000
[ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0
The above transcript shows that ACPI pointed a 16 MiB buffer for the log
events because RSI maps to the 'order' parameter of __alloc_pages_noprof().
Address the bug by moving from devm_kmalloc() to devm_add_action() and
kvmalloc() and devm_add_action().
ModerateCVE-2024-58005 at SUSECVE-2024-58005 at NVDSUSE bug 1237873CVE-2024-58006SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()
In commit 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update
inbound map address") set_bar() was modified to support dynamically
changing the backing physical address of a BAR that was already configured.
This means that set_bar() can be called twice, without ever calling
clear_bar() (as calling clear_bar() would clear the BAR's PCI address
assigned by the host).
This can only be done if the new BAR size/flags does not differ from the
existing BAR configuration. Add these missing checks.
If we allow set_bar() to set e.g. a new BAR size that differs from the
existing BAR size, the new address translation range will be smaller than
the BAR size already determined by the host, which would mean that a read
past the new BAR size would pass the iATU untranslated, which could allow
the host to read memory not belonging to the new struct pci_epf_bar.
While at it, add comments which clarifies the support for dynamically
changing the physical address of a BAR. (Which was also missing.)
ModerateCVE-2024-58006 at SUSECVE-2024-58006 at NVDSUSE bug 1238772CVE-2024-58012SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params
Each cpu DAI should associate with a widget. However, the topology might
not create the right number of DAI widgets for aggregated amps. And it
will cause NULL pointer deference.
Check that the DAI widget associated with the CPU DAI is valid to prevent
NULL pointer deference due to missing DAI widgets in topologies with
aggregated amps.
ModerateCVE-2024-58012 at SUSECVE-2024-58012 at NVDSUSE bug 1239104CVE-2024-58013SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync
This fixes the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543
Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961
CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543
hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 16026:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568
hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:726
sock_write_iter+0x2d7/0x3f0 net/socket.c:1147
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0xaeb/0xd30 fs/read_write.c:679
ksys_write+0x18f/0x2b0 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 16022:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kfree+0x196/0x420 mm/slub.c:4746
mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
__mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550
hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208
hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
sock_do_ioctl+0x158/0x460 net/socket.c:1209
sock_ioctl+0x626/0x8e0 net/socket.c:1328
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
ImportantCVE-2024-58013 at SUSECVE-2024-58013 at NVDSUSE bug 1239095SUSE bug 1239096CVE-2024-58014SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()
In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN()
instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access.
Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
ImportantCVE-2024-58014 at SUSECVE-2024-58014 at NVDSUSE bug 1239109SUSE bug 1239110CVE-2024-58015SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix for out-of bound access error
Selfgen stats are placed in a buffer using print_array_to_buf_index() function.
Array length parameter passed to the function is too big, resulting in possible
out-of bound memory error.
Decreasing buffer size by one fixes faulty upper bound of passed array.
Discovered in coverity scan, CID 1600742 and CID 1600758
ModerateCVE-2024-58015 at SUSECVE-2024-58015 at NVDSUSE bug 1238995CVE-2024-58020SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Add NULL check in mt_input_configured
devm_kasprintf() can return a NULL pointer on failure,but this
returned value in mt_input_configured() is not checked.
Add NULL check in mt_input_configured(), to handle kernel NULL
pointer dereference error.
ModerateCVE-2024-58020 at SUSECVE-2024-58020 at NVDSUSE bug 1239346CVE-2024-58057SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
idpf: convert workqueues to unbound
When a workqueue is created with `WQ_UNBOUND`, its work items are
served by special worker-pools, whose host workers are not bound to
any specific CPU. In the default configuration (i.e. when
`queue_delayed_work` and friends do not specify which CPU to run the
work item on), `WQ_UNBOUND` allows the work item to be executed on any
CPU in the same node of the CPU it was enqueued on. While this
solution potentially sacrifices locality, it avoids contention with
other processes that might dominate the CPU time of the processor the
work item was scheduled on.
This is not just a theoretical problem: in a particular scenario
misconfigured process was hogging most of the time from CPU0, leaving
less than 0.5% of its CPU time to the kworker. The IDPF workqueues
that were using the kworker on CPU0 suffered large completion delays
as a result, causing performance degradation, timeouts and eventual
system crash.
* I have also run a manual test to gauge the performance
improvement. The test consists of an antagonist process
(`./stress --cpu 2`) consuming as much of CPU 0 as possible. This
process is run under `taskset 01` to bind it to CPU0, and its
priority is changed with `chrt -pQ 9900 10000 ${pid}` and
`renice -n -20 ${pid}` after start.
Then, the IDPF driver is forced to prefer CPU0 by editing all calls
to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0.
Finally, `ktraces` for the workqueue events are collected.
Without the current patch, the antagonist process can force
arbitrary delays between `workqueue_queue_work` and
`workqueue_execute_start`, that in my tests were as high as
`30ms`. With the current patch applied, the workqueue can be
migrated to another unloaded CPU in the same node, and, keeping
everything else equal, the maximum delay I could see was `6us`.
ModerateCVE-2024-58057 at SUSECVE-2024-58057 at NVDSUSE bug 1238969CVE-2024-58061SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: prohibit deactivating all links
In the internal API this calls this is a WARN_ON, but that
should remain since internally we want to know about bugs
that may cause this. Prevent deactivating all links in the
debugfs write directly.
ModerateCVE-2024-58061 at SUSECVE-2024-58061 at NVDSUSE bug 1238973CVE-2024-58069SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read
The nvmem interface supports variable buffer sizes, while the regmap
interface operates with fixed-size storage. If an nvmem client uses a
buffer size less than 4 bytes, regmap_read will write out of bounds
as it expects the buffer to point at an unsigned int.
Fix this by using an intermediary unsigned int to hold the value.
ModerateCVE-2024-58069 at SUSECVE-2024-58069 at NVDSUSE bug 1238978CVE-2024-58072SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtlwifi: remove unused check_buddy_priv
Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global
list of private data structures.
Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match
vendor version 2013.02.07") started adding the private data to that list at
probe time and added a hook, check_buddy_priv to find the private data from
a similar device.
However, that function was never used.
Besides, though there is a lock for that list, it is never used. And when
the probe fails, the private data is never removed from the list. This
would cause a second probe to access freed memory.
Remove the unused hook, structures and members, which will prevent the
potential race condition on the list and its corruption during a second
probe when probe fails.
ModerateCVE-2024-58072 at SUSECVE-2024-58072 at NVDSUSE bug 1238964CVE-2024-58075SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
crypto: tegra - do not transfer req when tegra init fails
The tegra_cmac_init or tegra_sha_init function may return an error when
memory is exhausted. It should not transfer the request when they return
an error.
ModerateCVE-2024-58075 at SUSECVE-2024-58075 at NVDSUSE bug 1238976CVE-2024-58077SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback
commit 1f5664351410 ("ASoC: lower "no backend DAIs enabled for ... Port"
log severity") ignores -EINVAL error message on common soc_pcm_ret().
It is used from many functions, ignoring -EINVAL is over-kill.
The reason why -EINVAL was ignored was it really should only be used
upon invalid parameters coming from userspace and in that case we don't
want to log an error since we do not want to give userspace a way to do
a denial-of-service attack on the syslog / diskspace.
So don't use soc_pcm_ret() on .prepare callback is better idea.
ModerateCVE-2024-58077 at SUSECVE-2024-58077 at NVDSUSE bug 1239090CVE-2024-58088SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix deadlock when freeing cgroup storage
The following commit
bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]")
first introduced deadlock prevention for fentry/fexit programs attaching
on bpf_task_storage helpers. That commit also employed the logic in map
free path in its v6 version.
Later bpf_cgrp_storage was first introduced in
c4bcfb38a95e ("bpf: Implement cgroup storage available to non-cgroup-attached bpf progs")
which faces the same issue as bpf_task_storage, instead of its busy
counter, NULL was passed to bpf_local_storage_map_free() which opened
a window to cause deadlock:
<TASK>
(acquiring local_storage->lock)
_raw_spin_lock_irqsave+0x3d/0x50
bpf_local_storage_update+0xd1/0x460
bpf_cgrp_storage_get+0x109/0x130
bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170
? __bpf_prog_enter_recur+0x16/0x80
bpf_trampoline_6442485186+0x43/0xa4
cgroup_storage_ptr+0x9/0x20
(holding local_storage->lock)
bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160
bpf_selem_unlink_storage+0x6f/0x110
bpf_local_storage_map_free+0xa2/0x110
bpf_map_free_deferred+0x5b/0x90
process_one_work+0x17c/0x390
worker_thread+0x251/0x360
kthread+0xd2/0x100
ret_from_fork+0x34/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>
Progs:
- A: SEC("fentry/cgroup_storage_ptr")
- cgid (BPF_MAP_TYPE_HASH)
Record the id of the cgroup the current task belonging
to in this hash map, using the address of the cgroup
as the map key.
- cgrpa (BPF_MAP_TYPE_CGRP_STORAGE)
If current task is a kworker, lookup the above hash
map using function parameter @owner as the key to get
its corresponding cgroup id which is then used to get
a trusted pointer to the cgroup through
bpf_cgroup_from_id(). This trusted pointer can then
be passed to bpf_cgrp_storage_get() to finally trigger
the deadlock issue.
- B: SEC("tp_btf/sys_enter")
- cgrpb (BPF_MAP_TYPE_CGRP_STORAGE)
The only purpose of this prog is to fill Prog A's
hash map by calling bpf_cgrp_storage_get() for as
many userspace tasks as possible.
Steps to reproduce:
- Run A;
- while (true) { Run B; Destroy B; }
Fix this issue by passing its busy counter to the free procedure so
it can be properly incremented before storage/smap locking.
ModerateCVE-2024-58088 at SUSECVE-2024-58088 at NVDSUSE bug 1239510CVE-2025-10158SUSE Liberty Linux 10
A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The
malicious
rsync client requires at least read access to the remote rsync module in order to trigger the issue.
ModerateCVE-2025-10158 at SUSECVE-2025-10158 at NVDSUSE bug 1254441CVE-2025-10527SUSE Liberty Linux 10
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
ImportantCVE-2025-10527 at SUSECVE-2025-10527 at NVDSUSE bug 1249391CVE-2025-10528SUSE Liberty Linux 10
Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
ImportantCVE-2025-10528 at SUSECVE-2025-10528 at NVDSUSE bug 1249391CVE-2025-10529SUSE Liberty Linux 10
Same-origin policy bypass in the Layout component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
ImportantCVE-2025-10529 at SUSECVE-2025-10529 at NVDSUSE bug 1249391CVE-2025-10532SUSE Liberty Linux 10
Incorrect boundary conditions in the JavaScript: GC component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
ImportantCVE-2025-10532 at SUSECVE-2025-10532 at NVDSUSE bug 1249391CVE-2025-10533SUSE Liberty Linux 10
Integer overflow in the SVG component. This vulnerability was fixed in Firefox 143, Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
ImportantCVE-2025-10533 at SUSECVE-2025-10533 at NVDSUSE bug 1249391CVE-2025-10536SUSE Liberty Linux 10
Information disclosure in the Networking: Cache component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
ImportantCVE-2025-10536 at SUSECVE-2025-10536 at NVDSUSE bug 1249391CVE-2025-10537SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
ImportantCVE-2025-10537 at SUSECVE-2025-10537 at NVDSUSE bug 1249391CVE-2025-10728SUSE Liberty Linux 10
When the module renders a Svg file that contains a <pattern> element, it might end up rendering it recursively leading to stack overflow DoS
ImportantCVE-2025-10728 at SUSECVE-2025-10728 at NVDSUSE bug 1250993CVE-2025-10729SUSE Liberty Linux 10
The module will parse a <pattern> node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use after free.
ImportantCVE-2025-10729 at SUSECVE-2025-10729 at NVDSUSE bug 1250994CVE-2025-11082SUSE Liberty Linux 10
A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with "[f]ixed for 2.46".
LowCVE-2025-11082 at SUSECVE-2025-11082 at NVDSUSE bug 1254442CVE-2025-11083SUSE Liberty Linux 10
A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with "[f]ixed for 2.46".
ModerateCVE-2025-11083 at SUSECVE-2025-11083 at NVDSUSE bug 1250632CVE-2025-11187SUSE Liberty Linux 10
Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation
which can trigger a stack-based buffer overflow, invalid pointer or NULL
pointer dereference during MAC verification.
Impact summary: The stack buffer overflow or NULL pointer dereference may
cause a crash leading to Denial of Service for an application that parses
untrusted PKCS#12 files. The buffer overflow may also potentially enable
code execution depending on platform mitigations.
When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2
salt and keylength parameters from the file are used without validation.
If the value of keylength exceeds the size of the fixed stack buffer used
for the derived key (64 bytes), the key derivation will overflow the buffer.
The overflow length is attacker-controlled. Also, if the salt parameter is
not an OCTET STRING type this can lead to invalid or NULL pointer
dereference.
Exploiting this issue requires a user or application to process
a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted
PKCS#12 files in applications as they are usually used to store private
keys which are trusted by definition. For this reason the issue was assessed
as Moderate severity.
The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as
PKCS#12 processing is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.
OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do
not support PBMAC1 in PKCS#12.
ImportantCVE-2025-11187 at SUSECVE-2025-11187 at NVDSUSE bug 1256829SUSE bug 1256878CVE-2025-11230SUSE Liberty Linux 10
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.
ModerateCVE-2025-11230 at SUSECVE-2025-11230 at NVDSUSE bug 1250983CVE-2025-11232SUSE Liberty Linux 10
To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly.
This issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2.
ImportantCVE-2025-11232 at SUSECVE-2025-11232 at NVDSUSE bug 1252863CVE-2025-11234SUSE Liberty Linux 10
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
ImportantCVE-2025-11234 at SUSECVE-2025-11234 at NVDSUSE bug 1250984CVE-2025-11277SUSE Liberty Linux 10
A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks.
ModerateCVE-2025-11277 at SUSECVE-2025-11277 at NVDSUSE bug 1251019CVE-2025-11411SUSE Liberty Linux 10
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.
ModerateCVE-2025-11411 at SUSECVE-2025-11411 at NVDSUSE bug 1252525SUSE bug 1265588CVE-2025-11561SUSE Liberty Linux 10
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
ImportantCVE-2025-11561 at SUSECVE-2025-11561 at NVDSUSE bug 1251827CVE-2025-11568SUSE Liberty Linux 10
A data corruption vulnerability has been identified in the luksmeta utility when used with the LUKS1 disk encryption format. An attacker with the necessary permissions can exploit this flaw by writing a large amount of metadata to an encrypted device. The utility fails to correctly validate the available space, causing the metadata to overwrite and corrupt the user's encrypted data. This action leads to a permanent loss of the stored information. Devices using the LUKS formats other than LUKS1 are not affected by this issue.
ModerateCVE-2025-11568 at SUSECVE-2025-11568 at NVDSUSE bug 1252112CVE-2025-12084SUSE Liberty Linux 10
When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
ModerateCVE-2025-12084 at SUSECVE-2025-12084 at NVDSUSE bug 1254997CVE-2025-12105SUSE Liberty Linux 10
A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.
ImportantCVE-2025-12105 at SUSECVE-2025-12105 at NVDSUSE bug 1252555CVE-2025-1217SUSE Liberty Linux 10
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
ImportantCVE-2025-1217 at SUSECVE-2025-1217 at NVDSUSE bug 1239664CVE-2025-1219SUSE Liberty Linux 10
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
ModerateCVE-2025-1219 at SUSECVE-2025-1219 at NVDSUSE bug 1239667CVE-2025-12801SUSE Liberty Linux 10
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the
privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
ModerateCVE-2025-12801 at SUSECVE-2025-12801 at NVDSUSE bug 1259204CVE-2025-12817SUSE Liberty Linux 10
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
ModerateCVE-2025-12817 at SUSECVE-2025-12817 at NVDSUSE bug 1253332CVE-2025-12818SUSE Liberty Linux 10
Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
ImportantCVE-2025-12818 at SUSECVE-2025-12818 at NVDSUSE bug 1253333CVE-2025-13012SUSE Liberty Linux 10
Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
ImportantCVE-2025-13012 at SUSECVE-2025-13012 at NVDSUSE bug 1253188CVE-2025-13013SUSE Liberty Linux 10
Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
ImportantCVE-2025-13013 at SUSECVE-2025-13013 at NVDSUSE bug 1253188CVE-2025-13014SUSE Liberty Linux 10
Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
ImportantCVE-2025-13014 at SUSECVE-2025-13014 at NVDSUSE bug 1253188CVE-2025-13015SUSE Liberty Linux 10
Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.
ImportantCVE-2025-13015 at SUSECVE-2025-13015 at NVDSUSE bug 1253188CVE-2025-13016SUSE Liberty Linux 10
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
ImportantCVE-2025-13016 at SUSECVE-2025-13016 at NVDSUSE bug 1253188CVE-2025-13017SUSE Liberty Linux 10
Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
ImportantCVE-2025-13017 at SUSECVE-2025-13017 at NVDSUSE bug 1253188CVE-2025-13018SUSE Liberty Linux 10
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
ImportantCVE-2025-13018 at SUSECVE-2025-13018 at NVDSUSE bug 1253188CVE-2025-13019SUSE Liberty Linux 10
Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
ImportantCVE-2025-13019 at SUSECVE-2025-13019 at NVDSUSE bug 1253188CVE-2025-13020SUSE Liberty Linux 10
Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
ImportantCVE-2025-13020 at SUSECVE-2025-13020 at NVDSUSE bug 1253188CVE-2025-13465SUSE Liberty Linux 10
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
ImportantCVE-2025-13465 at SUSECVE-2025-13465 at NVDSUSE bug 1257321CVE-2025-13499SUSE Liberty Linux 10
Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial of service
ModerateCVE-2025-13499 at SUSECVE-2025-13499 at NVDSUSE bug 1254108CVE-2025-13601SUSE Liberty Linux 10
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.
ImportantCVE-2025-13601 at SUSECVE-2025-13601 at NVDSUSE bug 1254297CVE-2025-13609SUSE Liberty Linux 10
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
CriticalCVE-2025-13609 at SUSECVE-2025-13609 at NVDSUSE bug 1254199CVE-2025-13699SUSE Liberty Linux 10
MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Interaction with the mariadb-dump utility is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the handling of view names. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27000.
ImportantCVE-2025-13699 at SUSECVE-2025-13699 at NVDSUSE bug 1254313CVE-2025-13836SUSE Liberty Linux 10
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
ModerateCVE-2025-13836 at SUSECVE-2025-13836 at NVDSUSE bug 1254400CVE-2025-13837SUSE Liberty Linux 10
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
ModerateCVE-2025-13837 at SUSECVE-2025-13837 at NVDSUSE bug 1254401CVE-2025-14087SUSE Liberty Linux 10
A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
ImportantCVE-2025-14087 at SUSECVE-2025-14087 at NVDSUSE bug 1254662CVE-2025-14104SUSE Liberty Linux 10
A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.
ModerateCVE-2025-14104 at SUSECVE-2025-14104 at NVDSUSE bug 1254666CVE-2025-14177SUSE Liberty Linux 10
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
LowCVE-2025-14177 at SUSECVE-2025-14177 at NVDSUSE bug 1255710CVE-2025-14178SUSE Liberty Linux 10
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
ModerateCVE-2025-14178 at SUSECVE-2025-14178 at NVDSUSE bug 1255711CVE-2025-14180SUSE Liberty Linux 10
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
ModerateCVE-2025-14180 at SUSECVE-2025-14180 at NVDSUSE bug 1255712CVE-2025-14242SUSE Liberty Linux 10
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.
ModerateCVE-2025-14242 at SUSECVE-2025-14242 at NVDSUSE bug 1256700CVE-2025-14321SUSE Liberty Linux 10
Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14321 at SUSECVE-2025-14321 at NVDSUSE bug 1254551CVE-2025-14322SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14322 at SUSECVE-2025-14322 at NVDSUSE bug 1254551CVE-2025-14323SUSE Liberty Linux 10
Privilege escalation in the DOM: Notifications component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14323 at SUSECVE-2025-14323 at NVDSUSE bug 1254551CVE-2025-14324SUSE Liberty Linux 10
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14324 at SUSECVE-2025-14324 at NVDSUSE bug 1254551CVE-2025-14325SUSE Liberty Linux 10
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14325 at SUSECVE-2025-14325 at NVDSUSE bug 1254551CVE-2025-14327SUSE Liberty Linux 10
Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.
ImportantCVE-2025-14327 at SUSECVE-2025-14327 at NVDSUSE bug 1254551CVE-2025-14328SUSE Liberty Linux 10
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14328 at SUSECVE-2025-14328 at NVDSUSE bug 1254551CVE-2025-14329SUSE Liberty Linux 10
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14329 at SUSECVE-2025-14329 at NVDSUSE bug 1254551CVE-2025-14330SUSE Liberty Linux 10
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14330 at SUSECVE-2025-14330 at NVDSUSE bug 1254551CVE-2025-14331SUSE Liberty Linux 10
Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14331 at SUSECVE-2025-14331 at NVDSUSE bug 1254551CVE-2025-14333SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
ImportantCVE-2025-14333 at SUSECVE-2025-14333 at NVDSUSE bug 1254551CVE-2025-14512SUSE Liberty Linux 10
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
ModerateCVE-2025-14512 at SUSECVE-2025-14512 at NVDSUSE bug 1254878CVE-2025-14523SUSE Liberty Linux 10
A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.
ImportantCVE-2025-14523 at SUSECVE-2025-14523 at NVDSUSE bug 1254876CVE-2025-14576SUSE Liberty Linux 10
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
ImportantCVE-2025-14576 at SUSECVE-2025-14576 at NVDSUSE bug 1264555CVE-2025-14831SUSE Liberty Linux 10
A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).
ModerateCVE-2025-14831 at SUSECVE-2025-14831 at NVDSUSE bug 1257960CVE-2025-14905SUSE Liberty Linux 10
A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).
ImportantCVE-2025-14905 at SUSECVE-2025-14905 at NVDSUSE bug 1258727SUSE bug 1268047SUSE bug 1268115SUSE bug 1268298CVE-2025-15269SUSE Liberty Linux 10
FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28564.
ImportantCVE-2025-15269 at SUSECVE-2025-15269 at NVDSUSE bug 1256032CVE-2025-15270SUSE Liberty Linux 10
FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563.
ImportantCVE-2025-15270 at SUSECVE-2025-15270 at NVDSUSE bug 1256031CVE-2025-15275SUSE Liberty Linux 10
FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28543.
ImportantCVE-2025-15275 at SUSECVE-2025-15275 at NVDSUSE bug 1256025CVE-2025-15279SUSE Liberty Linux 10
FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of pixels within BMP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27517.
ImportantCVE-2025-15279 at SUSECVE-2025-15279 at NVDSUSE bug 1256013CVE-2025-15282SUSE Liberty Linux 10
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
ModerateCVE-2025-15282 at SUSECVE-2025-15282 at NVDSUSE bug 1257046CVE-2025-15284SUSE Liberty Linux 10
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
Summary
The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.
Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=valueconsumes one parameter slot. The severity has been reduced accordingly.
Details
The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoC
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
Impact
Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.
ModerateCVE-2025-15284 at SUSECVE-2025-15284 at NVDCVE-2025-15366SUSE Liberty Linux 10
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
ModerateCVE-2025-15366 at SUSECVE-2025-15366 at NVDSUSE bug 1257044CVE-2025-15367SUSE Liberty Linux 10
The poplib module, when passed a user-controlled command, can have
additional commands injected using newlines. Mitigation rejects commands
containing control characters.
ModerateCVE-2025-15367 at SUSECVE-2025-15367 at NVDSUSE bug 1257041CVE-2025-15467SUSE Liberty Linux 10
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with
maliciously crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.
When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as
AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
copied into a fixed-size stack buffer without verifying that its length fits
the destination. An attacker can supply a crafted CMS message with an
oversized IV, causing a stack-based out-of-bounds write before any
authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CriticalCVE-2025-15467 at SUSECVE-2025-15467 at NVDSUSE bug 1256830SUSE bug 1256876CVE-2025-15468SUSE Liberty Linux 10
Issue summary: If an application using the SSL_CIPHER_find() function in
a QUIC protocol client or server receives an unknown cipher suite from
the peer, a NULL dereference occurs.
Impact summary: A NULL pointer dereference leads to abnormal termination of
the running process causing Denial of Service.
Some applications call SSL_CIPHER_find() from the client_hello_cb callback
on the cipher ID received from the peer. If this is done with an SSL object
implementing the QUIC protocol, NULL pointer dereference will happen if
the examined cipher ID is unknown or unsupported.
As it is not very common to call this function in applications using the QUIC
protocol and the worst outcome is Denial of Service, the issue was assessed
as Low severity.
The vulnerable code was introduced in the 3.2 version with the addition
of the QUIC protocol support.
The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,
as the QUIC implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.
OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.
ImportantCVE-2025-15468 at SUSECVE-2025-15468 at NVDSUSE bug 1256831SUSE bug 1256880CVE-2025-15469SUSE Liberty Linux 10
Issue summary: The 'openssl dgst' command-line tool silently truncates input
data to 16MB when using one-shot signing algorithms and reports success instead
of an error.
Impact summary: A user signing or verifying files larger than 16MB with
one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire
file is authenticated while trailing data beyond 16MB remains unauthenticated.
When the 'openssl dgst' command is used with algorithms that only support
one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input
is buffered with a 16MB limit. If the input exceeds this limit, the tool
silently truncates to the first 16MB and continues without signaling an error,
contrary to what the documentation states. This creates an integrity gap where
trailing bytes can be modified without detection if both signing and
verification are performed using the same affected codepath.
The issue affects only the command-line tool behavior. Verifiers that process
the full message using library APIs will reject the signature, so the risk
primarily affects workflows that both sign and verify with the affected
'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and
library users are unaffected.
The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the
command-line tools are outside the OpenSSL FIPS module boundary.
OpenSSL 3.5 and 3.6 are vulnerable to this issue.
OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.
ModerateCVE-2025-15469 at SUSECVE-2025-15469 at NVDSUSE bug 1256832CVE-2025-1734SUSE Liberty Linux 10
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
ModerateCVE-2025-1734 at SUSECVE-2025-1734 at NVDSUSE bug 1239668CVE-2025-1736SUSE Liberty Linux 10
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
ImportantCVE-2025-1736 at SUSECVE-2025-1736 at NVDSUSE bug 1239670CVE-2025-1861SUSE Liberty Linux 10
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
ModerateCVE-2025-1861 at SUSECVE-2025-1861 at NVDSUSE bug 1239669CVE-2025-21574SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21574 at SUSECVE-2025-21574 at NVDCVE-2025-21575SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21575 at SUSECVE-2025-21575 at NVDCVE-2025-21577SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21577 at SUSECVE-2025-21577 at NVDCVE-2025-21579SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21579 at SUSECVE-2025-21579 at NVDCVE-2025-21580SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21580 at SUSECVE-2025-21580 at NVDCVE-2025-21581SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21581 at SUSECVE-2025-21581 at NVDCVE-2025-21584SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21584 at SUSECVE-2025-21584 at NVDCVE-2025-21585SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21585 at SUSECVE-2025-21585 at NVDCVE-2025-21588SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-21588 at SUSECVE-2025-21588 at NVDCVE-2025-21633SUSE Liberty Linux 10
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
ImportantCVE-2025-21633 at SUSECVE-2025-21633 at NVDSUSE bug 1236108CVE-2025-21647SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
sched: sch_cake: add bounds checks to host bulk flow fairness counts
Even though we fixed a logic error in the commit cited below, syzbot
still managed to trigger an underflow of the per-host bulk flow
counters, leading to an out of bounds memory access.
To avoid any such logic errors causing out of bounds memory accesses,
this commit factors out all accesses to the per-host bulk flow counters
to a series of helpers that perform bounds-checking before any
increments and decrements. This also has the benefit of improving
readability by moving the conditional checks for the flow mode into
these helpers, instead of having them spread out throughout the
code (which was the cause of the original logic error).
As part of this change, the flow quantum calculation is consolidated
into a helper function, which means that the dithering applied to the
ost load scaling is now applied both in the DRR rotation and when a
sparse flow's quantum is first initiated. The only user-visible effect
of this is that the maximum packet size that can be sent while a flow
stays sparse will now vary with +/- one byte in some cases. This should
not make a noticeable difference in practice, and thus it's not worth
complicating the code to preserve the old behaviour.
ImportantCVE-2025-21647 at SUSECVE-2025-21647 at NVDSUSE bug 1236133SUSE bug 1236134CVE-2025-21652SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Fix use-after-free in ipvlan_get_iflink().
syzbot presented an use-after-free report [0] regarding ipvlan and
linkwatch.
ipvlan does not hold a refcnt of the lower device unlike vlan and
macvlan.
If the linkwatch work is triggered for the ipvlan dev, the lower dev
might have already been freed, resulting in UAF of ipvlan->phy_dev in
ipvlan_get_iflink().
We can delay the lower dev unregistration like vlan and macvlan by
holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and
releasing it in dev->priv_destructor().
Jakub pointed out calling .ndo_XXX after unregister_netdevice() has
returned is error prone and suggested [1] addressing this UAF in the
core by taking commit 750e51603395 ("net: avoid potential UAF in
default_operstate()") further.
Let's assume unregistering devices DOWN and use RCU protection in
default_operstate() not to race with the device unregistration.
[0]:
BUG: KASAN: slab-use-after-free in ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353
Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944
CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47
Hardware name: linux,dummy-virt (DT)
Workqueue: events_unbound linkwatch_event
Call trace:
show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x16c/0x6f0 mm/kasan/report.c:489
kasan_report+0xc0/0x120 mm/kasan/report.c:602
__asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380
ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353
dev_get_iflink+0x7c/0xd8 net/core/dev.c:674
default_operstate net/core/link_watch.c:45 [inline]
rfc2863_policy+0x144/0x360 net/core/link_watch.c:72
linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175
__linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239
linkwatch_event+0x64/0xa8 net/core/link_watch.c:282
process_one_work+0x700/0x1398 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391
kthread+0x2b0/0x360 kernel/kthread.c:389
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862
Allocated by task 9303:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x68 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4283 [inline]
__kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289
__kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650
alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209
rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595
rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771
__rtnl_newlink net/core/rtnetlink.c:3896 [inline]
rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928
netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347
netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg net/socket.c:726 [inline]
__sys_sendto+0x2ec/0x438 net/socket.c:2197
__do_sys_sendto net/socket.c:2204 [inline]
__se_sys_sendto net/socket.c:2200 [inline]
__arm64_sys_sendto+0xe4/0x110 net/socket.c:2200
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
el
---truncated---
ModerateCVE-2025-21652 at SUSECVE-2025-21652 at NVDSUSE bug 1236160CVE-2025-21655SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period
io_eventfd_do_signal() is invoked from an RCU callback, but when
dropping the reference to the io_ev_fd, it calls io_eventfd_free()
directly if the refcount drops to zero. This isn't correct, as any
potential freeing of the io_ev_fd should be deferred another RCU grace
period.
Just call io_eventfd_put() rather than open-code the dec-and-test and
free, which will correctly defer it another RCU grace period.
ModerateCVE-2025-21655 at SUSECVE-2025-21655 at NVDSUSE bug 1236163CVE-2025-21671SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
zram: fix potential UAF of zram table
If zram_meta_alloc failed early, it frees allocated zram->table without
setting it NULL. Which will potentially cause zram_meta_free to access
the table if user reset an failed and uninitialized device.
ModerateCVE-2025-21671 at SUSECVE-2025-21671 at NVDSUSE bug 1236692CVE-2025-21680SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
pktgen: Avoid out-of-bounds access in get_imix_entries
Passing a sufficient amount of imix entries leads to invalid access to the
pkt_dev->imix_entries array because of the incorrect boundary check.
UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24
index 20 is out of range for type 'imix_pkt [20]'
CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl lib/dump_stack.c:117
__ubsan_handle_out_of_bounds lib/ubsan.c:429
get_imix_entries net/core/pktgen.c:874
pktgen_if_write net/core/pktgen.c:1063
pde_write fs/proc/inode.c:334
proc_reg_write fs/proc/inode.c:346
vfs_write fs/read_write.c:593
ksys_write fs/read_write.c:644
do_syscall_64 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130
Found by Linux Verification Center (linuxtesting.org) with SVACE.
[ fp: allow to fill the array completely; minor changelog cleanup ]
ImportantCVE-2025-21680 at SUSECVE-2025-21680 at NVDSUSE bug 1236700SUSE bug 1236701CVE-2025-21691SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
cachestat: fix page cache statistics permission checking
When the 'cachestat()' system call was added in commit cf264e1329fb
("cachestat: implement cachestat syscall"), it was meant to be a much
more convenient (and performant) version of mincore() that didn't need
mapping things into the user virtual address space in order to work.
But it ended up missing the "check for writability or ownership" fix for
mincore(), done in commit 134fca9063ad ("mm/mincore.c: make mincore()
more conservative").
This just adds equivalent logic to 'cachestat()', modified for the file
context (rather than vma).
ModerateCVE-2025-21691 at SUSECVE-2025-21691 at NVDSUSE bug 1237026CVE-2025-21693SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm: zswap: properly synchronize freeing resources during CPU hotunplug
In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout. However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.
If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as some of the resources attached to the acomp_ctx
are freed during hotunplug in zswap_cpu_comp_dead() (i.e.
acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us. Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.
Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating
and freeing resources with compression/decompression paths. Make sure
that acomp_ctx.req is NULL when the resources are freed. In the
compression/decompression paths, check if acomp_ctx.req is NULL after
acquiring the mutex (meaning the CPU was offlined) and retry on the new
CPU.
The initialization of acomp_ctx.mutex is moved from the CPU hotplug
callback to the pool initialization where it belongs (where the mutex is
allocated). In addition to adding clarity, this makes sure that CPU
hotplug cannot reinitialize a mutex that is already locked by
compression/decompression.
Previously a fix was attempted by holding cpus_read_lock() [1]. This
would have caused a potential deadlock as it is possible for code already
holding the lock to fall into reclaim and enter zswap (causing a
deadlock). A fix was also attempted using SRCU for synchronization, but
Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug
notifiers [2].
Alternative fixes that were considered/attempted and could have worked:
- Refcounting the per-CPU acomp_ctx. This involves complexity in
handling the race between the refcount dropping to zero in
zswap_[de]compress() and the refcount being re-initialized when the
CPU is onlined.
- Disabling migration before getting the per-CPU acomp_ctx [3], but
that's discouraged and is a much bigger hammer than needed, and could
result in subtle performance issues.
[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/
[yosryahmed@google.com: remove comment]
ImportantCVE-2025-21693 at SUSECVE-2025-21693 at NVDSUSE bug 1237029SUSE bug 1237047CVE-2025-21696SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm: clear uffd-wp PTE/PMD state on mremap()
When mremap()ing a memory region previously registered with userfaultfd as
write-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in
flag clearing leads to a mismatch between the vma flags (which have
uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp
cleared). This mismatch causes a subsequent mprotect(PROT_WRITE) to
trigger a warning in page_table_check_pte_flags() due to setting the pte
to writable while uffd-wp is still set.
Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any
such mremap() so that the values are consistent with the existing clearing
of VM_UFFD_WP. Be careful to clear the logical flag regardless of its
physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE,
huge PMD and hugetlb paths.
ModerateCVE-2025-21696 at SUSECVE-2025-21696 at NVDSUSE bug 1237111CVE-2025-21702SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
pfifo_tail_enqueue: Drop new packet when sch->limit == 0
Expected behaviour:
In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a
packet in scheduler's queue and decrease scheduler's qlen by one.
Then, pfifo_tail_enqueue() enqueue new packet and increase
scheduler's qlen by one. Finally, pfifo_tail_enqueue() return
`NET_XMIT_CN` status code.
Weird behaviour:
In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a
scheduler that has no packet, the 'drop a packet' step will do nothing.
This means the scheduler's qlen still has value equal 0.
Then, we continue to enqueue new packet and increase scheduler's qlen by
one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by
one and return `NET_XMIT_CN` status code.
The problem is:
Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
- Qdisc_A's type must have '->graft()' function to create parent/child relationship.
Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.
- Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.
- Qdisc_B is configured to have `sch->limit == 0`.
- Qdisc_A is configured to route the enqueued's packet to Qdisc_B.
Enqueue packet through Qdisc_A will lead to:
- hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
- Qdisc_B->q.qlen += 1
- pfifo_tail_enqueue() return `NET_XMIT_CN`
- hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.
The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.
Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem.
This violate the design where parent's qlen should equal to the sum of its childrens'qlen.
Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
ImportantCVE-2025-21702 at SUSECVE-2025-21702 at NVDSUSE bug 1237312SUSE bug 1245797CVE-2025-21726SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
padata: avoid UAF for reorder_work
Although the previous patch can avoid ps and ps UAF for _do_serial, it
can not avoid potential UAF issue for reorder_work. This issue can
happen just as below:
crypto_request crypto_request crypto_del_alg
padata_do_serial
...
padata_reorder
// processes all remaining
// requests then breaks
while (1) {
if (!padata)
break;
...
}
padata_do_serial
// new request added
list_add
// sees the new request
queue_work(reorder_work)
padata_reorder
queue_work_on(squeue->work)
...
<kworker context>
padata_serial_worker
// completes new request,
// no more outstanding
// requests
crypto_del_alg
// free pd
<kworker context>
invoke_padata_reorder
// UAF of pd
To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'
into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.
ImportantCVE-2025-21726 at SUSECVE-2025-21726 at NVDSUSE bug 1238865SUSE bug 1240837CVE-2025-21727SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
<TASK>
dump_stack_lvl+0x32/0x50
print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0
kasan_report+0xa5/0xd0
padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220
padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0
If 'mdelay(10)' is added before calling 'padata_find_next' in the
'padata_reorder' function, this issue could be reproduced easily with
ltp test (pcrypt_aead01).
This can be explained as bellow:
pcrypt_aead_encrypt
...
padata_do_parallel
refcount_inc(&pd->refcnt); // add refcnt
...
padata_do_serial
padata_reorder // pd
while (1) {
padata_find_next(pd, true); // using pd
queue_work_on
...
padata_serial_worker crypto_del_alg
padata_put_pd_cnt // sub refcnt
padata_free_shell
padata_put_pd(ps->pd);
// pd is freed
// loop again, but pd is freed
// call padata_find_next, UAF
}
In the padata_reorder function, when it loops in 'while', if the alg is
deleted, the refcnt may be decreased to 0 before entering
'padata_find_next', which leads to UAF.
As mentioned in [1], do_serial is supposed to be called with BHs disabled
and always happen under RCU protection, to address this issue, add
synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls
to finish.
[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/
[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
ModerateCVE-2025-21727 at SUSECVE-2025-21727 at NVDSUSE bug 1237876CVE-2025-21732SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error
This patch addresses a race condition for an ODP MR that can result in a
CQE with an error on the UMR QP.
During the __mlx5_ib_dereg_mr() flow, the following sequence of calls
occurs:
mlx5_revoke_mr()
mlx5r_umr_revoke_mr()
mlx5r_umr_post_send_wait()
At this point, the lkey is freed from the hardware's perspective.
However, concurrently, mlx5_ib_invalidate_range() might be triggered by
another task attempting to invalidate a range for the same freed lkey.
This task will:
- Acquire the umem_odp->umem_mutex lock.
- Call mlx5r_umr_update_xlt() on the UMR QP.
- Since the lkey has already been freed, this can lead to a CQE error,
causing the UMR QP to enter an error state [1].
To resolve this race condition, the umem_odp->umem_mutex lock is now also
acquired as part of the mlx5_revoke_mr() scope. Upon successful revoke,
we set umem_odp->private which points to that MR to NULL, preventing any
further invalidation attempts on its lkey.
[1] From dmesg:
infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error
cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2
WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]
Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core
CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]
[..]
Call Trace:
<TASK>
mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib]
mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib]
__mmu_notifier_invalidate_range_start+0x1e1/0x240
zap_page_range_single+0xf1/0x1a0
madvise_vma_behavior+0x677/0x6e0
do_madvise+0x1a2/0x4b0
__x64_sys_madvise+0x25/0x30
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
ModerateCVE-2025-21732 at SUSECVE-2025-21732 at NVDSUSE bug 1237877CVE-2025-21738SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ata: libata-sff: Ensure that we cannot write outside the allocated buffer
reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
write outside the allocated buffer, overwriting random memory.
While a ATA device is supposed to abort a ATA_NOP command, there does seem
to be a bug either in libata-sff or QEMU, where either this status is not
set, or the status is cleared before read by ata_sff_hsm_move().
Anyway, that is most likely a separate bug.
Looking at __atapi_pio_bytes(), it already has a safety check to ensure
that __atapi_pio_bytes() cannot write outside the allocated buffer.
Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
cannot write outside the allocated buffer.
ImportantCVE-2025-21738 at SUSECVE-2025-21738 at NVDSUSE bug 1238917SUSE bug 1257118CVE-2025-21741SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
usbnet: ipheth: fix DPE OoB read
Fix an out-of-bounds DPE read, limit the number of processed DPEs to
the amount that fits into the fixed-size NDP16 header.
ModerateCVE-2025-21741 at SUSECVE-2025-21741 at NVDSUSE bug 1238767CVE-2025-21742SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
usbnet: ipheth: use static NDP16 location in URB
Original code allowed for the start of NDP16 to be anywhere within the
URB based on the `wNdpIndex` value in NTH16. Only the start position of
NDP16 was checked, so it was possible for even the fixed-length part
of NDP16 to extend past the end of URB, leading to an out-of-bounds
read.
On iOS devices, the NDP16 header always directly follows NTH16. Rely on
and check for this specific format.
This, along with NCM-specific minimal URB length check that already
exists, will ensure that the fixed-length part of NDP16 plus a set
amount of DPEs fit within the URB.
Note that this commit alone does not fully address the OoB read.
The limit on the amount of DPEs needs to be enforced separately.
ModerateCVE-2025-21742 at SUSECVE-2025-21742 at NVDSUSE bug 1238771CVE-2025-21743SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
usbnet: ipheth: fix possible overflow in DPE length check
Originally, it was possible for the DPE length check to overflow if
wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB
read.
Move the wDatagramIndex term to the other side of the inequality.
An existing condition ensures that wDatagramIndex < urb->actual_length.
ModerateCVE-2025-21743 at SUSECVE-2025-21743 at NVDSUSE bug 1238781CVE-2025-21750SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Check the return value of of_property_read_string_index()
Somewhen between 6.10 and 6.11 the driver started to crash on my
MacBookPro14,3. The property doesn't exist and 'tmp' remains
uninitialized, so we pass a random pointer to devm_kstrdup().
The crash I am getting looks like this:
BUG: unable to handle page fault for address: 00007f033c669379
PF: supervisor read access in kernel mode
PF: error_code(0x0001) - permissions violation
PGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025
Oops: Oops: 0001 [#1] SMP PTI
CPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1
Hardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024
RIP: 0010:strlen+0x4/0x30
Code: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc
RSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202
RAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001
RDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379
RBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a
R10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8
R13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30
FS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x149/0x4c0
? raw_spin_rq_lock_nested+0xe/0x20
? sched_balance_newidle+0x22b/0x3c0
? update_load_avg+0x78/0x770
? exc_page_fault+0x6f/0x150
? asm_exc_page_fault+0x26/0x30
? __pfx_pci_conf1_write+0x10/0x10
? strlen+0x4/0x30
devm_kstrdup+0x25/0x70
brcmf_of_probe+0x273/0x350 [brcmfmac]
ModerateCVE-2025-21750 at SUSECVE-2025-21750 at NVDSUSE bug 1238905CVE-2025-21761SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
ovs_vport_cmd_fill_info() can be called without RTNL or RCU.
Use RCU protection and dev_net_rcu() to avoid potential UAF.
ModerateCVE-2025-21761 at SUSECVE-2025-21761 at NVDSUSE bug 1238775CVE-2025-21765SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU protection in ip6_default_advmss()
ip6_default_advmss() needs rcu protection to make
sure the net structure it reads does not disappear.
ModerateCVE-2025-21765 at SUSECVE-2025-21765 at NVDSUSE bug 1237906CVE-2025-21771SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix incorrect autogroup migration detection
scx_move_task() is called from sched_move_task() and tells the BPF scheduler
that cgroup migration is being committed. sched_move_task() is used by both
cgroup and autogroup migrations and scx_move_task() tried to filter out
autogroup migrations by testing the destination cgroup and PF_EXITING but
this is not enough. In fact, without explicitly tagging the thread which is
doing the cgroup migration, there is no good way to tell apart
scx_move_task() invocations for racing migration to the root cgroup and an
autogroup migration.
This led to scx_move_task() incorrectly ignoring a migration from non-root
cgroup to an autogroup of the root cgroup triggering the following warning:
WARNING: CPU: 7 PID: 1 at kernel/sched/ext.c:3725 scx_cgroup_can_attach+0x196/0x340
...
Call Trace:
<TASK>
cgroup_migrate_execute+0x5b1/0x700
cgroup_attach_task+0x296/0x400
__cgroup_procs_write+0x128/0x140
cgroup_procs_write+0x17/0x30
kernfs_fop_write_iter+0x141/0x1f0
vfs_write+0x31d/0x4a0
__x64_sys_write+0x72/0xf0
do_syscall_64+0x82/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix it by adding an argument to sched_move_task() that indicates whether the
moving is for a cgroup or autogroup migration. After the change,
scx_move_task() is called only for cgroup migrations and renamed to
scx_cgroup_move_task().
ModerateCVE-2025-21771 at SUSECVE-2025-21771 at NVDSUSE bug 1238752CVE-2025-21777SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Validate the persistent meta data subbuf array
The meta data for a mapped ring buffer contains an array of indexes of all
the subbuffers. The first entry is the reader page, and the rest of the
entries lay out the order of the subbuffers in how the ring buffer link
list is to be created.
The validator currently makes sure that all the entries are within the
range of 0 and nr_subbufs. But it does not check if there are any
duplicates.
While working on the ring buffer, I corrupted this array, where I added
duplicates. The validator did not catch it and created the ring buffer
link list on top of it. Luckily, the corruption was only that the reader
page was also in the writer path and only presented corrupted data but did
not crash the kernel. But if there were duplicates in the writer side,
then it could corrupt the ring buffer link list and cause a crash.
Create a bitmask array with the size of the number of subbuffers. Then
clear it. When walking through the subbuf array checking to see if the
entries are within the range, test if its bit is already set in the
subbuf_mask. If it is, then there is duplicates and fail the validation.
If not, set the corresponding bit and continue.
ModerateCVE-2025-21777 at SUSECVE-2025-21777 at NVDSUSE bug 1238764CVE-2025-21785SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
The loop that detects/populates cache information already has a bounds
check on the array size but does not account for cache levels with
separate data/instructions cache. Fix this by incrementing the index
for any populated leaf (instead of any populated level).
ImportantCVE-2025-21785 at SUSECVE-2025-21785 at NVDSUSE bug 1238747SUSE bug 1239076SUSE bug 1240745CVE-2025-21786SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
workqueue: Put the pwq after detaching the rescuer from the pool
The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and
remove detach_completion") adds code to reap the normal workers but
mistakenly does not handle the rescuer and also removes the code waiting
for the rescuer in put_unbound_pool(), which caused a use-after-free bug
reported by Cheung Wall.
To avoid the use-after-free bug, the pool's reference must be held until
the detachment is complete. Therefore, move the code that puts the pwq
after detaching the rescuer from the pool.
ModerateCVE-2025-21786 at SUSECVE-2025-21786 at NVDSUSE bug 1238505CVE-2025-21790SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
vxlan: check vxlan_vnigroup_init() return value
vxlan_init() must check vxlan_vnigroup_init() success
otherwise a crash happens later, spotted by syzbot.
Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167]
CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912
Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00
RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb
RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18
RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000
R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942
unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824
unregister_netdevice_many net/core/dev.c:11866 [inline]
unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736
register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901
__vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981
vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407
rtnl_newlink_create net/core/rtnetlink.c:3795 [inline]
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
ModerateCVE-2025-21790 at SUSECVE-2025-21790 at NVDSUSE bug 1238753CVE-2025-21791SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
vrf: use RCU protection in l3mdev_l3_out()
l3mdev_l3_out() can be called without RCU being held:
raw_sendmsg()
ip_push_pending_frames()
ip_send_skb()
ip_local_out()
__ip_local_out()
l3mdev_ip_out()
Add rcu_read_lock() / rcu_read_unlock() pair to avoid
a potential UAF.
ImportantCVE-2025-21791 at SUSECVE-2025-21791 at NVDSUSE bug 1238512SUSE bug 1240744CVE-2025-21795SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
NFSD: fix hang in nfsd4_shutdown_callback
If nfs4_client is in courtesy state then there is no point to send
the callback. This causes nfsd4_shutdown_callback to hang since
cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP
notifies NFSD that the connection was dropped.
This patch modifies nfsd4_run_cb_work to skip the RPC call if
nfs4_client is in courtesy state.
ModerateCVE-2025-21795 at SUSECVE-2025-21795 at NVDSUSE bug 1238759CVE-2025-21796SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
nfsd: clear acl_access/acl_default after releasing them
If getting acl_default fails, acl_access and acl_default will be released
simultaneously. However, acl_access will still retain a pointer pointing
to the released posix_acl, which will trigger a WARNING in
nfs3svc_release_getacl like this:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28
refcount_warn_saturate+0xb5/0x170
Modules linked in:
CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted
6.12.0-rc6-00079-g04ae226af01f-dirty #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.1-2.fc37 04/01/2014
RIP: 0010:refcount_warn_saturate+0xb5/0x170
Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75
e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb
cd 0f b6 1d 8a3
RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380
RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56
R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001
R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0
FS: 0000000000000000(0000) GS:ffff88871ed00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? refcount_warn_saturate+0xb5/0x170
? __warn+0xa5/0x140
? refcount_warn_saturate+0xb5/0x170
? report_bug+0x1b1/0x1e0
? handle_bug+0x53/0xa0
? exc_invalid_op+0x17/0x40
? asm_exc_invalid_op+0x1a/0x20
? tick_nohz_tick_stopped+0x1e/0x40
? refcount_warn_saturate+0xb5/0x170
? refcount_warn_saturate+0xb5/0x170
nfs3svc_release_getacl+0xc9/0xe0
svc_process_common+0x5db/0xb60
? __pfx_svc_process_common+0x10/0x10
? __rcu_read_unlock+0x69/0xa0
? __pfx_nfsd_dispatch+0x10/0x10
? svc_xprt_received+0xa1/0x120
? xdr_init_decode+0x11d/0x190
svc_process+0x2a7/0x330
svc_handle_xprt+0x69d/0x940
svc_recv+0x180/0x2d0
nfsd+0x168/0x200
? __pfx_nfsd+0x10/0x10
kthread+0x1a2/0x1e0
? kthread+0xf4/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
Clear acl_access/acl_default after posix_acl_release is called to prevent
UAF from being triggered.
ModerateCVE-2025-21796 at SUSECVE-2025-21796 at NVDSUSE bug 1238716CVE-2025-21826SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: reject mismatching sum of field_len with set key length
The field length description provides the length of each separated key
field in the concatenation, each field gets rounded up to 32-bits to
calculate the pipapo rule width from pipapo_init(). The set key length
provides the total size of the key aligned to 32-bits.
Register-based arithmetics still allows for combining mismatching set
key length and field length description, eg. set key length 10 and field
description [ 5, 4 ] leading to pipapo width of 12.
ModerateCVE-2025-21826 at SUSECVE-2025-21826 at NVDSUSE bug 1238968CVE-2025-21828SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: don't flush non-uploaded STAs
If STA state is pre-moved to AUTHORIZED (such as in IBSS
scenarios) and insertion fails, the station is freed.
In this case, the driver never knew about the station,
so trying to flush it is unexpected and may crash.
Check if the sta was uploaded to the driver before and
fix this.
ModerateCVE-2025-21828 at SUSECVE-2025-21828 at NVDSUSE bug 1238958CVE-2025-21837SUSE Liberty Linux 10
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
ModerateCVE-2025-21837 at SUSECVE-2025-21837 at NVDSUSE bug 1239064CVE-2025-21844SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Add check for next_buffer in receive_encrypted_standard()
Add check for the return value of cifs_buf_get() and cifs_small_buf_get()
in receive_encrypted_standard() to prevent null pointer dereference.
ModerateCVE-2025-21844 at SUSECVE-2025-21844 at NVDSUSE bug 1239512CVE-2025-21846SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
acct: perform last write from workqueue
In [1] it was reported that the acct(2) system call can be used to
trigger NULL deref in cases where it is set to write to a file that
triggers an internal lookup. This can e.g., happen when pointing acc(2)
to /sys/power/resume. At the point the where the write to this file
happens the calling task has already exited and called exit_fs(). A
lookup will thus trigger a NULL-deref when accessing current->fs.
Reorganize the code so that the the final write happens from the
workqueue but with the caller's credentials. This preserves the
(strange) permission model and has almost no regression risk.
This api should stop to exist though.
ModerateCVE-2025-21846 at SUSECVE-2025-21846 at NVDSUSE bug 1239508CVE-2025-21847SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()
The nullity of sps->cstream should be checked similarly as it is done in
sof_set_stream_data_offset() function.
Assuming that it is not NULL if sps->stream is NULL is incorrect and can
lead to NULL pointer dereference.
ModerateCVE-2025-21847 at SUSECVE-2025-21847 at NVDSUSE bug 1239471CVE-2025-21851SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix softlockup in arena_map_free on 64k page kernel
On an aarch64 kernel with CONFIG_PAGE_SIZE_64KB=y,
arena_htab tests cause a segmentation fault and soft lockup.
The same failure is not observed with 4k pages on aarch64.
It turns out arena_map_free() is calling
apply_to_existing_page_range() with the address returned by
bpf_arena_get_kern_vm_start(). If this address is not page-aligned
the code ends up calling apply_to_pte_range() with that unaligned
address causing soft lockup.
Fix it by round up GUARD_SZ to PAGE_SIZE << 1 so that the
division by 2 in bpf_arena_get_kern_vm_start() returns
a page-aligned value.
ModerateCVE-2025-21851 at SUSECVE-2025-21851 at NVDSUSE bug 1239480CVE-2025-21853SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
bpf: avoid holding freeze_mutex during mmap operation
We use map->freeze_mutex to prevent races between map_freeze() and
memory mapping BPF map contents with writable permissions. The way we
naively do this means we'll hold freeze_mutex for entire duration of all
the mm and VMA manipulations, which is completely unnecessary. This can
potentially also lead to deadlocks, as reported by syzbot in [0].
So, instead, hold freeze_mutex only during writeability checks, bump
(proactively) "write active" count for the map, unlock the mutex and
proceed with mmap logic. And only if something went wrong during mmap
logic, then undo that "write active" counter increment.
[0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/
ModerateCVE-2025-21853 at SUSECVE-2025-21853 at NVDSUSE bug 1239476CVE-2025-21855SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Don't reference skb after sending to VIOS
Previously, after successfully flushing the xmit buffer to VIOS,
the tx_bytes stat was incremented by the length of the skb.
It is invalid to access the skb memory after sending the buffer to
the VIOS because, at any point after sending, the VIOS can trigger
an interrupt to free this memory. A race between reading skb->len
and freeing the skb is possible (especially during LPM) and will
result in use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
Read of size 4 at addr c00000024eb48a70 by task hxecom/14495
<...>
Call Trace:
[c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)
[c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0
[c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8
[c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0
[c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]
[c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358
<...>
Freed by task 0:
kasan_save_stack+0x34/0x68
kasan_save_track+0x2c/0x50
kasan_save_free_info+0x64/0x108
__kasan_mempool_poison_object+0x148/0x2d4
napi_skb_cache_put+0x5c/0x194
net_tx_action+0x154/0x5b8
handle_softirqs+0x20c/0x60c
do_softirq_own_stack+0x6c/0x88
<...>
The buggy address belongs to the object at c00000024eb48a00 which
belongs to the cache skbuff_head_cache of size 224
==================================================================
ModerateCVE-2025-21855 at SUSECVE-2025-21855 at NVDSUSE bug 1239484CVE-2025-21857SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_api: fix error handling causing NULL dereference
tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can
return 1 if the allocation succeeded after wrapping. This was treated as
an error, with value 1 returned to caller tcf_exts_init_ex() which sets
exts->actions to NULL and returns 1 to caller fl_change().
fl_change() treats err == 1 as success, calling tcf_exts_validate_ex()
which calls tcf_action_init() with exts->actions as argument, where it
is dereferenced.
Example trace:
BUG: kernel NULL pointer dereference, address: 0000000000000000
CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1
RIP: 0010:tcf_action_init+0x1f8/0x2c0
Call Trace:
tcf_action_init+0x1f8/0x2c0
tcf_exts_validate_ex+0x175/0x190
fl_change+0x537/0x1120 [cls_flower]
ModerateCVE-2025-21857 at SUSECVE-2025-21857 at NVDSUSE bug 1239478CVE-2025-21861SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
If migration succeeded, we called
folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the
old to the new folio. This will set memcg_data of the old folio to 0.
Similarly, if migration failed, memcg_data of the dst folio is left unset.
If we call folio_putback_lru() on such folios (memcg_data == 0), we will
add the folio to be freed to the LRU, making memcg code unhappy. Running
the hmm selftests:
# ./hmm-tests
...
# RUN hmm.hmm_device_private.migrate ...
[ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00
[ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
[ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9
[ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000
[ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
[ 102.087230][T14893] ------------[ cut here ]------------
[ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.090478][T14893] Modules linked in:
[ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151
[ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
[ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.096104][T14893] Code: ...
[ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293
[ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426
[ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880
[ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
[ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8
[ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000
[ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000
[ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0
[ 102.113478][T14893] PKRU: 55555554
[ 102.114172][T14893] Call Trace:
[ 102.114805][T14893] <TASK>
[ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.116547][T14893] ? __warn.cold+0x110/0x210
[ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.118667][T14893] ? report_bug+0x1b9/0x320
[ 102.119571][T14893] ? handle_bug+0x54/0x90
[ 102.120494][T14893] ? exc_invalid_op+0x17/0x50
[ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20
[ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0
[ 102.123506][T14893] ? dump_page+0x4f/0x60
[ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
[ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200
[ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10
[ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720
[ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10
[ 102.129550][T14893] folio_putback_lru+0x16/0x80
[ 102.130564][T14893] migrate_device_finalize+0x9b/0x530
[ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0
[ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80
Likely, nothing else goes wrong: putting the last folio reference will
remove the folio from the LRU again. So besides memcg complaining, adding
the folio to be freed to the LRU is just an unnecessary step.
The new flow resembles what we have in migrate_folio_move(): add the dst
to the lru, rem
---truncated---
ModerateCVE-2025-21861 at SUSECVE-2025-21861 at NVDSUSE bug 1239483CVE-2025-21863SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
io_uring: prevent opcode speculation
sqe->opcode is used for different tables, make sure we santitise it
against speculations.
ModerateCVE-2025-21863 at SUSECVE-2025-21863 at NVDSUSE bug 1239475CVE-2025-21864SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
tcp: drop secpath at the same time as we currently drop dst
Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while
running tests that boil down to:
- create a pair of netns
- run a basic TCP test over ipcomp6
- delete the pair of netns
The xfrm_state found on spi_byaddr was not deleted at the time we
delete the netns, because we still have a reference on it. This
lingering reference comes from a secpath (which holds a ref on the
xfrm_state), which is still attached to an skb. This skb is not
leaked, it ends up on sk_receive_queue and then gets defer-free'd by
skb_attempt_defer_free.
The problem happens when we defer freeing an skb (push it on one CPU's
defer_list), and don't flush that list before the netns is deleted. In
that case, we still have a reference on the xfrm_state that we don't
expect at this point.
We already drop the skb's dst in the TCP receive path when it's no
longer needed, so let's also drop the secpath. At this point,
tcp_filter has already called into the LSM hooks that may require the
secpath, so it should not be needed anymore. However, in some of those
places, the MPTCP extension has just been attached to the skb, so we
cannot simply drop all extensions.
ModerateCVE-2025-21864 at SUSECVE-2025-21864 at NVDSUSE bug 1239482CVE-2025-21902SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
acpi: typec: ucsi: Introduce a ->poll_cci method
For the ACPI backend of UCSI the UCSI "registers" are just a memory copy
of the register values in an opregion. The ACPI implementation in the
BIOS ensures that the opregion contents are synced to the embedded
controller and it ensures that the registers (in particular CCI) are
synced back to the opregion on notifications. While there is an ACPI call
that syncs the actual registers to the opregion there is rarely a need to
do this and on some ACPI implementations it actually breaks in various
interesting ways.
The only reason to force a sync from the embedded controller is to poll
CCI while notifications are disabled. Only the ucsi core knows if this
is the case and guessing based on the current command is suboptimal, i.e.
leading to the following spurious assertion splat:
WARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]
CPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1
Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023
Workqueue: events_long ucsi_init_work [typec_ucsi]
RIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]
Call Trace:
<TASK>
ucsi_init_work+0x3c/0xac0 [typec_ucsi]
process_one_work+0x179/0x330
worker_thread+0x252/0x390
kthread+0xd2/0x100
ret_from_fork+0x34/0x50
ret_from_fork_asm+0x1a/0x30
</TASK>
Thus introduce a ->poll_cci() method that works like ->read_cci() with an
additional forced sync and document that this should be used when polling
with notifications disabled. For all other backends that presumably don't
have this issue use the same implementation for both methods.
ModerateCVE-2025-21902 at SUSECVE-2025-21902 at NVDSUSE bug 1240599CVE-2025-21931SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio
Commit b15c87263a69 ("hwpoison, memory_hotplug: allow hwpoisoned pages to
be offlined) add page poison checks in do_migrate_range in order to make
offline hwpoisoned page possible by introducing isolate_lru_page and
try_to_unmap for hwpoisoned page. However folio lock must be held before
calling try_to_unmap. Add it to fix this problem.
Warning will be produced if folio is not locked during unmap:
------------[ cut here ]------------
kernel BUG at ./include/linux/swapops.h:400!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 4 UID: 0 PID: 411 Comm: bash Tainted: G W 6.13.0-rc1-00016-g3c434c7ee82a-dirty #41
Tainted: [W]=WARN
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : try_to_unmap_one+0xb08/0xd3c
lr : try_to_unmap_one+0x3dc/0xd3c
Call trace:
try_to_unmap_one+0xb08/0xd3c (P)
try_to_unmap_one+0x3dc/0xd3c (L)
rmap_walk_anon+0xdc/0x1f8
rmap_walk+0x3c/0x58
try_to_unmap+0x88/0x90
unmap_poisoned_folio+0x30/0xa8
do_migrate_range+0x4a0/0x568
offline_pages+0x5a4/0x670
memory_block_action+0x17c/0x374
memory_subsys_offline+0x3c/0x78
device_offline+0xa4/0xd0
state_store+0x8c/0xf0
dev_attr_store+0x18/0x2c
sysfs_kf_write+0x44/0x54
kernfs_fop_write_iter+0x118/0x1a8
vfs_write+0x3a8/0x4bc
ksys_write+0x6c/0xf8
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x44/0x100
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x30/0xd0
el0t_64_sync_handler+0xc8/0xcc
el0t_64_sync+0x198/0x19c
Code: f9407be0 b5fff320 d4210000 17ffff97 (d4210000)
---[ end trace 0000000000000000 ]---
ModerateCVE-2025-21931 at SUSECVE-2025-21931 at NVDSUSE bug 1240709CVE-2025-21954SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netmem: prevent TX of unreadable skbs
Currently on stable trees we have support for netmem/devmem RX but not
TX. It is not safe to forward/redirect an RX unreadable netmem packet
into the device's TX path, as the device may call dma-mapping APIs on
dma addrs that should not be passed to it.
Fix this by preventing the xmit of unreadable skbs.
Tested by configuring tc redirect:
sudo tc qdisc add dev eth1 ingress
sudo tc filter add dev eth1 ingress protocol ip prio 1 flower ip_proto \
tcp src_ip 192.168.1.12 action mirred egress redirect dev eth1
Before, I see unreadable skbs in the driver's TX path passed to dma
mapping APIs.
After, I don't see unreadable skbs in the driver's TX path passed to dma
mapping APIs.
ModerateCVE-2025-21954 at SUSECVE-2025-21954 at NVDSUSE bug 1240734CVE-2025-21976SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
fbdev: hyperv_fb: Allow graceful removal of framebuffer
When a Hyper-V framebuffer device is unbind, hyperv_fb driver tries to
release the framebuffer forcefully. If this framebuffer is in use it
produce the following WARN and hence this framebuffer is never released.
[ 44.111220] WARNING: CPU: 35 PID: 1882 at drivers/video/fbdev/core/fb_info.c:70 framebuffer_release+0x2c/0x40
< snip >
[ 44.111289] Call Trace:
[ 44.111290] <TASK>
[ 44.111291] ? show_regs+0x6c/0x80
[ 44.111295] ? __warn+0x8d/0x150
[ 44.111298] ? framebuffer_release+0x2c/0x40
[ 44.111300] ? report_bug+0x182/0x1b0
[ 44.111303] ? handle_bug+0x6e/0xb0
[ 44.111306] ? exc_invalid_op+0x18/0x80
[ 44.111308] ? asm_exc_invalid_op+0x1b/0x20
[ 44.111311] ? framebuffer_release+0x2c/0x40
[ 44.111313] ? hvfb_remove+0x86/0xa0 [hyperv_fb]
[ 44.111315] vmbus_remove+0x24/0x40 [hv_vmbus]
[ 44.111323] device_remove+0x40/0x80
[ 44.111325] device_release_driver_internal+0x20b/0x270
[ 44.111327] ? bus_find_device+0xb3/0xf0
Fix this by moving the release of framebuffer and assosiated memory
to fb_ops.fb_destroy function, so that framebuffer framework handles
it gracefully.
While we fix this, also replace manual registrations/unregistration of
framebuffer with devm_register_framebuffer.
ModerateCVE-2025-21976 at SUSECVE-2025-21976 at NVDSUSE bug 1241145CVE-2025-22025SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
nfsd: put dl_stid if fail to queue dl_recall
Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
increment the reference count of dl_stid.
We expect that after the corresponding work_struct is processed, the
reference count of dl_stid will be decremented through the callback
function nfsd4_cb_recall_release.
However, if the call to nfsd4_run_cb fails, the incremented reference
count of dl_stid will not be decremented correspondingly, leading to the
following nfs4_stid leak:
unreferenced object 0xffff88812067b578 (size 344):
comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
hex dump (first 32 bytes):
01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........
00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N..
backtrace:
kmem_cache_alloc+0x4b9/0x700
nfsd4_process_open1+0x34/0x300
nfsd4_open+0x2d1/0x9d0
nfsd4_proc_compound+0x7a2/0xe30
nfsd_dispatch+0x241/0x3e0
svc_process_common+0x5d3/0xcc0
svc_process+0x2a3/0x320
nfsd+0x180/0x2e0
kthread+0x199/0x1d0
ret_from_fork+0x30/0x50
ret_from_fork_asm+0x1b/0x30
unreferenced object 0xffff8881499f4d28 (size 368):
comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I....
30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... .......
backtrace:
kmem_cache_alloc+0x4b9/0x700
nfs4_alloc_stid+0x29/0x210
alloc_init_deleg+0x92/0x2e0
nfs4_set_delegation+0x284/0xc00
nfs4_open_delegation+0x216/0x3f0
nfsd4_process_open2+0x2b3/0xee0
nfsd4_open+0x770/0x9d0
nfsd4_proc_compound+0x7a2/0xe30
nfsd_dispatch+0x241/0x3e0
svc_process_common+0x5d3/0xcc0
svc_process+0x2a3/0x320
nfsd+0x180/0x2e0
kthread+0x199/0x1d0
ret_from_fork+0x30/0x50
ret_from_fork_asm+0x1b/0x30
Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if
fail to queue dl_recall.
ModerateCVE-2025-22025 at SUSECVE-2025-22025 at NVDSUSE bug 1241361CVE-2025-22056SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_tunnel: fix geneve_opt type confusion addition
When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
parsing logic should place every geneve_opt structure one by one
compactly. Hence, when deciding the next geneve_opt position, the
pointer addition should be in units of char *.
However, the current implementation erroneously does type conversion
before the addition, which will lead to heap out-of-bounds write.
[ 6.989857] ==================================================================
[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
[ 6.991162]
[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 6.992281] Call Trace:
[ 6.992423] <TASK>
[ 6.992586] dump_stack_lvl+0x44/0x5c
[ 6.992801] print_report+0x184/0x4be
[ 6.993790] kasan_report+0xc5/0x100
[ 6.994252] kasan_check_range+0xf3/0x1a0
[ 6.994486] memcpy+0x38/0x60
[ 6.994692] nft_tunnel_obj_init+0x977/0xa70
[ 6.995677] nft_obj_init+0x10c/0x1b0
[ 6.995891] nf_tables_newobj+0x585/0x950
[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
[ 6.998997] nfnetlink_rcv+0x1df/0x220
[ 6.999537] netlink_unicast+0x395/0x530
[ 7.000771] netlink_sendmsg+0x3d0/0x6d0
[ 7.001462] __sock_sendmsg+0x99/0xa0
[ 7.001707] ____sys_sendmsg+0x409/0x450
[ 7.002391] ___sys_sendmsg+0xfd/0x170
[ 7.003145] __sys_sendmsg+0xea/0x170
[ 7.004359] do_syscall_64+0x5e/0x90
[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 7.006127] RIP: 0033:0x7ec756d4e407
[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8
Fix this bug with correct pointer addition and conversion in parse
and dump code.
ModerateCVE-2025-22056 at SUSECVE-2025-22056 at NVDSUSE bug 1241525CVE-2025-22068SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ublk: make sure ubq->canceling is set when queue is frozen
Now ublk driver depends on `ubq->canceling` for deciding if the request
can be dispatched via uring_cmd & io_uring_cmd_complete_in_task().
Once ubq->canceling is set, the uring_cmd can be done via ublk_cancel_cmd()
and io_uring_cmd_done().
So set ubq->canceling when queue is frozen, this way makes sure that the
flag can be observed from ublk_queue_rq() reliably, and avoids
use-after-free on uring_cmd.
ModerateCVE-2025-22068 at SUSECVE-2025-22068 at NVDSUSE bug 1241411CVE-2025-22086SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
When cur_qp isn't NULL, in order to avoid fetching the QP from
the radix tree again we check if the next cqe QP is identical to
the one we already have.
The bug however is that we are checking if the QP is identical by
checking the QP number inside the CQE against the QP number inside the
mlx5_ib_qp, but that's wrong since the QP number from the CQE is from
FW so it should be matched against mlx5_core_qp which is our FW QP
number.
Otherwise we could use the wrong QP when handling a CQE which could
cause the kernel trace below.
This issue is mainly noticeable over QPs 0 & 1, since for now they are
the only QPs in our driver whereas the QP number inside mlx5_ib_qp
doesn't match the QP number inside mlx5_core_qp.
BUG: kernel NULL pointer dereference, address: 0000000000000012
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21
RSP: 0018:ffff88810511bd60 EFLAGS: 00010046
RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a
RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000
R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0
FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0
Call Trace:
<TASK>
? __die+0x20/0x60
? page_fault_oops+0x150/0x3e0
? exc_page_fault+0x74/0x130
? asm_exc_page_fault+0x22/0x30
? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
__ib_process_cq+0x5a/0x150 [ib_core]
ib_cq_poll_work+0x31/0x90 [ib_core]
process_one_work+0x169/0x320
worker_thread+0x288/0x3a0
? work_busy+0xb0/0xb0
kthread+0xd7/0x1f0
? kthreads_online_cpu+0x130/0x130
? kthreads_online_cpu+0x130/0x130
ret_from_fork+0x2d/0x50
? kthreads_online_cpu+0x130/0x130
ret_from_fork_asm+0x11/0x20
</TASK>
ModerateCVE-2025-22086 at SUSECVE-2025-22086 at NVDSUSE bug 1241458CVE-2025-22089SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Don't expose hw_counters outside of init net namespace
Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs
attributes") accidentally almost exposed hw counters to non-init net
namespaces. It didn't expose them fully, as an attempt to read any of
those counters leads to a crash like this one:
[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028
[42021.814463] #PF: supervisor read access in kernel mode
[42021.819549] #PF: error_code(0x0000) - not-present page
[42021.824636] PGD 0 P4D 0
[42021.827145] Oops: 0000 [#1] SMP PTI
[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX
[42021.841697] Hardware name: XXX
[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48
[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287
[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000
[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0
[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000
[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530
[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000
[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000
[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0
[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[42021.949324] Call Trace:
[42021.951756] <TASK>
[42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70
[42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0
[42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0
[42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0
[42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30
[42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]
[42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50
[42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0
[42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410
[42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
[42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0
[42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0
[42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2
The problem can be reproduced using the following steps:
ip netns add foo
ip netns exec foo bash
cat /sys/class/infiniband/mlx4_0/hw_counters/*
The panic occurs because of casting the device pointer into an
ib_device pointer using container_of() in hw_stat_device_show() is
wrong and leads to a memory corruption.
However the real problem is that hw counters should never been exposed
outside of the non-init net namespace.
Fix this by saving the index of the corresponding attribute group
(it might be 1 or 2 depending on the presence of driver-specific
attributes) and zeroing the pointer to hw_counters group for compat
devices during the initialization.
With this fix applied hw_counters are not available in a non-init
net namespace:
find /sys/class/infiniband/mlx4_0/ -name hw_counters
/sys/class/infiniband/mlx4_0/ports/1/hw_counters
/sys/class/infiniband/mlx4_0/ports/2/hw_counters
/sys/class/infiniband/mlx4_0/hw_counters
ip netns add foo
ip netns exec foo bash
find /sys/class/infiniband/mlx4_0/ -name hw_counters
ModerateCVE-2025-22089 at SUSECVE-2025-22089 at NVDSUSE bug 1241538CVE-2025-22092SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix NULL dereference in SR-IOV VF creation error path
Clean up when virtfn setup fails to prevent NULL pointer dereference
during device removal. The kernel oops below occurred due to incorrect
error handling flow when pci_setup_device() fails.
Add pci_iov_scan_device(), which handles virtfn allocation and setup and
cleans up if pci_setup_device() fails, so pci_iov_add_virtfn() doesn't need
to call pci_stop_and_remove_bus_device(). This prevents accessing
partially initialized virtfn devices during removal.
BUG: kernel NULL pointer dereference, address: 00000000000000d0
RIP: 0010:device_del+0x3d/0x3d0
Call Trace:
pci_remove_bus_device+0x7c/0x100
pci_iov_add_virtfn+0xfa/0x200
sriov_enable+0x208/0x420
mlx5_core_sriov_configure+0x6a/0x160 [mlx5_core]
sriov_numvfs_store+0xae/0x1a0
[bhelgaas: commit log, return ERR_PTR(-ENOMEM) directly]
ModerateCVE-2025-22092 at SUSECVE-2025-22092 at NVDSUSE bug 1241446CVE-2025-22105SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
bonding: check xdp prog when set bond mode
Following operations can trigger a warning[1]:
ip netns add ns1
ip netns exec ns1 ip link add bond0 type bond mode balance-rr
ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp
ip netns exec ns1 ip link set bond0 type bond mode broadcast
ip netns del ns1
When delete the namespace, dev_xdp_uninstall() is called to remove xdp
program on bond dev, and bond_xdp_set() will check the bond mode. If bond
mode is changed after attaching xdp program, the warning may occur.
Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode
with xdp program attached is not good. Add check for xdp program when set
bond mode.
[1]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930
Modules linked in:
CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930
Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...
RSP: 0018:ffffc90000063d80 EFLAGS: 00000282
RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff
RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48
RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb
R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8
R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000
FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0
Call Trace:
<TASK>
? __warn+0x83/0x130
? unregister_netdevice_many_notify+0x8d9/0x930
? report_bug+0x18e/0x1a0
? handle_bug+0x54/0x90
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? unregister_netdevice_many_notify+0x8d9/0x930
? bond_net_exit_batch_rtnl+0x5c/0x90
cleanup_net+0x237/0x3d0
process_one_work+0x163/0x390
worker_thread+0x293/0x3b0
? __pfx_worker_thread+0x10/0x10
kthread+0xec/0x1e0
? __pfx_kthread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
---[ end trace 0000000000000000 ]---
ModerateCVE-2025-22105 at SUSECVE-2025-22105 at NVDSUSE bug 1241548CVE-2025-22111SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.
Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.
In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.
In the race window, Thread B could acquire RTNL and try to remove
the bridge device. Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.
Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.
Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)
---------------------- ----------------------
sock_ioctl sock_ioctl
`- sock_do_ioctl `- br_ioctl_call
`- dev_ioctl `- br_ioctl_stub
|- rtnl_lock |
|- dev_ifsioc '
' |- dev = __dev_get_by_name(...)
|- netdev_hold(dev, ...) .
/ |- rtnl_unlock ------. |
| |- br_ioctl_call `---> |- rtnl_lock
Race | | `- br_ioctl_stub |- br_del_bridge
Window | | | |- dev = __dev_get_by_name(...)
| | | May take long | `- br_dev_delete(dev, ...)
| | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)
| | | | `- rtnl_unlock
\ | |- rtnl_lock <-' `- netdev_run_todo
| |- ... `- netdev_run_todo
| `- rtnl_unlock |- __rtnl_unlock
| |- netdev_wait_allrefs_any
|- netdev_put(dev, ...) <----------------'
Wait refcnt decrement
and log splat below
To avoid blocking SIOCBRDELBR unnecessarily, let's not call
dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.
In the dev_ioctl() path, we do the following:
1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
2. Check CAP_NET_ADMIN in dev_ioctl()
3. Call dev_load() in dev_ioctl()
4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()
3. can be done by request_module() in br_ioctl_call(), so we move
1., 2., and 4. to br_ioctl_stub().
Note that 2. is also checked later in add_del_if(), but it's better
performed before RTNL.
SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since
the pre-git era, and there seems to be no specific reason to process
them there.
[0]:
unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
__netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
netdev_hold include/linux/netdevice.h:4311 [inline]
dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
sock_ioctl+0x23a/0x6c0 net/socket.c:1318
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
ModerateCVE-2025-22111 at SUSECVE-2025-22111 at NVDSUSE bug 1241572CVE-2025-22116SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
idpf: check error for register_netdev() on init
Current init logic ignores the error code from register_netdev(),
which will cause WARN_ON() on attempt to unregister it, if there was one,
and there is no info for the user that the creation of the netdev failed.
WARNING: CPU: 89 PID: 6902 at net/core/dev.c:11512 unregister_netdevice_many_notify+0x211/0x1a10
...
[ 3707.563641] unregister_netdev+0x1c/0x30
[ 3707.563656] idpf_vport_dealloc+0x5cf/0xce0 [idpf]
[ 3707.563684] idpf_deinit_task+0xef/0x160 [idpf]
[ 3707.563712] idpf_vc_core_deinit+0x84/0x320 [idpf]
[ 3707.563739] idpf_remove+0xbf/0x780 [idpf]
[ 3707.563769] pci_device_remove+0xab/0x1e0
[ 3707.563786] device_release_driver_internal+0x371/0x530
[ 3707.563803] driver_detach+0xbf/0x180
[ 3707.563816] bus_remove_driver+0x11b/0x2a0
[ 3707.563829] pci_unregister_driver+0x2a/0x250
Introduce an error check and log the vport number and error code.
On removal make sure to check VPORT_REG_NETDEV flag prior to calling
unregister and free on the netdev.
Add local variables for idx, vport_config and netdev for readability.
ModerateCVE-2025-22116 at SUSECVE-2025-22116 at NVDSUSE bug 1241459CVE-2025-22119SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: init wiphy_work before allocating rfkill fails
syzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. [1]
After rfkill allocation fails, the wiphy release process will be performed,
which will cause cfg80211_dev_free to access the uninitialized wiphy_work
related data.
Move the initialization of wiphy_work to before rfkill initialization to
avoid this issue.
[1]
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
assign_lock_key kernel/locking/lockdep.c:983 [inline]
register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297
__lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196
device_release+0xa1/0x240 drivers/base/core.c:2568
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e4/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3774
wiphy_free net/wireless/core.c:1224 [inline]
wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562
ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835
mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185
hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242
genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338
netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:733 [inline]
____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573
___sys_sendmsg+0x135/0x1e0 net/socket.c:2627
__sys_sendmsg+0x16e/0x220 net/socket.c:2659
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
Close: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029
ImportantCVE-2025-22119 at SUSECVE-2025-22119 at NVDSUSE bug 1241576SUSE bug 1241577CVE-2025-22122SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
block: fix adding folio to bio
>4GB folio is possible on some ARCHs, such as aarch64, 16GB hugepage
is supported, then 'offset' of folio can't be held in 'unsigned int',
cause warning in bio_add_folio_nofail() and IO failure.
Fix it by adjusting 'page' & trimming 'offset' so that `->bi_offset` won't
be overflow, and folio can be added to bio successfully.
ModerateCVE-2025-22122 at SUSECVE-2025-22122 at NVDSUSE bug 1241594CVE-2025-22871SUSE Liberty Linux 10
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
ModerateCVE-2025-22871 at SUSECVE-2025-22871 at NVDSUSE bug 1240550CVE-2025-2296SUSE Liberty Linux 10
EDK2 contains a vulnerability in BIOS where an attacker may cause “ Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability.
ModerateCVE-2025-2296 at SUSECVE-2025-2296 at NVDSUSE bug 1254668CVE-2025-23129SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path
If a shared IRQ is used by the driver due to platform limitation, then the
IRQ affinity hint is set right after the allocation of IRQ vectors in
ath11k_pci_alloc_msi(). This does no harm unless one of the functions
requesting the IRQ fails and attempt to free the IRQ. This results in the
below warning:
WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c
Call trace:
free_irq+0x278/0x29c
ath11k_pcic_free_irq+0x70/0x10c [ath11k]
ath11k_pci_probe+0x800/0x820 [ath11k_pci]
local_pci_probe+0x40/0xbc
The warning is due to not clearing the affinity hint before freeing the
IRQs.
So to fix this issue, clear the IRQ affinity hint before calling
ath11k_pcic_free_irq() in the error path. The affinity will be cleared once
again further down the error path due to code organization, but that does
no harm.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1
ModerateCVE-2025-23129 at SUSECVE-2025-23129 at NVDSUSE bug 1241599CVE-2025-24294SUSE Liberty Linux 10
The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
ModerateCVE-2025-24294 at SUSECVE-2025-24294 at NVDSUSE bug 1246430CVE-2025-24928SUSE Liberty Linux 10
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.
ModerateCVE-2025-24928 at SUSECVE-2025-24928 at NVDSUSE bug 1237370CVE-2025-25186SUSE Liberty Linux 10
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client's receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details for proper configuration of fixed versions and backward compatibility are available in the GitHub Security Advisory.
ModerateCVE-2025-25186 at SUSECVE-2025-25186 at NVDSUSE bug 1237051CVE-2025-26625SUSE Liberty Linux 10
Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.
ImportantCVE-2025-26625 at SUSECVE-2025-26625 at NVDSUSE bug 1252259CVE-2025-27151SUSE Liberty Linux 10
Redis is an open source, in-memory database that persists on disk. In versions starting from 7.0.0 to before 8.0.2, a stack-based buffer overflow exists in redis-check-aof due to the use of memcpy with strlen(filepath) when copying a user-supplied file path into a fixed-size stack buffer. This allows an attacker to overflow the stack and potentially achieve code execution. This issue has been patched in version 8.0.2.
ModerateCVE-2025-27151 at SUSECVE-2025-27151 at NVDSUSE bug 1243804CVE-2025-27219SUSE Liberty Linux 10
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
ModerateCVE-2025-27219 at SUSECVE-2025-27219 at NVDSUSE bug 1237804CVE-2025-27221SUSE Liberty Linux 10
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
ModerateCVE-2025-27221 at SUSECVE-2025-27221 at NVDSUSE bug 1237805CVE-2025-27516SUSE Liberty Linux 10
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
ModerateCVE-2025-27516 at SUSECVE-2025-27516 at NVDSUSE bug 1238879CVE-2025-27613SUSE Liberty Linux 10
Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
ModerateCVE-2025-27613 at SUSECVE-2025-27613 at NVDSUSE bug 1245938CVE-2025-27614SUSE Liberty Linux 10
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
ImportantCVE-2025-27614 at SUSECVE-2025-27614 at NVDSUSE bug 1245939CVE-2025-27832SUSE Liberty Linux 10
An issue was discovered in Artifex Ghostscript before 10.05.0. The NPDL device has a Compression buffer overflow for contrib/japanese/gdevnpdl.c.
ImportantCVE-2025-27832 at SUSECVE-2025-27832 at NVDSUSE bug 1240077CVE-2025-30681SUSE Liberty Linux 10
Unknown.
LowCVE-2025-30681 at SUSECVE-2025-30681 at NVDCVE-2025-30682SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30682 at SUSECVE-2025-30682 at NVDCVE-2025-30683SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30683 at SUSECVE-2025-30683 at NVDCVE-2025-30684SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30684 at SUSECVE-2025-30684 at NVDCVE-2025-30685SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30685 at SUSECVE-2025-30685 at NVDCVE-2025-30687SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30687 at SUSECVE-2025-30687 at NVDCVE-2025-30688SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30688 at SUSECVE-2025-30688 at NVDCVE-2025-30689SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30689 at SUSECVE-2025-30689 at NVDCVE-2025-30693SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30693 at SUSECVE-2025-30693 at NVDSUSE bug 1249213CVE-2025-30695SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30695 at SUSECVE-2025-30695 at NVDCVE-2025-30696SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30696 at SUSECVE-2025-30696 at NVDCVE-2025-30699SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30699 at SUSECVE-2025-30699 at NVDCVE-2025-30703SUSE Liberty Linux 10
Unknown.
LowCVE-2025-30703 at SUSECVE-2025-30703 at NVDCVE-2025-30704SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30704 at SUSECVE-2025-30704 at NVDCVE-2025-30705SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30705 at SUSECVE-2025-30705 at NVDCVE-2025-30715SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30715 at SUSECVE-2025-30715 at NVDCVE-2025-30721SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30721 at SUSECVE-2025-30721 at NVDCVE-2025-30722SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-30722 at SUSECVE-2025-30722 at NVDSUSE bug 1249212CVE-2025-30749SUSE Liberty Linux 10
Unknown.
ImportantCVE-2025-30749 at SUSECVE-2025-30749 at NVDSUSE bug 1246595CVE-2025-30754SUSE Liberty Linux 10
Unknown.
ImportantCVE-2025-30754 at SUSECVE-2025-30754 at NVDSUSE bug 1246595SUSE bug 1246598CVE-2025-31115SUSE Liberty Linux 10
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.
ImportantCVE-2025-31115 at SUSECVE-2025-31115 at NVDSUSE bug 1240414CVE-2025-31651SUSE Liberty Linux 10
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible
for a specially crafted request to bypass some rewrite rules. If those
rewrite rules effectively enforced security constraints, those
constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions
may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
ImportantCVE-2025-31651 at SUSECVE-2025-31651 at NVDSUSE bug 1242009CVE-2025-32023SUSE Liberty Linux 10
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
ImportantCVE-2025-32023 at SUSECVE-2025-32023 at NVDSUSE bug 1246059CVE-2025-32049SUSE Liberty Linux 10
A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS).
ImportantCVE-2025-32049 at SUSECVE-2025-32049 at NVDSUSE bug 1240751SUSE bug 1250562CVE-2025-32365SUSE Liberty Linux 10
Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.
ModerateCVE-2025-32365 at SUSECVE-2025-32365 at NVDSUSE bug 1240881CVE-2025-32414SUSE Liberty Linux 10
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
ModerateCVE-2025-32414 at SUSECVE-2025-32414 at NVDSUSE bug 1241551CVE-2025-32415SUSE Liberty Linux 10
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
LowCVE-2025-32415 at SUSECVE-2025-32415 at NVDSUSE bug 1241453CVE-2025-32728SUSE Liberty Linux 10
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
ModerateCVE-2025-32728 at SUSECVE-2025-32728 at NVDSUSE bug 1241012CVE-2025-32907SUSE Liberty Linux 10
A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.
ImportantCVE-2025-32907 at SUSECVE-2025-32907 at NVDSUSE bug 1241222CVE-2025-3576SUSE Liberty Linux 10
A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.
ModerateCVE-2025-3576 at SUSECVE-2025-3576 at NVDSUSE bug 1241218CVE-2025-37749SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: ppp: Add bound checking for skb data on ppp_sync_txmung
Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.
When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef>> p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
type = 0x1,
ver = 0x1,
code = 0x0,
sid = 0x2,
length = 0x0,
tag = 0xffff8880371cdb96
}
from the skb struct (trimmed)
tail = 0x16,
end = 0x140,
head = 0xffff88803346f400 "4",
data = 0xffff88803346f416 ":\377",
truesize = 0x380,
len = 0x0,
data_len = 0x0,
mac_len = 0xe,
hdr_len = 0x0,
it is not safe to access data[2].
[pabeni@redhat.com: fixed subj typo]
ModerateCVE-2025-37749 at SUSECVE-2025-37749 at NVDSUSE bug 1242859CVE-2025-37819SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
With ACPI in place, gicv2m_get_fwnode() is registered with the pci
subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime
during a PCI host bridge probe. But, the call back is wrongly marked as
__init, causing it to be freed, while being registered with the PCI
subsystem and could trigger:
Unable to handle kernel paging request at virtual address ffff8000816c0400
gicv2m_get_fwnode+0x0/0x58 (P)
pci_set_bus_msi_domain+0x74/0x88
pci_register_host_bridge+0x194/0x548
This is easily reproducible on a Juno board with ACPI boot.
Retain the function for later use.
ModerateCVE-2025-37819 at SUSECVE-2025-37819 at NVDSUSE bug 1242873CVE-2025-37821SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash
There is a code path in dequeue_entities() that can set the slice of a
sched_entity to U64_MAX, which sometimes results in a crash.
The offending case is when dequeue_entities() is called to dequeue a
delayed group entity, and then the entity's parent's dequeue is delayed.
In that case:
1. In the if (entity_is_task(se)) else block at the beginning of
dequeue_entities(), slice is set to
cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then
it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX.
2. The first for_each_sched_entity() loop dequeues the entity.
3. If the entity was its parent's only child, then the next iteration
tries to dequeue the parent.
4. If the parent's dequeue needs to be delayed, then it breaks from the
first for_each_sched_entity() loop _without updating slice_.
5. The second for_each_sched_entity() loop sets the parent's ->slice to
the saved slice, which is still U64_MAX.
This throws off subsequent calculations with potentially catastrophic
results. A manifestation we saw in production was:
6. In update_entity_lag(), se->slice is used to calculate limit, which
ends up as a huge negative number.
7. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit
is negative, vlag > limit, so se->vlag is set to the same huge
negative number.
8. In place_entity(), se->vlag is scaled, which overflows and results in
another huge (positive or negative) number.
9. The adjusted lag is subtracted from se->vruntime, which increases or
decreases se->vruntime by a huge number.
10. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which
incorrectly returns false because the vruntime is so far from the
other vruntimes on the queue, causing the
(vruntime - cfs_rq->min_vruntime) * load calulation to overflow.
11. Nothing appears to be eligible, so pick_eevdf() returns NULL.
12. pick_next_entity() tries to dereference the return value of
pick_eevdf() and crashes.
Dumping the cfs_rq states from the core dumps with drgn showed tell-tale
huge vruntime ranges and bogus vlag values, and I also traced se->slice
being set to U64_MAX on live systems (which was usually "benign" since
the rest of the runqueue needed to be in a particular state to crash).
Fix it in dequeue_entities() by always setting slice from the first
non-empty cfs_rq.
ModerateCVE-2025-37821 at SUSECVE-2025-37821 at NVDSUSE bug 1242864CVE-2025-37849SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Tear down vGIC on failed vCPU creation
If kvm_arch_vcpu_create() fails to share the vCPU page with the
hypervisor, we propagate the error back to the ioctl but leave the
vGIC vCPU data initialised. Note only does this leak the corresponding
memory when the vCPU is destroyed but it can also lead to use-after-free
if the redistributor device handling tries to walk into the vCPU.
Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
vGIC vCPU structures are destroyed on error.
ModerateCVE-2025-37849 at SUSECVE-2025-37849 at NVDSUSE bug 1243000CVE-2025-37994SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: displayport: Fix NULL pointer access
This patch ensures that the UCSI driver waits for all pending tasks in the
ucsi_displayport_work workqueue to finish executing before proceeding with
the partner removal.
ModerateCVE-2025-37994 at SUSECVE-2025-37994 at NVDSUSE bug 1243823CVE-2025-38012SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator
BPF programs may call next() and destroy() on BPF iterators even after new()
returns an error value (e.g. bpf_for_each() macro ignores error returns from
new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized
state after an error return causing bpf_iter_scx_dsq_next() to dereference
garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that
next() and destroy() become noops.
ModerateCVE-2025-38012 at SUSECVE-2025-38012 at NVDSUSE bug 1244730CVE-2025-38013SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request
Make sure that n_channels is set after allocating the
struct cfg80211_registered_device::int_scan_req member. Seen with
syzkaller:
UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5
index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')
This was missed in the initial conversions because I failed to locate
the allocation likely due to the "sizeof(void *)" not matching the
"channels" array type.
ModerateCVE-2025-38013 at SUSECVE-2025-38013 at NVDSUSE bug 1244731CVE-2025-38022SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
strlen+0x93/0xa0 lib/string.c:420
__fortify_strlen include/linux/fortify-string.h:268 [inline]
get_kobj_path_length lib/kobject.c:118 [inline]
kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
ib_register_device drivers/infiniband/core/device.c:1472 [inline]
ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
__sys_sendmsg+0x16d/0x220 net/socket.c:2652
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.
The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.
The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().
ModerateCVE-2025-38022 at SUSECVE-2025-38022 at NVDSUSE bug 1245003CVE-2025-38067SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
rseq: Fix segfault on registration when rseq_cs is non-zero
The rseq_cs field is documented as being set to 0 by user-space prior to
registration, however this is not currently enforced by the kernel. This
can result in a segfault on return to user-space if the value stored in
the rseq_cs field doesn't point to a valid struct rseq_cs.
The correct solution to this would be to fail the rseq registration when
the rseq_cs field is non-zero. However, some older versions of glibc
will reuse the rseq area of previous threads without clearing the
rseq_cs field and will also terminate the process if the rseq
registration fails in a secondary thread. This wasn't caught in testing
because in this case the leftover rseq_cs does point to a valid struct
rseq_cs.
What we can do is clear the rseq_cs field on registration when it's
non-zero which will prevent segfaults on registration and won't break
the glibc versions that reuse rseq areas on thread creation.
ModerateCVE-2025-38067 at SUSECVE-2025-38067 at NVDSUSE bug 1245213CVE-2025-38106SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()
syzbot reports:
BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60
Read of size 8 at addr ffff88810de2d2c8 by task a.out/304
CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_report+0xd0/0x670
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? getrusage+0x1109/0x1a60
kasan_report+0xce/0x100
? getrusage+0x1109/0x1a60
getrusage+0x1109/0x1a60
? __pfx_getrusage+0x10/0x10
__io_uring_show_fdinfo+0x9fe/0x1790
? ksys_read+0xf7/0x1c0
? do_syscall_64+0xa4/0x260
? vsnprintf+0x591/0x1100
? __pfx___io_uring_show_fdinfo+0x10/0x10
? __pfx_vsnprintf+0x10/0x10
? mutex_trylock+0xcf/0x130
? __pfx_mutex_trylock+0x10/0x10
? __pfx_show_fd_locks+0x10/0x10
? io_uring_show_fdinfo+0x57/0x80
io_uring_show_fdinfo+0x57/0x80
seq_show+0x38c/0x690
seq_read_iter+0x3f7/0x1180
? inode_set_ctime_current+0x160/0x4b0
seq_read+0x271/0x3e0
? __pfx_seq_read+0x10/0x10
? __pfx__raw_spin_lock+0x10/0x10
? __mark_inode_dirty+0x402/0x810
? selinux_file_permission+0x368/0x500
? file_update_time+0x10f/0x160
vfs_read+0x177/0xa40
? __pfx___handle_mm_fault+0x10/0x10
? __pfx_vfs_read+0x10/0x10
? mutex_lock+0x81/0xe0
? __pfx_mutex_lock+0x10/0x10
? fdget_pos+0x24d/0x4b0
ksys_read+0xf7/0x1c0
? __pfx_ksys_read+0x10/0x10
? do_user_addr_fault+0x43b/0x9c0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0f74170fc9
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8
RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9
RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004
RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90
R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Allocated by task 298:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x6e/0x70
kmem_cache_alloc_node_noprof+0xe8/0x330
copy_process+0x376/0x5e00
create_io_thread+0xab/0xf0
io_sq_offload_create+0x9ed/0xf20
io_uring_setup+0x12b0/0x1cc0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 22:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x37/0x50
kmem_cache_free+0xc4/0x360
rcu_core+0x5ff/0x19f0
handle_softirqs+0x18c/0x530
run_ksoftirqd+0x20/0x30
smpboot_thread_fn+0x287/0x6c0
kthread+0x30d/0x630
ret_from_fork+0xef/0x1a0
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x33/0x60
kasan_record_aux_stack+0x8c/0xa0
__call_rcu_common.constprop.0+0x68/0x940
__schedule+0xff2/0x2930
__cond_resched+0x4c/0x80
mutex_lock+0x5c/0xe0
io_uring_del_tctx_node+0xe1/0x2b0
io_uring_clean_tctx+0xb7/0x160
io_uring_cancel_generic+0x34e/0x760
do_exit+0x240/0x2350
do_group_exit+0xab/0x220
__x64_sys_exit_group+0x39/0x40
x64_sys_call+0x1243/0x1840
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88810de2cb00
which belongs to the cache task_struct of size 3712
The buggy address is located 1992 bytes inside of
freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)
which is caused by the task_struct pointed to by sq->thread being
released while it is being used in the function
__io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent ehre
relase or exit of sq->thread.
Fix this by assigning and looking up ->thread under RCU, and grabbing a
reference to the task_struct. This e
---truncated---
ModerateCVE-2025-38106 at SUSECVE-2025-38106 at NVDSUSE bug 1245664CVE-2025-38109SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix ECVF vports unload on shutdown flow
Fix shutdown flow UAF when a virtual function is created on the embedded
chip (ECVF) of a BlueField device. In such case the vport acl ingress
table is not properly destroyed.
ECVF functionality is independent of ecpf_vport_exists capability and
thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not
test it when enabling/disabling ECVF vports.
kernel log:
[] refcount_t: underflow; use-after-free.
[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28
refcount_warn_saturate+0x124/0x220
----------------
[] Call trace:
[] refcount_warn_saturate+0x124/0x220
[] tree_put_node+0x164/0x1e0 [mlx5_core]
[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]
[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]
[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]
[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]
[] esw_vport_cleanup+0x64/0x90 [mlx5_core]
[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]
[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]
[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]
[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]
[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]
[] mlx5_unload+0x40/0xc4 [mlx5_core]
[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]
[] mlx5_unload_one+0x3c/0x60 [mlx5_core]
[] shutdown+0x7c/0xa4 [mlx5_core]
[] pci_device_shutdown+0x3c/0xa0
[] device_shutdown+0x170/0x340
[] __do_sys_reboot+0x1f4/0x2a0
[] __arm64_sys_reboot+0x2c/0x40
[] invoke_syscall+0x78/0x100
[] el0_svc_common.constprop.0+0x54/0x184
[] do_el0_svc+0x30/0xac
[] el0_svc+0x48/0x160
[] el0t_64_sync_handler+0xa4/0x12c
[] el0t_64_sync+0x1a4/0x1a8
[] --[ end trace 9c4601d68c70030e ]---
ImportantCVE-2025-38109 at SUSECVE-2025-38109 at NVDSUSE bug 1245684SUSE bug 1245685CVE-2025-38116SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix uaf in ath12k_core_init()
When the execution of ath12k_core_hw_group_assign() or
ath12k_core_hw_group_create() fails, the registered notifier chain is not
unregistered properly. Its memory is freed after rmmod, which may trigger
to a use-after-free (UAF) issue if there is a subsequent access to this
notifier chain.
Fixes the issue by calling ath12k_core_panic_notifier_unregister() in
failure cases.
Call trace:
notifier_chain_register+0x4c/0x1f0 (P)
atomic_notifier_chain_register+0x38/0x68
ath12k_core_init+0x50/0x4e8 [ath12k]
ath12k_pci_probe+0x5f8/0xc28 [ath12k]
pci_device_probe+0xbc/0x1a8
really_probe+0xc8/0x3a0
__driver_probe_device+0x84/0x1b0
driver_probe_device+0x44/0x130
__driver_attach+0xcc/0x208
bus_for_each_dev+0x84/0x100
driver_attach+0x2c/0x40
bus_add_driver+0x130/0x260
driver_register+0x70/0x138
__pci_register_driver+0x68/0x80
ath12k_pci_init+0x30/0x68 [ath12k]
ath12k_init+0x28/0x78 [ath12k]
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
ImportantCVE-2025-38116 at SUSECVE-2025-38116 at NVDSUSE bug 1245692CVE-2025-38141SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
dm: fix dm_blk_report_zones
If dm_get_live_table() returned NULL, dm_put_live_table() was never
called. Also, it is possible that md->zone_revalidate_map will change
while calling this function. Only read it once, so that we are always
using the same value. Otherwise we might miss a call to
dm_put_live_table().
Finally, while md->zone_revalidate_map is set and a process is calling
blk_revalidate_disk_zones() to set up the zone append emulation
resources, it is possible that another process, perhaps triggered by
blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If
blk_revalidate_disk_zones() fails, these resources can be freed while
the other process is still using them, causing a use-after-free error.
blk_revalidate_disk_zones() will only ever be called when initially
setting up the zone append emulation resources, such as when setting up
a zoned dm-crypt table for the first time. Further table swaps will not
set md->zone_revalidate_map or call blk_revalidate_disk_zones().
However it must be called using the new table (referenced by
md->zone_revalidate_map) and the new queue limits while the DM device is
suspended. dm_blk_report_zones() needs some way to distinguish between a
call from blk_revalidate_disk_zones(), which must be allowed to use
md->zone_revalidate_map to access this not yet activated table, and all
other calls to dm_blk_report_zones(), which should not be allowed while
the device is suspended and cannot use md->zone_revalidate_map, since
the zone resources might be freed by the process currently calling
blk_revalidate_disk_zones().
Solve this by tracking the process that sets md->zone_revalidate_map in
dm_revalidate_zones() and only allowing that process to make use of it
in dm_blk_report_zones().
ImportantCVE-2025-38141 at SUSECVE-2025-38141 at NVDSUSE bug 1245715SUSE bug 1245716CVE-2025-38148SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: phy: mscc: Fix memory leak when using one step timestamping
Fix memory leak when running one-step timestamping. When running
one-step sync timestamping, the HW is configured to insert the TX time
into the frame, so there is no reason to keep the skb anymore. As in
this case the HW will never generate an interrupt to say that the frame
was timestamped, then the frame will never released.
Fix this by freeing the frame in case of one-step timestamping.
ModerateCVE-2025-38148 at SUSECVE-2025-38148 at NVDSUSE bug 1245735CVE-2025-38172SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
erofs: avoid using multiple devices with different type
For multiple devices, both primary and extra devices should be the
same type. `erofs_init_device` has already guaranteed that if the
primary is a file-backed device, extra devices should also be
regular files.
However, if the primary is a block device while the extra device
is a file-backed device, `erofs_init_device` will get an ENOTBLK,
which is not treated as an error in `erofs_fc_get_tree`, and that
leads to an UAF:
erofs_fc_get_tree
get_tree_bdev_flags(erofs_fc_fill_super)
erofs_read_superblock
erofs_init_device // sbi->dif0 is not inited yet,
// return -ENOTBLK
deactivate_locked_super
free(sbi)
if (err is -ENOTBLK)
sbi->dif0.file = filp_open() // sbi UAF
So if -ENOTBLK is hitted in `erofs_init_device`, it means the
primary device must be a block device, and the extra device
is not a block device. The error can be converted to -EINVAL.
ModerateCVE-2025-38172 at SUSECVE-2025-38172 at NVDSUSE bug 1245787CVE-2025-38200SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix MMIO write access to an invalid page in i40e_clear_hw
When the device sends a specific input, an integer underflow can occur, leading
to MMIO write access to an invalid page.
Prevent the integer underflow by changing the type of related variables.
ModerateCVE-2025-38200 at SUSECVE-2025-38200 at NVDSUSE bug 1246045SUSE bug 1246046CVE-2025-38206SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix double free in delayed_free
The double free could happen in the following path.
exfat_create_upcase_table()
exfat_create_upcase_table() : return error
exfat_free_upcase_table() : free ->vol_utbl
exfat_load_default_upcase_table : return error
exfat_kill_sb()
delayed_free()
exfat_free_upcase_table() <--------- double free
This patch set ->vol_util as NULL after freeing it.
ImportantCVE-2025-38206 at SUSECVE-2025-38206 at NVDSUSE bug 1246073SUSE bug 1246075CVE-2025-38220SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ext4: only dirty folios when data journaling regular files
fstest generic/388 occasionally reproduces a crash that looks as
follows:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
Call Trace:
<TASK>
ext4_block_zero_page_range+0x30c/0x380 [ext4]
ext4_truncate+0x436/0x440 [ext4]
ext4_process_orphan+0x5d/0x110 [ext4]
ext4_orphan_cleanup+0x124/0x4f0 [ext4]
ext4_fill_super+0x262d/0x3110 [ext4]
get_tree_bdev_flags+0x132/0x1d0
vfs_get_tree+0x26/0xd0
vfs_cmd_create+0x59/0xe0
__do_sys_fsconfig+0x4ed/0x6b0
do_syscall_64+0x82/0x170
...
This occurs when processing a symlink inode from the orphan list. The
partial block zeroing code in the truncate path calls
ext4_dirty_journalled_data() -> folio_mark_dirty(). The latter calls
mapping->a_ops->dirty_folio(), but symlink inodes are not assigned an
a_ops vector in ext4, hence the crash.
To avoid this problem, update the ext4_dirty_journalled_data() helper to
only mark the folio dirty on regular files (for which a_ops is
assigned). This also matches the journaling logic in the ext4_symlink()
creation path, where ext4_handle_dirty_metadata() is called directly.
ModerateCVE-2025-38220 at SUSECVE-2025-38220 at NVDSUSE bug 1245966CVE-2025-38234SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
sched/rt: Fix race in push_rt_task
Overview
========
When a CPU chooses to call push_rt_task and picks a task to push to
another CPU's runqueue then it will call find_lock_lowest_rq method
which would take a double lock on both CPUs' runqueues. If one of the
locks aren't readily available, it may lead to dropping the current
runqueue lock and reacquiring both the locks at once. During this window
it is possible that the task is already migrated and is running on some
other CPU. These cases are already handled. However, if the task is
migrated and has already been executed and another CPU is now trying to
wake it up (ttwu) such that it is queued again on the runqeue
(on_rq is 1) and also if the task was run by the same CPU, then the
current checks will pass even though the task was migrated out and is no
longer in the pushable tasks list.
Crashes
=======
This bug resulted in quite a few flavors of crashes triggering kernel
panics with various crash signatures such as assert failures, page
faults, null pointer dereferences, and queue corruption errors all
coming from scheduler itself.
Some of the crashes:
-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? pick_next_task_rt+0x6e/0x1d0
? do_error_trap+0x64/0xa0
? pick_next_task_rt+0x6e/0x1d0
? exc_invalid_op+0x4c/0x60
? pick_next_task_rt+0x6e/0x1d0
? asm_exc_invalid_op+0x12/0x20
? pick_next_task_rt+0x6e/0x1d0
__schedule+0x5cb/0x790
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: kernel NULL pointer dereference, address: 00000000000000c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? __warn+0x8a/0xe0
? exc_page_fault+0x3d6/0x520
? asm_exc_page_fault+0x1e/0x30
? pick_next_task_rt+0xb5/0x1d0
? pick_next_task_rt+0x8c/0x1d0
__schedule+0x583/0x7e0
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: unable to handle page fault for address: ffff9464daea5900
kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))
-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? dequeue_top_rt_rq+0xa2/0xb0
? do_error_trap+0x64/0xa0
? dequeue_top_rt_rq+0xa2/0xb0
? exc_invalid_op+0x4c/0x60
? dequeue_top_rt_rq+0xa2/0xb0
? asm_exc_invalid_op+0x12/0x20
? dequeue_top_rt_rq+0xa2/0xb0
dequeue_rt_entity+0x1f/0x70
dequeue_task_rt+0x2d/0x70
__schedule+0x1a8/0x7e0
? blk_finish_plug+0x25/0x40
schedule+0x3c/0xb0
futex_wait_queue_me+0xb6/0x120
futex_wait+0xd9/0x240
do_futex+0x344/0xa90
? get_mm_exe_file+0x30/0x60
? audit_exe_compare+0x58/0x70
? audit_filter_rules.constprop.26+0x65e/0x1220
__x64_sys_futex+0x148/0x1f0
do_syscall_64+0x30/0x80
entry_SYSCALL_64_after_hwframe+0x62/0xc7
-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? spurious_kernel_fault+0x171/0x1c0
? exc_page_fault+0x3b6/0x520
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? asm_exc_page_fault+0x1e/0x30
? _cond_resched+0x15/0x30
? futex_wait_queue_me+0xc8/0x120
? futex_wait+0xd9/0x240
? try_to_wake_up+0x1b8/0x490
? futex_wake+0x78/0x160
? do_futex+0xcd/0xa90
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? plist_del+0x6a/0xd0
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? dequeue_pushable_task+0x20/0x70
? __schedule+0x382/0x7e0
? asm_sysvec_reschedule_i
---truncated---
ModerateCVE-2025-38234 at SUSECVE-2025-38234 at NVDSUSE bug 1246057CVE-2025-38288SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels
Correct kernel call trace when calling smp_processor_id() when called in
preemptible kernels by using raw_smp_processor_id().
smp_processor_id() checks to see if preemption is disabled and if not,
issue an error message followed by a call to dump_stack().
Brief example of call trace:
kernel: check_preemption_disabled: 436 callbacks suppressed
kernel: BUG: using smp_processor_id() in preemptible [00000000]
code: kworker/u1025:0/2354
kernel: caller is pqi_scsi_queue_command+0x183/0x310 [smartpqi]
kernel: CPU: 129 PID: 2354 Comm: kworker/u1025:0
kernel: ...
kernel: Workqueue: writeback wb_workfn (flush-253:0)
kernel: Call Trace:
kernel: <TASK>
kernel: dump_stack_lvl+0x34/0x48
kernel: check_preemption_disabled+0xdd/0xe0
kernel: pqi_scsi_queue_command+0x183/0x310 [smartpqi]
kernel: ...
ModerateCVE-2025-38288 at SUSECVE-2025-38288 at NVDSUSE bug 1246286CVE-2025-38322SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel: Fix crash in icl_update_topdown_event()
The perf_fuzzer found a hard-lockup crash on a RaptorLake machine:
Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000
CPU: 23 UID: 0 PID: 0 Comm: swapper/23
Tainted: [W]=WARN
Hardware name: Dell Inc. Precision 9660/0VJ762
RIP: 0010:native_read_pmc+0x7/0x40
Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...
RSP: 000:fffb03100273de8 EFLAGS: 00010046
....
Call Trace:
<TASK>
icl_update_topdown_event+0x165/0x190
? ktime_get+0x38/0xd0
intel_pmu_read_event+0xf9/0x210
__perf_event_read+0xf9/0x210
CPUs 16-23 are E-core CPUs that don't support the perf metrics feature.
The icl_update_topdown_event() should not be invoked on these CPUs.
It's a regression of commit:
f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
The bug introduced by that commit is that the is_topdown_event() function
is mistakenly used to replace the is_topdown_count() call to check if the
topdown functions for the perf metrics feature should be invoked.
Fix it.
ModerateCVE-2025-38322 at SUSECVE-2025-38322 at NVDSUSE bug 1246447CVE-2025-38329SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
firmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info)
KASAN reported out of bounds access - cs_dsp_mock_wmfw_add_info(),
because the source string length was rounded up to the allocation size.
ModerateCVE-2025-38329 at SUSECVE-2025-38329 at NVDSUSE bug 1246369CVE-2025-38330SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache)
KASAN reported out of bounds access - cs_dsp_ctl_cache_init_multiple_offsets().
The code uses mock_coeff_template.length_bytes (4 bytes) for register value
allocations. But later, this length is set to 8 bytes which causes
test code failures.
As fix, just remove the lenght override, keeping the original value 4
for all operations.
ModerateCVE-2025-38330 at SUSECVE-2025-38330 at NVDSUSE bug 1246368CVE-2025-38332SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Use memcpy() for BIOS version
The strlcat() with FORTIFY support is triggering a panic because it
thinks the target buffer will overflow although the correct target
buffer size is passed in.
Anyway, instead of memset() with 0 followed by a strlcat(), just use
memcpy() and ensure that the resulting buffer is NULL terminated.
BIOSVersion is only used for the lpfc_printf_log() which expects a
properly terminated string.
ModerateCVE-2025-38332 at SUSECVE-2025-38332 at NVDSUSE bug 1246375CVE-2025-38349SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
eventpoll: don't decrement ep refcount while still holding the ep mutex
Jann Horn points out that epoll is decrementing the ep refcount and then
doing a
mutex_unlock(&ep->mtx);
afterwards. That's very wrong, because it can lead to a use-after-free.
That pattern is actually fine for the very last reference, because the
code in question will delay the actual call to "ep_free(ep)" until after
it has unlocked the mutex.
But it's wrong for the much subtler "next to last" case when somebody
*else* may also be dropping their reference and free the ep while we're
still using the mutex.
Note that this is true even if that other user is also using the same ep
mutex: mutexes, unlike spinlocks, can not be used for object ownership,
even if they guarantee mutual exclusion.
A mutex "unlock" operation is not atomic, and as one user is still
accessing the mutex as part of unlocking it, another user can come in
and get the now released mutex and free the data structure while the
first user is still cleaning up.
See our mutex documentation in Documentation/locking/mutex-design.rst,
in particular the section [1] about semantics:
"mutex_unlock() may access the mutex structure even after it has
internally released the lock already - so it's not safe for
another context to acquire the mutex and assume that the
mutex_unlock() context is not using the structure anymore"
So if we drop our ep ref before the mutex unlock, but we weren't the
last one, we may then unlock the mutex, another user comes in, drops
_their_ reference and releases the 'ep' as it now has no users - all
while the mutex_unlock() is still accessing it.
Fix this by simply moving the ep refcount dropping to outside the mutex:
the refcount itself is atomic, and doesn't need mutex protection (that's
the whole _point_ of refcounts: unlike mutexes, they are inherently
about object lifetimes).
ModerateCVE-2025-38349 at SUSECVE-2025-38349 at NVDSUSE bug 1246777CVE-2025-38369SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using
Running IDXD workloads in a container with the /dev directory mounted can
trigger a call trace or even a kernel panic when the parent process of the
container is terminated.
This issue occurs because, under certain configurations, Docker does not
properly propagate the mount replica back to the original mount point.
In this case, when the user driver detaches, the WQ is destroyed but it
still calls destroy_workqueue() attempting to completes all pending work.
It's necessary to check wq->wq and skip the drain if it no longer exists.
ModerateCVE-2025-38369 at SUSECVE-2025-38369 at NVDSUSE bug 1247209CVE-2025-38383SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm/vmalloc: fix data race in show_numa_info()
The following data-race was found in show_numa_info():
==================================================================
BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show
read to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0:
show_numa_info mm/vmalloc.c:4936 [inline]
vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016
seq_read_iter+0x373/0xb40 fs/seq_file.c:230
proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299
....
write to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1:
show_numa_info mm/vmalloc.c:4934 [inline]
vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016
seq_read_iter+0x373/0xb40 fs/seq_file.c:230
proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299
....
value changed: 0x0000008f -> 0x00000000
==================================================================
According to this report,there is a read/write data-race because
m->private is accessible to multiple CPUs. To fix this, instead of
allocating the heap in proc_vmalloc_init() and passing the heap address to
m->private, vmalloc_info_show() should allocate the heap.
ModerateCVE-2025-38383 at SUSECVE-2025-38383 at NVDSUSE bug 1247250CVE-2025-38400SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.
syzbot reported a warning below [1] following a fault injection in
nfs_fs_proc_net_init(). [0]
When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed.
Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning
is logged as the directory is not empty.
Let's handle the error of nfs_fs_proc_net_init() properly.
[0]:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:123)
should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174)
should_failslab (mm/failslab.c:46)
kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204)
__proc_create (fs/proc/generic.c:427)
proc_create_reg (fs/proc/generic.c:554)
proc_create_net_data (fs/proc/proc_net.c:120)
nfs_fs_proc_net_init (fs/nfs/client.c:1409)
nfs_net_init (fs/nfs/inode.c:2600)
ops_init (net/core/net_namespace.c:138)
setup_net (net/core/net_namespace.c:443)
copy_net_ns (net/core/net_namespace.c:576)
create_new_namespaces (kernel/nsproxy.c:110)
unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4))
ksys_unshare (kernel/fork.c:3123)
__x64_sys_unshare (kernel/fork.c:3190)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
[1]:
remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs'
WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
Modules linked in:
CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00
RSP: 0018:ffffc90003637b08 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8
RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001
RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00
R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000
FS: 0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76
ops_exit_list net/core/net_namespace.c:200 [inline]
ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253
setup_net+0x2e1/0x510 net/core/net_namespace.c:457
copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574
create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218
ksys_unshare+0x45b/0xa40 kernel/fork.c:3121
__do_sys_unshare kernel/fork.c:3192 [inline]
__se_sys_unshare kernel/fork.c:3190 [inline]
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3190
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa1a6b8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c
---truncated---
ModerateCVE-2025-38400 at SUSECVE-2025-38400 at NVDSUSE bug 1247123CVE-2025-38403SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
vsock/vmci: Clear the vmci transport packet properly when initializing it
In vmci_transport_packet_init memset the vmci_transport_packet before
populating the fields to avoid any uninitialised data being left in the
structure.
ModerateCVE-2025-38403 at SUSECVE-2025-38403 at NVDSUSE bug 1247141CVE-2025-38412SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks
After retrieving WMI data blocks in sysfs callbacks, check for the
validity of them before dereferencing their content.
ModerateCVE-2025-38412 at SUSECVE-2025-38412 at NVDSUSE bug 1247132CVE-2025-38415SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check return result of sb_min_blocksize
Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.
Syzkaller forks multiple processes which after mounting the Squashfs
filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
Now if this ioctl occurs at the same time another process is in the
process of mounting a Squashfs filesystem on /dev/loop0, the failure
occurs. When this happens the following code in squashfs_fill_super()
fails.
----
msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
msblk->devblksize_log2 = ffz(~msblk->devblksize);
----
sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.
As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
is set to 64.
This subsequently causes the
UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
shift exponent 64 is too large for 64-bit type 'u64' (aka
'unsigned long long')
This commit adds a check for a 0 return by sb_min_blocksize().
ModerateCVE-2025-38415 at SUSECVE-2025-38415 at NVDSUSE bug 1247147CVE-2025-38438SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.
sof_pdata->tplg_filename can have address allocated by kstrdup()
and can be overwritten. Memory leak was detected with kmemleak:
unreferenced object 0xffff88812391ff60 (size 16):
comm "kworker/4:1", pid 161, jiffies 4294802931
hex dump (first 16 bytes):
73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic.
backtrace (crc 4bf1675c):
__kmalloc_node_track_caller_noprof+0x49c/0x6b0
kstrdup+0x46/0xc0
hda_machine_select.cold+0x1de/0x12cf [snd_sof_intel_hda_generic]
sof_init_environment+0x16f/0xb50 [snd_sof]
sof_probe_continue+0x45/0x7c0 [snd_sof]
sof_probe_work+0x1e/0x40 [snd_sof]
process_one_work+0x894/0x14b0
worker_thread+0x5e5/0xfb0
kthread+0x39d/0x760
ret_from_fork+0x31/0x70
ret_from_fork_asm+0x1a/0x30
ModerateCVE-2025-38438 at SUSECVE-2025-38438 at NVDSUSE bug 1247157CVE-2025-38453SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU
syzbot reports that defer/local task_work adding via msg_ring can hit
a request that has been freed:
CPU: 1 UID: 0 PID: 19356 Comm: iou-wrk-19354 Not tainted 6.16.0-rc4-syzkaller-00108-g17bbde2e1716 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
io_req_local_work_add io_uring/io_uring.c:1184 [inline]
__io_req_task_work_add+0x589/0x950 io_uring/io_uring.c:1252
io_msg_remote_post io_uring/msg_ring.c:103 [inline]
io_msg_data_remote io_uring/msg_ring.c:133 [inline]
__io_msg_ring_data+0x820/0xaa0 io_uring/msg_ring.c:151
io_msg_ring_data io_uring/msg_ring.c:173 [inline]
io_msg_ring+0x134/0xa00 io_uring/msg_ring.c:314
__io_issue_sqe+0x17e/0x4b0 io_uring/io_uring.c:1739
io_issue_sqe+0x165/0xfd0 io_uring/io_uring.c:1762
io_wq_submit_work+0x6e9/0xb90 io_uring/io_uring.c:1874
io_worker_handle_work+0x7cd/0x1180 io_uring/io-wq.c:642
io_wq_worker+0x42f/0xeb0 io_uring/io-wq.c:696
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
which is supposed to be safe with how requests are allocated. But msg
ring requests alloc and free on their own, and hence must defer freeing
to a sane time.
Add an rcu_head and use kfree_rcu() in both spots where requests are
freed. Only the one in io_msg_tw_complete() is strictly required as it
has been visible on the other ring, but use it consistently in the other
spot as well.
This should not cause any other issues outside of KASAN rightfully
complaining about it.
ImportantCVE-2025-38453 at SUSECVE-2025-38453 at NVDSUSE bug 1247234SUSE bug 1247737CVE-2025-38468SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 htb rate 64bit
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2:1 handle 3: blackhole
ping -I lo -c1 -W0.001 127.0.0.1
The root cause is the following:
1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on
the selected leaf qdisc
2. netem_dequeue calls enqueue on the child qdisc
3. blackhole_enqueue drops the packet and returns a value that is not
just NET_XMIT_SUCCESS
4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and
since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate ->
htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase
5. As this is the only class in the selected hprio rbtree,
__rb_change_child in __rb_erase_augmented sets the rb_root pointer to
NULL
6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,
which causes htb_dequeue_tree to call htb_lookup_leaf with the same
hprio rbtree, and fail the BUG_ON
The function graph for this scenario is shown here:
0) | htb_enqueue() {
0) + 13.635 us | netem_enqueue();
0) 4.719 us | htb_activate_prios();
0) # 2249.199 us | }
0) | htb_dequeue() {
0) 2.355 us | htb_lookup_leaf();
0) | netem_dequeue() {
0) + 11.061 us | blackhole_enqueue();
0) | qdisc_tree_reduce_backlog() {
0) | qdisc_lookup_rcu() {
0) 1.873 us | qdisc_match_from_root();
0) 6.292 us | }
0) 1.894 us | htb_search();
0) | htb_qlen_notify() {
0) 2.655 us | htb_deactivate_prios();
0) 6.933 us | }
0) + 25.227 us | }
0) 1.983 us | blackhole_dequeue();
0) + 86.553 us | }
0) # 2932.761 us | qdisc_warn_nonwc();
0) | htb_lookup_leaf() {
0) | BUG_ON();
------------------------------------------
The full original bug report can be seen here [1].
We can fix this just by returning NULL instead of the BUG_ON,
as htb_dequeue_tree returns NULL when htb_lookup_leaf returns
NULL.
[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/
ModerateCVE-2025-38468 at SUSECVE-2025-38468 at NVDSUSE bug 1247437CVE-2025-38499SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
What we want is to verify there is that clone won't expose something
hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo"
may be a result of MNT_LOCKED on a child, but it may also come from
lacking admin rights in the userns of the namespace mount belongs to.
clone_private_mnt() checks the former, but not the latter.
There's a number of rather confusing CAP_SYS_ADMIN checks in various
userns during the mount, especially with the new mount API; they serve
different purposes and in case of clone_private_mnt() they usually,
but not always end up covering the missing check mentioned above.
ImportantCVE-2025-38499 at SUSECVE-2025-38499 at NVDSUSE bug 1247976SUSE bug 1248673CVE-2025-38568SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing
TCA_MQPRIO_TC_ENTRY_INDEX is validated using
NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value
TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack
write in the fp[] array, which only has room for 16 elements (0-15).
Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.
ModerateCVE-2025-38568 at SUSECVE-2025-38568 at NVDSUSE bug 1248386CVE-2025-38653SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al
Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario.
It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in
proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same
manner.
ModerateCVE-2025-38653 at SUSECVE-2025-38653 at NVDSUSE bug 1248630CVE-2025-38683SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
hv_netvsc: Fix panic during namespace deletion with VF
The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
received on netvsc NIC. During deletion of the namespace,
default_device_exit_batch() >> default_device_exit_net() is called. When
netvsc NIC is moved back and registered to the default namespace, it
automatically brings VF NIC back to the default namespace. This will cause
the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
the list end, and hit NULL ptr:
[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 231.450246] #PF: supervisor read access in kernel mode
[ 231.450579] #PF: error_code(0x0000) - not-present page
[ 231.450916] PGD 17b8a8067 P4D 0
[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
[ 231.452692] Workqueue: netns cleanup_net
[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
[ 231.458434] Call Trace:
[ 231.458600] <TASK>
[ 231.458777] ops_undo_list+0x100/0x220
[ 231.459015] cleanup_net+0x1b8/0x300
[ 231.459285] process_one_work+0x184/0x340
To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
changing the netdev list when default_device_exit_net() is using it.
ModerateCVE-2025-38683 at SUSECVE-2025-38683 at NVDSUSE bug 1249159CVE-2025-38703SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Make dma-fences compliant with the safe access rules
Xe can free some of the data pointed to by the dma-fences it exports. Most
notably the timeline name can get freed if userspace closes the associated
submit queue. At the same time the fence could have been exported to a
third party (for example a sync_fence fd) which will then cause an use-
after-free on subsequent access.
To make this safe we need to make the driver compliant with the newly
documented dma-fence rules. Driver has to ensure a RCU grace period
between signalling a fence and freeing any data pointed to by said fence.
For the timeline name we simply make the queue be freed via kfree_rcu and
for the shared lock associated with multiple queues we add a RCU grace
period before freeing the per GT structure holding the lock.
ImportantCVE-2025-38703 at SUSECVE-2025-38703 at NVDSUSE bug 1249193SUSE bug 1249763CVE-2025-38724SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). a SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.
Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then treat it as if there were no
confirmed client found at all.
In the case where the unconfirmed client is expiring, just fail and
return the result from get_client_locked().
ModerateCVE-2025-38724 at SUSECVE-2025-38724 at NVDSUSE bug 1249169CVE-2025-38730SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: commit partial buffers on retry
Ring provided buffers are potentially only valid within the single
execution context in which they were acquired. io_uring deals with this
and invalidates them on retry. But on the networking side, if
MSG_WAITALL is set, or if the socket is of the streaming type and too
little was processed, then it will hang on to the buffer rather than
recycle or commit it. This is problematic for two reasons:
1) If someone unregisters the provided buffer ring before a later retry,
then the req->buf_list will no longer be valid.
2) If multiple sockers are using the same buffer group, then multiple
receives can consume the same memory. This can cause data corruption
in the application, as either receive could land in the same
userspace buffer.
Fix this by disallowing partial retries from pinning a provided buffer
across multiple executions, if ring provided buffers are used.
ModerateCVE-2025-38730 at SUSECVE-2025-38730 at NVDSUSE bug 1249172CVE-2025-38731SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix vm_bind_ioctl double free bug
If the argument check during an array bind fails, the bind_ops are freed
twice as seen below. Fix this by setting bind_ops to NULL after freeing.
==================================================================
BUG: KASAN: double-free in xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
Free of addr ffff88813bb9b800 by task xe_vm/14198
CPU: 5 UID: 0 PID: 14198 Comm: xe_vm Not tainted 6.16.0-xe-eudebug-cmanszew+ #520 PREEMPT(full)
Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR5 RVP, BIOS ADLPFWI1.R00.2411.A02.2110081023 10/08/2021
Call Trace:
<TASK>
dump_stack_lvl+0x82/0xd0
print_report+0xcb/0x610
? __virt_addr_valid+0x19a/0x300
? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
kasan_report_invalid_free+0xc8/0xf0
? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
check_slab_allocation+0x102/0x130
kfree+0x10d/0x440
? should_fail_ex+0x57/0x2f0
? xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
xe_vm_bind_ioctl+0x1b2/0x21f0 [xe]
? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]
? __lock_acquire+0xab9/0x27f0
? lock_acquire+0x165/0x300
? drm_dev_enter+0x53/0xe0 [drm]
? find_held_lock+0x2b/0x80
? drm_dev_exit+0x30/0x50 [drm]
? drm_ioctl_kernel+0x128/0x1c0 [drm]
drm_ioctl_kernel+0x128/0x1c0 [drm]
? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]
? find_held_lock+0x2b/0x80
? __pfx_drm_ioctl_kernel+0x10/0x10 [drm]
? should_fail_ex+0x57/0x2f0
? __pfx_xe_vm_bind_ioctl+0x10/0x10 [xe]
drm_ioctl+0x352/0x620 [drm]
? __pfx_drm_ioctl+0x10/0x10 [drm]
? __pfx_rpm_resume+0x10/0x10
? do_raw_spin_lock+0x11a/0x1b0
? find_held_lock+0x2b/0x80
? __pm_runtime_resume+0x61/0xc0
? rcu_is_watching+0x20/0x50
? trace_irq_enable.constprop.0+0xac/0xe0
xe_drm_ioctl+0x91/0xc0 [xe]
__x64_sys_ioctl+0xb2/0x100
? rcu_is_watching+0x20/0x50
do_syscall_64+0x68/0x2e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa9acb24ded
(cherry picked from commit a01b704527c28a2fd43a17a85f8996b75ec8492a)
ImportantCVE-2025-38731 at SUSECVE-2025-38731 at NVDSUSE bug 1249261CVE-2025-38737SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix oops due to uninitialised variable
Fix smb3_init_transform_rq() to initialise buffer to NULL before calling
netfs_alloc_folioq_buffer() as netfs assumes it can append to the buffer it
is given. Setting it to NULL means it should start a fresh buffer, but the
value is currently undefined.
ImportantCVE-2025-38737 at SUSECVE-2025-38737 at NVDSUSE bug 1249259SUSE bug 1249597CVE-2025-39697SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix a race when updating an existing write
After nfs_lock_and_join_requests() tests for whether the request is
still attached to the mapping, nothing prevents a call to
nfs_inode_remove_request() from succeeding until we actually lock the
page group.
The reason is that whoever called nfs_inode_remove_request() doesn't
necessarily have a lock on the page group head.
So in order to avoid races, let's take the page group lock earlier in
nfs_lock_and_join_requests(), and hold it across the removal of the
request in nfs_inode_remove_request().
ModerateCVE-2025-39697 at SUSECVE-2025-39697 at NVDSUSE bug 1249319CVE-2025-39718SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: Validate length in packet header before skb_put()
When receiving a vsock packet in the guest, only the virtqueue buffer
size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,
virtio_vsock_skb_rx_put() uses the length from the packet header as the
length argument to skb_put(), potentially resulting in SKB overflow if
the host has gone wonky.
Validate the length as advertised by the packet header before calling
virtio_vsock_skb_rx_put().
ModerateCVE-2025-39718 at SUSECVE-2025-39718 at NVDSUSE bug 1249305CVE-2025-39727SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm: swap: fix potential buffer overflow in setup_clusters()
In setup_swap_map(), we only ensure badpages are in range (0, last_page].
As maxpages might be < last_page, setup_clusters() will encounter a buffer
overflow when a badpage is >= maxpages.
Only call inc_cluster_info_page() for badpage which is < maxpages to fix
the issue.
ModerateCVE-2025-39727 at SUSECVE-2025-39727 at NVDSUSE bug 1249297CVE-2025-39730SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
The function needs to check the minimal filehandle length before it can
access the embedded filehandle.
ModerateCVE-2025-39730 at SUSECVE-2025-39730 at NVDSUSE bug 1249296CVE-2025-39751SUSE Liberty Linux 10
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
ModerateCVE-2025-39751 at SUSECVE-2025-39751 at NVDSUSE bug 1249538SUSE bug 1249539CVE-2025-39760SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
usb: core: config: Prevent OOB read in SS endpoint companion parsing
usb_parse_ss_endpoint_companion() checks descriptor type before length,
enabling a potentially odd read outside of the buffer size.
Fix this up by checking the size first before looking at any of the
fields in the descriptor.
ModerateCVE-2025-39760 at SUSECVE-2025-39760 at NVDSUSE bug 1249598CVE-2025-39766SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1
This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.
I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.
ModerateCVE-2025-39766 at SUSECVE-2025-39766 at NVDSUSE bug 1249510CVE-2025-39806SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during
mt_report_fixup() by passing in report descriptor smaller than
607 bytes. mt_report_fixup() attempts to patch byte offset 607
of the descriptor with 0x25 by first checking if byte offset
607 is 0x15 however it lacks bounds checks to verify if the
descriptor is big enough before conducting this check. Fix
this bug by ensuring the descriptor size is at least 608
bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
ModerateCVE-2025-39806 at SUSECVE-2025-39806 at NVDSUSE bug 1249888CVE-2025-39818SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save
Improper use of secondary pointer (&dev->i2c_subip_regs) caused
kernel crash and out-of-bounds error:
BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510
Write of size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107
CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3 PREEMPT(voluntary)
Workqueue: async async_run_entry_fn
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
print_report+0xd1/0x660
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? kasan_complete_mode_report_info+0x26/0x200
kasan_report+0xe1/0x120
? _regmap_bulk_read+0x449/0x510
? _regmap_bulk_read+0x449/0x510
__asan_report_store4_noabort+0x17/0x30
_regmap_bulk_read+0x449/0x510
? __pfx__regmap_bulk_read+0x10/0x10
regmap_bulk_read+0x270/0x3d0
pio_complete+0x1ee/0x2c0 [intel_thc]
? __pfx_pio_complete+0x10/0x10 [intel_thc]
? __pfx_pio_wait+0x10/0x10 [intel_thc]
? regmap_update_bits_base+0x13b/0x1f0
thc_i2c_subip_pio_read+0x117/0x270 [intel_thc]
thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc]
? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc]
[...]
The buggy address belongs to the object at ffff888136005d00
which belongs to the cache kmalloc-rnd-12-192 of size 192
The buggy address is located 0 bytes to the right of
allocated 192-byte region [ffff888136005d00, ffff888136005dc0)
Replaced with direct array indexing (&dev->i2c_subip_regs[i]) to ensure
safe memory access.
ModerateCVE-2025-39818 at SUSECVE-2025-39818 at NVDSUSE bug 1249903CVE-2025-39840SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
audit: fix out-of-bounds read in audit_compare_dname_path()
When a watch on dir=/ is combined with an fsnotify event for a
single-character name directly under / (e.g., creating /a), an
out-of-bounds read can occur in audit_compare_dname_path().
The helper parent_len() returns 1 for "/". In audit_compare_dname_path(),
when parentlen equals the full path length (1), the code sets p = path + 1
and pathlen = 1 - 1 = 0. The subsequent loop then dereferences
p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.
Fix this by adding a pathlen > 0 check to the while loop condition
to prevent the out-of-bounds access.
[PM: subject tweak, sign-off email fixes]
ModerateCVE-2025-39840 at SUSECVE-2025-39840 at NVDSUSE bug 1250273CVE-2025-39843SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm: slub: avoid wake up kswapd in set_track_prepare
set_track_prepare() can incur lock recursion.
The issue is that it is called from hrtimer_start_range_ns
holding the per_cpu(hrtimer_bases)[n].lock, but when enabled
CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,
and try to hold the per_cpu(hrtimer_bases)[n].lock.
Avoid deadlock caused by implicitly waking up kswapd by passing in
allocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the
debug_objects_fill_pool() case. Inside stack depot they are processed by
gfp_nested_mask().
Since ___slab_alloc() has preemption disabled, we mask out
__GFP_DIRECT_RECLAIM from the flags there.
The oops looks something like:
BUG: spinlock recursion on CPU#3, swapper/3/0
lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3
Hardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)
Call trace:
spin_bug+0x0
_raw_spin_lock_irqsave+0x80
hrtimer_try_to_cancel+0x94
task_contending+0x10c
enqueue_dl_entity+0x2a4
dl_server_start+0x74
enqueue_task_fair+0x568
enqueue_task+0xac
do_activate_task+0x14c
ttwu_do_activate+0xcc
try_to_wake_up+0x6c8
default_wake_function+0x20
autoremove_wake_function+0x1c
__wake_up+0xac
wakeup_kswapd+0x19c
wake_all_kswapds+0x78
__alloc_pages_slowpath+0x1ac
__alloc_pages_noprof+0x298
stack_depot_save_flags+0x6b0
stack_depot_save+0x14
set_track_prepare+0x5c
___slab_alloc+0xccc
__kmalloc_cache_noprof+0x470
__set_page_owner+0x2bc
post_alloc_hook[jt]+0x1b8
prep_new_page+0x28
get_page_from_freelist+0x1edc
__alloc_pages_noprof+0x13c
alloc_slab_page+0x244
allocate_slab+0x7c
___slab_alloc+0x8e8
kmem_cache_alloc_noprof+0x450
debug_objects_fill_pool+0x22c
debug_object_activate+0x40
enqueue_hrtimer[jt]+0xdc
hrtimer_start_range_ns+0x5f8
...
ModerateCVE-2025-39843 at SUSECVE-2025-39843 at NVDSUSE bug 1250270CVE-2025-39849SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
lead to memory corruption so add some bounds checking.
ModerateCVE-2025-39849 at SUSECVE-2025-39849 at NVDSUSE bug 1250266CVE-2025-39883SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
When I did memory failure tests, below panic occurs:
page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Call Trace:
<TASK>
unpoison_memory+0x2f3/0x590
simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
debugfs_attr_write+0x42/0x60
full_proxy_write+0x5b/0x80
vfs_write+0xd5/0x540
ksys_write+0x64/0xe0
do_syscall_64+0xb9/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08f0314887
RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
</TASK>
Modules linked in: hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
The root cause is that unpoison_memory() tries to check the PG_HWPoison
flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is
triggered. This can be reproduced by below steps:
1.Offline memory block:
echo offline > /sys/devices/system/memory/memory12/state
2.Get offlined memory pfn:
page-types -b n -rlN
3.Write pfn to unpoison-pfn
echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn
This scenario can be identified by pfn_to_online_page() returning NULL.
And ZONE_DEVICE pages are never expected, so we can simply fail if
pfn_to_online_page() == NULL to fix the bug.
ModerateCVE-2025-39883 at SUSECVE-2025-39883 at NVDSUSE bug 1250376CVE-2025-39898SUSE Liberty Linux 10
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
ImportantCVE-2025-39898 at SUSECVE-2025-39898 at NVDSUSE bug 1247374SUSE bug 1250742SUSE bug 1250744SUSE bug 1253291CVE-2025-39905SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: phylink: add lock for serializing concurrent pl->phydev writes with resolver
Currently phylink_resolve() protects itself against concurrent
phylink_bringup_phy() or phylink_disconnect_phy() calls which modify
pl->phydev by relying on pl->state_mutex.
The problem is that in phylink_resolve(), pl->state_mutex is in a lock
inversion state with pl->phydev->lock. So pl->phydev->lock needs to be
acquired prior to pl->state_mutex. But that requires dereferencing
pl->phydev in the first place, and without pl->state_mutex, that is
racy.
Hence the reason for the extra lock. Currently it is redundant, but it
will serve a functional purpose once mutex_lock(&phy->lock) will be
moved outside of the mutex_lock(&pl->state_mutex) section.
Another alternative considered would have been to let phylink_resolve()
acquire the rtnl_mutex, which is also held when phylink_bringup_phy()
and phylink_disconnect_phy() are called. But since phylink_disconnect_phy()
runs under rtnl_lock(), it would deadlock with phylink_resolve() when
calling flush_work(&pl->resolve). Additionally, it would have been
undesirable because it would have unnecessarily blocked many other call
paths as well in the entire kernel, so the smaller-scoped lock was
preferred.
LowCVE-2025-39905 at SUSECVE-2025-39905 at NVDSUSE bug 1250725CVE-2025-39918SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: fix linked list corruption
Never leave scheduled wcid entries on the temporary on-stack list
ModerateCVE-2025-39918 at SUSECVE-2025-39918 at NVDSUSE bug 1250729CVE-2025-39925SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: implement NETDEV_UNREGISTER notification handler
syzbot is reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
problem, for j1939 protocol did not have NETDEV_UNREGISTER notification
handler for undoing changes made by j1939_sk_bind().
Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
callback") expects that a call to j1939_priv_put() can be unconditionally
delayed until j1939_sk_sock_destruct() is called. But we need to call
j1939_priv_put() against an extra ref held by j1939_sk_bind() call
(as a part of undoing changes made by j1939_sk_bind()) as soon as
NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()
is called via j1939_sk_release()). Otherwise, the extra ref on "struct
j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from
dropping the usage count to 1; making it impossible for
unregister_netdevice() to continue.
[mkl: remove space in front of label]
ModerateCVE-2025-39925 at SUSECVE-2025-39925 at NVDSUSE bug 1250736CVE-2025-39933SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
smb: client: let recv_done verify data_offset, data_length and remaining_data_length
This is inspired by the related server fixes.
ModerateCVE-2025-39933 at SUSECVE-2025-39933 at NVDSUSE bug 1251172CVE-2025-39966SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Fix race during abort for file descriptors
fput() doesn't actually call file_operations release() synchronously, it
puts the file on a work queue and it will be released eventually.
This is normally fine, except for iommufd the file and the iommufd_object
are tied to gether. The file has the object as it's private_data and holds
a users refcount, while the object is expected to remain alive as long as
the file is.
When the allocation of a new object aborts before installing the file it
will fput() the file and then go on to immediately kfree() the obj. This
causes a UAF once the workqueue completes the fput() and tries to
decrement the users refcount.
Fix this by putting the core code in charge of the file lifetime, and call
__fput_sync() during abort to ensure that release() is called before
kfree. __fput_sync() is a bit too tricky to open code in all the object
implementations. Instead the objects tell the core code where the file
pointer is and the core will take care of the life cycle.
If the object is successfully allocated then the file will hold a users
refcount and the iommufd_object cannot be destroyed.
It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn't have an
issue because close() is already using a synchronous version of fput().
The UAF looks like this:
BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164
CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]
__refcount_dec include/linux/refcount.h:455 [inline]
refcount_dec include/linux/refcount.h:476 [inline]
iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376
__fput+0x402/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
ModerateCVE-2025-39966 at SUSECVE-2025-39966 at NVDSUSE bug 1252043CVE-2025-39971SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix idx validation in config queues msg
Ensure idx is within range of active/initialized TCs when iterating over
vf->ch[idx] in i40e_vc_config_queues_msg().
ModerateCVE-2025-39971 at SUSECVE-2025-39971 at NVDSUSE bug 1252052CVE-2025-39973SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
i40e: add validation for ring_len param
The `ring_len` parameter provided by the virtual function (VF)
is assigned directly to the hardware memory context (HMC) without
any validation.
To address this, introduce an upper boundary check for both Tx and Rx
queue lengths. The maximum number of descriptors supported by the
hardware is 8k-32.
Additionally, enforce alignment constraints: Tx rings must be a multiple
of 8, and Rx rings must be a multiple of 32.
ImportantCVE-2025-39973 at SUSECVE-2025-39973 at NVDSUSE bug 1247374SUSE bug 1252035SUSE bug 1252036CVE-2025-39979SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: fs, fix UAF in flow counter release
Fix a kernel trace [1] caused by releasing an HWS action of a local flow
counter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and
mutex were not initialized and the counter struct could already be freed
when deleting the rule.
Fix it by adding the missing initializations and adding refcount for the
local flow counter struct.
[1] Kernel log:
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x48
mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]
mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]
mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]
mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]
del_hw_fte+0x1ce/0x260 [mlx5_core]
mlx5_del_flow_rules+0x12d/0x240 [mlx5_core]
? ttwu_queue_wakelist+0xf4/0x110
mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]
uverbs_free_flow+0x20/0x50 [ib_uverbs]
destroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]
uverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]
uobj_destroy+0x3c/0x80 [ib_uverbs]
ib_uverbs_run_method+0x23e/0x360 [ib_uverbs]
? uverbs_finalize_object+0x60/0x60 [ib_uverbs]
ib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]
? do_tty_write+0x1a9/0x270
? file_tty_write.constprop.0+0x98/0xc0
? new_sync_write+0xfc/0x190
ib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]
__x64_sys_ioctl+0x87/0xc0
do_syscall_64+0x59/0x90
ImportantCVE-2025-39979 at SUSECVE-2025-39979 at NVDSUSE bug 1252067SUSE bug 1252068CVE-2025-39981SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix possible UAFs
This attemps to fix possible UAFs caused by struct mgmt_pending being
freed while still being processed like in the following trace, in order
to fix mgmt_pending_valid is introduce and use to check if the
mgmt_pending hasn't been removed from the pending list, on the complete
callbacks it is used to check and in addtion remove the cmd from the list
while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd
is left on the list it can still be accessed and freed.
BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55
CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 12210:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
__add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247
add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
sock_write_iter+0x258/0x330 net/socket.c:1133
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 12221:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4648 [inline]
kfree+0x18e/0x440 mm/slub.c:4847
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
__mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444
hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290
hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526
sock_do_ioctl+0xd9/0x300 net/socket.c:1192
sock_ioctl+0x576/0x790 net/socket.c:1313
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf
---truncated---
ImportantCVE-2025-39981 at SUSECVE-2025-39981 at NVDSUSE bug 1252060SUSE bug 1252061CVE-2025-39982SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
This fixes the following UFA in hci_acl_create_conn_sync where a
connection still pending is command submission (conn->state == BT_OPEN)
maybe freed, also since this also can happen with the likes of
hci_le_create_conn_sync fix it as well:
BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
Write of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541
CPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci3 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 123736:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
__hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939
hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]
hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634
pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x54b/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 103680:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x18e/0x440 mm/slub.c:4842
device_release+0x9c/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x22b/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173
hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199
hci_event_func net/bluetooth/hci_event.c:7477 [inline]
hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour
---truncated---
ModerateCVE-2025-39982 at SUSECVE-2025-39982 at NVDSUSE bug 1252083CVE-2025-39983SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
This fixes the following UAF caused by not properly locking hdev when
processing HCI_EV_NUM_COMP_PKTS:
BUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036
Read of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54
CPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci1 hci_rx_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036
hci_num_comp_pkts_evt+0x1c8/0xa50 net/bluetooth/hci_event.c:4404
hci_event_func net/bluetooth/hci_event.c:7477 [inline]
hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 54:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
__hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939
le_conn_complete_evt+0x3d6/0x1220 net/bluetooth/hci_event.c:5628
hci_le_enh_conn_complete_evt+0x189/0x470 net/bluetooth/hci_event.c:5794
hci_event_func net/bluetooth/hci_event.c:7474 [inline]
hci_event_packet+0x78c/0x1200 net/bluetooth/hci_event.c:7531
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
Freed by task 9572:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x18e/0x440 mm/slub.c:4842
device_release+0x9c/0x1c0
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x22b/0x480 lib/kobject.c:737
hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]
hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173
hci_abort_conn_sync+0x5d1/0xdf0 net/bluetooth/hci_sync.c:5689
hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245
ModerateCVE-2025-39983 at SUSECVE-2025-39983 at NVDSUSE bug 1252080CVE-2025-39984SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: tun: Update napi->skb after XDP process
The syzbot report a UAF issue:
BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]
BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079
CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
napi_frags_skb net/core/gro.c:723 [inline]
napi_gro_frags+0x6e/0x1030 net/core/gro.c:758
tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated by task 6079:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:330 [inline]
__kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558
kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]
napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295
__alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657
napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811
napi_get_frags+0x69/0x140 net/core/gro.c:673
tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]
tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6079:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kmem_cache_free+0x18f/0x400 mm/slub.c:4797
skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969
netif_skb_check_for_xdp net/core/dev.c:5390 [inline]
netif_receive_generic_xdp net/core/dev.c:5431 [inline]
do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499
tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
After commit e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in
generic mode"), the original skb may be freed in skb_pp_cow_data() when
XDP program was attached, which was allocated in tun_napi_alloc_frags().
However, the napi->skb still point to the original skb, update it after
XDP process.
ModerateCVE-2025-39984 at SUSECVE-2025-39984 at NVDSUSE bug 1252081CVE-2025-40047SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: always prune wait queue entry in io_waitid_wait()
For a successful return, always remove our entry from the wait queue
entry list. Previously this was skipped if a cancelation was in
progress, but this can race with another invocation of the wait queue
entry callback.
ModerateCVE-2025-40047 at SUSECVE-2025-40047 at NVDSUSE bug 1252790CVE-2025-40058SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Disallow dirty tracking if incoherent page walk
Dirty page tracking relies on the IOMMU atomically updating the dirty bit
in the paging-structure entry. For this operation to succeed, the paging-
structure memory must be coherent between the IOMMU and the CPU. In
another word, if the iommu page walk is incoherent, dirty page tracking
doesn't work.
The Intel VT-d specification, Section 3.10 "Snoop Behavior" states:
"Remapping hardware encountering the need to atomically update A/EA/D bits
in a paging-structure entry that is not snooped will result in a non-
recoverable fault."
To prevent an IOMMU from being incorrectly configured for dirty page
tracking when it is operating in an incoherent mode, mark SSADS as
supported only when both ecap_slads and ecap_smpwc are supported.
ModerateCVE-2025-40058 at SUSECVE-2025-40058 at NVDSUSE bug 1252854CVE-2025-40064SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix use-after-free in __pnet_find_base_ndev().
syzbot reported use-after-free of net_device in __pnet_find_base_ndev(),
which was called during connect(). [0]
smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes
down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened
at __pnet_find_base_ndev() when the dev is first used.
This means dev had already been freed before acquiring RTNL in
pnet_find_base_ndev().
While dev is going away, dst->dev could be swapped with blackhole_netdev,
and the dev's refcnt by dst will be released.
We must hold dev's refcnt before calling smc_pnet_find_ism_resource().
Also, smc_pnet_find_roce_resource() has the same problem.
Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.
[0]:
BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609
CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]
smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]
smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154
smc_find_ism_device net/smc/af_smc.c:1030 [inline]
smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]
__smc_connect+0x372/0x1890 net/smc/af_smc.c:1545
smc_connect+0x877/0xd90 net/smc/af_smc.c:1715
__sys_connect_file net/socket.c:2086 [inline]
__sys_connect+0x313/0x440 net/socket.c:2105
__do_sys_connect net/socket.c:2111 [inline]
__se_sys_connect net/socket.c:2108 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2108
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47cbf8eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9
RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b
RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000
raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317
__kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348
__do_kmalloc_node mm/slub.c:4364 [inline]
__kvmalloc_node
---truncated---
ModerateCVE-2025-40064 at SUSECVE-2025-40064 at NVDSUSE bug 1252845CVE-2025-40096SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
When adding dependencies with drm_sched_job_add_dependency(), that
function consumes the fence reference both on success and failure, so in
the latter case the dma_fence_put() on the error path (xarray failed to
expand) is a double free.
Interestingly this bug appears to have been present ever since
commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code
back then looked like this:
drm_sched_job_add_implicit_dependencies():
...
for (i = 0; i < fence_count; i++) {
ret = drm_sched_job_add_dependency(job, fences[i]);
if (ret)
break;
}
for (; i < fence_count; i++)
dma_fence_put(fences[i]);
Which means for the failing 'i' the dma_fence_put was already a double
free. Possibly there were no users at that time, or the test cases were
insufficient to hit it.
The bug was then only noticed and fixed after
commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2")
landed, with its fixup of
commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies").
At that point it was a slightly different flavour of a double free, which
commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder")
noticed and attempted to fix.
But it only moved the double free from happening inside the
drm_sched_job_add_dependency(), when releasing the reference not yet
obtained, to the caller, when releasing the reference already released by
the former in the failure case.
As such it is not easy to identify the right target for the fixes tag so
lets keep it simple and just continue the chain.
While fixing we also improve the comment and explain the reason for taking
the reference and not dropping it.
ModerateCVE-2025-40096 at SUSECVE-2025-40096 at NVDSUSE bug 1252902CVE-2025-40133SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().
mptcp_active_enable() is called from subflow_finish_connect(),
which is icsk->icsk_af_ops->sk_rx_dst_set() and it's not always
under RCU.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
ModerateCVE-2025-40133 at SUSECVE-2025-40133 at NVDSUSE bug 1253328CVE-2025-40135SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_xmit()
Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
possible UAF.
ModerateCVE-2025-40135 at SUSECVE-2025-40135 at NVDSUSE bug 1253342CVE-2025-40141SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Fix possible UAF on iso_conn_free
This attempt to fix similar issue to sco_conn_free where if the
conn->sk is not set to NULL may lead to UAF on iso_conn_free.
ModerateCVE-2025-40141 at SUSECVE-2025-40141 at NVDSUSE bug 1253352CVE-2025-40154SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
When an invalid value is passed via quirk option, currently
bytcr_rt5640 driver only shows an error message but leaves as is.
This may lead to unepxected results like OOB access.
This patch corrects the input mapping to the certain default value if
an invalid value is passed.
ModerateCVE-2025-40154 at SUSECVE-2025-40154 at NVDSUSE bug 1253431SUSE bug 1253432CVE-2025-40158SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_output()
Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
possible UAF.
We can remove rcu_read_lock()/rcu_read_unlock() pairs
from ip6_finish_output2().
ModerateCVE-2025-40158 at SUSECVE-2025-40158 at NVDSUSE bug 1253402CVE-2025-40168SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
smc_clc_prfx_match() is called from smc_listen_work() and
not under RCU nor RTNL.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
Note that the returned value of smc_clc_prfx_match() is not
used in the caller.
ModerateCVE-2025-40168 at SUSECVE-2025-40168 at NVDSUSE bug 1253427CVE-2025-40170SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: use dst_dev_rcu() in sk_setup_caps()
Use RCU to protect accesses to dst->dev from sk_setup_caps()
and sk_dst_gso_max_size().
Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),
and ip_dst_mtu_maybe_forward().
ip4_dst_hoplimit() can use dst_dev_net_rcu().
ModerateCVE-2025-40170 at SUSECVE-2025-40170 at NVDSUSE bug 1253413CVE-2025-40176SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
tls: wait for pending async decryptions if tls_strp_msg_hold fails
Async decryption calls tls_strp_msg_hold to create a clone of the
input skb to hold references to the memory it uses. If we fail to
allocate that clone, proceeding with async decryption can lead to
various issues (UAF on the skb, writing into userspace memory after
the recv() call has returned).
In this case, wait for all pending decryption requests.
ImportantCVE-2025-40176 at SUSECVE-2025-40176 at NVDSUSE bug 1253425SUSE bug 1254100CVE-2025-40185SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ice: ice_adapter: release xa entry on adapter allocation failure
When ice_adapter_new() fails, the reserved XArray entry created by
xa_insert() is not released. This causes subsequent insertions at
the same index to return -EBUSY, potentially leading to
NULL pointer dereferences.
Reorder the operations as suggested by Przemek Kitszel:
1. Check if adapter already exists (xa_load)
2. Reserve the XArray slot (xa_reserve)
3. Allocate the adapter (ice_adapter_new)
4. Store the adapter (xa_store)
ModerateCVE-2025-40185 at SUSECVE-2025-40185 at NVDSUSE bug 1253394CVE-2025-40240SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
sctp: avoid NULL dereference when chunk data buffer is missing
chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.
chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.
ModerateCVE-2025-40240 at SUSECVE-2025-40240 at NVDSUSE bug 1254869CVE-2025-40248SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
vsock: Ignore signal/timeout on connect() if already established
During connect(), acting on a signal/timeout by disconnecting an already
established socket leads to several issues:
1. connect() invoking vsock_transport_cancel_pkt() ->
virtio_transport_purge_skbs() may race with sendmsg() invoking
virtio_transport_get_credit(). This results in a permanently elevated
`vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
2. connect() resetting a connected socket's state may race with socket
being placed in a sockmap. A disconnected socket remaining in a sockmap
breaks sockmap's assumptions. And gives rise to WARNs.
3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
transport change/drop after TCP_ESTABLISHED. Which poses a problem for
any simultaneous sendmsg() or connect() and may result in a
use-after-free/null-ptr-deref.
Do not disconnect socket on signal/timeout. Keep the logic for unconnected
sockets: they don't linger, can't be placed in a sockmap, are rejected by
sendmsg().
[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
ModerateCVE-2025-40248 at SUSECVE-2025-40248 at NVDSUSE bug 1254864CVE-2025-40249SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
gpio: cdev: make sure the cdev fd is still active before emitting events
With the final call to fput() on a file descriptor, the release action
may be deferred and scheduled on a work queue. The reference count of
that descriptor is still zero and it must not be used. It's possible
that a GPIO change, we want to notify the user-space about, happens
AFTER the reference count on the file descriptor associated with the
character device went down to zero but BEFORE the .release() callback
was called from the workqueue and so BEFORE we unregistered from the
notifier.
Using the regular get_file() routine in this situation triggers the
following warning:
struct file::f_count incremented from zero; use-after-free condition present!
So use the get_file_active() variant that will return NULL on file
descriptors that have been or are being released.
ModerateCVE-2025-40249 at SUSECVE-2025-40249 at NVDSUSE bug 1254853CVE-2025-40251SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
The function devl_rate_nodes_destroy is documented to "Unset parent for
all rate objects". However, it was only calling the driver-specific
`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing
the parent's refcount, without actually setting the
`devlink_rate->parent` pointer to NULL.
This leaves a dangling pointer in the `devlink_rate` struct, which cause
refcount error in netdevsim[1] and mlx5[2]. In addition, this is
inconsistent with the behavior of `devlink_nl_rate_parent_node_set`,
where the parent pointer is correctly cleared.
This patch fixes the issue by explicitly setting `devlink_rate->parent`
to NULL after notifying the driver, thus fulfilling the function's
documented behavior for all rate objects.
[1]
repro steps:
echo 1 > /sys/bus/netdevsim/new_device
devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
devlink port function rate add netdevsim/netdevsim1/test_node
devlink port function rate set netdevsim/netdevsim1/128 parent test_node
echo 1 > /sys/bus/netdevsim/del_device
dmesg:
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0x42/0xe0
Call Trace:
<TASK>
devl_rate_leaf_destroy+0x8d/0x90
__nsim_dev_port_del+0x6c/0x70 [netdevsim]
nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]
nsim_drv_remove+0x2b/0xb0 [netdevsim]
device_release_driver_internal+0x194/0x1f0
bus_remove_device+0xc6/0x130
device_del+0x159/0x3c0
device_unregister+0x1a/0x60
del_device_store+0x111/0x170 [netdevsim]
kernfs_fop_write_iter+0x12e/0x1e0
vfs_write+0x215/0x3d0
ksys_write+0x5f/0xd0
do_syscall_64+0x55/0x10f0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
devlink dev eswitch set pci/0000:08:00.0 mode switchdev
devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
devlink port function rate add pci/0000:08:00.0/group1
devlink port function rate set pci/0000:08:00.0/32768 parent group1
modprobe -r mlx5_ib mlx5_fwctl mlx5_core
dmesg:
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0x42/0xe0
Call Trace:
<TASK>
devl_rate_leaf_destroy+0x8d/0x90
mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]
mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]
mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]
mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]
notifier_call_chain+0x33/0xa0
blocking_notifier_call_chain+0x3b/0x50
mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]
mlx5_eswitch_disable+0x63/0x90 [mlx5_core]
mlx5_unload+0x1d/0x170 [mlx5_core]
mlx5_uninit_one+0xa2/0x130 [mlx5_core]
remove_one+0x78/0xd0 [mlx5_core]
pci_device_remove+0x39/0xa0
device_release_driver_internal+0x194/0x1f0
unbind_store+0x99/0xa0
kernfs_fop_write_iter+0x12e/0x1e0
vfs_write+0x215/0x3d0
ksys_write+0x5f/0xd0
do_syscall_64+0x53/0x1f0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
ModerateCVE-2025-40251 at SUSECVE-2025-40251 at NVDSUSE bug 1254856CVE-2025-40258SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix race condition in mptcp_schedule_work()
syzbot reported use-after-free in mptcp_schedule_work() [1]
Issue here is that mptcp_schedule_work() schedules a work,
then gets a refcount on sk->sk_refcnt if the work was scheduled.
This refcount will be released by mptcp_worker().
[A] if (schedule_work(...)) {
[B] sock_hold(sk);
return true;
}
Problem is that mptcp_worker() can run immediately and complete before [B]
We need instead :
sock_hold(sk);
if (schedule_work(...))
return true;
sock_put(sk);
[1]
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:-1 [inline]
__refcount_inc include/linux/refcount.h:366 [inline]
refcount_inc include/linux/refcount.h:383 [inline]
sock_hold include/net/sock.h:816 [inline]
mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x648/0x970 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
ImportantCVE-2025-40258 at SUSECVE-2025-40258 at NVDSUSE bug 1254843SUSE bug 1255053CVE-2025-40269SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
The PCM stream data in USB-audio driver is transferred over USB URB
packet buffers, and each packet size is determined dynamically. The
packet sizes are limited by some factors such as wMaxPacketSize USB
descriptor. OTOH, in the current code, the actually used packet sizes
are determined only by the rate and the PPS, which may be bigger than
the size limit above. This results in a buffer overflow, as reported
by syzbot.
Basically when the limit is smaller than the calculated packet size,
it implies that something is wrong, most likely a weird USB
descriptor. So the best option would be just to return an error at
the parameter setup time before doing any further operations.
This patch introduces such a sanity check, and returns -EINVAL when
the packet size is greater than maxpacksize. The comparison with
ep->packsize[1] alone should suffice since it's always equal or
greater than ep->packsize[0].
ModerateCVE-2025-40269 at SUSECVE-2025-40269 at NVDSUSE bug 1255035CVE-2025-40271SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
fs/proc: fix uaf in proc_readdir_de()
Pde is erased from subdir rbtree through rb_erase(), but not set the node
to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()
set the erased node to EMPTY, then pde_subdir_next() will return NULL to
avoid uaf access.
We found an uaf issue while using stress-ng testing, need to run testcase
getdent and tun in the same time. The steps of the issue is as follows:
1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
pde is tun3;
2) in the [time windows] unregister netdevice tun3 and tun2, and erase
them from rbtree. erase tun3 first, and then erase tun2. the
pde(tun2) will be released to slab;
3) continue to getdent process, then pde_subdir_next() will return
pde(tun2) which is released, it will case uaf access.
CPU 0 | CPU 1
-------------------------------------------------------------------------
traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2
sys_getdents64() |
iterate_dir() |
proc_readdir() |
proc_readdir_de() | snmp6_unregister_dev()
pde_get(de); | proc_remove()
read_unlock(&proc_subdir_lock); | remove_proc_subtree()
| write_lock(&proc_subdir_lock);
[time window] | rb_erase(&root->subdir_node, &parent->subdir);
| write_unlock(&proc_subdir_lock);
read_lock(&proc_subdir_lock); |
next = pde_subdir_next(de); |
pde_put(de); |
de = next; //UAF |
rbtree of dev_snmp6
|
pde(tun3)
/ \
NULL pde(tun2)
ModerateCVE-2025-40271 at SUSECVE-2025-40271 at NVDSUSE bug 1255297CVE-2025-40277SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.
ModerateCVE-2025-40277 at SUSECVE-2025-40277 at NVDSUSE bug 1254894CVE-2025-40294SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
In the parse_adv_monitor_pattern() function, the value of
the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
The size of the 'value' array in the mgmt_adv_pattern structure is 31.
If the value of 'pattern[i].length' is set in the user space
and exceeds 31, the 'patterns[i].value' array can be accessed
out of bound when copied.
Increasing the size of the 'value' array in
the 'mgmt_adv_pattern' structure will break the userspace.
Considering this, and to avoid OOB access revert the limits for 'offset'
and 'length' back to the value of HCI_MAX_AD_LENGTH.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
ModerateCVE-2025-40294 at SUSECVE-2025-40294 at NVDSUSE bug 1255181CVE-2025-40301SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: validate skb length for unknown CC opcode
In hci_cmd_complete_evt(), if the command complete event has an unknown
opcode, we assume the first byte of the remaining skb->data contains the
return status. However, parameter data has previously been pulled in
hci_event_func(), which may leave the skb empty. If so, using skb->data[0]
for the return status uses un-init memory.
The fix is to check skb->len before using skb->data.
ModerateCVE-2025-40301 at SUSECVE-2025-40301 at NVDSUSE bug 1255193CVE-2025-40304SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Add bounds checking to prevent writes past framebuffer boundaries when
rendering text near screen edges. Return early if the Y position is off-screen
and clip image height to screen boundary. Break from the rendering loop if the
X position is off-screen. When clipping image width to fit the screen, update
the character count to match the clipped width to prevent buffer size
mismatches.
Without the character count update, bit_putcs_aligned and bit_putcs_unaligned
receive mismatched parameters where the buffer is allocated for the clipped
width but cnt reflects the original larger count, causing out-of-bounds writes.
ModerateCVE-2025-40304 at SUSECVE-2025-40304 at NVDSUSE bug 1255034CVE-2025-40318SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
hci_cmd_sync_dequeue_once() does lookup and then cancel
the entry under two separate lock sections. Meanwhile,
hci_cmd_sync_work() can also delete the same entry,
leading to double list_del() and "UAF".
Fix this by holding cmd_sync_work_lock across both
lookup and cancel, so that the entry cannot be removed
concurrently.
ModerateCVE-2025-40318 at SUSECVE-2025-40318 at NVDSUSE bug 1254798CVE-2025-40322SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
fbdev: bitblit: bound-check glyph index in bit_putcs*
bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.
This fixes a global out-of-bounds read reported by syzbot.
ModerateCVE-2025-40322 at SUSECVE-2025-40322 at NVDSUSE bug 1255092CVE-2025-4035SUSE Liberty Linux 10
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.
ModerateCVE-2025-4035 at SUSECVE-2025-4035 at NVDSUSE bug 1242062CVE-2025-40778SUSE Liberty Linux 10
Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
ImportantCVE-2025-40778 at SUSECVE-2025-40778 at NVDSUSE bug 1252379CVE-2025-40780SUSE Liberty Linux 10
In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.
This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
ImportantCVE-2025-40780 at SUSECVE-2025-40780 at NVDSUSE bug 1252380CVE-2025-40909SUSE Liberty Linux 10
Perl threads have a working directory race condition where file operations may target unintended paths.
If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.
This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.
The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6
ModerateCVE-2025-40909 at SUSECVE-2025-40909 at NVDSUSE bug 1244079CVE-2025-4207SUSE Liberty Linux 10
Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.
ModerateCVE-2025-4207 at SUSECVE-2025-4207 at NVDSUSE bug 1242931CVE-2025-45582SUSE Liberty Linux 10
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.
ImportantCVE-2025-45582 at SUSECVE-2025-45582 at NVDSUSE bug 1246399SUSE bug 1265450SUSE bug 1266731SUSE bug 1267189CVE-2025-4673SUSE Liberty Linux 10
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
ModerateCVE-2025-4673 at SUSECVE-2025-4673 at NVDSUSE bug 1244156CVE-2025-4674SUSE Liberty Linux 10
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
ImportantCVE-2025-4674 at SUSECVE-2025-4674 at NVDSUSE bug 1246118CVE-2025-46817SUSE Liberty Linux 10
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
CriticalCVE-2025-46817 at SUSECVE-2025-46817 at NVDSUSE bug 1250995CVE-2025-46818SUSE Liberty Linux 10
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CriticalCVE-2025-46818 at SUSECVE-2025-46818 at NVDSUSE bug 1250995CVE-2025-46819SUSE Liberty Linux 10
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
CriticalCVE-2025-46819 at SUSECVE-2025-46819 at NVDSUSE bug 1250995CVE-2025-46835SUSE Liberty Linux 10
Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
ModerateCVE-2025-46835 at SUSECVE-2025-46835 at NVDSUSE bug 1245942CVE-2025-47273SUSE Liberty Linux 10
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
ImportantCVE-2025-47273 at SUSECVE-2025-47273 at NVDSUSE bug 1243313CVE-2025-47287SUSE Liberty Linux 10
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
ImportantCVE-2025-47287 at SUSECVE-2025-47287 at NVDSUSE bug 1243268CVE-2025-47906SUSE Liberty Linux 10
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
ModerateCVE-2025-47906 at SUSECVE-2025-47906 at NVDSUSE bug 1247719CVE-2025-47907SUSE Liberty Linux 10
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
ModerateCVE-2025-47907 at SUSECVE-2025-47907 at NVDSUSE bug 1247720CVE-2025-47913SUSE Liberty Linux 10
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
ImportantCVE-2025-47913 at SUSECVE-2025-47913 at NVDSUSE bug 1253506CVE-2025-48367SUSE Liberty Linux 10
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
ImportantCVE-2025-48367 at SUSECVE-2025-48367 at NVDSUSE bug 1246058CVE-2025-48384SUSE Liberty Linux 10
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
ImportantCVE-2025-48384 at SUSECVE-2025-48384 at NVDSUSE bug 1245943CVE-2025-48385SUSE Liberty Linux 10
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
ImportantCVE-2025-48385 at SUSECVE-2025-48385 at NVDSUSE bug 1245946CVE-2025-48964SUSE Liberty Linux 10
ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero).
ModerateCVE-2025-48964 at SUSECVE-2025-48964 at NVDSUSE bug 1243772CVE-2025-4948SUSE Liberty Linux 10
A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk.
ImportantCVE-2025-4948 at SUSECVE-2025-4948 at NVDSUSE bug 1243332SUSE bug 1250562CVE-2025-49844SUSE Liberty Linux 10
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
CriticalCVE-2025-49844 at SUSECVE-2025-49844 at NVDSUSE bug 1250995SUSE bug 1263583CVE-2025-50059SUSE Liberty Linux 10
Unknown.
ImportantCVE-2025-50059 at SUSECVE-2025-50059 at NVDSUSE bug 1246575SUSE bug 1246595CVE-2025-50077SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50077 at SUSECVE-2025-50077 at NVDCVE-2025-50078SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50078 at SUSECVE-2025-50078 at NVDCVE-2025-50079SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50079 at SUSECVE-2025-50079 at NVDCVE-2025-50080SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50080 at SUSECVE-2025-50080 at NVDCVE-2025-50081SUSE Liberty Linux 10
Unknown.
LowCVE-2025-50081 at SUSECVE-2025-50081 at NVDCVE-2025-50082SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50082 at SUSECVE-2025-50082 at NVDCVE-2025-50083SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50083 at SUSECVE-2025-50083 at NVDCVE-2025-50084SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50084 at SUSECVE-2025-50084 at NVDCVE-2025-50085SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50085 at SUSECVE-2025-50085 at NVDCVE-2025-50086SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50086 at SUSECVE-2025-50086 at NVDCVE-2025-50087SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50087 at SUSECVE-2025-50087 at NVDCVE-2025-50088SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50088 at SUSECVE-2025-50088 at NVDCVE-2025-50091SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50091 at SUSECVE-2025-50091 at NVDCVE-2025-50092SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50092 at SUSECVE-2025-50092 at NVDCVE-2025-50093SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50093 at SUSECVE-2025-50093 at NVDCVE-2025-50094SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50094 at SUSECVE-2025-50094 at NVDCVE-2025-50096SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50096 at SUSECVE-2025-50096 at NVDCVE-2025-50097SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50097 at SUSECVE-2025-50097 at NVDCVE-2025-50098SUSE Liberty Linux 10
Unknown.
LowCVE-2025-50098 at SUSECVE-2025-50098 at NVDCVE-2025-50099SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50099 at SUSECVE-2025-50099 at NVDCVE-2025-50100SUSE Liberty Linux 10
Unknown.
LowCVE-2025-50100 at SUSECVE-2025-50100 at NVDCVE-2025-50101SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50101 at SUSECVE-2025-50101 at NVDCVE-2025-50102SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-50102 at SUSECVE-2025-50102 at NVDCVE-2025-50104SUSE Liberty Linux 10
Unknown.
LowCVE-2025-50104 at SUSECVE-2025-50104 at NVDCVE-2025-50106SUSE Liberty Linux 10
Unknown.
ImportantCVE-2025-50106 at SUSECVE-2025-50106 at NVDSUSE bug 1246584SUSE bug 1246595CVE-2025-5024SUSE Liberty Linux 10
A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop listens for RDP connections, an unauthenticated attacker can exhaust system resources and repeatedly crash the process. There may be a resource leak after many attacks, which will also result in gnome-remote-desktop no longer being able to open files even after it is restarted via systemd.
ModerateCVE-2025-5024 at SUSECVE-2025-5024 at NVDSUSE bug 1244053CVE-2025-5222SUSE Liberty Linux 10
A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
ImportantCVE-2025-5222 at SUSECVE-2025-5222 at NVDSUSE bug 1243721CVE-2025-5244SUSE Liberty Linux 10
A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.
ModerateCVE-2025-5244 at SUSECVE-2025-5244 at NVDSUSE bug 1243756CVE-2025-52881SUSE Liberty Linux 10
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.
ImportantCVE-2025-52881 at SUSECVE-2025-52881 at NVDSUSE bug 1252232SUSE bug 1255063CVE-2025-53040SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53040 at SUSECVE-2025-53040 at NVDCVE-2025-53042SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53042 at SUSECVE-2025-53042 at NVDCVE-2025-53044SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53044 at SUSECVE-2025-53044 at NVDCVE-2025-53045SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53045 at SUSECVE-2025-53045 at NVDCVE-2025-53053SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53053 at SUSECVE-2025-53053 at NVDCVE-2025-53054SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53054 at SUSECVE-2025-53054 at NVDCVE-2025-53057SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53057 at SUSECVE-2025-53057 at NVDSUSE bug 1252414CVE-2025-53062SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53062 at SUSECVE-2025-53062 at NVDCVE-2025-53066SUSE Liberty Linux 10
Unknown.
ImportantCVE-2025-53066 at SUSECVE-2025-53066 at NVDSUSE bug 1252417CVE-2025-53069SUSE Liberty Linux 10
Unknown.
ModerateCVE-2025-53069 at SUSECVE-2025-53069 at NVDCVE-2025-5318SUSE Liberty Linux 10
A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.
ModerateCVE-2025-5318 at SUSECVE-2025-5318 at NVDSUSE bug 1245311CVE-2025-53905SUSE Liberty Linux 10
Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.
ModerateCVE-2025-53905 at SUSECVE-2025-53905 at NVDSUSE bug 1246604CVE-2025-53906SUSE Liberty Linux 10
Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.
ModerateCVE-2025-53906 at SUSECVE-2025-53906 at NVDSUSE bug 1246602CVE-2025-54349SUSE Liberty Linux 10
In iperf before 3.19.1, iperf_auth.c has an off-by-one error and resultant heap-based buffer overflow.
ModerateCVE-2025-54349 at SUSECVE-2025-54349 at NVDSUSE bug 1247519CVE-2025-55130SUSE Liberty Linux 10
A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
ImportantCVE-2025-55130 at SUSECVE-2025-55130 at NVDSUSE bug 1256569CVE-2025-55131SUSE Liberty Linux 10
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
ImportantCVE-2025-55131 at SUSECVE-2025-55131 at NVDSUSE bug 1256570CVE-2025-55132SUSE Liberty Linux 10
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
LowCVE-2025-55132 at SUSECVE-2025-55132 at NVDSUSE bug 1256571CVE-2025-55247SUSE Liberty Linux 10
Unknown.
ImportantCVE-2025-55247 at SUSECVE-2025-55247 at NVDCVE-2025-55315SUSE Liberty Linux 10
Unknown.
CriticalCVE-2025-55315 at SUSECVE-2025-55315 at NVDCVE-2025-55752SUSE Liberty Linux 10
Relative Path Traversal vulnerability in Apache Tomcat.
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
ImportantCVE-2025-55752 at SUSECVE-2025-55752 at NVDSUSE bug 1252753CVE-2025-55753SUSE Liberty Linux 10
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds.
This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
ModerateCVE-2025-55753 at SUSECVE-2025-55753 at NVDSUSE bug 1254511CVE-2025-58060SUSE Liberty Linux 10
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the `AuthType` is set to anything but `Basic`, if the request contains an `Authorization: Basic ...` header, the password is not checked. This results in authentication bypass. Any configuration that allows an `AuthType` that is not `Basic` is affected. Version 2.4.13 fixes the issue.
ImportantCVE-2025-58060 at SUSECVE-2025-58060 at NVDSUSE bug 1249049CVE-2025-58098SUSE Liberty Linux 10
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
ModerateCVE-2025-58098 at SUSECVE-2025-58098 at NVDSUSE bug 1254512CVE-2025-58183SUSE Liberty Linux 10
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.
ModerateCVE-2025-58183 at SUSECVE-2025-58183 at NVDSUSE bug 1251261CVE-2025-58364SUSE Liberty Linux 10
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, an unsafe deserialization and validation of printer attributes causes null dereference in the libcups library. This is a remote DoS vulnerability available in local subnet in default configurations. It can cause the cups & cups-browsed to crash, on all the machines in local network who are listening for printers (so by default for all regular linux machines). On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to IPP port, and the machine is set to be available to public internet, attack vector "Network" is possible. The current versions of CUPS and cups-browsed projects have the attack vector "Adjacent" in their default configurations. Version 2.4.13 contains a patch for CVE-2025-58364.
ModerateCVE-2025-58364 at SUSECVE-2025-58364 at NVDSUSE bug 1249128CVE-2025-58436SUSE Liberty Linux 10
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue has been patched in version 2.4.15.
ModerateCVE-2025-58436 at SUSECVE-2025-58436 at NVDSUSE bug 1244057CVE-2025-58767SUSE Liberty Linux 10
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
LowCVE-2025-58767 at SUSECVE-2025-58767 at NVDSUSE bug 1250016CVE-2025-59032SUSE Liberty Linux 10
ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known.
ImportantCVE-2025-59032 at SUSECVE-2025-59032 at NVDSUSE bug 1260902CVE-2025-59088SUSE Liberty Linux 10
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where
the "use_dns" setting is explicitly set to false are not affected.
ImportantCVE-2025-59088 at SUSECVE-2025-59088 at NVDCVE-2025-59089SUSE Liberty Linux 10
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new
buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response
header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
ModerateCVE-2025-59089 at SUSECVE-2025-59089 at NVDCVE-2025-5914SUSE Liberty Linux 10
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
ImportantCVE-2025-5914 at SUSECVE-2025-5914 at NVDSUSE bug 1244272CVE-2025-59375SUSE Liberty Linux 10
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
ImportantCVE-2025-59375 at SUSECVE-2025-59375 at NVDSUSE bug 1249584CVE-2025-59465SUSE Liberty Linux 10
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```
ImportantCVE-2025-59465 at SUSECVE-2025-59465 at NVDSUSE bug 1256573CVE-2025-59466SUSE Liberty Linux 10
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
ModerateCVE-2025-59466 at SUSECVE-2025-59466 at NVDSUSE bug 1256574CVE-2025-5987SUSE Liberty Linux 10
A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.
ModerateCVE-2025-5987 at SUSECVE-2025-5987 at NVDSUSE bug 1245317CVE-2025-6020SUSE Liberty Linux 10
A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
ImportantCVE-2025-6020 at SUSECVE-2025-6020 at NVDSUSE bug 1244509CVE-2025-6075SUSE Liberty Linux 10
If the value passed to os.path.expandvars() is user-controlled a
performance degradation is possible when expanding environment
variables.
LowCVE-2025-6075 at SUSECVE-2025-6075 at NVDSUSE bug 1252974CVE-2025-61594SUSE Liberty Linux 10
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
ImportantCVE-2025-61594 at SUSECVE-2025-61594 at NVDSUSE bug 1255833CVE-2025-61662SUSE Liberty Linux 10
A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
ModerateCVE-2025-61662 at SUSECVE-2025-61662 at NVDSUSE bug 1252933CVE-2025-61726SUSE Liberty Linux 10
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
ModerateCVE-2025-61726 at SUSECVE-2025-61726 at NVDSUSE bug 1256817CVE-2025-61728SUSE Liberty Linux 10
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
ModerateCVE-2025-61728 at SUSECVE-2025-61728 at NVDSUSE bug 1256816CVE-2025-61729SUSE Liberty Linux 10
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
ImportantCVE-2025-61729 at SUSECVE-2025-61729 at NVDSUSE bug 1254431CVE-2025-61731SUSE Liberty Linux 10
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
ImportantCVE-2025-61731 at SUSECVE-2025-61731 at NVDSUSE bug 1256819CVE-2025-61732SUSE Liberty Linux 10
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CriticalCVE-2025-61732 at SUSECVE-2025-61732 at NVDSUSE bug 1257692CVE-2025-61748SUSE Liberty Linux 10
Unknown.
LowCVE-2025-61748 at SUSECVE-2025-61748 at NVDSUSE bug 1252418CVE-2025-6176SUSE Liberty Linux 10
Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.
ModerateCVE-2025-6176 at SUSECVE-2025-6176 at NVDSUSE bug 1252945SUSE bug 1268540CVE-2025-61795SUSE Liberty Linux 10
Improper Resource Shutdown or Release vulnerability in Apache Tomcat.
If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.
ModerateCVE-2025-61795 at SUSECVE-2025-61795 at NVDSUSE bug 1252756CVE-2025-61915SUSE Liberty Linux 10
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process which runs as root will parse the new config and cause an out-of-bound write. This issue has been patched in version 2.4.15.
ModerateCVE-2025-61915 at SUSECVE-2025-61915 at NVDSUSE bug 1253783CVE-2025-61984SUSE Liberty Linux 10
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
ModerateCVE-2025-61984 at SUSECVE-2025-61984 at NVDSUSE bug 1251198CVE-2025-61985SUSE Liberty Linux 10
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
ModerateCVE-2025-61985 at SUSECVE-2025-61985 at NVDSUSE bug 1251199CVE-2025-62168SUSE Liberty Linux 10
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
ImportantCVE-2025-62168 at SUSECVE-2025-62168 at NVDSUSE bug 1252281CVE-2025-62229SUSE Liberty Linux 10
A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.
ImportantCVE-2025-62229 at SUSECVE-2025-62229 at NVDSUSE bug 1251958SUSE bug 1259834CVE-2025-62230SUSE Liberty Linux 10
A flaw was discovered in the X.Org X server's X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected clients disconnect.
ImportantCVE-2025-62230 at SUSECVE-2025-62230 at NVDSUSE bug 1251959SUSE bug 1259834CVE-2025-62231SUSE Liberty Linux 10
A flaw was identified in the X.Org X server's X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash.
ImportantCVE-2025-62231 at SUSECVE-2025-62231 at NVDSUSE bug 1251960SUSE bug 1259834CVE-2025-64720SUSE Liberty Linux 10
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha x 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
ModerateCVE-2025-64720 at SUSECVE-2025-64720 at NVDSUSE bug 1254159CVE-2025-65018SUSE Liberty Linux 10
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
ModerateCVE-2025-65018 at SUSECVE-2025-65018 at NVDSUSE bug 1254160CVE-2025-65082SUSE Liberty Linux 10
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes the issue.
ModerateCVE-2025-65082 at SUSECVE-2025-65082 at NVDSUSE bug 1254514CVE-2025-66199SUSE Liberty Linux 10
Issue summary: A TLS 1.3 connection using certificate compression can be
forced to allocate a large buffer before decompression without checking
against the configured certificate size limit.
Impact summary: An attacker can cause per-connection memory allocations of
up to approximately 22 MiB and extra CPU work, potentially leading to
service degradation or resource exhaustion (Denial of Service).
In affected configurations, the peer-supplied uncompressed certificate
length from a CompressedCertificate message is used to grow a heap buffer
prior to decompression. This length is not bounded by the max_cert_list
setting, which otherwise constrains certificate message sizes. An attacker
can exploit this to cause large per-connection allocations followed by
handshake failure. No memory corruption or information disclosure occurs.
This issue only affects builds where TLS 1.3 certificate compression is
compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression
algorithm (brotli, zlib, or zstd) is available, and where the compression
extension is negotiated. Both clients receiving a server CompressedCertificate
and servers in mutual TLS scenarios receiving a client CompressedCertificate
are affected. Servers that do not request client certificates are not
vulnerable to client-initiated attacks.
Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION
to disable receiving compressed certificates.
The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,
as the TLS implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.
OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.
ModerateCVE-2025-66199 at SUSECVE-2025-66199 at NVDSUSE bug 1256833CVE-2025-66200SUSE Liberty Linux 10
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
ModerateCVE-2025-66200 at SUSECVE-2025-66200 at NVDSUSE bug 1254515CVE-2025-66293SUSE Liberty Linux 10
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
ImportantCVE-2025-66293 at SUSECVE-2025-66293 at NVDSUSE bug 1254480CVE-2025-66418SUSE Liberty Linux 10
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
ModerateCVE-2025-66418 at SUSECVE-2025-66418 at NVDSUSE bug 1254866CVE-2025-66471SUSE Liberty Linux 10
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.
ModerateCVE-2025-66471 at SUSECVE-2025-66471 at NVDSUSE bug 1254867SUSE bug 1262592SUSE bug 1264973SUSE bug 1268540CVE-2025-66614SUSE Liberty Linux 10
Improper Input Validation vulnerability.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.
Tomcat did not validate that the host name provided via the SNI
extension was the same as the host name provided in the HTTP host header
field. If Tomcat was configured with more than one virtual host and the
TLS configuration for one of those hosts did not require client
certificate authentication but another one did, it was possible for a
client to bypass the client certificate authentication by sending
different host names in the SNI extension and the HTTP host header field.
The vulnerability only applies if client certificate authentication is
only enforced at the Connector. It does not apply if client certificate
authentication is enforced at the web application.
Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.
ImportantCVE-2025-66614 at SUSECVE-2025-66614 at NVDSUSE bug 1258371CVE-2025-67268SUSE Liberty Linux 10
gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.
CriticalCVE-2025-67268 at SUSECVE-2025-67268 at NVDSUSE bug 1255913CVE-2025-67269SUSE Liberty Linux 10
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
ImportantCVE-2025-67269 at SUSECVE-2025-67269 at NVDSUSE bug 1255914CVE-2025-67733SUSE Liberty Linux 10
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
ModerateCVE-2025-67733 at SUSECVE-2025-67733 at NVDSUSE bug 1258746CVE-2025-67873SUSE Liberty Linux 10
Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3 fixes the issue.
ModerateCVE-2025-67873 at SUSECVE-2025-67873 at NVDSUSE bug 1255309CVE-2025-68114SUSE Liberty Linux 10
Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, an unchecked vsnprintf return in SStream_concat lets a malicious cs_opt_mem.vsnprintf drive SStream's index negative or past the end, leading to a stack buffer underflow/overflow when the next write occurs. Commit 2c7797182a1618be12017d7d41e0b6581d5d529e fixes the issue.
ModerateCVE-2025-68114 at SUSECVE-2025-68114 at NVDSUSE bug 1255310CVE-2025-68121SUSE Liberty Linux 10
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
ImportantCVE-2025-68121 at SUSECVE-2025-68121 at NVDSUSE bug 1256818CVE-2025-68160SUSE Liberty Linux 10
Issue summary: Writing large, newline-free data into a BIO chain using the
line-buffering filter where the next BIO performs short writes can trigger
a heap-based out-of-bounds write.
Impact summary: This out-of-bounds write can cause memory corruption which
typically results in a crash, leading to Denial of Service for an application.
The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in
TLS/SSL data paths. In OpenSSL command-line applications, it is typically
only pushed onto stdout/stderr on VMS systems. Third-party applications that
explicitly use this filter with a BIO chain that can short-write and that
write large, newline-free data influenced by an attacker would be affected.
However, the circumstances where this could happen are unlikely to be under
attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated
data controlled by an attacker. For that reason the issue was assessed as
Low severity.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the BIO implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
ModerateCVE-2025-68160 at SUSECVE-2025-68160 at NVDSUSE bug 1256834CVE-2025-68183SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
Currently when both IMA and EVM are in fix mode, the IMA signature will
be reset to IMA hash if a program first stores IMA signature in
security.ima and then writes/removes some other security xattr for the
file.
For example, on Fedora, after booting the kernel with "ima_appraise=fix
evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima,
installing/reinstalling a package will not make good reference IMA
signature generated. Instead IMA hash is generated,
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
This happens because when setting security.selinux, the IMA_DIGSIG flag
that had been set early was cleared. As a result, IMA hash is generated
when the file is closed.
Similarly, IMA signature can be cleared on file close after removing
security xattr like security.evm or setting/removing ACL.
Prevent replacing the IMA file signature with a file hash, by preventing
the IMA_DIGSIG flag from being reset.
Here's a minimal C reproducer which sets security.selinux as the last
step which can also replaced by removing security.evm or setting ACL,
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
int main() {
const char* file_path = "/usr/sbin/test_binary";
const char* hex_string = "030204d33204490066306402304";
int length = strlen(hex_string);
char* ima_attr_value;
int fd;
fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
perror("Error opening file");
return 1;
}
ima_attr_value = (char*)malloc(length / 2 );
for (int i = 0, j = 0; i < length; i += 2, j++) {
sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
}
if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
const char* selinux_value= "system_u:object_r:bin_t:s0";
if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
close(fd);
return 0;
}
ModerateCVE-2025-68183 at SUSECVE-2025-68183 at NVDSUSE bug 1255251CVE-2025-68285SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix potential use-after-free in have_mon_and_osd_map()
The wait loop in __ceph_open_session() can race with the client
receiving a new monmap or osdmap shortly after the initial map is
received. Both ceph_monc_handle_map() and handle_one_map() install
a new map immediately after freeing the old one
kfree(monc->monmap);
monc->monmap = monmap;
ceph_osdmap_destroy(osdc->osdmap);
osdc->osdmap = newmap;
under client->monc.mutex and client->osdc.lock respectively, but
because neither is taken in have_mon_and_osd_map() it's possible for
client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in
client->monc.monmap && client->monc.monmap->epoch &&
client->osdc.osdmap && client->osdc.osdmap->epoch;
condition to dereference an already freed map. This happens to be
reproducible with generic/395 and generic/397 with KASAN enabled:
BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
...
Call Trace:
<TASK>
have_mon_and_osd_map+0x56/0x70
ceph_open_session+0x182/0x290
ceph_get_tree+0x333/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Allocated by task 13305:
ceph_osdmap_alloc+0x16/0x130
ceph_osdc_init+0x27a/0x4c0
ceph_create_client+0x153/0x190
create_fs_client+0x50/0x2a0
ceph_get_tree+0xff/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 9475:
kfree+0x212/0x290
handle_one_map+0x23c/0x3b0
ceph_osdc_handle_map+0x3c9/0x590
mon_dispatch+0x655/0x6f0
ceph_con_process_message+0xc3/0xe0
ceph_con_v1_try_read+0x614/0x760
ceph_con_workfn+0x2de/0x650
process_one_work+0x486/0x7c0
process_scheduled_works+0x73/0x90
worker_thread+0x1c8/0x2a0
kthread+0x2ec/0x300
ret_from_fork+0x24/0x40
ret_from_fork_asm+0x1a/0x30
Rewrite the wait loop to check the above condition directly with
client->monc.mutex and client->osdc.lock taken as appropriate. While
at it, improve the timeout handling (previously mount_timeout could be
exceeded in case wait_event_interruptible_timeout() slept more than
once) and access client->auth_err under client->monc.mutex to match
how it's set in finish_auth().
monmap_show() and osdmap_show() now take the respective lock before
accessing the map as well.
ImportantCVE-2025-68285 at SUSECVE-2025-68285 at NVDSUSE bug 1255401SUSE bug 1255402CVE-2025-68287SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.
To fix this added check for request completion and skip processing
if already completed and added the request status for ep0 while queue.
ModerateCVE-2025-68287 at SUSECVE-2025-68287 at NVDSUSE bug 1255152CVE-2025-68301SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: fix fragment overflow handling in RX path
The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.
The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.
Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.
This crash occurred in production with an Aquantia AQC113 10G NIC.
Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89
ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90
c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48
89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:
fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:
0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09:
0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12:
ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15:
ffff925b22e80a00
FS: 0000000000000000(0000)
GS:ffff925e47880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:
0000000000f72ef0
PKRU: 55555554
Call Trace:
<IRQ>
aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```
Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.
Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for.
ModerateCVE-2025-68301 at SUSECVE-2025-68301 at NVDSUSE bug 1255120CVE-2025-68305SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
There is a potential race condition between sock bind and socket write
iter. bind may free the same cmd via mgmt_pending before write iter sends
the cmd, just as syzbot reported in UAF[1].
Here we use hci_dev_lock to synchronize the two, thereby avoiding the
UAF mentioned in [1].
[1]
syzbot reported:
BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
Read of size 8 at addr ffff888077164818 by task syz.0.17/5989
Call Trace:
mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Allocated by task 5989:
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Freed by task 5991:
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
ModerateCVE-2025-68305 at SUSECVE-2025-68305 at NVDSUSE bug 1255169CVE-2025-68349SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Fixes a crash when layout is null during this call stack:
write_inode
-> nfs4_write_inode
-> pnfs_layoutcommit_inode
pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
to reference a null layout.
ModerateCVE-2025-68349 at SUSECVE-2025-68349 at NVDSUSE bug 1255544CVE-2025-68366SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
nbd: defer config unlock in nbd_genl_connect
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
ModerateCVE-2025-68366 at SUSECVE-2025-68366 at NVDSUSE bug 1255622CVE-2025-68615SUSE Liberty Linux 10
net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2.
ImportantCVE-2025-68615 at SUSECVE-2025-68615 at NVDSUSE bug 1255491CVE-2025-68724SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
ModerateCVE-2025-68724 at SUSECVE-2025-68724 at NVDSUSE bug 1255550CVE-2025-68741SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix improper freeing of purex item
In qla2xxx_process_purls_iocb(), an item is allocated via
qla27xx_copy_multiple_pkt(), which internally calls
qla24xx_alloc_purex_item().
The qla24xx_alloc_purex_item() function may return a pre-allocated item
from a per-adapter pool for small allocations, instead of dynamically
allocating memory with kzalloc().
An error handling path in qla2xxx_process_purls_iocb() incorrectly uses
kfree() to release the item. If the item was from the pre-allocated
pool, calling kfree() on it is a bug that can lead to memory corruption.
Fix this by using the correct deallocation function,
qla24xx_free_purex_item(), which properly handles both dynamically
allocated and pre-allocated items.
ModerateCVE-2025-68741 at SUSECVE-2025-68741 at NVDSUSE bug 1255703CVE-2025-68800SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
ModerateCVE-2025-68800 at SUSECVE-2025-68800 at NVDSUSE bug 1256646CVE-2025-68811SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
svcrdma: use rc_pageoff for memcpy byte offset
svc_rdma_copy_inline_range added rc_curpage (page index) to the page
base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
land within the current page.
Found by ZeroPath (https://zeropath.com)
ModerateCVE-2025-68811 at SUSECVE-2025-68811 at NVDSUSE bug 1256677CVE-2025-68973SUSE Liberty Linux 10
In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)
ImportantCVE-2025-68973 at SUSECVE-2025-68973 at NVDSUSE bug 1255714SUSE bug 1255715CVE-2025-69418SUSE Liberty Linux 10
Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.
ModerateCVE-2025-69418 at SUSECVE-2025-69418 at NVDSUSE bug 1256835CVE-2025-69419SUSE Liberty Linux 10
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously
crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing
non-ASCII BMP code point can trigger a one byte write before the allocated
buffer.
Impact summary: The out-of-bounds write can cause a memory corruption
which can have various consequences including a Denial of Service.
The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12
BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,
the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16
source byte count as the destination buffer capacity to UTF8_putc(). For BMP
code points above U+07FF, UTF-8 requires three bytes, but the forwarded
capacity can be just two bytes. UTF8_putc() then returns -1, and this negative
value is added to the output length without validation, causing the
length to become negative. The subsequent trailing NUL byte is then written
at a negative offset, causing write outside of heap allocated buffer.
The vulnerability is reachable via the public PKCS12_get_friendlyname() API
when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a
different code path that avoids this issue, PKCS12_get_friendlyname() directly
invokes the vulnerable function. Exploitation requires an attacker to provide
a malicious PKCS#12 file to be parsed by the application and the attacker
can just trigger a one zero byte write before the allocated buffer.
For that reason the issue was assessed as Low severity according to our
Security Policy.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
ModerateCVE-2025-69419 at SUSECVE-2025-69419 at NVDSUSE bug 1256836CVE-2025-69420SUSE Liberty Linux 10
Issue summary: A type confusion vulnerability exists in the TimeStamp Response
verification code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid or NULL pointer dereference when
processing a malformed TimeStamp Response file.
Impact summary: An application calling TS_RESP_verify_response() with a
malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service.
The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()
access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory
through the ASN1_TYPE union, causing a crash.
Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The
TimeStamp protocol (RFC 3161) is not widely used and the impact of the
exploit is just a Denial of Service. For these reasons the issue was
assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
ModerateCVE-2025-69420 at SUSECVE-2025-69420 at NVDSUSE bug 1256837CVE-2025-69421SUSE Liberty Linux 10
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer
dereference in the PKCS12_item_decrypt_d2i_ex() function.
Impact summary: A NULL pointer dereference can trigger a crash which leads to
Denial of Service for an application processing PKCS#12 files.
The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct
parameter is NULL before dereferencing it. When called from
PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can
be NULL, causing a crash. The vulnerability is limited to Denial of Service
and cannot be escalated to achieve code execution or memory disclosure.
Exploiting this issue requires an attacker to provide a malformed PKCS#12 file
to an application that processes it. For that reason the issue was assessed as
Low severity according to our Security Policy.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
ModerateCVE-2025-69421 at SUSECVE-2025-69421 at NVDSUSE bug 1256838CVE-2025-69534SUSE Liberty Linux 10
Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.
ImportantCVE-2025-69534 at SUSECVE-2025-69534 at NVDSUSE bug 1259256CVE-2025-6965SUSE Liberty Linux 10
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
ImportantCVE-2025-6965 at SUSECVE-2025-6965 at NVDSUSE bug 1246597CVE-2025-69720SUSE Liberty Linux 10
The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.
ModerateCVE-2025-69720 at SUSECVE-2025-69720 at NVDSUSE bug 1259924CVE-2025-71085SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
ImportantCVE-2025-71085 at SUSECVE-2025-71085 at NVDSUSE bug 1256623SUSE bug 1256624CVE-2025-71201SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix early read unlock of page with EOF in middle
The read result collection for buffered reads seems to run ahead of the
completion of subrequests under some circumstances, as can be seen in the
following log snippet:
9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0
...
netfs_sreq: R=00001b55[1] DOWN TERM f=192 s=0 5fb2/5fb2 s=5 e=0
...
netfs_collect_folio: R=00001b55 ix=00004 r=4000-5000 t=4000/5fb2
netfs_folio: i=157f3 ix=00004-00004 read-done
netfs_folio: i=157f3 ix=00004-00004 read-unlock
netfs_collect_folio: R=00001b55 ix=00005 r=5000-5fb2 t=5000/5fb2
netfs_folio: i=157f3 ix=00005-00005 read-done
netfs_folio: i=157f3 ix=00005-00005 read-unlock
...
netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff
netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=c
netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff
netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=8
...
netfs_sreq: R=00001b55[2] ZERO SUBMT f=000 s=5fb2 0/4e s=0 e=0
netfs_sreq: R=00001b55[2] ZERO TERM f=102 s=5fb2 4e/4e s=5 e=0
The 'cto=5fb2' indicates the collected file pos we've collected results to
so far - but we still have 0x4e more bytes to go - so we shouldn't have
collected folio ix=00005 yet. The 'ZERO' subreq that clears the tail
happens after we unlock the folio, allowing the application to see the
uncleared tail through mmap.
The problem is that netfs_read_unlock_folios() will unlock a folio in which
the amount of read results collected hits EOF position - but the ZERO
subreq lies beyond that and so happens after.
Fix this by changing the end check to always be the end of the folio and
never the end of the file.
In the future, I should look at clearing to the end of the folio here rather
than adding a ZERO subreq to do this. On the other hand, the ZERO subreq can
run in parallel with an async READ subreq. Further, the ZERO subreq may still
be necessary to, say, handle extents in a ceph file that don't have any
backing store and are thus implicitly all zeros.
This can be reproduced by creating a file, the size of which doesn't align
to a page boundary, e.g. 24998 (0x5fb2) bytes and then doing something
like:
xfs_io -c "mmap -r 0 0x6000" -c "madvise -d 0 0x6000" \
-c "mread -v 0 0x6000" /xfstest.test/x
The last 0x4e bytes should all be 00, but if the tail hasn't been cleared
yet, you may see rubbish there. This can be reproduced with kafs by
modifying the kernel to disable the call to netfs_read_subreq_progress()
and to stop afs_issue_read() from doing the async call for NETFS_READAHEAD.
Reproduction can be made easier by inserting an mdelay(100) in
netfs_issue_read() for the ZERO-subreq case.
AFS and CIFS are normally unlikely to show this as they dispatch READ ops
asynchronously, which allows the ZERO-subreq to finish first. 9P's READ op is
completely synchronous, so the ZERO-subreq will always happen after. It isn't
seen all the time, though, because the collection may be done in a worker
thread.
ModerateCVE-2025-71201 at SUSECVE-2025-71201 at NVDSUSE bug 1258225CVE-2025-71238SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix bsg_done() causing double free
Kernel panic observed on system,
[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1
[5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025
[5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10
[5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246
[5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000
[5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000
[5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000
[5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090
[5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000
[5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000
[5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0
[5353358.825221] PKRU: 55555554
[5353358.825222] Call Trace:
[5353358.825223] <TASK>
[5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df
[5353358.825232] ? sg_copy_buffer+0xc8/0x110
[5353358.825236] ? __die_body.cold+0x8/0xd
[5353358.825238] ? page_fault_oops+0x134/0x170
[5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110
[5353358.825244] ? exc_page_fault+0xa8/0x150
[5353358.825247] ? asm_exc_page_fault+0x22/0x30
[5353358.825252] ? memcpy_erms+0x6/0x10
[5353358.825253] sg_copy_buffer+0xc8/0x110
[5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx]
[5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx]
Most routines in qla_bsg.c call bsg_done() only for success cases.
However a few invoke it for failure case as well leading to a double
free. Validate before calling bsg_done().
ModerateCVE-2025-71238 at SUSECVE-2025-71238 at NVDSUSE bug 1259186CVE-2025-7345SUSE Liberty Linux 10
A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib's g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.
ImportantCVE-2025-7345 at SUSECVE-2025-7345 at NVDSUSE bug 1246114SUSE bug 1259184CVE-2025-7493SUSE Liberty Linux 10
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
CriticalCVE-2025-7493 at SUSECVE-2025-7493 at NVDCVE-2025-8291SUSE Liberty Linux 10
The 'zipfile' module would not check the validity of the ZIP64 End of
Central Directory (EOCD) Locator record offset value would not be used to
locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be
assumed to be the previous record in the ZIP archive. This could be abused
to create ZIP archives that are handled differently by the 'zipfile' module
compared to other ZIP implementations.
Remediation maintains this behavior, but checks that the offset specified
in the ZIP64 EOCD Locator record matches the expected value.
LowCVE-2025-8291 at SUSECVE-2025-8291 at NVDSUSE bug 1251305CVE-2025-8677SUSE Liberty Linux 10
Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion.
This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
ImportantCVE-2025-8677 at SUSECVE-2025-8677 at NVDSUSE bug 1252378CVE-2025-8714SUSE Liberty Linux 10
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
ImportantCVE-2025-8714 at SUSECVE-2025-8714 at NVDSUSE bug 1248122CVE-2025-8715SUSE Liberty Linux 10
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
ImportantCVE-2025-8715 at SUSECVE-2025-8715 at NVDSUSE bug 1248119CVE-2025-9086SUSE Liberty Linux 10
1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same
hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path=\"/\",`).
Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer
boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
ImportantCVE-2025-9086 at SUSECVE-2025-9086 at NVDSUSE bug 1249191CVE-2025-9230SUSE Liberty Linux 10
Issue summary: An application trying to decrypt CMS messages encrypted using
password based encryption can trigger an out-of-bounds read and write.
Impact summary: This out-of-bounds read may trigger a crash which leads to
Denial of Service for an application. The out-of-bounds write can cause
a memory corruption which can have various consequences including
a Denial of Service or Execution of attacker-supplied code.
Although the consequences of a successful exploit of this vulnerability
could be severe, the probability that the attacker would be able to
perform it is low. Besides, password based (PWRI) encryption support in CMS
messages is very rarely used. For that reason the issue was assessed as
Moderate severity according to our Security Policy.
The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.
ImportantCVE-2025-9230 at SUSECVE-2025-9230 at NVDSUSE bug 1250232SUSE bug 1250410CVE-2025-9566SUSE Liberty Linux 10
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.
Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1
ImportantCVE-2025-9566 at SUSECVE-2025-9566 at NVDSUSE bug 1249154CVE-2025-9615SUSE Liberty Linux 10
A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.
ModerateCVE-2025-9615 at SUSECVE-2025-9615 at NVDSUSE bug 1257359CVE-2025-9817SUSE Liberty Linux 10
SSH dissector crash in Wireshark 4.4.0 to 4.4.8 allows denial of service
ModerateCVE-2025-9817 at SUSECVE-2025-9817 at NVDSUSE bug 1249090CVE-2025-9820SUSE Liberty Linux 10
A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.
ModerateCVE-2025-9820 at SUSECVE-2025-9820 at NVDSUSE bug 1254132CVE-2025-9900SUSE Liberty Linux 10
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.
By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
ImportantCVE-2025-9900 at SUSECVE-2025-9900 at NVDSUSE bug 1250404SUSE bug 1253310CVE-2026-0672SUSE Liberty Linux 10
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
ImportantCVE-2026-0672 at SUSECVE-2026-0672 at NVDSUSE bug 1257031SUSE bug 1259734CVE-2026-0719SUSE Liberty Linux 10
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.
ImportantCVE-2026-0719 at SUSECVE-2026-0719 at NVDSUSE bug 1256399SUSE bug 1263697CVE-2026-0861SUSE Liberty Linux 10
Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.
Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.
Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.
ImportantCVE-2026-0861 at SUSECVE-2026-0861 at NVDSUSE bug 1256766SUSE bug 1256913CVE-2026-0865SUSE Liberty Linux 10
User-controlled header names and values containing newlines can allow injecting HTTP headers.
ModerateCVE-2026-0865 at SUSECVE-2026-0865 at NVDSUSE bug 1257042CVE-2026-0877SUSE Liberty Linux 10
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0877 at SUSECVE-2026-0877 at NVDSUSE bug 1256340CVE-2026-0878SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0878 at SUSECVE-2026-0878 at NVDSUSE bug 1256340CVE-2026-0879SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0879 at SUSECVE-2026-0879 at NVDSUSE bug 1256340CVE-2026-0880SUSE Liberty Linux 10
Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0880 at SUSECVE-2026-0880 at NVDSUSE bug 1256340CVE-2026-0882SUSE Liberty Linux 10
Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0882 at SUSECVE-2026-0882 at NVDSUSE bug 1256340CVE-2026-0883SUSE Liberty Linux 10
Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0883 at SUSECVE-2026-0883 at NVDSUSE bug 1256340CVE-2026-0884SUSE Liberty Linux 10
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0884 at SUSECVE-2026-0884 at NVDSUSE bug 1256340CVE-2026-0885SUSE Liberty Linux 10
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0885 at SUSECVE-2026-0885 at NVDSUSE bug 1256340CVE-2026-0886SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0886 at SUSECVE-2026-0886 at NVDSUSE bug 1256340CVE-2026-0887SUSE Liberty Linux 10
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0887 at SUSECVE-2026-0887 at NVDSUSE bug 1256340CVE-2026-0890SUSE Liberty Linux 10
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0890 at SUSECVE-2026-0890 at NVDSUSE bug 1256340CVE-2026-0891SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
ImportantCVE-2026-0891 at SUSECVE-2026-0891 at NVDSUSE bug 1256340CVE-2026-0915SUSE Liberty Linux 10
Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.
ModerateCVE-2026-0915 at SUSECVE-2026-0915 at NVDSUSE bug 1256822CVE-2026-0964SUSE Liberty Linux 10
A malicious SCP server can send unexpected paths that could make the
client application override local files outside of working directory.
This could be misused to create malicious executable or configuration
files and make the user execute them under specific consequences.
This is the same issue as in OpenSSH, tracked as CVE-2019-6111.
ModerateCVE-2026-0964 at SUSECVE-2026-0964 at NVDSUSE bug 1258049CVE-2026-0965SUSE Liberty Linux 10
A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.
LowCVE-2026-0965 at SUSECVE-2026-0965 at NVDSUSE bug 1258045CVE-2026-0966SUSE Liberty Linux 10
A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.
ModerateCVE-2026-0966 at SUSECVE-2026-0966 at NVDSUSE bug 1258054CVE-2026-0967SUSE Liberty Linux 10
A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.
LowCVE-2026-0967 at SUSECVE-2026-0967 at NVDSUSE bug 1258081CVE-2026-0968SUSE Liberty Linux 10
A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.
LowCVE-2026-0968 at SUSECVE-2026-0968 at NVDSUSE bug 1258080CVE-2026-0994SUSE Liberty Linux 10
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError.
ModerateCVE-2026-0994 at SUSECVE-2026-0994 at NVDSUSE bug 1257173CVE-2026-10118SUSE Liberty Linux 10
A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF.
ImportantCVE-2026-10118 at SUSECVE-2026-10118 at NVDCVE-2026-1299SUSE Liberty Linux 10
The
email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when
serializing an email message allowing for header injection when an email
is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
ImportantCVE-2026-1299 at SUSECVE-2026-1299 at NVDSUSE bug 1257181CVE-2026-1502SUSE Liberty Linux 10
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
ModerateCVE-2026-1502 at SUSECVE-2026-1502 at NVDSUSE bug 1261969CVE-2026-1519SUSE Liberty Linux 10
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
ImportantCVE-2026-1519 at SUSECVE-2026-1519 at NVDSUSE bug 1260805CVE-2026-1525SUSE Liberty Linux 10
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
* Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
* Applications that accept user-controlled header names without case-normalization
Potential consequences:
* Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
* HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
CriticalCVE-2026-1525 at SUSECVE-2026-1525 at NVDCVE-2026-1526SUSE Liberty Linux 10
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
ImportantCVE-2026-1526 at SUSECVE-2026-1526 at NVDCVE-2026-1527SUSE Liberty Linux 10
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
* Inject arbitrary HTTP headers
* Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
// lib/dispatcher/client-h1.js:1121
if (upgrade) {
header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
ModerateCVE-2026-1527 at SUSECVE-2026-1527 at NVDCVE-2026-1528SUSE Liberty Linux 10
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
ImportantCVE-2026-1528 at SUSECVE-2026-1528 at NVDCVE-2026-1642SUSE Liberty Linux 10
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side-along with conditions beyond the attacker's control-may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ModerateCVE-2026-1642 at SUSECVE-2026-1642 at NVDSUSE bug 1257675CVE-2026-1709SUSE Liberty Linux 10
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
CriticalCVE-2026-1709 at SUSECVE-2026-1709 at NVDSUSE bug 1257895CVE-2026-1761SUSE Liberty Linux 10
A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction.
ImportantCVE-2026-1761 at SUSECVE-2026-1761 at NVDSUSE bug 1257598SUSE bug 1263697CVE-2026-1933SUSE Liberty Linux 10
A flaw was found in Samba's handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.
ImportantCVE-2026-1933 at SUSECVE-2026-1933 at NVDSUSE bug 1261188CVE-2026-2003SUSE Liberty Linux 10
Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
ModerateCVE-2026-2003 at SUSECVE-2026-2003 at NVDSUSE bug 1258008CVE-2026-2004SUSE Liberty Linux 10
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
ImportantCVE-2026-2004 at SUSECVE-2026-2004 at NVDSUSE bug 1258009CVE-2026-2005SUSE Liberty Linux 10
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
ImportantCVE-2026-2005 at SUSECVE-2026-2005 at NVDSUSE bug 1258010CVE-2026-2006SUSE Liberty Linux 10
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
ImportantCVE-2026-2006 at SUSECVE-2026-2006 at NVDSUSE bug 1258011CVE-2026-2007SUSE Liberty Linux 10
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.
ImportantCVE-2026-2007 at SUSECVE-2026-2007 at NVDSUSE bug 1258012CVE-2026-2100SUSE Liberty Linux 10
A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.
ImportantCVE-2026-2100 at SUSECVE-2026-2100 at NVDSUSE bug 1257820CVE-2026-21441SUSE Liberty Linux 10
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.
ModerateCVE-2026-21441 at SUSECVE-2026-21441 at NVDSUSE bug 1256331CVE-2026-21637SUSE Liberty Linux 10
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
ModerateCVE-2026-21637 at SUSECVE-2026-21637 at NVDSUSE bug 1256576CVE-2026-21710SUSE Liberty Linux 10
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
ImportantCVE-2026-21710 at SUSECVE-2026-21710 at NVDSUSE bug 1260455CVE-2026-21711SUSE Liberty Linux 10
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.
As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.
This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
ModerateCVE-2026-21711 at SUSECVE-2026-21711 at NVDSUSE bug 1260458CVE-2026-21712SUSE Liberty Linux 10
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
ModerateCVE-2026-21712 at SUSECVE-2026-21712 at NVDSUSE bug 1260460CVE-2026-21713SUSE Liberty Linux 10
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.
Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
ModerateCVE-2026-21713 at SUSECVE-2026-21713 at NVDSUSE bug 1260463CVE-2026-21714SUSE Liberty Linux 10
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2??-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.
This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
ModerateCVE-2026-21714 at SUSECVE-2026-21714 at NVDSUSE bug 1260480CVE-2026-21715SUSE Liberty Linux 10
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.
As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
LowCVE-2026-21715 at SUSECVE-2026-21715 at NVDSUSE bug 1260482CVE-2026-21716SUSE Liberty Linux 10
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.
As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
ModerateCVE-2026-21716 at SUSECVE-2026-21716 at NVDSUSE bug 1260462CVE-2026-21717SUSE Liberty Linux 10
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.
The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
ModerateCVE-2026-21717 at SUSECVE-2026-21717 at NVDSUSE bug 1260494CVE-2026-21721SUSE Liberty Linux 10
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege escalation.
ImportantCVE-2026-21721 at SUSECVE-2026-21721 at NVDSUSE bug 1257337CVE-2026-21863SUSE Liberty Linux 10
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
ModerateCVE-2026-21863 at SUSECVE-2026-21863 at NVDSUSE bug 1258788CVE-2026-21925SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21925 at SUSECVE-2026-21925 at NVDSUSE bug 1257034CVE-2026-21933SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21933 at SUSECVE-2026-21933 at NVDSUSE bug 1257037CVE-2026-21936SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21936 at SUSECVE-2026-21936 at NVDSUSE bug 1258057CVE-2026-21937SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21937 at SUSECVE-2026-21937 at NVDSUSE bug 1258059CVE-2026-21941SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21941 at SUSECVE-2026-21941 at NVDSUSE bug 1258060CVE-2026-21945SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-21945 at SUSECVE-2026-21945 at NVDSUSE bug 1257038CVE-2026-21948SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21948 at SUSECVE-2026-21948 at NVDSUSE bug 1258061CVE-2026-21964SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21964 at SUSECVE-2026-21964 at NVDSUSE bug 1258058CVE-2026-21968SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21968 at SUSECVE-2026-21968 at NVDSUSE bug 1257736CVE-2026-21998SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-21998 at SUSECVE-2026-21998 at NVDCVE-2026-22001SUSE Liberty Linux 10
Unknown.
LowCVE-2026-22001 at SUSECVE-2026-22001 at NVDCVE-2026-22002SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-22002 at SUSECVE-2026-22002 at NVDCVE-2026-22004SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-22004 at SUSECVE-2026-22004 at NVDCVE-2026-22005SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-22005 at SUSECVE-2026-22005 at NVDCVE-2026-22007SUSE Liberty Linux 10
Unknown.
LowCVE-2026-22007 at SUSECVE-2026-22007 at NVDSUSE bug 1262490CVE-2026-22008SUSE Liberty Linux 10
Unknown.
LowCVE-2026-22008 at SUSECVE-2026-22008 at NVDSUSE bug 1262493CVE-2026-22009SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-22009 at SUSECVE-2026-22009 at NVDCVE-2026-22013SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-22013 at SUSECVE-2026-22013 at NVDSUSE bug 1262494CVE-2026-22015SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-22015 at SUSECVE-2026-22015 at NVDCVE-2026-22016SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-22016 at SUSECVE-2026-22016 at NVDSUSE bug 1262495CVE-2026-22017SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-22017 at SUSECVE-2026-22017 at NVDCVE-2026-22018SUSE Liberty Linux 10
Unknown.
LowCVE-2026-22018 at SUSECVE-2026-22018 at NVDSUSE bug 1262496CVE-2026-22021SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-22021 at SUSECVE-2026-22021 at NVDSUSE bug 1262497CVE-2026-2229SUSE Liberty Linux 10
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process
ImportantCVE-2026-2229 at SUSECVE-2026-2229 at NVDCVE-2026-22695SUSE Liberty Linux 10
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.
ModerateCVE-2026-22695 at SUSECVE-2026-22695 at NVDSUSE bug 1256525CVE-2026-22795SUSE Liberty Linux 10
Issue summary: An invalid or NULL pointer dereference can happen in
an application processing a malformed PKCS#12 file.
Impact summary: An application processing a malformed PKCS#12 file can be
caused to dereference an invalid or NULL pointer on memory read, resulting
in a Denial of Service.
A type confusion vulnerability exists in PKCS#12 parsing code where
an ASN1_TYPE union member is accessed without first validating the type,
causing an invalid pointer read.
The location is constrained to a 1-byte address space, meaning any
attempted pointer manipulation can only target addresses between 0x00 and 0xFF.
This range corresponds to the zero page, which is unmapped on most modern
operating systems and will reliably result in a crash, leading only to a
Denial of Service. Exploiting this issue also requires a user or application
to process a maliciously crafted PKCS#12 file. It is uncommon to accept
untrusted PKCS#12 files in applications as they are usually used to store
private keys which are trusted by definition. For these reasons, the issue
was assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
ModerateCVE-2026-22795 at SUSECVE-2026-22795 at NVDSUSE bug 1256839CVE-2026-22796SUSE Liberty Linux 10
Issue summary: A type confusion vulnerability exists in the signature
verification of signed PKCS#7 data where an ASN1_TYPE union member is
accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data.
Impact summary: An application performing signature verification of PKCS#7
data or calling directly the PKCS7_digest_from_attributes() function can be
caused to dereference an invalid or NULL pointer when reading, resulting in
a Denial of Service.
The function PKCS7_digest_from_attributes() accesses the message digest attribute
value without validating its type. When the type is not V_ASN1_OCTET_STRING,
this results in accessing invalid memory through the ASN1_TYPE union, causing
a crash.
Exploiting this vulnerability requires an attacker to provide a malformed
signed PKCS#7 to an application that verifies it. The impact of the
exploit is just a Denial of Service, the PKCS7 API is legacy and applications
should be using the CMS API instead. For these reasons the issue was
assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
ModerateCVE-2026-22796 at SUSECVE-2026-22796 at NVDSUSE bug 1256840CVE-2026-22801SUSE Liberty Linux 10
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
ModerateCVE-2026-22801 at SUSECVE-2026-22801 at NVDSUSE bug 1256526CVE-2026-22852SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
ImportantCVE-2026-22852 at SUSECVE-2026-22852 at NVDSUSE bug 1256718CVE-2026-22853SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR's NDR array reader does not perform bounds checking on the on-wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1.
ImportantCVE-2026-22853 at SUSECVE-2026-22853 at NVDSUSE bug 1256719CVE-2026-22854SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
ImportantCVE-2026-22854 at SUSECVE-2026-22854 at NVDSUSE bug 1256720CVE-2026-22855SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1.
ModerateCVE-2026-22855 at SUSECVE-2026-22855 at NVDSUSE bug 1256721CVE-2026-22856SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
ImportantCVE-2026-22856 at SUSECVE-2026-22856 at NVDSUSE bug 1256722CVE-2026-22858SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
ModerateCVE-2026-22858 at SUSECVE-2026-22858 at NVDSUSE bug 1256724CVE-2026-22859SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out-of-bounds read. This vulnerability is fixed in 3.20.1.
ModerateCVE-2026-22859 at SUSECVE-2026-22859 at NVDSUSE bug 1256725CVE-2026-2291SUSE Liberty Linux 10
dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.
ImportantCVE-2026-2291 at SUSECVE-2026-2291 at NVDSUSE bug 1258251CVE-2026-2297SUSE Liberty Linux 10
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
ModerateCVE-2026-2297 at SUSECVE-2026-2297 at NVDSUSE bug 1259240CVE-2026-22998SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
added ttag bounds checking and data_offset
validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
whether the command's data structures (cmd->req.sg and cmd->iov) have
been properly initialized before processing H2C_DATA PDUs.
The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
without NULL checks. This can be triggered by sending H2C_DATA PDU
immediately after the ICREQ/ICRESP handshake, before
sending a CONNECT command or NVMe write command.
Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT -> both pointers NULL
2. H2C_DATA PDU for READ command -> cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot -> both pointers NULL
The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
ModerateCVE-2026-22998 at SUSECVE-2026-22998 at NVDSUSE bug 1257209CVE-2026-23001SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix possible UAF in macvlan_forward_source()
Add RCU protection on (struct macvlan_source_entry)->vlan.
Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.
This allows macvlan_forward_source() to skip over
entries queued for freeing.
Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).
https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
ImportantCVE-2026-23001 at SUSECVE-2026-23001 at NVDSUSE bug 1257232SUSE bug 1257233CVE-2026-23010SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix use-after-free in inet6_addr_del().
syzbot reported use-after-free of inet6_ifaddr in
inet6_addr_del(). [0]
The cited commit accidentally moved ipv6_del_addr() for
mngtmpaddr before reading its ifp->flags for temporary
addresses in inet6_addr_del().
Let's move ipv6_del_addr() down to fix the UAF.
[0]:
BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
sock_do_ioctl+0x118/0x280 net/socket.c:1254
sock_ioctl+0x227/0x6b0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f164cf8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
</TASK>
Allocated by task 9593:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
sock_do_ioctl+0x118/0x280 net/socket.c:1254
sock_ioctl+0x227/0x6b0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6099:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free_freelist_hook mm/slub.c:2569 [inline]
slab_free_bulk mm/slub.c:6696 [inline]
kmem_cache_free_bulk mm/slub.c:7383 [inline]
kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
kfree_bulk include/linux/slab.h:830 [inline]
kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqu
---truncated---
ModerateCVE-2026-23010 at SUSECVE-2026-23010 at NVDSUSE bug 1257332CVE-2026-23097SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
migrate: correct lock ordering for hugetlb file folios
Syzbot has found a deadlock (analyzed by Lance Yang):
1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.
migrate_pages()
-> migrate_hugetlbs()
-> unmap_and_move_huge_page() <- Takes folio_lock!
-> remove_migration_ptes()
-> __rmap_walk_file()
-> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!
hugetlbfs_fallocate()
-> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!
-> hugetlbfs_zero_partial_page()
-> filemap_lock_hugetlb_folio()
-> filemap_lock_folio()
-> __filemap_get_folio <- Waits for folio_lock!
The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c. So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.
This is (mostly) how it used to be after commit c0d0381ade79. That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.
ModerateCVE-2026-23097 at SUSECVE-2026-23097 at NVDSUSE bug 1257815CVE-2026-23144SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
When a context DAMON sysfs directory setup is failed after setup of attrs/
directory, subdirectories of attrs/ directory are not cleaned up. As a
result, DAMON sysfs interface is nearly broken until the system reboots,
and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
ModerateCVE-2026-23144 at SUSECVE-2026-23144 at NVDSUSE bug 1258290CVE-2026-23146SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
hci_uart_register_dev(), which calls proto->open() to initialize
hu->priv. However, if a TTY write wakeup occurs during this window,
hci_uart_tx_wakeup() may schedule write_work before hu->priv is
initialized, leading to a NULL pointer dereference in
hci_uart_write_work() when proto->dequeue() accesses hu->priv.
The race condition is:
CPU0 CPU1
---- ----
hci_uart_set_proto()
set_bit(HCI_UART_PROTO_INIT)
hci_uart_register_dev()
tty write wakeup
hci_uart_tty_wakeup()
hci_uart_tx_wakeup()
schedule_work(&hu->write_work)
proto->open(hu)
// initializes hu->priv
hci_uart_write_work()
hci_uart_dequeue()
proto->dequeue(hu)
// accesses hu->priv (NULL!)
Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
succeeds, ensuring hu->priv is initialized before any work can be
scheduled.
ModerateCVE-2026-23146 at SUSECVE-2026-23146 at NVDSUSE bug 1258234CVE-2026-23156SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: fix error propagation in efivar_entry_get()
efivar_entry_get() always returns success even if the underlying
__efivar_entry_get() fails, masking errors.
This may result in uninitialized heap memory being copied to userspace
in the efivarfs_file_read() path.
Fix it by returning the error from __efivar_entry_get().
ModerateCVE-2026-23156 at SUSECVE-2026-23156 at NVDSUSE bug 1258317CVE-2026-23171SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix use-after-free due to enslave fail after slave array update
Fix a use-after-free which happens due to enslave failure after the new
slave has been added to the array. Since the new slave can be used for Tx
immediately, we can use it after it has been freed by the enslave error
cleanup path which frees the allocated slave memory. Slave update array is
supposed to be called last when further enslave failures are not expected.
Move it after xdp setup to avoid any problems.
It is very easy to reproduce the problem with a simple xdp_pass prog:
ip l add bond1 type bond mode balance-xor
ip l set bond1 up
ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
ip l add dumdum type dummy
Then run in parallel:
while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
The crash happens almost immediately:
[ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
[ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
[ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)
[ 605.602979] Tainted: [B]=BAD_PAGE
[ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
[ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
[ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
[ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
[ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
[ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
[ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
[ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
[ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
[ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
[ 605.603373] Call Trace:
[ 605.603392] <TASK>
[ 605.603410] __dev_queue_xmit+0x448/0x32a0
[ 605.603434] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603461] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10
[ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603546] ? _printk+0xcb/0x100
[ 605.603566] ? __pfx__printk+0x10/0x10
[ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603627] ? add_taint+0x5e/0x70
[ 605.603648] ? add_taint+0x2a/0x70
[ 605.603670] ? end_report.cold+0x51/0x75
[ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]
ModerateCVE-2026-23171 at SUSECVE-2026-23171 at NVDSUSE bug 1258349CVE-2026-23191SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.
For addressing the UAF, this patch changes two things:
- It covers the most of code in loopback_check_format() with
cable->lock spinlock, and add the proper NULL checks. This avoids
already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream
that may be stopped in this function, which was the major pain point
leading to UAF.
ImportantCVE-2026-23191 at SUSECVE-2026-23191 at NVDSUSE bug 1258395SUSE bug 1258396CVE-2026-23193SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.
This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.
To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.
ModerateCVE-2026-23193 at SUSECVE-2026-23193 at NVDSUSE bug 1258414CVE-2026-23204SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
ImportantCVE-2026-23204 at SUSECVE-2026-23204 at NVDSUSE bug 1258340SUSE bug 1259126CVE-2026-23205SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix memory leak in smb2_open_file()
Reproducer:
1. server: directories are exported read-only
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
4. client: umount /mnt
5. client: sleep 1
6. client: modprobe -r cifs
The error message is as follows:
=============================================================================
BUG cifs_small_rq (Not tainted): Objects remaining on __kmem_cache_shutdown()
-----------------------------------------------------------------------------
Object 0x00000000d47521be @offset=14336
...
WARNING: mm/slub.c:1251 at __kmem_cache_shutdown+0x34e/0x440, CPU#0: modprobe/1577
...
Call Trace:
<TASK>
kmem_cache_destroy+0x94/0x190
cifs_destroy_request_bufs+0x3e/0x50 [cifs]
cleanup_module+0x4e/0x540 [cifs]
__se_sys_delete_module+0x278/0x400
__x64_sys_delete_module+0x5f/0x70
x64_sys_call+0x2299/0x2ff0
do_syscall_64+0x89/0x350
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x3e/0x50 [cifs]
WARNING: mm/slab_common.c:532 at kmem_cache_destroy+0x16b/0x190, CPU#0: modprobe/1577
LowCVE-2026-23205 at SUSECVE-2026-23205 at NVDSUSE bug 1258341CVE-2026-23209SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix error recovery in macvlan_common_newlink()
valis provided a nice repro to crash the kernel:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
ping -c1 -I p1 1.2.3.4
He also gave a very detailed analysis:
<quote valis>
The issue is triggered when a new macvlan link is created with
MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
port and register_netdevice() called from macvlan_common_newlink()
fails (e.g. because of the invalid link name).
In this case macvlan_hash_add_source is called from
macvlan_change_sources() / macvlan_common_newlink():
This adds a reference to vlan to the port's vlan_source_hash using
macvlan_source_entry.
vlan is a pointer to the priv data of the link that is being created.
When register_netdevice() fails, the error is returned from
macvlan_newlink() to rtnl_newlink_create():
if (ops->newlink)
err = ops->newlink(dev, ¶ms, extack);
else
err = register_netdevice(dev);
if (err < 0) {
free_netdev(dev);
goto out;
}
and free_netdev() is called, causing a kvfree() on the struct
net_device that is still referenced in the source entry attached to
the lower device's macvlan port.
Now all packets sent on the macvlan port with a matching source mac
address will trigger a use-after-free in macvlan_forward_source().
</quote valis>
With all that, my fix is to make sure we call macvlan_flush_sources()
regardless of @create value whenever "goto destroy_macvlan_port;"
path is taken.
Many thanks to valis for following up on this issue.
ImportantCVE-2026-23209 at SUSECVE-2026-23209 at NVDSUSE bug 1258518SUSE bug 1258784CVE-2026-23231SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
nf_tables_addchain() publishes the chain to table->chains via
list_add_tail_rcu() (in nft_chain_add()) before registering hooks.
If nf_tables_register_hook() then fails, the error path calls
nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()
with no RCU grace period in between.
This creates two use-after-free conditions:
1) Control-plane: nf_tables_dump_chains() traverses table->chains
under rcu_read_lock(). A concurrent dump can still be walking
the chain when the error path frees it.
2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly
installs the IPv4 hook before IPv6 registration fails. Packets
entering nft_do_chain() via the transient IPv4 hook can still be
dereferencing chain->blob_gen_X when the error path frees the
chain.
Add synchronize_rcu() between nft_chain_del() and the chain destroy
so that all RCU readers -- both dump threads and in-flight packet
evaluation -- have finished before the chain is freed.
ImportantCVE-2026-23231 at SUSECVE-2026-23231 at NVDSUSE bug 1259188SUSE bug 1259189CVE-2026-23270SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while
the current skb being held by the defragmentation engine. As reported by
GangMin Kim, if such packet is that may cause a UaF when the defrag engine
later on tries to tuch again such packet."
act_ct was never meant to be used in the egress path, however some users
are attaching it to egress today [2]. Attempting to reach a middle
ground, we noticed that, while most qdiscs are not handling
TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we
address the issue by only allowing act_ct to bind to clsact/ingress
qdiscs and shared blocks. That way it's still possible to attach act_ct to
egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/
[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
ModerateCVE-2026-23270 at SUSECVE-2026-23270 at NVDSUSE bug 1259886CVE-2026-23375SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm: thp: deny THP for files on anonymous inodes
file_thp_enabled() incorrectly allows THP for files on anonymous inodes
(e.g. guest_memfd and secretmem). These files are created via
alloc_file_pseudo(), which does not call get_write_access() and leaves
inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being
true, they appear as read-only regular files when
CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP
collapse.
Anonymous inodes can never pass the inode_is_open_for_write() check
since their i_writecount is never incremented through the normal VFS
open path. The right thing to do is to exclude them from THP eligibility
altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real
filesystem files (e.g. shared libraries), not for pseudo-filesystem
inodes.
For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create
large folios in the page cache via the collapse path, but the
guest_memfd fault handler does not support large folios. This triggers
WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().
For secretmem, collapse_file() tries to copy page contents through the
direct map, but secretmem pages are removed from the direct map. This
can result in a kernel crash:
BUG: unable to handle page fault for address: ffff88810284d000
RIP: 0010:memcpy_orig+0x16/0x130
Call Trace:
collapse_file
hpage_collapse_scan_file
madvise_collapse
Secretmem is not affected by the crash on upstream as the memory failure
recovery handles the failed copy gracefully, but it still triggers
confusing false memory failure reports:
Memory failure: 0x106d96f: recovery action for clean unevictable
LRU page: Recovered
Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all
anonymous inode files.
ModerateCVE-2026-23375 at SUSECVE-2026-23375 at NVDSUSE bug 1260576CVE-2026-23392SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: release flowtable after rcu grace period on error
Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.
This error path is rare, it should only happen by reaching the maximum
number hooks or by failing to set up to hardware offload, just call
synchronize_rcu().
There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier to this error path really becomes
rarely exercised.
Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.
ImportantCVE-2026-23392 at SUSECVE-2026-23392 at NVDSUSE bug 1260531SUSE bug 1262016CVE-2026-2340SUSE Liberty Linux 10
A flaw was found in Samba's vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
ModerateCVE-2026-2340 at SUSECVE-2026-2340 at NVDSUSE bug 1261158CVE-2026-23401SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.
E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulted MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.
------------[ cut here ]------------
is_shadow_present_pte(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
Call Trace:
<TASK>
mmu_set_spte+0x237/0x440 [kvm]
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x47fa3f
</TASK>
---[ end trace 0000000000000000 ]---
ModerateCVE-2026-23401 at SUSECVE-2026-23401 at NVDSUSE bug 1261288CVE-2026-23455SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.
Add a check to ensure len is positive after the decrement.
ModerateCVE-2026-23455 at SUSECVE-2026-23455 at NVDSUSE bug 1261687CVE-2026-23479SUSE Liberty Linux 10
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
ImportantCVE-2026-23479 at SUSECVE-2026-23479 at NVDSUSE bug 1264164CVE-2026-23490SUSE Liberty Linux 10
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
ImportantCVE-2026-23490 at SUSECVE-2026-23490 at NVDSUSE bug 1256902CVE-2026-23530SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
ImportantCVE-2026-23530 at SUSECVE-2026-23530 at NVDSUSE bug 1256940CVE-2026-23531SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
ImportantCVE-2026-23531 at SUSECVE-2026-23531 at NVDSUSE bug 1256941CVE-2026-23532SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client's `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
ImportantCVE-2026-23532 at SUSECVE-2026-23532 at NVDSUSE bug 1256942CVE-2026-23533SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
ImportantCVE-2026-23533 at SUSECVE-2026-23533 at NVDSUSE bug 1256943CVE-2026-23534SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
ImportantCVE-2026-23534 at SUSECVE-2026-23534 at NVDSUSE bug 1256944CVE-2026-23631SUSE Liberty Linux 10
Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.
ImportantCVE-2026-23631 at SUSECVE-2026-23631 at NVDSUSE bug 1264165CVE-2026-23732SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client-side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue.
ModerateCVE-2026-23732 at SUSECVE-2026-23732 at NVDSUSE bug 1256945CVE-2026-23745SUSE Liberty Linux 10
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
ImportantCVE-2026-23745 at SUSECVE-2026-23745 at NVDSUSE bug 1257002CVE-2026-23865SUSE Liberty Linux 10
An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.
ModerateCVE-2026-23865 at SUSECVE-2026-23865 at NVDSUSE bug 1259118CVE-2026-23868SUSE Liberty Linux 10
Giflib contains a double-free vulnerability that is the result of a shallow copy in GifMakeSavedImage and incorrect error handling. The conditions needed to trigger this vulnerability are difficult but may be possible.
ModerateCVE-2026-23868 at SUSECVE-2026-23868 at NVDSUSE bug 1259502SUSE bug 1262590SUSE bug 1266445CVE-2026-23883SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
ImportantCVE-2026-23883 at SUSECVE-2026-23883 at NVDSUSE bug 1256946CVE-2026-23884SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client-side use after free, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
ImportantCVE-2026-23884 at SUSECVE-2026-23884 at NVDSUSE bug 1256947CVE-2026-23893SUSE Liberty Linux 10
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication.
ModerateCVE-2026-23893 at SUSECVE-2026-23893 at NVDSUSE bug 1257116CVE-2026-23948SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
ModerateCVE-2026-23948 at SUSECVE-2026-23948 at NVDSUSE bug 1258001CVE-2026-23950SUSE Liberty Linux 10
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `?` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `?` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `?` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
ImportantCVE-2026-23950 at SUSECVE-2026-23950 at NVDCVE-2026-24049SUSE Liberty Linux 10
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
ImportantCVE-2026-24049 at SUSECVE-2026-24049 at NVDSUSE bug 1257100CVE-2026-2447SUSE Liberty Linux 10
Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.
ImportantCVE-2026-2447 at SUSECVE-2026-2447 at NVDSUSE bug 1258388SUSE bug 1263813CVE-2026-24491SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24491 at SUSECVE-2026-24491 at NVDSUSE bug 1257981CVE-2026-24675SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24675 at SUSECVE-2026-24675 at NVDSUSE bug 1257982CVE-2026-24676SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24676 at SUSECVE-2026-24676 at NVDSUSE bug 1257983CVE-2026-24678SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24678 at SUSECVE-2026-24678 at NVDSUSE bug 1257985CVE-2026-24679SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, The URBDRC client uses server-supplied interface numbers as array indices without bounds checks, causing an out-of-bounds read in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24679 at SUSECVE-2026-24679 at NVDSUSE bug 1257986CVE-2026-24681SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, aAsynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24681 at SUSECVE-2026-24681 at NVDSUSE bug 1257988CVE-2026-24682SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, audin_server_recv_formats frees an incorrect number of audio formats on parse failure (i + i), leading to out-of-bounds access in audio_formats_free. This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24682 at SUSECVE-2026-24682 at NVDSUSE bug 1257989CVE-2026-24683SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24683 at SUSECVE-2026-24683 at NVDSUSE bug 1257990CVE-2026-24684SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.22.0.
ImportantCVE-2026-24684 at SUSECVE-2026-24684 at NVDSUSE bug 1257991CVE-2026-24733SUSE Liberty Linux 10
Improper Input Validation vulnerability in Apache Tomcat.
Tomcat did not limit HTTP/0.9 requests to the GET method. If a security
constraint was configured to allow HEAD requests to a URI but deny GET
requests, the user could bypass that constraint on GET requests by
sending a (specification invalid) HEAD request using HTTP/0.9.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.
Older, EOL versions are also affected.
Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
ModerateCVE-2026-24733 at SUSECVE-2026-24733 at NVDSUSE bug 1258385CVE-2026-24734SUSE Liberty Linux 10
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.
This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.
The following versions were EOL at the time the CVE was created but are
known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.
Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.
Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
ModerateCVE-2026-24734 at SUSECVE-2026-24734 at NVDSUSE bug 1258387CVE-2026-24842SUSE Liberty Linux 10
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
ImportantCVE-2026-24842 at SUSECVE-2026-24842 at NVDSUSE bug 1257415CVE-2026-24880SUSE Liberty Linux 10
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Other, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.
ModerateCVE-2026-24880 at SUSECVE-2026-24880 at NVDSUSE bug 1261850CVE-2026-24882SUSE Liberty Linux 10
In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.
ImportantCVE-2026-24882 at SUSECVE-2026-24882 at NVDSUSE bug 1257396CVE-2026-25243SUSE Liberty Linux 10
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
ImportantCVE-2026-25243 at SUSECVE-2026-25243 at NVDSUSE bug 1264166CVE-2026-25506SUSE Liberty Linux 10
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
ImportantCVE-2026-25506 at SUSECVE-2026-25506 at NVDSUSE bug 1257651CVE-2026-25547SUSE Liberty Linux 10
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
ImportantCVE-2026-25547 at SUSECVE-2026-25547 at NVDSUSE bug 1257834CVE-2026-25646SUSE Liberty Linux 10
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
ImportantCVE-2026-25646 at SUSECVE-2026-25646 at NVDSUSE bug 1258020SUSE bug 1261341SUSE bug 1265430SUSE bug 1265909CVE-2026-25679SUSE Liberty Linux 10
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
ModerateCVE-2026-25679 at SUSECVE-2026-25679 at NVDSUSE bug 1259264CVE-2026-25749SUSE Liberty Linux 10
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
ModerateCVE-2026-25749 at SUSECVE-2026-25749 at NVDSUSE bug 1257889SUSE bug 1262591CVE-2026-2581SUSE Liberty Linux 10
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).
In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.
Impacted users are applications that use Undici's deduplication interceptor against endpoints that may produce large or long-lived response bodies.
PatchesThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.
Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
ModerateCVE-2026-2581 at SUSECVE-2026-2581 at NVDSUSE bug 1268480CVE-2026-25854SUSE Liberty Linux 10
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.
Other, unsupported versions may also be affected
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
ModerateCVE-2026-25854 at SUSECVE-2026-25854 at NVDSUSE bug 1261851CVE-2026-25952SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.
ModerateCVE-2026-25952 at SUSECVE-2026-25952 at NVDSUSE bug 1258921CVE-2026-25997SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.
ModerateCVE-2026-25997 at SUSECVE-2026-25997 at NVDSUSE bug 1258977CVE-2026-26103SUSE Liberty Linux 10
A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.
ImportantCVE-2026-26103 at SUSECVE-2026-26103 at NVDSUSE bug 1258868CVE-2026-26104SUSE Liberty Linux 10
A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.
ModerateCVE-2026-26104 at SUSECVE-2026-26104 at NVDSUSE bug 1258867CVE-2026-26127SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-26127 at SUSECVE-2026-26127 at NVDCVE-2026-26130SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-26130 at SUSECVE-2026-26130 at NVDCVE-2026-26171SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-26171 at SUSECVE-2026-26171 at NVDCVE-2026-26955SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command - full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
ImportantCVE-2026-26955 at SUSECVE-2026-26955 at NVDSUSE bug 1258982SUSE bug 1263692CVE-2026-26965SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128x128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data - control-flow-relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.
ImportantCVE-2026-26965 at SUSECVE-2026-26965 at NVDSUSE bug 1258985SUSE bug 1263692CVE-2026-26986SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.
ModerateCVE-2026-26986 at SUSECVE-2026-26986 at NVDSUSE bug 1258967CVE-2026-26996SUSE Liberty Linux 10
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
ImportantCVE-2026-26996 at SUSECVE-2026-26996 at NVDSUSE bug 1258621CVE-2026-27135SUSE Liberty Linux 10
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
ImportantCVE-2026-27135 at SUSECVE-2026-27135 at NVDSUSE bug 1259835CVE-2026-27137SUSE Liberty Linux 10
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
ModerateCVE-2026-27137 at SUSECVE-2026-27137 at NVDSUSE bug 1259266CVE-2026-27140SUSE Liberty Linux 10
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
ImportantCVE-2026-27140 at SUSECVE-2026-27140 at NVDSUSE bug 1261653CVE-2026-27143SUSE Liberty Linux 10
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
ImportantCVE-2026-27143 at SUSECVE-2026-27143 at NVDSUSE bug 1261654CVE-2026-27144SUSE Liberty Linux 10
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
ModerateCVE-2026-27144 at SUSECVE-2026-27144 at NVDSUSE bug 1261655CVE-2026-2757SUSE Liberty Linux 10
Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2757 at SUSECVE-2026-2757 at NVDSUSE bug 1258568CVE-2026-2758SUSE Liberty Linux 10
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2758 at SUSECVE-2026-2758 at NVDSUSE bug 1258568CVE-2026-2759SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2759 at SUSECVE-2026-2759 at NVDSUSE bug 1258568CVE-2026-2760SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2760 at SUSECVE-2026-2760 at NVDSUSE bug 1258568CVE-2026-2761SUSE Liberty Linux 10
Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2761 at SUSECVE-2026-2761 at NVDSUSE bug 1258568CVE-2026-2762SUSE Liberty Linux 10
Integer overflow in the JavaScript: Standard Library component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2762 at SUSECVE-2026-2762 at NVDSUSE bug 1258568CVE-2026-27622SUSE Liberty Linux 10
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
ImportantCVE-2026-27622 at SUSECVE-2026-27622 at NVDSUSE bug 1259177CVE-2026-2763SUSE Liberty Linux 10
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2763 at SUSECVE-2026-2763 at NVDSUSE bug 1258568CVE-2026-2764SUSE Liberty Linux 10
JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2764 at SUSECVE-2026-2764 at NVDSUSE bug 1258568CVE-2026-2765SUSE Liberty Linux 10
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2765 at SUSECVE-2026-2765 at NVDSUSE bug 1258568CVE-2026-27651SUSE Liberty Linux 10
When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ImportantCVE-2026-27651 at SUSECVE-2026-27651 at NVDSUSE bug 1260415CVE-2026-27654SUSE Liberty Linux 10
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ImportantCVE-2026-27654 at SUSECVE-2026-27654 at NVDSUSE bug 1260416CVE-2026-2766SUSE Liberty Linux 10
Use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2766 at SUSECVE-2026-2766 at NVDSUSE bug 1258568CVE-2026-2767SUSE Liberty Linux 10
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2767 at SUSECVE-2026-2767 at NVDSUSE bug 1258568CVE-2026-2768SUSE Liberty Linux 10
Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2768 at SUSECVE-2026-2768 at NVDSUSE bug 1258568CVE-2026-2769SUSE Liberty Linux 10
Use-after-free in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2769 at SUSECVE-2026-2769 at NVDSUSE bug 1258568CVE-2026-2770SUSE Liberty Linux 10
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2770 at SUSECVE-2026-2770 at NVDSUSE bug 1258568CVE-2026-2771SUSE Liberty Linux 10
Undefined behavior in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2771 at SUSECVE-2026-2771 at NVDSUSE bug 1258568CVE-2026-2772SUSE Liberty Linux 10
Use-after-free in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2772 at SUSECVE-2026-2772 at NVDSUSE bug 1258568CVE-2026-2773SUSE Liberty Linux 10
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2773 at SUSECVE-2026-2773 at NVDSUSE bug 1258568CVE-2026-2774SUSE Liberty Linux 10
Integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2774 at SUSECVE-2026-2774 at NVDSUSE bug 1258568CVE-2026-2775SUSE Liberty Linux 10
Mitigation bypass in the DOM: HTML Parser component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2775 at SUSECVE-2026-2775 at NVDSUSE bug 1258568CVE-2026-2776SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2776 at SUSECVE-2026-2776 at NVDSUSE bug 1258568CVE-2026-2777SUSE Liberty Linux 10
Privilege escalation in the Messaging System component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2777 at SUSECVE-2026-2777 at NVDSUSE bug 1258568CVE-2026-2778SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2778 at SUSECVE-2026-2778 at NVDSUSE bug 1258568CVE-2026-27784SUSE Liberty Linux 10
The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ImportantCVE-2026-27784 at SUSECVE-2026-27784 at NVDSUSE bug 1260417CVE-2026-2779SUSE Liberty Linux 10
Incorrect boundary conditions in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2779 at SUSECVE-2026-2779 at NVDSUSE bug 1258568CVE-2026-2780SUSE Liberty Linux 10
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2780 at SUSECVE-2026-2780 at NVDSUSE bug 1258568CVE-2026-2781SUSE Liberty Linux 10
Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35.
ImportantCVE-2026-2781 at SUSECVE-2026-2781 at NVDSUSE bug 1258568CVE-2026-2782SUSE Liberty Linux 10
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2782 at SUSECVE-2026-2782 at NVDSUSE bug 1258568CVE-2026-2783SUSE Liberty Linux 10
Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2783 at SUSECVE-2026-2783 at NVDSUSE bug 1258568CVE-2026-2784SUSE Liberty Linux 10
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2784 at SUSECVE-2026-2784 at NVDSUSE bug 1258568CVE-2026-2785SUSE Liberty Linux 10
Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2785 at SUSECVE-2026-2785 at NVDSUSE bug 1258568CVE-2026-27857SUSE Liberty Linux 10
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.
ModerateCVE-2026-27857 at SUSECVE-2026-27857 at NVDSUSE bug 1260898SUSE bug 1265150CVE-2026-27858SUSE Liberty Linux 10
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory.
Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known.
ImportantCVE-2026-27858 at SUSECVE-2026-27858 at NVDSUSE bug 1260901CVE-2026-2786SUSE Liberty Linux 10
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2786 at SUSECVE-2026-2786 at NVDSUSE bug 1258568CVE-2026-2787SUSE Liberty Linux 10
Use-after-free in the DOM: Window and Location component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2787 at SUSECVE-2026-2787 at NVDSUSE bug 1258568CVE-2026-27877SUSE Liberty Linux 10
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
ImportantCVE-2026-27877 at SUSECVE-2026-27877 at NVDSUSE bug 1261026CVE-2026-2788SUSE Liberty Linux 10
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2788 at SUSECVE-2026-2788 at NVDSUSE bug 1258568CVE-2026-2789SUSE Liberty Linux 10
Use-after-free in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2789 at SUSECVE-2026-2789 at NVDSUSE bug 1258568CVE-2026-2790SUSE Liberty Linux 10
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2790 at SUSECVE-2026-2790 at NVDSUSE bug 1258568CVE-2026-27904SUSE Liberty Linux 10
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
ImportantCVE-2026-27904 at SUSECVE-2026-27904 at NVDSUSE bug 1258994CVE-2026-2791SUSE Liberty Linux 10
Mitigation bypass in the Networking: Cache component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2791 at SUSECVE-2026-2791 at NVDSUSE bug 1258568CVE-2026-2792SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2792 at SUSECVE-2026-2792 at NVDSUSE bug 1258568CVE-2026-2793SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
ImportantCVE-2026-2793 at SUSECVE-2026-2793 at NVDSUSE bug 1258568CVE-2026-28390SUSE Liberty Linux 10
Issue summary: During processing of a crafted CMS EnvelopedData message
with KeyTransportRecipientInfo a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur resulting in
Denial of Service.
When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with
RSA-OAEP encryption is processed, the optional parameters field of
RSA-OAEP SourceFunc algorithm identifier is examined without checking
for its presence. This results in a NULL pointer dereference if the field
is missing.
Applications and services that call CMS_decrypt() on untrusted input
(e.g., S/MIME processing or CMS-based protocols) are vulnerable.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-28390 at SUSECVE-2026-28390 at NVDSUSE bug 1261678CVE-2026-28417SUSE Liberty Linux 10
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
ModerateCVE-2026-28417 at SUSECVE-2026-28417 at NVDSUSE bug 1259051SUSE bug 1262591CVE-2026-28421SUSE Liberty Linux 10
Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
ModerateCVE-2026-28421 at SUSECVE-2026-28421 at NVDSUSE bug 1259055SUSE bug 1262591CVE-2026-28780SUSE Liberty Linux 10
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
ModerateCVE-2026-28780 at SUSECVE-2026-28780 at NVDSUSE bug 1264163CVE-2026-29111SUSE Liberty Linux 10
systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.
ModerateCVE-2026-29111 at SUSECVE-2026-29111 at NVDSUSE bug 1259418CVE-2026-29129SUSE Liberty Linux 10
Configured cipher preference order not preserved vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
ModerateCVE-2026-29129 at SUSECVE-2026-29129 at NVDSUSE bug 1261852CVE-2026-29145SUSE Liberty Linux 10
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.
Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
ModerateCVE-2026-29145 at SUSECVE-2026-29145 at NVDSUSE bug 1261853CVE-2026-29146SUSE Liberty Linux 10
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
ImportantCVE-2026-29146 at SUSECVE-2026-29146 at NVDSUSE bug 1261854SUSE bug 1265977SUSE bug 1265978CVE-2026-2920SUSE Liberty Linux 10
GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.
ImportantCVE-2026-2920 at SUSECVE-2026-2920 at NVDSUSE bug 1259367CVE-2026-2921SUSE Liberty Linux 10
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
ImportantCVE-2026-2921 at SUSECVE-2026-2921 at NVDSUSE bug 1259369SUSE bug 1263812CVE-2026-2922SUSE Liberty Linux 10
GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845.
ImportantCVE-2026-2922 at SUSECVE-2026-2922 at NVDSUSE bug 1259370CVE-2026-2923SUSE Liberty Linux 10
GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838.
ImportantCVE-2026-2923 at SUSECVE-2026-2923 at NVDSUSE bug 1259375CVE-2026-29518SUSE Liberty Linux 10
Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
ImportantCVE-2026-29518 at SUSECVE-2026-29518 at NVDSUSE bug 1264511SUSE bug 1264514CVE-2026-29775SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId equal to maxCells, bypassing the guard and accessing cells[] one element past the allocated array. This vulnerability is fixed in 3.24.0.
LowCVE-2026-29775 at SUSECVE-2026-29775 at NVDSUSE bug 1259684CVE-2026-3012SUSE Liberty Linux 10
A flaw was found in Samba's certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications.
ImportantCVE-2026-3012 at SUSECVE-2026-3012 at NVDSUSE bug 1261159CVE-2026-3039SUSE Liberty Linux 10
BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments.
This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
ImportantCVE-2026-3039 at SUSECVE-2026-3039 at NVDSUSE bug 1265591CVE-2026-3082SUSE Liberty Linux 10
GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840.
ImportantCVE-2026-3082 at SUSECVE-2026-3082 at NVDSUSE bug 1259399SUSE bug 1263812CVE-2026-3083SUSE Liberty Linux 10
GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.
ImportantCVE-2026-3083 at SUSECVE-2026-3083 at NVDSUSE bug 1259405SUSE bug 1263812CVE-2026-3085SUSE Liberty Linux 10
GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.
ImportantCVE-2026-3085 at SUSECVE-2026-3085 at NVDSUSE bug 1259406SUSE bug 1263812CVE-2026-30892SUSE Liberty Linux 10
crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue.
ImportantCVE-2026-30892 at SUSECVE-2026-30892 at NVDSUSE bug 1260608CVE-2026-30922SUSE Liberty Linux 10
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.
ImportantCVE-2026-30922 at SUSECVE-2026-30922 at NVDSUSE bug 1259803CVE-2026-31402SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.
We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.
Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
ImportantCVE-2026-31402 at SUSECVE-2026-31402 at NVDSUSE bug 1261638SUSE bug 1261640SUSE bug 1265160CVE-2026-31408SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.
Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.
Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.
ImportantCVE-2026-31408 at SUSECVE-2026-31408 at NVDSUSE bug 1261797SUSE bug 1261799SUSE bug 1265552CVE-2026-31419SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix use-after-free in bond_xmit_broadcast()
bond_xmit_broadcast() reuses the original skb for the last slave
(determined by bond_is_last_slave()) and clones it for others.
Concurrent slave enslave/release can mutate the slave list during
RCU-protected iteration, changing which slave is "last" mid-loop.
This causes the original skb to be double-consumed (double-freed).
Replace the racy bond_is_last_slave() check with a simple index
comparison (i + 1 == slaves_count) against the pre-snapshot slave
count taken via READ_ONCE() before the loop. This preserves the
zero-copy optimization for the last slave while making the "last"
determination stable against concurrent list mutations.
The UAF can trigger the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in skb_clone
Read of size 8 at addr ffff888100ef8d40 by task exploit/147
CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:123)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:597)
skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)
bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)
dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)
__dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)
ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)
ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)
ip6_output (net/ipv6/ip6_output.c:250)
ip6_send_skb (net/ipv6/ip6_output.c:1985)
udp_v6_send_skb (net/ipv6/udp.c:1442)
udpv6_sendmsg (net/ipv6/udp.c:1733)
__sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Allocated by task 147:
Freed by task 147:
The buggy address belongs to the object at ffff888100ef8c80
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 192 bytes inside of
freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)
Memory state around the buggy address:
ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
ImportantCVE-2026-31419 at SUSECVE-2026-31419 at NVDSUSE bug 1262066SUSE bug 1262733CVE-2026-31431SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Revert to operating out-of-place
This mostly reverts commit 72548b093ee3 except for the copying of
the associated data.
There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings. Get rid of
all the complexity added for in-place operation and just copy the
AD directly.
ImportantCVE-2026-31431 at SUSECVE-2026-31431 at NVDSUSE bug 1262573SUSE bug 1263689SUSE bug 1263938SUSE bug 1263939SUSE bug 1264274SUSE bug 1265460CVE-2026-31467SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
erofs: add GFP_NOIO in the bio completion if needed
The bio completion path in the process context (e.g. dm-verity)
will directly call into decompression rather than trigger another
workqueue context for minimal scheduling latencies, which can
then call vm_map_ram() with GFP_KERNEL.
Due to insufficient memory, vm_map_ram() may generate memory
swapping I/O, which can cause submit_bio_wait to deadlock
in some scenarios.
Trimmed down the call stack, as follows:
f2fs_submit_read_io
submit_bio //bio_list is initialized.
mmc_blk_mq_recovery
z_erofs_endio
vm_map_ram
__pte_alloc_kernel
__alloc_pages_direct_reclaim
shrink_folio_list
__swap_writepage
submit_bio_wait //bio_list is non-NULL, hang!!!
Use memalloc_noio_{save,restore}() to wrap up this path.
ModerateCVE-2026-31467 at SUSECVE-2026-31467 at NVDSUSE bug 1267738CVE-2026-31532SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
can: raw: fix ro->uniq use-after-free in raw_rcv()
raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
but receiver deletion is deferred with call_rcu(). This leaves a window
where raw_rcv() may still be running in an RCU read-side critical section
after raw_release() frees ro->uniq, leading to a use-after-free of the
percpu uniq storage.
Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.
[mkl: applied manually]
ModerateCVE-2026-31532 at SUSECVE-2026-31532 at NVDSUSE bug 1262757CVE-2026-31581SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ALSA: 6fire: fix use-after-free on disconnect
In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)). When
snd_card_free_when_closed() is called and no file handles are open, the
card and embedded chip are freed synchronously. The subsequent
chip->card = NULL write then hits freed slab memory.
Call trace:
usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
...
hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953
Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
usb6fire_chip_disconnect(). The card pointer is saved in a local
before any teardown, snd_card_disconnect() is called first to prevent
new opens, URBs are aborted while chip is still valid, and
snd_card_free_when_closed() is called last so chip is never accessed
after the card may be freed.
ModerateCVE-2026-31581 at SUSECVE-2026-31581 at NVDSUSE bug 1263167SUSE bug 1263168CVE-2026-31607SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
usbip: validate number_of_packets in usbip_pack_ret_submit()
When a USB/IP client receives a RET_SUBMIT response,
usbip_pack_ret_submit() unconditionally overwrites
urb->number_of_packets from the network PDU. This value is
subsequently used as the loop bound in usbip_recv_iso() and
usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible
array whose size was fixed at URB allocation time based on the
*original* number_of_packets from the CMD_SUBMIT.
A malicious USB/IP server can set number_of_packets in the response
to a value larger than what was originally submitted, causing a heap
out-of-bounds write when usbip_recv_iso() writes to
urb->iso_frame_desc[i] beyond the allocated region.
KASAN confirmed this with kernel 7.0.0-rc5:
BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
Write of size 4 at addr ffff888106351d40 by task vhci_rx/69
The buggy address is located 0 bytes to the right of
allocated 320-byte region [ffff888106351c00, ffff888106351d40)
The server side (stub_rx.c) and gadget side (vudc_rx.c) already
validate number_of_packets in the CMD_SUBMIT path since commits
c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle
malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden
CMD_SUBMIT path to handle malicious input"). The server side validates
against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
On the client side we have the original URB, so we can use the tighter
bound: the response must not exceed the original number_of_packets.
This mirrors the existing validation of actual_length against
transfer_buffer_length in usbip_recv_xbuff(), which checks the
response value against the original allocation size.
Kelvin Mbogo's series ("usb: usbip: fix integer overflow in
usbip_recv_iso()", v2) hardens the receive-side functions themselves;
this patch complements that work by catching the bad value at its
source -- in usbip_pack_ret_submit() before the overwrite -- and
using the tighter per-URB allocation bound rather than the global
USBIP_MAX_ISO_PACKETS limit.
Fix this by checking rpdu->number_of_packets against
urb->number_of_packets in usbip_pack_ret_submit() before the
overwrite. On violation, clamp to zero so that usbip_recv_iso() and
usbip_pad_iso() safely return early.
ModerateCVE-2026-31607 at SUSECVE-2026-31607 at NVDSUSE bug 1263600CVE-2026-31613SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOB reads parsing symlink error response
When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message()
returns success without any length validation, leaving the symlink
parsers as the only defense against an untrusted server.
symlink_data() walks SMB 3.1.1 error contexts with the loop test "p <
end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset
0. When the server-controlled ErrorDataLength advances p to within 1-7
bytes of end, the next iteration will read past it. When the matching
context is found, sym->SymLinkErrorTag is read at offset 4 from
p->ErrorContextData with no check that the symlink header itself fits.
smb2_parse_symlink_response() then bounds-checks the substitute name
using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from
iov_base. That value is computed as sizeof(smb2_err_rsp) +
sizeof(smb2_symlink_err_rsp), which is correct only when
ErrorContextCount == 0.
With at least one error context the symlink data sits 8 bytes deeper,
and each skipped non-matching context shifts it further by 8 +
ALIGN(ErrorDataLength, 8). The check is too short, allowing the
substitute name read to run past iov_len. The out-of-bound heap bytes
are UTF-16-decoded into the symlink target and returned to userspace via
readlink(2).
Fix this all up by making the loops test require the full context header
to fit, rejecting sym if its header runs past end, and bound the
substitute name against the actual position of sym->PathBuffer rather
than a fixed offset.
Because sub_offs and sub_len are 16bits, the pointer math will not
overflow here with the new greater-than.
ImportantCVE-2026-31613 at SUSECVE-2026-31613 at NVDSUSE bug 1263769SUSE bug 1263770CVE-2026-31684SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_csum: validate nested VLAN headers
tcf_csum_act() walks nested VLAN headers directly from skb->data when an
skb still carries in-payload VLAN tags. The current code reads
vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
first ensuring that the full VLAN header is present in the linear area.
If only part of an inner VLAN header is linearized, accessing
h_vlan_encapsulated_proto reads past the linear area, and the following
skb_pull(VLAN_HLEN) may violate skb invariants.
Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
pulling each nested VLAN header. If the header still is not fully
available, drop the packet through the existing error path.
ModerateCVE-2026-31684 at SUSECVE-2026-31684 at NVDSUSE bug 1263596CVE-2026-31685SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_eui64: reject invalid MAC header for all packets
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.
The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.
Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
ImportantCVE-2026-31685 at SUSECVE-2026-31685 at NVDSUSE bug 1263668SUSE bug 1263670CVE-2026-31709SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
smb: client: validate the whole DACL before rewriting it in cifsacl
build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
server-supplied dacloffset and then use the incoming ACL to rebuild the
chmod/chown security descriptor.
The original fix only checked that the struct smb_acl header fits before
reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate
header-field OOB read, but the rewrite helpers still walk ACEs based on
pdacl->num_aces with no structural validation of the incoming DACL body.
A malicious server can return a truncated DACL that still contains a
header, claims one or more ACEs, and then drive
replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
extent while they compare or copy attacker-controlled ACEs.
Factor the DACL structural checks into validate_dacl(), extend them to
validate each ACE against the DACL bounds, and use the shared validator
before the chmod/chown rebuild paths. parse_dacl() reuses the same
validator so the read-side parser and write-side rewrite paths agree on
what constitutes a well-formed incoming DACL.
ImportantCVE-2026-31709 at SUSECVE-2026-31709 at NVDSUSE bug 1264024SUSE bug 1264140CVE-2026-31790SUSE Liberty Linux 10
Issue summary: Applications using RSASVE key encapsulation to establish
a secret encryption key can send contents of an uninitialized memory buffer to
a malicious peer.
Impact summary: The uninitialized buffer might contain sensitive data from the
previous execution of the application process which leads to sensitive data
leakage to an attacker.
RSA_public_encrypt() returns the number of bytes written on success and -1
on error. The affected code tests only whether the return value is non-zero.
As a result, if RSA encryption fails, encapsulation can still return success to
the caller, set the output lengths, and leave the caller to use the contents of
the ciphertext buffer as if a valid KEM ciphertext had been produced.
If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an
attacker-supplied invalid RSA public key without first validating that key,
then this may cause stale or uninitialized contents of the caller-provided
ciphertext buffer to be disclosed to the attacker in place of the KEM
ciphertext.
As a workaround calling EVP_PKEY_public_check() or
EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate
the issue.
The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
ModerateCVE-2026-31790 at SUSECVE-2026-31790 at NVDSUSE bug 1260445CVE-2026-31806SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values are used during bitmap decoding and memory operations without proper bounds checking, this can lead to a heap buffer overflow. Since the attacker can also control the associated pixel data transmitted by the server, the overflow may be exploitable to overwrite adjacent heap memory. This vulnerability is fixed in 3.24.0.
ImportantCVE-2026-31806 at SUSECVE-2026-31806 at NVDSUSE bug 1259653CVE-2026-31883SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header sizes from a size_t variable without checking for underflow. When nBlockAlign (received from the server) is set such that size % block_size == 0 triggers the header parsing at a point where size is smaller than the header (4 or 8 bytes), the subtraction wraps size to ~SIZE_MAX. The while (size > 0) loop then continues for an astronomical number of iterations. This vulnerability is fixed in 3.24.0.
ImportantCVE-2026-31883 at SUSECVE-2026-31883 at NVDSUSE bug 1259679CVE-2026-31884SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAlign. The nBlockAlign value comes from the Server Audio Formats PDU on the RDPSND channel. The value 0 is not validated anywhere before reaching the decoder. When nBlockAlign = 0, the modulo operation causes a SIGFPE (floating point exception) crash. This vulnerability is fixed in 3.24.0.
ModerateCVE-2026-31884 at SUSECVE-2026-31884 at NVDSUSE bug 1259680CVE-2026-31885SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.
ImportantCVE-2026-31885 at SUSECVE-2026-31885 at NVDSUSE bug 1259686CVE-2026-31958SUSE Liberty Linux 10
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
ImportantCVE-2026-31958 at SUSECVE-2026-31958 at NVDSUSE bug 1259552CVE-2026-3201SUSE Liberty Linux 10
USB HID protocol dissector memory exhaustion in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service
LowCVE-2026-3201 at SUSECVE-2026-3201 at NVDSUSE bug 1258907CVE-2026-3203SUSE Liberty Linux 10
RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service
LowCVE-2026-3203 at SUSECVE-2026-3203 at NVDSUSE bug 1258909CVE-2026-32178SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-32178 at SUSECVE-2026-32178 at NVDCVE-2026-32203SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-32203 at SUSECVE-2026-32203 at NVDCVE-2026-32280SUSE Liberty Linux 10
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
ImportantCVE-2026-32280 at SUSECVE-2026-32280 at NVDSUSE bug 1261656CVE-2026-32281SUSE Liberty Linux 10
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
ModerateCVE-2026-32281 at SUSECVE-2026-32281 at NVDSUSE bug 1261657CVE-2026-32282SUSE Liberty Linux 10
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
ModerateCVE-2026-32282 at SUSECVE-2026-32282 at NVDSUSE bug 1261658CVE-2026-32283SUSE Liberty Linux 10
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
ModerateCVE-2026-32283 at SUSECVE-2026-32283 at NVDSUSE bug 1261659CVE-2026-32597SUSE Liberty Linux 10
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 ?4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
ImportantCVE-2026-32597 at SUSECVE-2026-32597 at NVDSUSE bug 1259616CVE-2026-32647SUSE Liberty Linux 10
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ImportantCVE-2026-32647 at SUSECVE-2026-32647 at NVDSUSE bug 1260420CVE-2026-32710SUSE Liberty Linux 10
MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.
ImportantCVE-2026-32710 at SUSECVE-2026-32710 at NVDSUSE bug 1260081CVE-2026-32748SUSE Liberty Linux 10
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
ImportantCVE-2026-32748 at SUSECVE-2026-32748 at NVDSUSE bug 1260453CVE-2026-32990SUSE Liberty Linux 10
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.
This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
ImportantCVE-2026-32990 at SUSECVE-2026-32990 at NVDSUSE bug 1258371CVE-2026-33007SUSE Liberty Linux 10
A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration.
Users are recommended to upgrade to version 2.4.67, which fixes this issue.
ModerateCVE-2026-33007 at SUSECVE-2026-33007 at NVDSUSE bug 1263954CVE-2026-33116SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-33116 at SUSECVE-2026-33116 at NVDCVE-2026-33186SUSE Liberty Linux 10
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
ImportantCVE-2026-33186 at SUSECVE-2026-33186 at NVDSUSE bug 1260085CVE-2026-33210SUSE Liberty Linux 10
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
CriticalCVE-2026-33210 at SUSECVE-2026-33210 at NVDSUSE bug 1260071CVE-2026-33278SUSE Liberty Linux 10
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
ImportantCVE-2026-33278 at SUSECVE-2026-33278 at NVDSUSE bug 1265587CVE-2026-33412SUSE Liberty Linux 10
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
ModerateCVE-2026-33412 at SUSECVE-2026-33412 at NVDSUSE bug 1259985SUSE bug 1262591CVE-2026-33416SUSE Liberty Linux 10
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.
ImportantCVE-2026-33416 at SUSECVE-2026-33416 at NVDSUSE bug 1260754CVE-2026-33526SUSE Liberty Linux 10
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
ImportantCVE-2026-33526 at SUSECVE-2026-33526 at NVDSUSE bug 1260452CVE-2026-33554SUSE Liberty Linux 10
ipmi-oem in FreeIPMI before 1.6.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."
ImportantCVE-2026-33554 at SUSECVE-2026-33554 at NVDSUSE bug 1260414CVE-2026-33636SUSE Liberty Linux 10
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.
ImportantCVE-2026-33636 at SUSECVE-2026-33636 at NVDSUSE bug 1260755CVE-2026-33810SUSE Liberty Linux 10
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
ModerateCVE-2026-33810 at SUSECVE-2026-33810 at NVDSUSE bug 1261662CVE-2026-33811SUSE Liberty Linux 10
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
ImportantCVE-2026-33811 at SUSECVE-2026-33811 at NVDSUSE bug 1264508CVE-2026-33814SUSE Liberty Linux 10
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
ImportantCVE-2026-33814 at SUSECVE-2026-33814 at NVDSUSE bug 1264506CVE-2026-33816SUSE Liberty Linux 10
Memory-safety vulnerability in github.com/jackc/pgx/v5.
ImportantCVE-2026-33816 at SUSECVE-2026-33816 at NVDSUSE bug 1261812CVE-2026-33845SUSE Liberty Linux 10
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
ImportantCVE-2026-33845 at SUSECVE-2026-33845 at NVDSUSE bug 1263704CVE-2026-33846SUSE Liberty Linux 10
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
ImportantCVE-2026-33846 at SUSECVE-2026-33846 at NVDSUSE bug 1263705CVE-2026-33857SUSE Liberty Linux 10
Out-of-bounds Read vulnerability in mod_proxy_ajp of
Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
ModerateCVE-2026-33857 at SUSECVE-2026-33857 at NVDSUSE bug 1263952CVE-2026-33982SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_recalloc(). This issue has been patched in version 3.24.2.
ModerateCVE-2026-33982 at SUSECVE-2026-33982 at NVDSUSE bug 1261222CVE-2026-33983SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, execution continues. The wrapped value (247) is used as a shift exponent, causing undefined behavior and an approximately 80 billion iteration loop (CPU DoS). This issue has been patched in version 3.24.2.
ModerateCVE-2026-33983 at SUSECVE-2026-33983 at NVDSUSE bug 1261200CVE-2026-33984SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
ImportantCVE-2026-33984 at SUSECVE-2026-33984 at NVDSUSE bug 1261211CVE-2026-33985SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.
ModerateCVE-2026-33985 at SUSECVE-2026-33985 at NVDSUSE bug 1261217CVE-2026-33987SUSE Liberty Linux 10
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been patched in version 3.24.2.
ModerateCVE-2026-33987 at SUSECVE-2026-33987 at NVDSUSE bug 1261226CVE-2026-33999SUSE Liberty Linux 10
A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.
ModerateCVE-2026-33999 at SUSECVE-2026-33999 at NVDSUSE bug 1260922CVE-2026-34001SUSE Liberty Linux 10
A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.
ImportantCVE-2026-34001 at SUSECVE-2026-34001 at NVDSUSE bug 1260924SUSE bug 1265555CVE-2026-34003SUSE Liberty Linux 10
A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.
ModerateCVE-2026-34003 at SUSECVE-2026-34003 at NVDSUSE bug 1260926CVE-2026-34032SUSE Liberty Linux 10
Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
ImportantCVE-2026-34032 at SUSECVE-2026-34032 at NVDSUSE bug 1263951CVE-2026-34043SUSE Liberty Linux 10
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
ImportantCVE-2026-34043 at SUSECVE-2026-34043 at NVDCVE-2026-34059SUSE Liberty Linux 10
Buffer Over-read vulnerability in Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
ImportantCVE-2026-34059 at SUSECVE-2026-34059 at NVDSUSE bug 1263950CVE-2026-34078SUSE Liberty Linux 10
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
ImportantCVE-2026-34078 at SUSECVE-2026-34078 at NVDSUSE bug 1261769CVE-2026-34079SUSE Liberty Linux 10
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
ModerateCVE-2026-34079 at SUSECVE-2026-34079 at NVDSUSE bug 1261770CVE-2026-34180SUSE Liberty Linux 10
Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive
element whose content exceeds 2 gigabytes in length may cause a heap buffer
over-read on 64-bit Unix and Unix-like platforms.
Impact summary: The heap buffer over-read may crash the application (Denial of
Service) or to load into the decoded ASN.1 object contents of memory beyond the
end of the input buffer. More typically such ASN.1 elements would instead be
truncated.
An integer truncation in OpenSSL's ASN.1 decoder causes the content length of
an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the
worst case the truncated length is treated as a request to scan the binary
content for a terminating zero byte, possibly causing OpenSSL to read either
less than or beyond the end of the allocated buffer.
Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or
any other d2i_* decoding function are affected. OpenSSL's own command-line
tools are not vulnerable, as data read through the BIO layer is checked before
it reaches the affected code. The issue only affects 64-bit Unix and Unix-like
platforms; 32-bit platforms and 64-bit Windows are not affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue,
as the affected code is outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-34180 at SUSECVE-2026-34180 at NVDSUSE bug 1266342CVE-2026-34181SUSE Liberty Linux 10
Issue Summary: The PKCS#12 file processing fails to perform sufficient input
validation for files that use Password-Based Message Authentication Code 1
(PBMAC1) integrity mechanism allowing a certificate and private key forgery.
Impact Summary: An attacker impersonating a user can cause a service reading
PKCS#12 files to accept forged certificates and private keys with a 1 in 256
probability.
If a service accepting PKCS#12 files is using passwords for authenticating
the received files, the attacker can create unencrypted PKCS#12 files that
use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing
them to craft a file that will be accepted with a 1 in 256 probability.
That would then cause the service to accept a certificate and private key
controlled by the attacker.
The FIPS modules are not affected by this issue, as the affected code is
outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-34181 at SUSECVE-2026-34181 at NVDSUSE bug 1266343CVE-2026-34182SUSE Liberty Linux 10
Issue Summary: Cryptographic Message Services (CMS) processing fails to perform
sufficient input validation on the cipher and tag length fields of
AuthEnvelopedData containers, leading to various potential compromises.
Impact Summary: Attackers making use of these vulnerabilities may achieve
key-equivalent functionality for a given CMS recipient and/or bypass integrity
validation for a given message.
In one use case, an attacker may send a CMS message containing
AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL
erroneously allows this selection, and attempts to decrypt and validate the
message.
An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData
addressed to the victim can re-emit it with the recipientInfos set left
byte-for-byte intact, so the victim's private key still unwraps the genuine CEK
(the content-encryption key), but with the inner OID rewritten to AES-256-OFB
(Output Feedback Mode, an unauthenticated keystream mode) and with an
attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the
real CEK, never consults the MAC field, and CMS_decrypt() returns success.
If the application under attack responds to the attacker with any indicator
showing success or failure of the decryption effort, it is possible for the
attacker to use this as an oracle to obtain key equivalent functionality for the
CEK used for the chosen recipient of the message.
In another use case, an attacker can reduce the tag length of the chosen AEAD
cipher for a given AuthEnvelopedData container to be a single byte long,
allowing an attacker to brute force CMS decryption, producing an integrity
bypass for applications that trust CMS_decrypt() to reject modified content.
The FIPS modules are not affected by this issue.
ModerateCVE-2026-34182 at SUSECVE-2026-34182 at NVDSUSE bug 1266344CVE-2026-34183SUSE Liberty Linux 10
Issue summary: Remote peer may exhaust heap memory of the QUIC
server or client by flooding it with packets containing PATH_CHALLENGE
frames.
Impact summary: A malicious remote peer can cause an unbounded
memory allocation which can lead to an abnormal termination of the
application acting as a QUIC client or server and a Denial of Service.
A remote peer may exhaust heap memory by flooding the local
QUIC stack with PATH_CHALLENGE frames. The local QUIC stack
allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.
The allocated PATH_RESPONSE frame gets freed only when the remote
peer acknowledges reception of the PATH_RESPONSE frame which will
not be done by a malicious peer.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by
this issue. The QUIC stack is outside of OpenSSL FIPS module
boundary.
ModerateCVE-2026-34183 at SUSECVE-2026-34183 at NVDSUSE bug 1266345CVE-2026-34268SUSE Liberty Linux 10
Unknown.
LowCVE-2026-34268 at SUSECVE-2026-34268 at NVDSUSE bug 1262500CVE-2026-34270SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-34270 at SUSECVE-2026-34270 at NVDCVE-2026-34271SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-34271 at SUSECVE-2026-34271 at NVDCVE-2026-34276SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-34276 at SUSECVE-2026-34276 at NVDCVE-2026-34282SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-34282 at SUSECVE-2026-34282 at NVDSUSE bug 1262501CVE-2026-34303SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-34303 at SUSECVE-2026-34303 at NVDSUSE bug 1266435CVE-2026-34304SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-34304 at SUSECVE-2026-34304 at NVDCVE-2026-34308SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-34308 at SUSECVE-2026-34308 at NVDCVE-2026-34483SUSE Liberty Linux 10
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.
ModerateCVE-2026-34483 at SUSECVE-2026-34483 at NVDSUSE bug 1261855CVE-2026-34486SUSE Liberty Linux 10
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
ImportantCVE-2026-34486 at SUSECVE-2026-34486 at NVDSUSE bug 1261854SUSE bug 1265977SUSE bug 1265978CVE-2026-34487SUSE Liberty Linux 10
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
ModerateCVE-2026-34487 at SUSECVE-2026-34487 at NVDSUSE bug 1261856CVE-2026-34500SUSE Liberty Linux 10
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
ModerateCVE-2026-34500 at SUSECVE-2026-34500 at NVDSUSE bug 1261857CVE-2026-34588SUSE Liberty Linux 10
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
ImportantCVE-2026-34588 at SUSECVE-2026-34588 at NVDSUSE bug 1261624CVE-2026-3497SUSE Liberty Linux 10
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
ModerateCVE-2026-3497 at SUSECVE-2026-3497 at NVDSUSE bug 1259642CVE-2026-34982SUSE Liberty Linux 10
Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
ImportantCVE-2026-34982 at SUSECVE-2026-34982 at NVDSUSE bug 1261271CVE-2026-34986SUSE Liberty Linux 10
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
ImportantCVE-2026-34986 at SUSECVE-2026-34986 at NVDSUSE bug 1262805CVE-2026-35091SUSE Liberty Linux 10
A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents
ImportantCVE-2026-35091 at SUSECVE-2026-35091 at NVDSUSE bug 1261299CVE-2026-35092SUSE Liberty Linux 10
A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.
ImportantCVE-2026-35092 at SUSECVE-2026-35092 at NVDSUSE bug 1261300CVE-2026-35177SUSE Liberty Linux 10
Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
ModerateCVE-2026-35177 at SUSECVE-2026-35177 at NVDSUSE bug 1261745CVE-2026-35236SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-35236 at SUSECVE-2026-35236 at NVDCVE-2026-35237SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-35237 at SUSECVE-2026-35237 at NVDCVE-2026-35238SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-35238 at SUSECVE-2026-35238 at NVDCVE-2026-35239SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-35239 at SUSECVE-2026-35239 at NVDCVE-2026-35240SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-35240 at SUSECVE-2026-35240 at NVDCVE-2026-35385SUSE Liberty Linux 10
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
ImportantCVE-2026-35385 at SUSECVE-2026-35385 at NVDSUSE bug 1261427SUSE bug 1267255SUSE bug 1267879CVE-2026-35386SUSE Liberty Linux 10
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
LowCVE-2026-35386 at SUSECVE-2026-35386 at NVDSUSE bug 1261428SUSE bug 1267252SUSE bug 1267253CVE-2026-35387SUSE Liberty Linux 10
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
LowCVE-2026-35387 at SUSECVE-2026-35387 at NVDSUSE bug 1261429SUSE bug 1267252SUSE bug 1267253CVE-2026-35388SUSE Liberty Linux 10
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
LowCVE-2026-35388 at SUSECVE-2026-35388 at NVDSUSE bug 1261441SUSE bug 1267252SUSE bug 1267253CVE-2026-35414SUSE Liberty Linux 10
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
ModerateCVE-2026-35414 at SUSECVE-2026-35414 at NVDSUSE bug 1261430SUSE bug 1264198CVE-2026-35535SUSE Liberty Linux 10
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.
ImportantCVE-2026-35535 at SUSECVE-2026-35535 at NVDSUSE bug 1261420SUSE bug 1265943CVE-2026-35536SUSE Liberty Linux 10
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
ImportantCVE-2026-35536 at SUSECVE-2026-35536 at NVDSUSE bug 1261399CVE-2026-3608SUSE Liberty Linux 10
Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error.
This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.
ImportantCVE-2026-3608 at SUSECVE-2026-3608 at NVDSUSE bug 1260380CVE-2026-3644SUSE Liberty Linux 10
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
ModerateCVE-2026-3644 at SUSECVE-2026-3644 at NVDSUSE bug 1259734CVE-2026-37457SUSE Liberty Linux 10
An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.
ImportantCVE-2026-37457 at SUSECVE-2026-37457 at NVDSUSE bug 1263863CVE-2026-37459SUSE Liberty Linux 10
An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
ImportantCVE-2026-37459 at SUSECVE-2026-37459 at NVDSUSE bug 1264051CVE-2026-37555SUSE Liberty Linux 10
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
ImportantCVE-2026-37555 at SUSECVE-2026-37555 at NVDSUSE bug 1263695CVE-2026-3832SUSE Liberty Linux 10
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
ModerateCVE-2026-3832 at SUSECVE-2026-3832 at NVDSUSE bug 1263706CVE-2026-3833SUSE Liberty Linux 10
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
ModerateCVE-2026-3833 at SUSECVE-2026-3833 at NVDSUSE bug 1263707CVE-2026-3889SUSE Liberty Linux 10
Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.
ImportantCVE-2026-3889 at SUSECVE-2026-3889 at NVDSUSE bug 1260083CVE-2026-39373SUSE Liberty Linux 10
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
ImportantCVE-2026-39373 at SUSECVE-2026-39373 at NVDSUSE bug 1261802CVE-2026-39817SUSE Liberty Linux 10
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
ModerateCVE-2026-39817 at SUSECVE-2026-39817 at NVDSUSE bug 1264505CVE-2026-39819SUSE Liberty Linux 10
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
ModerateCVE-2026-39819 at SUSECVE-2026-39819 at NVDSUSE bug 1264504CVE-2026-39820SUSE Liberty Linux 10
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
ImportantCVE-2026-39820 at SUSECVE-2026-39820 at NVDSUSE bug 1264503CVE-2026-39823SUSE Liberty Linux 10
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
ModerateCVE-2026-39823 at SUSECVE-2026-39823 at NVDSUSE bug 1264509CVE-2026-39825SUSE Liberty Linux 10
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
ModerateCVE-2026-39825 at SUSECVE-2026-39825 at NVDSUSE bug 1264500CVE-2026-39826SUSE Liberty Linux 10
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
ModerateCVE-2026-39826 at SUSECVE-2026-39826 at NVDSUSE bug 1264507CVE-2026-39836SUSE Liberty Linux 10
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
ImportantCVE-2026-39836 at SUSECVE-2026-39836 at NVDSUSE bug 1264501CVE-2026-39979SUSE Liberty Linux 10
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
ModerateCVE-2026-39979 at SUSECVE-2026-39979 at NVDSUSE bug 1262071CVE-2026-40164SUSE Liberty Linux 10
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n?) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
ModerateCVE-2026-40164 at SUSECVE-2026-40164 at NVDSUSE bug 1262072CVE-2026-40170SUSE Liberty Linux 10
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.
ImportantCVE-2026-40170 at SUSECVE-2026-40170 at NVDSUSE bug 1262273CVE-2026-40355SUSE Liberty Linux 10
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
ModerateCVE-2026-40355 at SUSECVE-2026-40355 at NVDSUSE bug 1263366CVE-2026-40356SUSE Liberty Linux 10
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.
ModerateCVE-2026-40356 at SUSECVE-2026-40356 at NVDSUSE bug 1263367CVE-2026-4046SUSE Liberty Linux 10
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.
This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
ImportantCVE-2026-4046 at SUSECVE-2026-4046 at NVDSUSE bug 1261206SUSE bug 1261209CVE-2026-41035SUSE Liberty Linux 10
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
ImportantCVE-2026-41035 at SUSECVE-2026-41035 at NVDSUSE bug 1262223CVE-2026-4111SUSE Liberty Linux 10
A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.
ImportantCVE-2026-4111 at SUSECVE-2026-4111 at NVDSUSE bug 1259634CVE-2026-41316SUSE Liberty Linux 10
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.
ImportantCVE-2026-41316 at SUSECVE-2026-41316 at NVDSUSE bug 1262441CVE-2026-41651SUSE Liberty Linux 10
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.
A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:
1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.
2. Silent state-transition rejection (lines 873-882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` -> `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags.
3. Late flag read at execution time (lines 2273-2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
ImportantCVE-2026-41651 at SUSECVE-2026-41651 at NVDSUSE bug 1262220CVE-2026-42009SUSE Liberty Linux 10
A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.
ImportantCVE-2026-42009 at SUSECVE-2026-42009 at NVDSUSE bug 1263708CVE-2026-42010SUSE Liberty Linux 10
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman - Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
ImportantCVE-2026-42010 at SUSECVE-2026-42010 at NVDSUSE bug 1263709CVE-2026-42011SUSE Liberty Linux 10
A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.
ModerateCVE-2026-42011 at SUSECVE-2026-42011 at NVDSUSE bug 1263710CVE-2026-42012SUSE Liberty Linux 10
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.
ImportantCVE-2026-42012 at SUSECVE-2026-42012 at NVDSUSE bug 1263711CVE-2026-42013SUSE Liberty Linux 10
A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.
ModerateCVE-2026-42013 at SUSECVE-2026-42013 at NVDSUSE bug 1263712CVE-2026-42014SUSE Liberty Linux 10
A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.
ModerateCVE-2026-42014 at SUSECVE-2026-42014 at NVDSUSE bug 1263713CVE-2026-42015SUSE Liberty Linux 10
A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.
ModerateCVE-2026-42015 at SUSECVE-2026-42015 at NVDSUSE bug 1263714CVE-2026-42198SUSE Liberty Linux 10
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
ImportantCVE-2026-42198 at SUSECVE-2026-42198 at NVDSUSE bug 1264174CVE-2026-4224SUSE Liberty Linux 10
When an Expat parser with a registered ElementDeclHandler parses an inline
document type definition containing a deeply nested content model a C stack
overflow occurs.
ImportantCVE-2026-4224 at SUSECVE-2026-4224 at NVDSUSE bug 1259735CVE-2026-42499SUSE Liberty Linux 10
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
ImportantCVE-2026-42499 at SUSECVE-2026-42499 at NVDSUSE bug 1264502CVE-2026-42501SUSE Liberty Linux 10
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated.
ImportantCVE-2026-42501 at SUSECVE-2026-42501 at NVDSUSE bug 1264499CVE-2026-4271SUSE Liberty Linux 10
A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).
ImportantCVE-2026-4271 at SUSECVE-2026-4271 at NVDSUSE bug 1259767CVE-2026-42764SUSE Liberty Linux 10
Issue summary: Receiving a QUIC initial packet with an invalid token may
trigger a NULL pointer dereference in the OpenSSL QUIC server with
address validation disabled.
Impact summary: NULL pointer dereference typically causes abnormal termination
of the affected QUIC server process and a Denial of Service.
If the address validation is disabled in the OpenSSL QUIC server
implementation, an attacker can crash the server by sending an initial
packet with an invalid or expired token.
By default, the client address validation is enabled in the OpenSSL QUIC server
implementation, which makes the default configuration not vulnerable
to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with
the SSL_new_listener() call, the address validation is disabled making the
vulnerable code reachable.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-42764 at SUSECVE-2026-42764 at NVDSUSE bug 1266347CVE-2026-42766SUSE Liberty Linux 10
Issue summary: A specially crafted password-encrypted CMS message
can trigger a NULL pointer dereference during CMS decryption.
Impact summary: This NULL pointer dereference leads to an application crash
and a Denial of Service.
The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as
OPTIONAL in the ASN.1 specification and may therefore be absent in specially
crafted inputs. During the password-based CMS decryption the OpenSSL
CMS implementation dereferences this field without first checking whether it
was present.
An attacker who supplies such a CMS message to an application performing
password-based CMS decryption can trigger an application crash, leading to
a Denial of Service.
Applications that process password-encrypted CMS messages may be affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-42766 at SUSECVE-2026-42766 at NVDSUSE bug 1266349CVE-2026-42767SUSE Liberty Linux 10
Issue summary: An attacker-controlled CMP (Certificate Management Protocol)
server could trigger a NULL pointer dereference in a CMP client application.
Impact summary: A NULL pointer dereference causes a crash of the
application and a Denial of Service.
An attacker controlling a CMP server (or acting as a man-in-the-middle) could
craft a CMP response containing a CRMF (Certificate Request Message Format)
CertRepMessage with an EncryptedValue structure where the symmAlg field
has an algorithm OID but no parameters field. When the OpenSSL CMP client
processes this response, the NULL dereference occurs, causing a crash of
the CMP client.
Applications that process untrusted CMP/CRMF messages may be affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-42767 at SUSECVE-2026-42767 at NVDSUSE bug 1266350CVE-2026-42768SUSE Liberty Linux 10
Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to
Bleichenbacher-style attack when an attacker is able to provide the CMS or
S/MIME messages and observe the error code and/or decryption output.
Impact summary: The Bleichenbacher-style attack allows an attacker to use the
victim's vulnerable application as a way to decrypt or sign messages with the
victim's private RSA key.
The attack is possible in 2 variants.
1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without
providing the recipient certificate. In this case OpenSSL iterates over every
KeyTransRecipientInfo (KTRI) without stopping at the first success.
An attacker who authors a message with two KTRI entries - the first one
wrapping a real CEK under the victim's public key, the second with an
arbitrary probe ciphertext - obtains opportunity to iterate the 2nd KTRI to
get a valid PKCS#1 v1.5 padding if the error code of the application is
available.
That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an
adaptive-chosen-ciphertext side channel from which the attacker decrypts any
RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under
it.
2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with
the recipient certificate, and the recipient is not found, a random
key is substituted.
An attacker who authors a message and is able to compare both error code and
the result of the decryption, can mount a Bleichenbacher oracle.
We are not aware of any applications that provide a remote attacker
an opportunity to mount an attack described in these scenarios. We consider
the existence of such application very unlikely, and for this reason this
CVE has been evaluated as Low severity.
To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the
invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described
in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit
rejection was explicitly disabled.
The implicit rejection mechanism always returns a plaintext value,
the symmetric key. This result is deterministic for the ciphertext and the
private key. The length of the decryption result can happen to match the
length of the key of the symmetric cipher that was used for the content
encryption. When a certificate is not provided, the last RecipientInfo
producing a key that looks valid will be used. It may cause getting garbage
content on decryption. As a proper way to deal with this a recipient
certificate has to be provided to identify the particular RecipientInfo for
decryption.
The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as
CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-42768 at SUSECVE-2026-42768 at NVDSUSE bug 1266351CVE-2026-42769SUSE Liberty Linux 10
Issue Summary: An error in the callback used to verify the certificate
provided in a Root CA key update Certificate Management Protocol (CMP)
message response rendered the certificate validation ineffectual, which
could lead to escalation of credentials from the Registration Authority (RA)
level to the root Certification Authority (root CA) level.
Impact Summary: The Registration Autority could replace the root CA
certificate for the CMP clients with an arbitrary root CA certificate.
One of the parts of the Certificate Management Protocol (CMP), specified in
RFC 9810, is Root Certification Authority (root CA) key Rollover,
which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'.
As part of these messages, 'newWithOld' certificate, the new root CA
certificate signed with the old root CA key, is provided, and verifying its
signature is crucial for transferring the trust from the old CA key to the
new one.
The 'id-it-rootCaKeyUpdate' messages are expected to be processed with
OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld'
certificate. A typo in the certificate chain building code led to adding
an incorrect certificate ('newWithOld' instead of 'oldRoot') to the
certificate chain, rendering the certificate verification process ineffectual
(only the issuer name and the algorithm OIDs were verified by other parts
of the verification code).
An attacker who already has credentials that satisfy the CMP message
protection checks can generate a new key pair and use a crafted self-signed
certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP
clients would accept as a new trust anchor.
Significant preconditions for the attack (having valid RA-level credentials)
are the reason the issue was assigned Low severity.
The FIPS modules are not affected by this issue, as the affected code is
outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-42769 at SUSECVE-2026-42769 at NVDSUSE bug 1266352CVE-2026-42770SUSE Liberty Linux 10
Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)
peer key, the peer key is not properly checked for the subgroup membership.
Impact summary: A malicious peer which presents an X9.42 key carrying the
victim's p and g parameters, a forged q = r (a small prime factor of the
cofactor (p−1)/q_local), and a public value Y of order r can recover the
victim's private key after a small number of key exchange attempts.
When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the
subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's
own q parameter, not the local key's q. The peer's domain parameters are
then matched against the domain parameters of the private key, but the value
of q is not compared.
A malicious peer who presents an X9.42 key carrying the victim's p, g,
a forged q = r (a small prime factor of the cofactor), and a public
value Y of order r passes all checks. The shared secret then takes only
r distinct values, leaking priv mod r. Repeating for each small-prime
factor of the cofactor and combining via CRT recovers the full private
key (Lim-Lee / small-subgroup-confinement attack).
The realistic attack surface is narrow: principally CMP deployments with
long-lived RA/CA DHX keys and bespoke enterprise or government applications
using X9.42 DHX static keys with interactive protocols and therefore this
issue was assigned Low severity.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this
issue.
ModerateCVE-2026-42770 at SUSECVE-2026-42770 at NVDSUSE bug 1266353CVE-2026-42899SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-42899 at SUSECVE-2026-42899 at NVDCVE-2026-42944SUSE Liberty Linux 10
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
ImportantCVE-2026-42944 at SUSECVE-2026-42944 at NVDSUSE bug 1265578CVE-2026-42945SUSE Liberty Linux 10
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ImportantCVE-2026-42945 at SUSECVE-2026-42945 at NVDSUSE bug 1265232SUSE bug 1265566CVE-2026-42959SUSE Liberty Linux 10
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
ImportantCVE-2026-42959 at SUSECVE-2026-42959 at NVDSUSE bug 1265586CVE-2026-43006SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rsrc: reject zero-length fixed buffer import
validate_fixed_range() admits buf_addr at the exact end of the
registered region when len is zero, because the check uses strict
greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed()
then computes offset == imu->len, which causes the bvec skip logic
to advance past the last bio_vec entry and read bv_offset from
out-of-bounds slab memory.
Return early from io_import_fixed() when len is zero. A zero-length
import has no data to transfer and should not walk the bvec array
at all.
BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0
Read of size 4 at addr ffff888002bcc254 by task poc/103
Call Trace:
io_import_reg_buf+0x697/0x7f0
io_write_fixed+0xd9/0x250
__io_issue_sqe+0xad/0x710
io_issue_sqe+0x7d/0x1100
io_submit_sqes+0x86a/0x23c0
__do_sys_io_uring_enter+0xa98/0x1590
Allocated by task 103:
The buggy address is located 12 bytes to the right of
allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)
ModerateCVE-2026-43006 at SUSECVE-2026-43006 at NVDSUSE bug 1264018CVE-2026-43020SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: validate LTK enc_size on load
Load Long Term Keys stores the user-provided enc_size and later uses
it to size fixed-size stack operations when replying to LE LTK
requests. An enc_size larger than the 16-byte key buffer can therefore
overflow the reply stack buffer.
Reject oversized enc_size values while validating the management LTK
record so invalid keys never reach the stored key state.
ModerateCVE-2026-43020 at SUSECVE-2026-43020 at NVDSUSE bug 1264006CVE-2026-43023SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: fix race conditions in sco_sock_connect()
sco_sock_connect() checks sk_state and sk_type without holding
the socket lock. Two concurrent connect() syscalls on the same
socket can both pass the check and enter sco_connect(), leading
to use-after-free.
The buggy scenario involves three participants and was confirmed
with additional logging instrumentation:
Thread A (connect): HCI disconnect: Thread B (connect):
sco_sock_connect(sk) sco_sock_connect(sk)
sk_state==BT_OPEN sk_state==BT_OPEN
(pass, no lock) (pass, no lock)
sco_connect(sk): sco_connect(sk):
hci_dev_lock hci_dev_lock
hci_connect_sco <- blocked
-> hcon1
sco_conn_add->conn1
lock_sock(sk)
sco_chan_add:
conn1->sk = sk
sk->conn = conn1
sk_state=BT_CONNECT
release_sock
hci_dev_unlock
hci_dev_lock
sco_conn_del:
lock_sock(sk)
sco_chan_del:
sk->conn=NULL
conn1->sk=NULL
sk_state=
BT_CLOSED
SOCK_ZAPPED
release_sock
hci_dev_unlock
(unblocked)
hci_connect_sco
-> hcon2
sco_conn_add
-> conn2
lock_sock(sk)
sco_chan_add:
sk->conn=conn2
sk_state=
BT_CONNECT
// zombie sk!
release_sock
hci_dev_unlock
Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to
BT_CONNECT. Subsequent cleanup triggers double sock_put() and
use-after-free. Meanwhile conn1 is leaked as it was orphaned
when sco_conn_del() cleared the association.
Fix this by:
- Moving lock_sock() before the sk_state/sk_type checks in
sco_sock_connect() to serialize concurrent connect attempts
- Fixing the sk_type != SOCK_SEQPACKET check to actually
return the error instead of just assigning it
- Adding a state re-check in sco_connect() after lock_sock()
to catch state changes during the window between the locks
- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent
double-attach of a socket to multiple connections
- Adding hci_conn_drop() on sco_chan_add failure to prevent
HCI connection leaks
ImportantCVE-2026-43023 at SUSECVE-2026-43023 at NVDSUSE bug 1264137SUSE bug 1264138CVE-2026-43027SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_helper: pass helper to expect cleanup
nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()
to remove expectations belonging to the helper being unregistered.
However, it passes NULL instead of the helper pointer as the data
argument, so expect_iter_me() never matches any expectation and all
of them survive the cleanup.
After unregister returns, nfnl_cthelper_del() frees the helper
object immediately. Subsequent expectation dumps or packet-driven
init_conntrack() calls then dereference the freed exp->helper,
causing a use-after-free.
Pass the actual helper pointer so expectations referencing it are
properly destroyed before the helper object is freed.
BUG: KASAN: slab-use-after-free in string+0x38f/0x430
Read of size 1 at addr ffff888003b14d20 by task poc/103
Call Trace:
string+0x38f/0x430
vsnprintf+0x3cc/0x1170
seq_printf+0x17a/0x240
exp_seq_show+0x2e5/0x560
seq_read_iter+0x419/0x1280
proc_reg_read+0x1ac/0x270
vfs_read+0x179/0x930
ksys_read+0xef/0x1c0
Freed by task 103:
The buggy address is located 32 bytes inside of
freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)
ImportantCVE-2026-43027 at SUSECVE-2026-43027 at NVDSUSE bug 1263933SUSE bug 1264252CVE-2026-43037SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Oskar Kjos reported the following problem.
ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written
by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes
IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region
as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff
at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr
value. __ip_options_echo() then reads optlen from attacker-controlled
packet data at sptr[rr+1] and copies that many bytes into dopt->__data,
a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).
To fix this we clear skb2->cb[], as suggested by Oskar Kjos.
Also add minimal IPv4 header validation (version == 4, ihl >= 5).
ImportantCVE-2026-43037 at SUSECVE-2026-43037 at NVDSUSE bug 1263995SUSE bug 1265197CVE-2026-43051SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.
Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.
Add explicit length checks for these report IDs and log a warning if
a short report is received.
ModerateCVE-2026-43051 at SUSECVE-2026-43051 at NVDSUSE bug 1264065CVE-2026-43077SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Fix minimum RX size check for decryption
The check for the minimum receive buffer size did not take the
tag size into account during decryption. Fix this by adding the
required extra length.
ImportantCVE-2026-43077 at SUSECVE-2026-43077 at NVDSUSE bug 1264470SUSE bug 1265306CVE-2026-43110SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: validate bsscfg indices in IF events
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
[add missing wifi prefix]
ImportantCVE-2026-43110 at SUSECVE-2026-43110 at NVDSUSE bug 1264482SUSE bug 1264483CVE-2026-43116SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: ensure safe access to master conntrack
Holding reference on the expectation is not sufficient, the master
conntrack object can just go away, making exp->master invalid.
To access exp->master safely:
- Grab the nf_conntrack_expect_lock, this gets serialized with
clean_from_lists() which also holds this lock when the master
conntrack goes away.
- Hold reference on master conntrack via nf_conntrack_find_get().
Not so easy since the master tuple to look up for the master conntrack
is not available in the existing problematic paths.
This patch goes for extending the nf_conntrack_expect_lock section
to address this issue for simplicity, in the cases that are described
below this is just slightly extending the lock section.
The add expectation command already holds a reference to the master
conntrack from ctnetlink_create_expect().
However, the delete expectation command needs to grab the spinlock
before looking up for the expectation. Expand the existing spinlock
section to address this to cover the expectation lookup. Note that,
the nf_ct_expect_iterate_net() calls already grabs the spinlock while
iterating over the expectation table, which is correct.
The get expectation command needs to grab the spinlock to ensure master
conntrack does not go away. This also expands the existing spinlock
section to cover the expectation lookup too. I needed to move the
netlink skb allocation out of the spinlock to keep it GFP_KERNEL.
For the expectation events, the IPEXP_DESTROY event is already delivered
under the spinlock, just move the delivery of IPEXP_NEW under the
spinlock too because the master conntrack event cache is reached through
exp->master.
While at it, add lockdep notations to help identify what codepaths need
to grab the spinlock.
ModerateCVE-2026-43116 at SUSECVE-2026-43116 at NVDSUSE bug 1264619CVE-2026-43128SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
RDMA/umem: Fix double dma_buf_unpin in failure path
In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to
ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf
is immediately unpinned but the umem_dmabuf->pinned flag is still
set. Then, when ib_umem_release() is called, it calls
ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.
Fix this by removing the immediate unpin upon failure and just let
the ib_umem_release/revoke path handle it. This also ensures the
proper unmap-unpin unwind ordering if the dmabuf_map_pages call
happened to fail due to dma_resv_wait_timeout (and therefore has
a non-NULL umem_dmabuf->sgt).
ModerateCVE-2026-43128 at SUSECVE-2026-43128 at NVDSUSE bug 1264612CVE-2026-43158SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix freemap adjustments when adding xattrs to leaf blocks
xfs/592 and xfs/794 both trip this assertion in the leaf block freemap
adjustment code after ~20 minutes of running on my test VMs:
ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t)
+ xfs_attr3_leaf_hdr_size(leaf));
Upon enabling quite a lot more debugging code, I narrowed this down to
fsstress trying to set a local extended attribute with namelen=3 and
valuelen=71. This results in an entry size of 80 bytes.
At the start of xfs_attr3_leaf_add_work, the freemap looks like this:
i 0 base 448 size 0 rhs 448 count 46
i 1 base 388 size 132 rhs 448 count 46
i 2 base 2120 size 4 rhs 448 count 46
firstused = 520
where "rhs" is the first byte past the end of the leaf entry array.
This is inconsistent -- the entries array ends at byte 448, but
freemap[1] says there's free space starting at byte 388!
By the end of the function, the freemap is in worse shape:
i 0 base 456 size 0 rhs 456 count 47
i 1 base 388 size 52 rhs 456 count 47
i 2 base 2120 size 4 rhs 456 count 47
firstused = 440
Important note: 388 is not aligned with the entries array element size
of 8 bytes.
Based on the incorrect freemap, the name area starts at byte 440, which
is below the end of the entries array! That's why the assertion
triggers and the filesystem shuts down.
How did we end up here? First, recall from the previous patch that the
freemap array in an xattr leaf block is not intended to be a
comprehensive map of all free space in the leaf block. In other words,
it's perfectly legal to have a leaf block with:
* 376 bytes in use by the entries array
* freemap[0] has [base = 376, size = 8]
* freemap[1] has [base = 388, size = 1500]
* the space between 376 and 388 is free, but the freemap stopped
tracking that some time ago
If we add one xattr, the entries array grows to 384 bytes, and
freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we
add a second xattr, the entries array grows to 392 bytes, and freemap[0]
gets pushed up to [base = 392, size = 0]. This is bad, because
freemap[1] hasn't been updated, and now the entries array and the free
space claim the same space.
The fix here is to adjust all freemap entries so that none of them
collide with the entries array. Note that this fix relies on commit
2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and
the previous patch that resets zero length freemap entries to have
base = 0.
ModerateCVE-2026-43158 at SUSECVE-2026-43158 at NVDSUSE bug 1264595CVE-2026-43190SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_tcpmss: check remaining length before reading optlen
Quoting reporter:
In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads
op[i+1] directly without validating the remaining option length.
If the last byte of the option field is not EOL/NOP (0/1), the code attempts
to index op[i+1]. In the case where i + 1 == optlen, this causes an
out-of-bounds read, accessing memory past the optlen boundary
(either reading beyond the stack buffer _opt or the
following payload).
ImportantCVE-2026-43190 at SUSECVE-2026-43190 at NVDSUSE bug 1264848SUSE bug 1264849CVE-2026-43205SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.
Add a bound check for num_ifs in dpaa2_switch_init().
dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
ports match the flood filter, the loop fills all 64 slots and the control
interface write overflows by one entry.
The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
broken.
build_if_id_bitmap() silently drops any ID >= 64:
if (id[i] < DPSW_MAX_IF)
bmap[id[i] / 64] |= ...
ModerateCVE-2026-43205 at SUSECVE-2026-43205 at NVDSUSE bug 1264328CVE-2026-43284SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
ImportantCVE-2026-43284 at SUSECVE-2026-43284 at NVDSUSE bug 1264449SUSE bug 1264459SUSE bug 1265383CVE-2026-43303SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: clear page->private in free_pages_prepare()
Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages. When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.
This causes a use-after-free in the swap subsystem. The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0. When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
RIP: 0010:__do_sys_swapoff+0x1151/0x1860
Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.
ModerateCVE-2026-43303 at SUSECVE-2026-43303 at NVDSUSE bug 1264974CVE-2026-43322SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Fix UAF in le_read_features_complete
This fixes the following backtrace caused by hci_conn being freed
before le_read_features_complete but after
hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue
is not able to prevent it:
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344
Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52
CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:194 [inline]
kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline]
le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344
hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 5932:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
__hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963
hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084
le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714
hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861
hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408
hci_event_func net/bluetooth/hci_event.c:7716 [inline]
hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773
hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Freed by task 5932:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6663 [inline]
kfree+0x2f8/0x6e0 mm/slub.c:6871
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x590 lib/kobject.
---truncated---
ModerateCVE-2026-43322 at SUSECVE-2026-43322 at NVDSUSE bug 1265063CVE-2026-43329SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: strictly check for maximum number of actions
The maximum number of flowtable hardware offload actions in IPv6 is:
* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)
for QinQ.
* Redirect (1 action)
Which makes 17, while the maximum is 16. But act_ct supports for tunnels
actions too. Note that payload action operates at 32-bit word level, so
mangling an IPv6 address takes 4 payload actions.
Update flow_action_entry_next() calls to check for the maximum number of
supported actions.
While at it, rise the maximum number of actions per flow from 16 to 24
so this works fine with IPv6 setups.
ImportantCVE-2026-43329 at SUSECVE-2026-43329 at NVDSUSE bug 1265085SUSE bug 1265317CVE-2026-43500SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
ImportantCVE-2026-43500 at SUSECVE-2026-43500 at NVDSUSE bug 1264450SUSE bug 1264458SUSE bug 1265383CVE-2026-43501SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps
the next segment into ipv6_hdr->daddr, recompresses, then pulls the old
header and pushes the new one plus the IPv6 header back. The
recompressed header can be larger than the received one when the swap
reduces the common-prefix length the segments share with daddr (CmprI=0,
CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).
pskb_expand_head() was gated on segments_left == 0, so on earlier
segments the push consumed unchecked headroom. Once skb_push() leaves
fewer than skb->mac_len bytes in front of data,
skb_mac_header_rebuild()'s call to:
skb_set_mac_header(skb, -skb->mac_len);
will store (data - head) - mac_len into the u16 mac_header field, which
wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB
past skb->head.
A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two
segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one
pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.
Fix this by expanding the head whenever the remaining room is less than
the push size plus mac_len, and request that much extra so the rebuilt
MAC header fits afterwards.
ImportantCVE-2026-43501 at SUSECVE-2026-43501 at NVDSUSE bug 1266009SUSE bug 1266015CVE-2026-43618SUSE Liberty Linux 10
Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.
ImportantCVE-2026-43618 at SUSECVE-2026-43618 at NVDSUSE bug 1264512CVE-2026-4371SUSE Liberty Linux 10
A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.
ImportantCVE-2026-4371 at SUSECVE-2026-4371 at NVDSUSE bug 1260083CVE-2026-43964SUSE Liberty Linux 10
Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
ModerateCVE-2026-43964 at SUSECVE-2026-43964 at NVDSUSE bug 1264062CVE-2026-4408SUSE Liberty Linux 10
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
CriticalCVE-2026-4408 at SUSECVE-2026-4408 at NVDSUSE bug 1261163SUSE bug 1267999CVE-2026-4424SUSE Liberty Linux 10
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
ImportantCVE-2026-4424 at SUSECVE-2026-4424 at NVDSUSE bug 1259927SUSE bug 1265940CVE-2026-4437SUSE Liberty Linux 10
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
ModerateCVE-2026-4437 at SUSECVE-2026-4437 at NVDSUSE bug 1260078CVE-2026-4438SUSE Liberty Linux 10
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
ModerateCVE-2026-4438 at SUSECVE-2026-4438 at NVDSUSE bug 1260082SUSE bug 1260333CVE-2026-44673SUSE Liberty Linux 10
libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.
ImportantCVE-2026-44673 at SUSECVE-2026-44673 at NVDSUSE bug 1265330CVE-2026-4480SUSE Liberty Linux 10
A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J"
substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.
CriticalCVE-2026-4480 at SUSECVE-2026-4480 at NVDSUSE bug 1261161SUSE bug 1267999CVE-2026-4519SUSE Liberty Linux 10
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
ModerateCVE-2026-4519 at SUSECVE-2026-4519 at NVDSUSE bug 1260026SUSE bug 1262319CVE-2026-45445SUSE Liberty Linux 10
Issue summary: When an application drives an AES-OCB context through the
public EVP_Cipher() one-shot interface, the application-supplied
initialisation vector (IV) is silently discarded.
Impact summary: Every message encrypted under the same key uses the
same effective nonce regardless of the IV supplied by the caller,
resulting in (key, nonce) reuse and loss of confidentiality. If the
same code path is used to compute the authentication tag, the tag
depends only on the (key, IV) pair and not on the plaintext or
ciphertext, allowing universal forgery of arbitrary ciphertext from a
single captured message.
OpenSSL provides two ways to drive a cipher: the documented streaming
interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level
one-shot, EVP_Cipher(), whose documentation explicitly recommends
against use by applications in favour of EVP_CipherUpdate() and
EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes
the application-supplied IV into the OCB context before processing
data; the one-shot handler did not. Every call to EVP_Cipher() on an
AES-OCB context therefore ran with the all-zero key-derived offset
state left by cipher initialisation, regardless of the caller's IV.
If EVP_EncryptFinal_ex() is subsequently used to obtain the
authentication tag, the deferred IV setup runs at that point and
clears the running checksum that should have been accumulated over the
plaintext. The resulting tag is a function of (key, IV) only and
verifies against any ciphertext produced under the same (key, IV)
pair.
The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a
TLS cipher suite, and libssl does not call EVP_Cipher() in any case.
Applications that drive AES-OCB through the documented streaming AEAD
API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only
applications that combine the AES-OCB cipher with the EVP_Cipher()
one-shot API are vulnerable.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by
this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-45445 at SUSECVE-2026-45445 at NVDSUSE bug 1266355CVE-2026-45446SUSE Liberty Linux 10
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV
(RFC 8452) mishandle the authentication of AAD (Additional Authenticated
Data) with an empty ciphertext allowing a forgery of such messages.
Impact summary: An attacker can forge empty messages with arbitrary AAD
to the victim's application using these ciphers.
AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD
modes: they accept a key, nonce, optional AAD (bytes that are authenticated
but not encrypted), and plaintext, and produces ciphertext plus a 16-byte
tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only
if the tag is verified succesfully.
In OpenSSL's provider implementation of these ciphers, the expected tag is
computed only when decryption function is invoked with non-empty data.
If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without
invocation of the ciphertext update, which can happen when the received
ciphertext length is zero, the tag is never recalculated and still holds its
all-zeros value.
When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty
ciphertext, and all-zeros tag passes authentication under any key they do not
know, single-shot. When AES-SIV is used, for mounting the attack it's
necessary for the application to reuse the decryption context without
resetting the key.
AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since
OpenSSL 3.2.
No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support
either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must
implement their own protocol and use the EVP interface. Also they must skip the
ciphertext update when a message with an empty ciphertext arrives.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as these algorithms are not FIPS approved and the affected code is
outside the OpenSSL FIPS module boundary.
ModerateCVE-2026-45446 at SUSECVE-2026-45446 at NVDSUSE bug 1266356CVE-2026-45447SUSE Liberty Linux 10
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap
corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed message, if the SignedData
digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may
incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent
use of the BIO by the calling application results in a use-after-free
condition.
In the common case this occurs when the application later calls
BIO_free() on the BIO originally passed to PKCS7_verify(). Depending
on allocator behavior and application-specific BIO usage patterns, this
may result in a crash or other memory corruption. In some application
contexts this may potentially be exploitable for remote code execution.
Applications that process PKCS#7 or S/MIME signed messages using OpenSSL
PKCS#7 APIs may be affected. Applications using the CMS APIs for this
processing are not affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
ImportantCVE-2026-45447 at SUSECVE-2026-45447 at NVDSUSE bug 1266357SUSE bug 1266389CVE-2026-45491SUSE Liberty Linux 10
Unknown.
ModerateCVE-2026-45491 at SUSECVE-2026-45491 at NVDCVE-2026-45591SUSE Liberty Linux 10
Unknown.
ImportantCVE-2026-45591 at SUSECVE-2026-45591 at NVDCVE-2026-46054SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
selinux: fix overlayfs mmap() and mprotect() access checks
The existing SELinux security model for overlayfs is to allow access if
the current task is able to access the top level file (the "user" file)
and the mounter's credentials are sufficient to access the lower
level file (the "backing" file). Unfortunately, the current code does
not properly enforce these access controls for both mmap() and mprotect()
operations on overlayfs filesystems.
This patch makes use of the newly created security_mmap_backing_file()
LSM hook to provide the missing backing file enforcement for mmap()
operations, and leverages the backing file API and new LSM blob to
provide the necessary information to properly enforce the mprotect()
access controls.
ModerateCVE-2026-46054 at SUSECVE-2026-46054 at NVDSUSE bug 1267475CVE-2026-46243SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
smb: client: reject userspace cifs.spnego descriptions
cifs.spnego key descriptions contain authority-bearing fields such as
pid, uid, creduid, and upcall_target that cifs.upcall treats as
kernel-originating inputs. However, userspace can also create keys of
this type through request_key(2) or add_key(2), allowing those fields to
be supplied without CIFS origin.
Only accept cifs.spnego descriptions while CIFS is using its private
spnego_cred to request the key.
ImportantCVE-2026-46243 at SUSECVE-2026-46243 at NVDSUSE bug 1266238SUSE bug 1266265CVE-2026-46300SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() can attach paged frags from @from to @to. If @from
has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
externally-owned or page-cache-backed frags, but the shared-frag marker
is currently lost.
That breaks the invariant relied on by later in-place writers. In
particular, ESP input checks skb_has_shared_frag() before deciding
whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
receive coalescing has moved shared frags into an unmarked skb, ESP can
see skb_has_shared_frag() as false and decrypt in place over page-cache
backed frags.
Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
frags. The tailroom copy path does not need the marker because it copies
bytes into @to's linear data rather than transferring frag descriptors.
ImportantCVE-2026-46300 at SUSECVE-2026-46300 at NVDSUSE bug 1265209SUSE bug 1265226SUSE bug 1265312SUSE bug 1265383SUSE bug 1265960CVE-2026-4631SUSE Liberty Linux 10
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
CriticalCVE-2026-4631 at SUSECVE-2026-4631 at NVDSUSE bug 1261829CVE-2026-46333SUSE Liberty Linux 10
In the Linux kernel, the following vulnerability has been resolved:
ptrace: slightly saner 'get_dumpable()' logic
The 'dumpability' of a task is fundamentally about the memory image of
the task - the concept comes from whether it can core dump or not - and
makes no sense when you don't have an associated mm.
And almost all users do in fact use it only for the case where the task
has a mm pointer.
But we have one odd special case: ptrace_may_access() uses 'dumpable' to
check various other things entirely independently of the MM (typically
explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
threads that no longer have a VM (and maybe never did, like most kernel
threads).
It's not what this flag was designed for, but it is what it is.
The ptrace code does check that the uid/gid matches, so you do have to
be uid-0 to see kernel thread details, but this means that the
traditional "drop capabilities" model doesn't make any difference for
this all.
Make it all make a *bit* more sense by saying that if you don't have a
MM pointer, we'll use a cached "last dumpability" flag if the thread
ever had a MM (it will be zero for kernel threads since it is never
set), and require a proper CAP_SYS_PTRACE capability to override.
ImportantCVE-2026-46333 at SUSECVE-2026-46333 at NVDSUSE bug 1265308SUSE bug 1265384CVE-2026-4684SUSE Liberty Linux 10
Race condition, use-after-free in the Graphics: WebRender component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4684 at SUSECVE-2026-4684 at NVDSUSE bug 1260083CVE-2026-4685SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4685 at SUSECVE-2026-4685 at NVDSUSE bug 1260083CVE-2026-4686SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4686 at SUSECVE-2026-4686 at NVDSUSE bug 1260083CVE-2026-4687SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4687 at SUSECVE-2026-4687 at NVDSUSE bug 1260083CVE-2026-4688SUSE Liberty Linux 10
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4688 at SUSECVE-2026-4688 at NVDSUSE bug 1260083CVE-2026-4689SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4689 at SUSECVE-2026-4689 at NVDSUSE bug 1260083CVE-2026-4690SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4690 at SUSECVE-2026-4690 at NVDSUSE bug 1260083CVE-2026-4691SUSE Liberty Linux 10
Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4691 at SUSECVE-2026-4691 at NVDSUSE bug 1260083CVE-2026-4692SUSE Liberty Linux 10
Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4692 at SUSECVE-2026-4692 at NVDSUSE bug 1260083CVE-2026-4693SUSE Liberty Linux 10
Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4693 at SUSECVE-2026-4693 at NVDSUSE bug 1260083CVE-2026-4694SUSE Liberty Linux 10
Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4694 at SUSECVE-2026-4694 at NVDSUSE bug 1260083CVE-2026-4695SUSE Liberty Linux 10
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4695 at SUSECVE-2026-4695 at NVDSUSE bug 1260083CVE-2026-4696SUSE Liberty Linux 10
Use-after-free in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4696 at SUSECVE-2026-4696 at NVDSUSE bug 1260083CVE-2026-4697SUSE Liberty Linux 10
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4697 at SUSECVE-2026-4697 at NVDSUSE bug 1260083CVE-2026-4698SUSE Liberty Linux 10
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4698 at SUSECVE-2026-4698 at NVDSUSE bug 1260083CVE-2026-4699SUSE Liberty Linux 10
Incorrect boundary conditions in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4699 at SUSECVE-2026-4699 at NVDSUSE bug 1260083CVE-2026-4700SUSE Liberty Linux 10
Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4700 at SUSECVE-2026-4700 at NVDSUSE bug 1260083CVE-2026-4701SUSE Liberty Linux 10
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4701 at SUSECVE-2026-4701 at NVDSUSE bug 1260083CVE-2026-4702SUSE Liberty Linux 10
JIT miscompilation in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4702 at SUSECVE-2026-4702 at NVDSUSE bug 1260083CVE-2026-4704SUSE Liberty Linux 10
Denial-of-service in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4704 at SUSECVE-2026-4704 at NVDSUSE bug 1260083CVE-2026-4705SUSE Liberty Linux 10
Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4705 at SUSECVE-2026-4705 at NVDSUSE bug 1260083CVE-2026-4706SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4706 at SUSECVE-2026-4706 at NVDSUSE bug 1260083CVE-2026-4707SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4707 at SUSECVE-2026-4707 at NVDSUSE bug 1260083CVE-2026-4708SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4708 at SUSECVE-2026-4708 at NVDSUSE bug 1260083CVE-2026-4709SUSE Liberty Linux 10
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4709 at SUSECVE-2026-4709 at NVDSUSE bug 1260083CVE-2026-4710SUSE Liberty Linux 10
Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4710 at SUSECVE-2026-4710 at NVDSUSE bug 1260083CVE-2026-4711SUSE Liberty Linux 10
Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4711 at SUSECVE-2026-4711 at NVDSUSE bug 1260083CVE-2026-4712SUSE Liberty Linux 10
Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4712 at SUSECVE-2026-4712 at NVDSUSE bug 1260083CVE-2026-4713SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4713 at SUSECVE-2026-4713 at NVDSUSE bug 1260083CVE-2026-4714SUSE Liberty Linux 10
Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4714 at SUSECVE-2026-4714 at NVDSUSE bug 1260083CVE-2026-4715SUSE Liberty Linux 10
Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4715 at SUSECVE-2026-4715 at NVDSUSE bug 1260083CVE-2026-4716SUSE Liberty Linux 10
Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4716 at SUSECVE-2026-4716 at NVDSUSE bug 1260083CVE-2026-4717SUSE Liberty Linux 10
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4717 at SUSECVE-2026-4717 at NVDSUSE bug 1260083CVE-2026-4718SUSE Liberty Linux 10
Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4718 at SUSECVE-2026-4718 at NVDSUSE bug 1260083CVE-2026-4719SUSE Liberty Linux 10
Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4719 at SUSECVE-2026-4719 at NVDSUSE bug 1260083CVE-2026-4720SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4720 at SUSECVE-2026-4720 at NVDSUSE bug 1260083CVE-2026-4721SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
ImportantCVE-2026-4721 at SUSECVE-2026-4721 at NVDSUSE bug 1260083CVE-2026-4775SUSE Liberty Linux 10
A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.
ImportantCVE-2026-4775 at SUSECVE-2026-4775 at NVDSUSE bug 1260411CVE-2026-4786SUSE Liberty Linux 10
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
ImportantCVE-2026-4786 at SUSECVE-2026-4786 at NVDSUSE bug 1260026SUSE bug 1262319CVE-2026-4800SUSE Liberty Linux 10
Impact:
The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
CriticalCVE-2026-4800 at SUSECVE-2026-4800 at NVDCVE-2026-4802SUSE Liberty Linux 10
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
ImportantCVE-2026-4802 at SUSECVE-2026-4802 at NVDSUSE bug 1265040CVE-2026-4878SUSE Liberty Linux 10
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
ImportantCVE-2026-4878 at SUSECVE-2026-4878 at NVDSUSE bug 1261809CVE-2026-4890SUSE Liberty Linux 10
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
ImportantCVE-2026-4890 at SUSECVE-2026-4890 at NVDSUSE bug 1265001CVE-2026-4891SUSE Liberty Linux 10
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
ModerateCVE-2026-4891 at SUSECVE-2026-4891 at NVDSUSE bug 1265002CVE-2026-4892SUSE Liberty Linux 10
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
ImportantCVE-2026-4892 at SUSECVE-2026-4892 at NVDSUSE bug 1265003CVE-2026-4893SUSE Liberty Linux 10
An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.
ModerateCVE-2026-4893 at SUSECVE-2026-4893 at NVDSUSE bug 1265004CVE-2026-49975SUSE Liberty Linux 10
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.
This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
ImportantCVE-2026-49975 at SUSECVE-2026-49975 at NVDSUSE bug 1267503CVE-2026-5119SUSE Liberty Linux 10
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
ModerateCVE-2026-5119 at SUSECVE-2026-5119 at NVDSUSE bug 1261019CVE-2026-5172SUSE Liberty Linux 10
A buffer overflow in dnsmasq's extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record's end.
ImportantCVE-2026-5172 at SUSECVE-2026-5172 at NVDSUSE bug 1265006CVE-2026-5201SUSE Liberty Linux 10
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.
ImportantCVE-2026-5201 at SUSECVE-2026-5201 at NVDSUSE bug 1261210SUSE bug 1265941CVE-2026-5260SUSE Liberty Linux 10
A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.
ModerateCVE-2026-5260 at SUSECVE-2026-5260 at NVDSUSE bug 1263715CVE-2026-5405SUSE Liberty Linux 10
RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
ImportantCVE-2026-5405 at SUSECVE-2026-5405 at NVDSUSE bug 1263767CVE-2026-5419SUSE Liberty Linux 10
A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.
ModerateCVE-2026-5419 at SUSECVE-2026-5419 at NVDSUSE bug 1263716CVE-2026-5656SUSE Liberty Linux 10
Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
ImportantCVE-2026-5656 at SUSECVE-2026-5656 at NVDSUSE bug 1263809CVE-2026-5713SUSE Liberty Linux 10
The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
ModerateCVE-2026-5713 at SUSECVE-2026-5713 at NVDSUSE bug 1262132CVE-2026-5731SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
ImportantCVE-2026-5731 at SUSECVE-2026-5731 at NVDSUSE bug 1261663CVE-2026-5732SUSE Liberty Linux 10
Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
ImportantCVE-2026-5732 at SUSECVE-2026-5732 at NVDSUSE bug 1261663CVE-2026-5734SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
ImportantCVE-2026-5734 at SUSECVE-2026-5734 at NVDSUSE bug 1261663CVE-2026-5946SUSE Liberty Linux 10
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) - for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths - recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data - can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
ImportantCVE-2026-5946 at SUSECVE-2026-5946 at NVDSUSE bug 1265594CVE-2026-6100SUSE Liberty Linux 10
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.
The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
ImportantCVE-2026-6100 at SUSECVE-2026-6100 at NVDSUSE bug 1262098CVE-2026-6735SUSE Liberty Linux 10
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
ModerateCVE-2026-6735 at SUSECVE-2026-6735 at NVDSUSE bug 1264775CVE-2026-6746SUSE Liberty Linux 10
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6746 at SUSECVE-2026-6746 at NVDSUSE bug 1262230CVE-2026-6747SUSE Liberty Linux 10
Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6747 at SUSECVE-2026-6747 at NVDSUSE bug 1262230CVE-2026-6748SUSE Liberty Linux 10
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6748 at SUSECVE-2026-6748 at NVDSUSE bug 1262230CVE-2026-6749SUSE Liberty Linux 10
Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6749 at SUSECVE-2026-6749 at NVDSUSE bug 1262230CVE-2026-6750SUSE Liberty Linux 10
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6750 at SUSECVE-2026-6750 at NVDSUSE bug 1262230CVE-2026-6751SUSE Liberty Linux 10
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6751 at SUSECVE-2026-6751 at NVDSUSE bug 1262230CVE-2026-6752SUSE Liberty Linux 10
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6752 at SUSECVE-2026-6752 at NVDSUSE bug 1262230CVE-2026-6753SUSE Liberty Linux 10
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6753 at SUSECVE-2026-6753 at NVDSUSE bug 1262230CVE-2026-6754SUSE Liberty Linux 10
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6754 at SUSECVE-2026-6754 at NVDSUSE bug 1262230CVE-2026-6757SUSE Liberty Linux 10
Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6757 at SUSECVE-2026-6757 at NVDSUSE bug 1262230CVE-2026-6759SUSE Liberty Linux 10
Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6759 at SUSECVE-2026-6759 at NVDSUSE bug 1262230CVE-2026-6761SUSE Liberty Linux 10
Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6761 at SUSECVE-2026-6761 at NVDSUSE bug 1262230CVE-2026-6762SUSE Liberty Linux 10
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6762 at SUSECVE-2026-6762 at NVDSUSE bug 1262230CVE-2026-6763SUSE Liberty Linux 10
Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6763 at SUSECVE-2026-6763 at NVDSUSE bug 1262230CVE-2026-6764SUSE Liberty Linux 10
Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6764 at SUSECVE-2026-6764 at NVDSUSE bug 1262230CVE-2026-6765SUSE Liberty Linux 10
Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6765 at SUSECVE-2026-6765 at NVDSUSE bug 1262230CVE-2026-6766SUSE Liberty Linux 10
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6766 at SUSECVE-2026-6766 at NVDSUSE bug 1262230CVE-2026-6767SUSE Liberty Linux 10
Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6767 at SUSECVE-2026-6767 at NVDSUSE bug 1262230CVE-2026-6769SUSE Liberty Linux 10
Privilege escalation in the Debugger component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6769 at SUSECVE-2026-6769 at NVDSUSE bug 1262230CVE-2026-6770SUSE Liberty Linux 10
Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6770 at SUSECVE-2026-6770 at NVDSUSE bug 1262230CVE-2026-6771SUSE Liberty Linux 10
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6771 at SUSECVE-2026-6771 at NVDSUSE bug 1262230CVE-2026-6772SUSE Liberty Linux 10
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6772 at SUSECVE-2026-6772 at NVDSUSE bug 1262230CVE-2026-6776SUSE Liberty Linux 10
Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6776 at SUSECVE-2026-6776 at NVDSUSE bug 1262230CVE-2026-6785SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6785 at SUSECVE-2026-6785 at NVDSUSE bug 1262230CVE-2026-6786SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CriticalCVE-2026-6786 at SUSECVE-2026-6786 at NVDSUSE bug 1262230CVE-2026-6893SUSE Liberty Linux 10
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
ImportantCVE-2026-6893 at SUSECVE-2026-6893 at NVDSUSE bug 1268322CVE-2026-7258SUSE Liberty Linux 10
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service.
ImportantCVE-2026-7258 at SUSECVE-2026-7258 at NVDSUSE bug 1264774CVE-2026-7259SUSE Liberty Linux 10
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().
ImportantCVE-2026-7259 at SUSECVE-2026-7259 at NVDSUSE bug 1264773CVE-2026-7262SUSE Liberty Linux 10
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
ModerateCVE-2026-7262 at SUSECVE-2026-7262 at NVDSUSE bug 1264771CVE-2026-7320SUSE Liberty Linux 10
Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
CriticalCVE-2026-7320 at SUSECVE-2026-7320 at NVDSUSE bug 1263110CVE-2026-7321SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.
CriticalCVE-2026-7321 at SUSECVE-2026-7321 at NVDSUSE bug 1263110CVE-2026-7322SUSE Liberty Linux 10
Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
CriticalCVE-2026-7322 at SUSECVE-2026-7322 at NVDSUSE bug 1263110CVE-2026-7323SUSE Liberty Linux 10
Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
CriticalCVE-2026-7323 at SUSECVE-2026-7323 at NVDSUSE bug 1263110CVE-2026-7383SUSE Liberty Linux 10
Issue summary: A signed integer overflow when sizing the destination
buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap
buffer overflow.
Impact summary: A heap buffer overflow may lead to a crash or possibly
attacker controlled code execution or other undefined behaviour.
In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination
size for Unicode output is computed in a signed int: by left shift
of the input character count for BMPSTRING (UTF-16) and
UNIVERSALSTRING (UTF-32), and by summing per-character byte counts
for UTF8STRING. The calculation overflows when the input reaches
around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30
characters) the size wraps to zero, OPENSSL_malloc(1) is called, and
the subsequent character copy writes several gigabytes past the
one-byte allocation.
X.509 certificate processing routes through ASN1_STRING_set_by_NID(),
whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID
size limits cap the input length; no network protocol or
certificate-handling path in OpenSSL exercises the overflow.
Triggering the bug requires an application that calls
ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers
a custom string type via ASN1_STRING_TABLE_add(), with
attacker-controlled input on the order of half a gigabyte or more.
For these reasons this issue was assigned Low severity.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by
this issue, as the affected code is outside the OpenSSL FIPS module
boundary.
ModerateCVE-2026-7383 at SUSECVE-2026-7383 at NVDSUSE bug 1266340CVE-2026-7568SUSE Liberty Linux 10
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
ImportantCVE-2026-7568 at SUSECVE-2026-7568 at NVDSUSE bug 1264769CVE-2026-8388SUSE Liberty Linux 10
Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
ImportantCVE-2026-8388 at SUSECVE-2026-8388 at NVDSUSE bug 1265432CVE-2026-8391SUSE Liberty Linux 10
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
ImportantCVE-2026-8391 at SUSECVE-2026-8391 at NVDSUSE bug 1265432CVE-2026-8401SUSE Liberty Linux 10
Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
ImportantCVE-2026-8401 at SUSECVE-2026-8401 at NVDSUSE bug 1265432CVE-2026-8631SUSE Liberty Linux 10
A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via an integer overflow in the hpcups processing path when handling crafted print data.
CriticalCVE-2026-8631 at SUSECVE-2026-8631 at NVDSUSE bug 1266023CVE-2026-8632SUSE Liberty Linux 10
A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via operating system command injection.
ImportantCVE-2026-8632 at SUSECVE-2026-8632 at NVDSUSE bug 1266024CVE-2026-8946SUSE Liberty Linux 10
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8946 at SUSECVE-2026-8946 at NVDSUSE bug 1265212CVE-2026-8947SUSE Liberty Linux 10
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8947 at SUSECVE-2026-8947 at NVDSUSE bug 1265212CVE-2026-8950SUSE Liberty Linux 10
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8950 at SUSECVE-2026-8950 at NVDSUSE bug 1265212CVE-2026-8953SUSE Liberty Linux 10
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8953 at SUSECVE-2026-8953 at NVDSUSE bug 1265212CVE-2026-8954SUSE Liberty Linux 10
Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8954 at SUSECVE-2026-8954 at NVDSUSE bug 1265212CVE-2026-8955SUSE Liberty Linux 10
Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8955 at SUSECVE-2026-8955 at NVDSUSE bug 1265212CVE-2026-8956SUSE Liberty Linux 10
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8956 at SUSECVE-2026-8956 at NVDSUSE bug 1265212CVE-2026-8957SUSE Liberty Linux 10
Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8957 at SUSECVE-2026-8957 at NVDSUSE bug 1265212CVE-2026-8958SUSE Liberty Linux 10
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8958 at SUSECVE-2026-8958 at NVDSUSE bug 1265212CVE-2026-8959SUSE Liberty Linux 10
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8959 at SUSECVE-2026-8959 at NVDSUSE bug 1265212CVE-2026-8961SUSE Liberty Linux 10
Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8961 at SUSECVE-2026-8961 at NVDSUSE bug 1265212CVE-2026-8962SUSE Liberty Linux 10
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8962 at SUSECVE-2026-8962 at NVDSUSE bug 1265212CVE-2026-8968SUSE Liberty Linux 10
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8968 at SUSECVE-2026-8968 at NVDSUSE bug 1265212CVE-2026-8970SUSE Liberty Linux 10
Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8970 at SUSECVE-2026-8970 at NVDSUSE bug 1265212CVE-2026-8974SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8974 at SUSECVE-2026-8974 at NVDSUSE bug 1265212CVE-2026-8975SUSE Liberty Linux 10
Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
ImportantCVE-2026-8975 at SUSECVE-2026-8975 at NVDSUSE bug 1265212CVE-2026-9064SUSE Liberty Linux 10
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
ImportantCVE-2026-9064 at SUSECVE-2026-9064 at NVDSUSE bug 1265898CVE-2026-9076SUSE Liberty Linux 10
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)
processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK
cipher can trigger a heap out-of-bounds read in kek_unwrap_key().
Impact summary: A heap buffer over-read may trigger a crash which leads to
Denial of Service for an application if the input buffer ends at a memory
page boundary and the following page is unmapped. There is no information
disclosure as the over-read bytes are not revealed to the attacker.
The key unwrapping function performs a check-byte test as specified in the
RFC that reads 7 bytes from a heap allocation that is based on the wrapped
key length from the message. There is a minimum length check based on the
block length of the wrapping cipher. However the cipher is selected from
an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no
requirement that the cipher be a block cipher. When an attacker selects
a stream-mode cipher the guard will be ineffective and the allocated buffer
containing the unwrapped key can be too small to fit the check-bytes
specified in the RFC and a buffer over-read can happen.
Applications calling CMS_decrypt() or CMS_decrypt_set1_password()
(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS
data are vulnerable to this issue. No password knowledge is required: the
over-read happens during the unwrap attempt before any authentication
succeeds.
The over-read is limited to a few bytes and is not written to output, so
there is no information disclosure. Triggering a crash requires the
allocation to border unmapped memory, which is unlikely with the normal
allocator.
The FIPS modules are not affected by this issue.
ModerateCVE-2026-9076 at SUSECVE-2026-9076 at NVDSUSE bug 1266341perl-XML-Parsersles_es-release-serverkernel-defaultkgraft-patch-3_12_38-44-defaultkgraft-patch-3_12_39-47-defaultkgraft-patch-3_12_43-52_6-defaultkgraft-patch-3_12_44-52_10-defaultkgraft-patch-3_12_44-52_18-defaultkgraft-patch-3_12_48-52_27-defaultkgraft-patch-3_12_49-11-defaultkgraft-patch-3_12_51-52_31-defaultkgraft-patch-3_12_51-52_34-defaultkgraft-patch-3_12_51-52_39-defaultkgraft-patch-3_12_51-60_20-defaultkgraft-patch-3_12_51-60_25-defaultkgraft-patch-3_12_53-60_30-defaultkgraft-patch-3_12_57-60_35-defaultkgraft-patch-3_12_59-60_41-defaultkgraft-patch-3_12_59-60_45-defaultkgraft-patch-3_12_32-33-defaultkgraft-patch-3_12_36-38-defaultkgraft-patch-4_4_21-69-defaultkgraft-patch-4_4_21-81-defaultkgraft-patch-4_4_21-84-defaultkgraft-patch-4_4_21-90-defaultkgraft-patch-4_4_38-93-defaultkgraft-patch-3_12_62-60_62-defaultkgraft-patch-3_12_62-60_64_8-defaultkgraft-patch-3_12_67-60_64_18-defaultkgraft-patch-3_12_67-60_64_21-defaultkgraft-patch-4_4_103-6_33-defaultkgraft-patch-4_4_103-6_38-defaultkgraft-patch-4_4_82-6_3-defaultkgraft-patch-4_4_82-6_6-defaultkgraft-patch-4_4_82-6_9-defaultkgraft-patch-4_4_92-6_18-defaultkgraft-patch-4_4_92-6_30-defaultkgraft-patch-4_4_49-92_11-defaultkgraft-patch-4_4_49-92_14-defaultkgraft-patch-4_4_59-92_17-defaultkgraft-patch-4_4_59-92_20-defaultkgraft-patch-4_4_59-92_24-defaultkgraft-patch-4_4_74-92_29-defaultkgraft-patch-4_4_74-92_32-defaultkgraft-patch-4_4_74-92_35-defaultkgraft-patch-4_4_74-92_38-defaultkgraft-patch-4_4_90-92_45-defaultkgraft-patch-4_12_14-95_40-defaultkgraft-patch-4_12_14-120-defaultkgraft-patch-4_12_14-122_7-defaultkernel-livepatch-4_12_14-150_41-defaultkernel-livepatch-4_12_14-197_26-defaultkgraft-patch-4_4_114-94_11-defaultkgraft-patch-4_4_114-94_14-defaultkgraft-patch-4_4_103-92_53-defaultkgraft-patch-4_4_103-92_56-defaultkgraft-patch-4_4_90-92_50-defaultkernel-livepatch-4_12_14-23-defaultkernel-livepatch-4_12_14-25_3-defaultkgraft-patch-3_12_67-60_64_24-defaultkgraft-patch-3_12_69-60_64_29-defaultkgraft-patch-3_12_69-60_64_32-defaultkgraft-patch-3_12_69-60_64_35-defaultkgraft-patch-4_4_73-5-defaultkgraft-patch-4_4_120-94_17-defaultkgraft-patch-4_4_126-94_22-defaultkgraft-patch-4_12_14-95_19-defaultkgraft-patch-4_12_14-95_24-defaultkgraft-patch-4_12_14-95_29-defaultkgraft-patch-4_12_14-95_32-defaultkgraft-patch-4_12_14-95_37-defaultkgraft-patch-4_12_14-95_45-defaultkgraft-patch-4_12_14-95_48-defaultkgraft-patch-4_12_14-95_51-defaultkgraft-patch-4_12_14-122_12-defaultkgraft-patch-4_12_14-122_17-defaultkgraft-patch-4_12_14-122_20-defaultkernel-livepatch-4_12_14-150_22-defaultkernel-livepatch-4_12_14-150_27-defaultkernel-livepatch-4_12_14-150_32-defaultkernel-livepatch-4_12_14-150_35-defaultkernel-livepatch-4_12_14-150_38-defaultkernel-livepatch-4_12_14-150_47-defaultkernel-livepatch-4_12_14-195-defaultkernel-livepatch-4_12_14-197_10-defaultkernel-livepatch-4_12_14-197_15-defaultkernel-livepatch-4_12_14-197_18-defaultkernel-livepatch-4_12_14-197_21-defaultkernel-livepatch-4_12_14-197_29-defaultkernel-livepatch-4_12_14-197_34-defaultkernel-livepatch-4_12_14-197_37-defaultkernel-livepatch-4_12_14-197_4-defaultkernel-livepatch-4_12_14-197_40-defaultkernel-livepatch-4_12_14-197_7-defaultkgraft-patch-4_4_131-94_29-defaultkgraft-patch-4_4_132-94_33-defaultkernel-livepatch-4_12_14-25_13-defaultkernel-livepatch-4_12_14-25_6-defaultkgraft-patch-4_4_138-94_39-defaultkgraft-patch-4_4_140-94_42-defaultkgraft-patch-4_4_143-94_47-defaultkernel-livepatch-4_12_14-25_16-defaultkgraft-patch-4_4_155-94_50-defaultkgraft-patch-4_4_156-94_57-defaultkgraft-patch-4_4_156-94_61-defaultkgraft-patch-4_4_156-94_64-defaultkernel-livepatch-4_12_14-25_19-defaultkgraft-patch-4_12_14-94_41-defaultkgraft-patch-4_12_14-95_3-defaultkgraft-patch-4_12_14-95_6-defaultkernel-livepatch-4_12_14-25_28-defaultkgraft-patch-4_4_162-94_69-defaultkgraft-patch-4_4_162-94_72-defaultkernel-livepatch-4_12_14-25_22-defaultkernel-livepatch-4_12_14-25_25-defaultzziplibzziplib-develzziplib-utilskgraft-patch-4_12_14-95_68-defaultkgraft-patch-4_12_14-95_71-defaultkgraft-patch-4_12_14-95_74-defaultkgraft-patch-4_12_14-95_77-defaultkgraft-patch-4_12_14-95_80-defaultkgraft-patch-4_12_14-95_83-defaultkernel-livepatch-4_12_14-150_66-defaultkernel-livepatch-4_12_14-150_69-defaultkernel-livepatch-4_12_14-150_72-defaultkernel-livepatch-4_12_14-150_75-defaultkernel-livepatch-4_12_14-150_78-defaultkgraft-patch-4_12_14-95_13-defaultkgraft-patch-4_12_14-95_16-defaultkernel-livepatch-4_12_14-150_14-defaultkernel-livepatch-4_12_14-150_17-defaultkgraft-patch-4_4_175-94_79-defaultkgraft-patch-4_4_176-94_88-defaultkgraft-patch-4_4_178-94_91-defaultkgraft-patch-4_4_180-94_97-defaultkgraft-patch-4_12_14-95_54-defaultkernel-livepatch-4_12_14-150_52-defaultkgraft-patch-4_12_14-95_57-defaultkgraft-patch-4_12_14-95_60-defaultkernel-livepatch-4_12_14-150_55-defaultkernel-livepatch-4_12_14-150_58-defaultkernel-livepatch-4_12_14-150_63-defaultkgraft-patch-4_12_14-95_65-defaultkgraft-patch-4_12_14-122_23-defaultkgraft-patch-4_12_14-122_26-defaultkgraft-patch-4_12_14-122_29-defaultkgraft-patch-4_12_14-122_32-defaultkgraft-patch-4_12_14-122_37-defaultkgraft-patch-4_12_14-122_41-defaultkgraft-patch-4_12_14-122_46-defaultkgraft-patch-4_12_14-122_51-defaultkgraft-patch-4_12_14-122_54-defaultkernel-livepatch-4_12_14-197_45-defaultkernel-livepatch-4_12_14-197_48-defaultkernel-livepatch-4_12_14-197_51-defaultkernel-livepatch-4_12_14-197_56-defaultkernel-livepatch-4_12_14-197_61-defaultkernel-livepatch-4_12_14-197_64-defaultkernel-livepatch-4_12_14-197_67-defaultkernel-livepatch-4_12_14-197_72-defaultkernel-livepatch-4_12_14-197_75-defaultkernel-livepatch-5_3_18-22-defaultkernel-livepatch-5_3_18-24_12-defaultkernel-livepatch-5_3_18-24_15-defaultkernel-livepatch-5_3_18-24_9-defaultkernel-livepatch-5_3_18-24_24-defaultkernel-livepatch-5_3_18-24_29-defaultkernel-livepatch-5_3_18-24_34-defaultkernel-livepatch-5_3_18-24_37-defaultkernel-livepatch-5_3_18-24_43-defaultkgraft-patch-4_12_14-122_60-defaultkgraft-patch-4_12_14-122_63-defaultkernel-livepatch-4_12_14-197_83-defaultkernel-livepatch-4_12_14-197_86-defaultkernel-livepatch-5_3_18-24_49-defaultkernel-livepatch-5_3_18-24_52-defaultkernel-livepatch-5_3_18-57-defaultkgraft-patch-4_12_14-122_57-defaultkernel-livepatch-4_12_14-197_78-defaultkernel-livepatch-5_3_18-24_46-defaultkgraft-patch-4_12_14-122_66-defaultkernel-livepatch-5_3_18-24_53_4-defaultkgraft-patch-4_12_14-122_71-defaultkgraft-patch-4_12_14-122_74-defaultkgraft-patch-4_12_14-122_77-defaultkernel-livepatch-4_12_14-197_89-defaultkernel-livepatch-4_12_14-197_92-defaultkernel-livepatch-5_3_18-24_61-defaultkernel-livepatch-5_3_18-24_64-defaultkernel-livepatch-5_3_18-24_67-defaultkgraft-patch-4_12_14-95_102-defaultkgraft-patch-4_12_14-95_105-defaultkgraft-patch-4_12_14-95_88-defaultkgraft-patch-4_12_14-95_93-defaultkgraft-patch-4_12_14-95_96-defaultkgraft-patch-4_12_14-95_99-defaultkgraft-patch-4_12_14-122_103-defaultkgraft-patch-4_12_14-122_106-defaultkgraft-patch-4_12_14-122_110-defaultkgraft-patch-4_12_14-122_113-defaultkgraft-patch-4_12_14-122_116-defaultkgraft-patch-4_12_14-122_121-defaultkgraft-patch-4_12_14-122_124-defaultkgraft-patch-4_12_14-122_127-defaultkgraft-patch-4_12_14-122_130-defaultkgraft-patch-4_12_14-122_88-defaultkgraft-patch-4_12_14-122_91-defaultkgraft-patch-4_12_14-122_98-defaultkernel-livepatch-4_12_14-150000_150_89-defaultkernel-livepatch-4_12_14-150000_150_92-defaultkernel-livepatch-4_12_14-150000_150_95-defaultkernel-livepatch-4_12_14-150000_150_98-defaultkernel-livepatch-4_12_14-150_83-defaultkernel-livepatch-4_12_14-150_86-defaultkernel-livepatch-4_12_14-150100_197_111-defaultkernel-livepatch-4_12_14-150100_197_114-defaultkernel-livepatch-4_12_14-150100_197_117-defaultkernel-livepatch-4_12_14-150100_197_120-defaultkernel-livepatch-4_12_14-197_102-defaultkernel-livepatch-4_12_14-197_105-defaultkernel-livepatch-4_12_14-197_108-defaultkernel-livepatch-5_3_18-150200_24_112-defaultkernel-livepatch-5_3_18-150200_24_115-defaultkernel-livepatch-5_3_18-150200_24_126-defaultkernel-livepatch-5_3_18-24_102-defaultkernel-livepatch-5_3_18-24_107-defaultkernel-livepatch-5_3_18-24_83-defaultkernel-livepatch-5_3_18-24_86-defaultkernel-livepatch-5_3_18-24_93-defaultkernel-livepatch-5_3_18-24_96-defaultkernel-livepatch-5_3_18-24_99-defaultkernel-livepatch-5_3_18-150300_59_43-defaultkernel-livepatch-5_3_18-150300_59_46-defaultkernel-livepatch-5_3_18-150300_59_49-defaultkernel-livepatch-5_3_18-150300_59_54-defaultkernel-livepatch-5_3_18-150300_59_60-defaultkernel-livepatch-5_3_18-150300_59_63-defaultkernel-livepatch-5_3_18-150300_59_68-defaultkernel-livepatch-5_3_18-150300_59_71-defaultkernel-livepatch-5_3_18-150300_59_76-defaultkernel-livepatch-5_3_18-150300_59_87-defaultkernel-livepatch-5_3_18-59_24-defaultkernel-livepatch-5_3_18-59_27-defaultkernel-livepatch-5_3_18-59_34-defaultkernel-livepatch-5_3_18-59_37-defaultkernel-livepatch-5_3_18-59_40-defaultkernel-livepatch-5_14_21-150400_22-defaultkernel-livepatch-5_14_21-150400_24_11-defaultkernel-livepatch-5_14_21-150400_24_18-defaultkgraft-patch-4_12_14-122_80-defaultkgraft-patch-4_12_14-122_83-defaultkernel-livepatch-4_12_14-197_99-defaultkernel-livepatch-5_3_18-24_70-defaultkernel-livepatch-5_3_18-24_75-defaultkernel-livepatch-5_3_18-24_78-defaultkernel-livepatch-5_3_18-59_10-defaultkernel-livepatch-5_3_18-59_13-defaultkernel-livepatch-5_3_18-59_16-defaultkernel-livepatch-5_3_18-59_19-defaultkernel-livepatch-5_3_18-59_5-defaultkernel-livepatch-5_3_18-150200_24_129-defaultkernel-livepatch-5_3_18-150200_24_134-defaultkernel-livepatch-5_3_18-150300_59_90-defaultkernel-livepatch-5_3_18-150300_59_93-defaultkernel-livepatch-5_3_18-150300_59_98-defaultkernel-livepatch-5_14_21-150400_24_21-defaultkernel-livepatch-5_14_21-150400_24_28-defaultkernel-livepatch-5_14_21-150400_24_33-defaultkgraft-patch-4_12_14-122_162-defaultkgraft-patch-4_12_14-122_165-defaultkgraft-patch-4_12_14-122_173-defaultkgraft-patch-4_12_14-122_176-defaultkgraft-patch-4_12_14-122_179-defaultkgraft-patch-4_12_14-122_183-defaultkgraft-patch-4_12_14-122_186-defaultkgraft-patch-4_12_14-122_189-defaultkgraft-patch-4_12_14-122_194-defaultkgraft-patch-4_12_14-122_201-defaultkgraft-patch-4_12_14-122_216-defaultkernel-livepatch-5_3_18-150200_24_154-defaultkernel-livepatch-5_3_18-150200_24_157-defaultkernel-livepatch-5_3_18-150200_24_160-defaultkernel-livepatch-5_3_18-150200_24_163-defaultkernel-livepatch-5_3_18-150200_24_166-defaultkernel-livepatch-5_3_18-150200_24_169-defaultkernel-livepatch-5_3_18-150200_24_172-defaultkernel-livepatch-5_3_18-150200_24_175-defaultkernel-livepatch-5_3_18-150200_24_178-defaultkernel-livepatch-5_3_18-150200_24_183-defaultkernel-livepatch-5_3_18-150200_24_188-defaultkernel-livepatch-5_3_18-150300_59_124-defaultkernel-livepatch-5_3_18-150300_59_127-defaultkernel-livepatch-5_3_18-150300_59_130-defaultkernel-livepatch-5_3_18-150300_59_133-defaultkernel-livepatch-5_3_18-150300_59_138-defaultkernel-livepatch-5_3_18-150300_59_141-defaultkernel-livepatch-5_3_18-150300_59_144-defaultkernel-livepatch-5_3_18-150300_59_147-defaultkernel-livepatch-5_3_18-150300_59_150-defaultkernel-livepatch-5_3_18-150300_59_153-defaultkernel-livepatch-5_3_18-150300_59_158-defaultkernel-livepatch-5_3_18-150300_59_161-defaultkernel-livepatch-5_3_18-150200_24_191-defaultkernel-livepatch-5_3_18-150200_24_194-defaultkernel-livepatch-5_3_18-150200_24_197-defaultkernel-livepatch-5_3_18-150300_59_164-defaultkernel-livepatch-5_3_18-150300_59_167-defaultkernel-livepatch-5_14_21-150500_55_36-defaultkernel-livepatch-5_14_21-150500_55_39-defaultkernel-livepatch-5_14_21-150500_55_44-defaultkernel-livepatch-5_14_21-150500_55_49-defaultkernel-livepatch-5_14_21-150500_55_52-defaultkernel-livepatch-5_14_21-150500_55_59-defaultkernel-livepatch-5_14_21-150500_55_62-defaultkernel-livepatch-5_14_21-150500_55_65-defaultkernel-livepatch-5_14_21-150500_55_68-defaultkernel-livepatch-5_14_21-150500_55_73-defaultkernel-livepatch-5_14_21-150400_24_100-defaultkernel-livepatch-5_14_21-150400_24_103-defaultkernel-livepatch-5_14_21-150400_24_108-defaultkernel-livepatch-5_14_21-150400_24_111-defaultkernel-livepatch-5_14_21-150400_24_116-defaultkernel-livepatch-5_14_21-150400_24_119-defaultkernel-livepatch-5_14_21-150400_24_122-defaultkernel-livepatch-5_14_21-150400_24_125-defaultkernel-livepatch-5_14_21-150400_24_88-defaultkernel-livepatch-5_14_21-150400_24_92-defaultkernel-livepatch-5_14_21-150400_24_97-defaultkernel-livepatch-5_14_21-150500_55_28-defaultkernel-livepatch-5_14_21-150500_55_31-defaultkernel-livepatch-5_3_18-150300_59_101-defaultkgraft-patch-4_12_14-95_108-defaultkgraft-patch-4_12_14-95_111-defaultkgraft-patch-4_12_14-122_133-defaultkgraft-patch-4_12_14-122_136-defaultkernel-livepatch-4_12_14-150100_197_123-defaultkernel-livepatch-4_12_14-150100_197_126-defaultkernel-livepatch-4_12_14-150000_150_101-defaultkernel-livepatch-4_12_14-150000_150_104-defaultkgraft-patch-4_12_14-95_114-defaultkgraft-patch-4_12_14-122_139-defaultkgraft-patch-4_12_14-122_144-defaultkernel-livepatch-4_12_14-150100_197_131-defaultkernel-livepatch-5_3_18-150200_24_139-defaultkernel-livepatch-5_14_21-150400_24_38-defaultkernel-livepatch-5_3_18-150200_24_142-defaultkernel-livepatch-5_3_18-150200_24_145-defaultkernel-livepatch-5_3_18-150300_59_106-defaultkernel-livepatch-5_3_18-150300_59_109-defaultkernel-livepatch-5_3_18-150300_59_112-defaultkernel-livepatch-5_3_18-150300_59_115-defaultkgraft-patch-4_12_14-122_159-defaultkernel-livepatch-5_3_18-150200_24_151-defaultkernel-livepatch-5_3_18-150300_59_121-defaultkernel-livepatch-5_14_21-150400_24_60-defaultkernel-livepatch-5_14_21-150400_24_63-defaultkernel-livepatch-5_14_21-150400_24_66-defaultkernel-livepatch-5_14_21-150400_24_69-defaultkernel-livepatch-5_14_21-150400_24_74-defaultkernel-livepatch-5_14_21-150400_24_81-defaultkernel-rtkernel-livepatch-5_14_21-150500_11-rtkernel-livepatch-5_14_21-150500_53-defaultkernel-livepatch-5_14_21-150500_55_12-defaultkernel-livepatch-5_14_21-150500_55_19-defaultkernel-livepatch-5_14_21-150500_55_7-defaultkgraft-patch-4_12_14-122_219-defaultkgraft-patch-4_12_14-122_222-defaultkgraft-patch-4_12_14-122_225-defaultkgraft-patch-4_12_14-122_228-defaultkernel-livepatch-5_3_18-150300_59_170-defaultkernel-livepatch-5_3_18-150300_59_174-defaultkernel-livepatch-5_14_21-150400_24_128-defaultkernel-livepatch-5_14_21-150400_24_133-defaultkernel-livepatch-5_14_21-150500_55_80-defaultkgraft-patch-4_12_14-122_231-defaultkernel-livepatch-5_3_18-150300_59_179-defaultkernel-livepatch-5_14_21-150400_24_136-defaultkernel-livepatch-5_14_21-150500_55_83-defaultkgraft-patch-4_12_14-122_234-defaultkgraft-patch-4_12_14-122_237-defaultkgraft-patch-4_12_14-122_244-defaultkgraft-patch-4_12_14-122_247-defaultkgraft-patch-4_12_14-122_250-defaultkernel-livepatch-5_3_18-150300_59_182-defaultkernel-livepatch-5_3_18-150300_59_185-defaultkernel-livepatch-5_3_18-150300_59_188-defaultkernel-livepatch-5_3_18-150300_59_195-defaultkernel-livepatch-5_3_18-150300_59_198-defaultkernel-livepatch-5_14_21-150400_24_141-defaultkernel-livepatch-5_14_21-150400_24_144-defaultkernel-livepatch-5_14_21-150400_24_147-defaultkernel-livepatch-5_14_21-150400_24_150-defaultkernel-livepatch-5_14_21-150400_24_153-defaultkernel-livepatch-5_14_21-150400_24_158-defaultkernel-livepatch-5_14_21-150500_55_88-defaultkernel-livepatch-5_14_21-150500_55_91-defaultkernel-livepatch-5_14_21-150500_55_94-defaultkernel-livepatch-5_14_21-150500_55_97-defaultkgraft-patch-4_12_14-122_255-defaultkgraft-patch-4_12_14-122_258-defaultkgraft-patch-4_12_14-122_261-defaultkgraft-patch-4_12_14-122_266-defaultkgraft-patch-4_12_14-122_269-defaultkgraft-patch-4_12_14-122_272-defaultkernel-livepatch-5_14_21-150400_24_161-defaultkernel-livepatch-5_14_21-150400_24_164-defaultkernel-livepatch-5_14_21-150400_24_167-defaultkernel-livepatch-5_14_21-150400_24_170-defaultkernel-livepatch-5_14_21-150400_24_173-defaultkernel-livepatch-5_14_21-150400_24_176-defaultkernel-livepatch-5_3_18-150300_59_201-defaultkernel-livepatch-5_3_18-150300_59_204-defaultkernel-livepatch-5_3_18-150300_59_207-defaultkernel-livepatch-5_3_18-150300_59_211-defaultkernel-livepatch-5_3_18-150300_59_215-defaultkernel-livepatch-5_3_18-150300_59_218-defaultkernel-livepatch-5_14_21-150500_55_100-defaultkernel-livepatch-5_14_21-150500_55_103-defaultkernel-livepatch-5_14_21-150500_55_110-defaultkernel-livepatch-5_14_21-150500_55_113-defaultkernel-livepatch-5_14_21-150500_55_116-defaultkernel-livepatch-5_14_21-150500_55_121-defaultkgraft-patch-4_12_14-122_275-defaultkernel-livepatch-5_14_21-150400_24_179-defaultkernel-livepatch-5_14_21-150500_55_124-defaultkernel-livepatch-5_3_18-150300_59_221-defaultkgraft-patch-4_12_14-122_280-defaultkgraft-patch-4_12_14-122_283-defaultkgraft-patch-4_12_14-122_290-defaultkernel-livepatch-5_14_21-150400_24_184-defaultkernel-livepatch-5_14_21-150400_24_187-defaultkernel-livepatch-5_14_21-150500_55_127-defaultkernel-livepatch-5_14_21-150500_55_130-defaultkernel-livepatch-5_14_21-150500_55_133-defaultkernel-livepatch-5_14_21-150400_24_41-defaultkgraft-patch-4_12_14-122_147-defaultkernel-livepatch-5_14_21-150400_15_11-rtkernel-livepatch-5_14_21-150400_24_46-defaultkernel-livepatch-5_14_21-150400_24_55-defaultkgraft-patch-4_12_14-95_117-defaultkernel-livepatch-4_12_14-150100_197_134-defaultkgraft-patch-4_12_14-122_150-defaultkgraft-patch-4_12_14-122_153-defaultkgraft-patch-4_12_14-122_156-defaultkernel-livepatch-4_12_14-150100_197_137-defaultkernel-livepatch-4_12_14-150100_197_142-defaultkernel-livepatch-4_12_14-150100_197_145-defaultkernel-livepatch-5_3_18-150200_24_148-defaultkernel-livepatch-5_3_18-150300_59_118-defaultkgraft-patch-4_12_14-95_120-defaultkernel-livepatch-4_12_14-150100_197_157-defaultkernel-livepatch-4_12_14-150100_197_148-defaultkernel-livepatch-4_12_14-150100_197_151-defaultkernel-livepatch-4_12_14-150100_197_154-defaultkernel-livepatch-4_12_14-150100_197_160-defaultkernel-livepatch-4_12_14-150100_197_165-defaultkernel-livepatch-4_12_14-150100_197_168-defaultkgraft-patch-4_12_14-95_125-defaultlibtifflibtiff-devellibtiff-toolskernel-livepatch-6_4_0-150600_21-defaultkernel-livepatch-6_4_0-150600_23_14-defaultkernel-livepatch-6_4_0-150600_23_17-defaultkernel-livepatch-6_4_0-150600_23_22-defaultkernel-livepatch-6_4_0-150600_23_7-defaultkernel-livepatch-6_4_0-150600_8-rtmariadbmariadb-backupmariadb-client-utilsmariadb-commonmariadb-develmariadb-embeddedmariadb-embedded-develmariadb-errmsgmariadb-gssapi-servermariadb-oqgraph-enginemariadb-pammariadb-servermariadb-server-galeramariadb-server-utilsmariadb-testkernelkernel-abi-stablelistskernel-corekernel-cross-headerskernel-debugkernel-debug-corekernel-debug-moduleskernel-debug-modules-corekernel-debug-modules-extrakernel-debug-uki-virtkernel-dockernel-headerskernel-moduleskernel-modules-corekernel-modules-extrakernel-modules-extra-matchedkernel-rt-corekernel-rt-debugkernel-rt-debug-corekernel-rt-debug-moduleskernel-rt-debug-modules-corekernel-rt-debug-modules-extrakernel-rt-moduleskernel-rt-modules-corekernel-rt-modules-extrakernel-toolskernel-tools-libskernel-uki-virtkernel-uki-virt-addonslibperfperfpython3-perfrtlarvkernel-livepatch-6_4_0-150600_23_30-defaultkernel-livepatch-6_4_0-150600_23_33-defaultkernel-livepatch-6_4_0-150600_23_38-defaultkernel-livepatch-6_4_0-150600_23_42-defaultkernel-livepatch-6_4_0-150600_23_47-defaultkernel-livepatch-6_4_0-150600_23_50-defaultkernel-livepatch-6_4_0-150600_23_53-defaultkernel-livepatch-6_4_0-150600_23_60-defaultkernel-livepatch-6_4_0-150600_23_65-defaultkernel-livepatch-6_4_0-150600_23_70-defaultkernel-livepatch-6_4_0-150600_23_73-defaultkernel-livepatch-6_4_0-150700_5-rtkernel-livepatch-6_4_0-150700_51-defaultkernel-livepatch-6_4_0-150700_53_11-defaultkernel-livepatch-6_4_0-150700_53_16-defaultkernel-livepatch-6_4_0-150700_53_19-defaultkernel-livepatch-6_4_0-150700_53_3-defaultkernel-livepatch-6_4_0-150700_53_6-defaultkgraft-patch-4_12_14-122_293-defaultphpphp-bcmathphp-cliphp-commonphp-dbaphp-dbgphp-develphp-embeddedphp-enchantphp-ffiphp-fpmphp-gdphp-gmpphp-intlphp-ldapphp-mbstringphp-mysqlndphp-odbcphp-opcachephp-pdophp-pgsqlphp-processphp-snmpphp-soapphp-xmlqemu-guest-agentqemu-imgqemu-kvmqemu-kvm-audio-paqemu-kvm-block-blkioqemu-kvm-block-curlqemu-kvm-block-rbdqemu-kvm-commonqemu-kvm-coreqemu-kvm-device-display-virtio-gpuqemu-kvm-device-display-virtio-gpu-pciqemu-kvm-device-display-virtio-vgaqemu-kvm-device-usb-hostqemu-kvm-device-usb-redirectqemu-kvm-docsqemu-kvm-toolsqemu-kvm-ui-egl-headlessqemu-kvm-ui-openglqemu-pr-helperrsyncrsync-daemonrsync-rrsyncpython3-unboundunboundunbound-anchorunbound-develunbound-dracutunbound-libsunbound-utilslibxml2libxml2-devellibxml2-staticpython3-libxml2kernel-livepatch-5_3_18-150200_24_200-defaultkernel-livepatch-6_4_0-150600_23_25-defaultpython3-requestsgitgit-allgit-coregit-core-docgit-credential-libsecretgit-daemongit-emailgit-guigit-instawebgit-subtreegit-svngitkgitwebperl-Gitperl-Git-SVNlibndpshadow-utilsshadow-utils-subidshadow-utils-subid-develfirefoxthunderbirdqt6-qtsvgqt6-qtsvg-develqt6-qtsvg-examplesbinutilsbinutils-develbinutils-goldgcc-toolset-15-binutilsgcc-toolset-15-binutils-develgcc-toolset-15-binutils-goldgcc-toolset-15-binutils-gprofngopensslopenssl-developenssl-libsopenssl-perlhaproxykeakea-dockea-hookskea-keamakea-libsqt6-qtquick3dqt6-qtquick3d-develqt6-qtquick3d-exampleslibipa_hbaclibsss_autofslibsss_certmaplibsss_idmaplibsss_nss_idmaplibsss_nss_idmap-devellibsss_sudopython3-libipa_hbacpython3-libsss_nss_idmappython3-ssspython3-sss-murmurpython3-sssdconfigsssdsssd-adsssd-clientsssd-commonsssd-common-pacsssd-dbussssd-idpsssd-ipasssd-kcmsssd-krb5sssd-krb5-commonsssd-ldapsssd-nfs-idmapsssd-passkeysssd-proxysssd-toolssssd-winbind-idmaplibluksmetalibluksmeta-develluksmetapython-unversioned-commandpython3python3-debugpython3-develpython3-idlepython3-libspython3-testpython3-tkinterlibsoup3libsoup3-devellibsoup3-doclibnfsidmaplibnfsidmap-develnfs-utilsnfs-utils-coreosnfsv4-client-utilspostgresqlpostgresql-contribpostgresql-docspostgresql-plperlpostgresql-plpython3postgresql-pltclpostgresql-private-develpostgresql-private-libspostgresql-serverpostgresql-server-develpostgresql-staticpostgresql-testpostgresql-test-rpm-macrospostgresql-upgradepostgresql-upgrade-devellibpqlibpq-develcockpit-ha-clusterpcspcs-snmpsgx-commonsgx-libssgx-mpasgx-pccssgx-pccs-adminsgx-pckid-tooltdx-qgswiresharkwireshark-cliwireshark-develglib2glib2-develglib2-docglib2-staticglib2-testsmingw32-glib2mingw32-glib2-staticmingw64-glib2mingw64-glib2-statickeylimekeylime-basekeylime-registrarkeylime-selinuxkeylime-tenantkeylime-toolskeylime-verifierpython3-keylimelibblkidlibblkid-devellibfdisklibfdisk-devellibmountlibmount-devellibsmartcolslibsmartcols-devellibuuidlibuuid-develpython3-libmountutil-linuxutil-linux-coreuuiddvsftpdqt6-qtdeclarativeqt6-qtdeclarative-develqt6-qtdeclarative-examplesqt6-qtdeclarative-staticgnutlsgnutls-c++gnutls-danegnutls-develgnutls-fipsgnutls-utils389-ds-base389-ds-base-bdb389-ds-base-devel389-ds-base-libs389-ds-base-snmppython3-lib389fontforgemysql-selinuxmysql8.4mysql8.4-commonmysql8.4-develmysql8.4-errmsgmysql8.4-libsmysql8.4-servermysql8.4-testmysql8.4-test-datakernel-livepatch-5_14_21-150500_55_136-defaultdelveipp-usbedk2-ovmfedk2-toolsedk2-tools-docrubyruby-bundled-gemsruby-default-gemsruby-develruby-docruby-libsrubygem-bigdecimalrubygem-bundlerrubygem-io-consolerubygem-irbrubygem-jsonrubygem-minitestrubygem-power_assertrubygem-psychrubygem-raccrubygem-rakerubygem-rbsrubygem-rdocrubygem-rexmlrubygem-rssrubygem-test-unitrubygem-typeprofrubygemsrubygems-develgit-lfsvalkeyvalkey-develpython3-jinja2python3-jinja2+i18nghostscriptghostscript-docghostscript-tools-dvipdfghostscript-tools-fontsghostscript-tools-printinglibgslibgs-develjava-21-openjdkjava-21-openjdk-demojava-21-openjdk-demo-fastdebugjava-21-openjdk-demo-slowdebugjava-21-openjdk-develjava-21-openjdk-devel-fastdebugjava-21-openjdk-devel-slowdebugjava-21-openjdk-fastdebugjava-21-openjdk-headlessjava-21-openjdk-headless-fastdebugjava-21-openjdk-headless-slowdebugjava-21-openjdk-javadocjava-21-openjdk-javadoc-zipjava-21-openjdk-jmodsjava-21-openjdk-jmods-fastdebugjava-21-openjdk-jmods-slowdebugjava-21-openjdk-slowdebugjava-21-openjdk-srcjava-21-openjdk-src-fastdebugjava-21-openjdk-src-slowdebugjava-21-openjdk-static-libsjava-21-openjdk-static-libs-fastdebugjava-21-openjdk-static-libs-slowdebugxzxz-develxz-libsxz-lzma-compattomcattomcat-admin-webappstomcat-docs-webapptomcat-el-5.0-apitomcat-jsp-3.1-apitomcat-libtomcat-servlet-6.0-apitomcat-webappstomcat9tomcat9-admin-webappstomcat9-docs-webapptomcat9-el-3.0-apitomcat9-jsp-2.3-apitomcat9-libtomcat9-servlet-4.0-apitomcat9-webappspopplerpoppler-cpppoppler-cpp-develpoppler-develpoppler-glibpoppler-glib-develpoppler-glib-docpoppler-qt6poppler-qt6-develpoppler-utilsopensshopenssh-askpassopenssh-clientsopenssh-keycatopenssh-keysignopenssh-serverkrb5-develkrb5-libskrb5-pkinitkrb5-serverkrb5-server-ldapkrb5-workstationlibkadm5kernel-rt-debug-kvmkernel-rt-kvmkernel-livepatch-6_4_0-150600_23_78-defaultkernel-livepatch-6_4_0-150600_23_81-defaultkernel-livepatch-6_4_0-150700_53_22-defaultkernel-livepatch-6_4_0-150700_53_25-defaultbindbind-chrootbind-develbind-dnssec-utilsbind-docbind-libsbind-licensebind-utilsperlperl-Attribute-Handlersperl-AutoLoaderperl-AutoSplitperl-Bperl-Benchmarkperl-Class-Structperl-Config-Extensionsperl-DBM_Filterperl-Devel-Peekperl-Devel-SelfStubberperl-DirHandleperl-Dumpvalueperl-DynaLoaderperl-Englishperl-Errnoperl-ExtUtils-Constantperl-ExtUtils-Embedperl-ExtUtils-Miniperlperl-Fcntlperl-File-Basenameperl-File-Compareperl-File-Copyperl-File-DosGlobperl-File-Findperl-File-statperl-FileCacheperl-FileHandleperl-FindBinperl-GDBM_Fileperl-Getopt-Stdperl-Hash-Utilperl-Hash-Util-FieldHashperl-I18N-Collateperl-I18N-LangTagsperl-I18N-Langinfoperl-IOperl-IPC-Open3perl-Locale-Maketext-Simpleperl-Math-Complexperl-Memoizeperl-Module-Loadedperl-NDBM_Fileperl-NEXTperl-Netperl-ODBM_Fileperl-Opcodeperl-POSIXperl-Pod-Functionsperl-Pod-Htmlperl-Safeperl-Search-Dictperl-SelectSaverperl-SelfLoaderperl-Symbolperl-Sys-Hostnameperl-Term-Completeperl-Term-ReadLineperl-Testperl-Text-Abbrevperl-Threadperl-Thread-Semaphoreperl-Tieperl-Tie-Fileperl-Tie-Memoizeperl-Timeperl-Time-Pieceperl-Unicode-UCDperl-User-pwentperl-autouseperl-baseperl-blibperl-debuggerperl-deprecateperl-develperl-diagnosticsperl-docperl-encoding-warningsperl-fieldsperl-filetestperl-ifperl-interpreterperl-lessperl-libperl-libnetcfgperl-libsperl-localeperl-macrosperl-meta-notationperl-mroperl-openperl-overloadperl-overloadingperl-phperl-sigtrapperl-sortperl-subsperl-utilsperl-varsperl-vmsishtaropentelemetry-collectorgo-toolsetgolanggolang-bingolang-docsgolang-miscgolang-racegolang-srcgolang-testspython3-setuptoolspython3-setuptools-wheelpython3-tornadopodmanpodman-dockerpodman-remotepodman-testsbuildahbuildah-testsiputilsgnome-remote-desktopiculibiculibicu-develjava-25-openjdkjava-25-openjdk-demojava-25-openjdk-demo-fastdebugjava-25-openjdk-demo-slowdebugjava-25-openjdk-develjava-25-openjdk-devel-fastdebugjava-25-openjdk-devel-slowdebugjava-25-openjdk-fastdebugjava-25-openjdk-headlessjava-25-openjdk-headless-fastdebugjava-25-openjdk-headless-slowdebugjava-25-openjdk-javadocjava-25-openjdk-javadoc-zipjava-25-openjdk-jmodsjava-25-openjdk-jmods-fastdebugjava-25-openjdk-jmods-slowdebugjava-25-openjdk-slowdebugjava-25-openjdk-srcjava-25-openjdk-src-fastdebugjava-25-openjdk-src-slowdebugjava-25-openjdk-static-libsjava-25-openjdk-static-libs-fastdebugjava-25-openjdk-static-libs-slowdebuglibsshlibssh-configlibssh-develvim-X11vim-commonvim-datavim-enhancedvim-filesystemvim-minimalxxdiperf3kgraft-patch-4_12_14-122_296-defaultkgraft-patch-4_12_14-122_299-defaultkgraft-patch-4_12_14-122_302-defaultkernel-livepatch-5_14_21-150400_24_194-defaultkernel-livepatch-5_14_21-150400_24_197-defaultkernel-livepatch-5_14_21-150400_24_200-defaultkernel-livepatch-5_14_21-150400_24_205-defaultkernel-livepatch-5_14_21-150400_24_209-defaultkernel-livepatch-5_14_21-150500_55_141-defaultkernel-livepatch-5_14_21-150500_55_144-defaultkernel-livepatch-5_14_21-150500_55_149-defaultkernel-livepatch-5_14_21-150500_55_163-defaultkernel-livepatch-6_4_0-150600_23_100-defaultkernel-livepatch-6_4_0-150600_23_103-defaultkernel-livepatch-6_4_0-150600_23_84-defaultkernel-livepatch-6_4_0-150600_23_87-defaultkernel-livepatch-6_4_0-150600_23_92-defaultkernel-livepatch-6_4_0-150600_23_95-defaultkernel-livepatch-6_4_0-150700_53_28-defaultkernel-livepatch-6_4_0-150700_53_31-defaultkernel-livepatch-6_4_0-150700_53_34-defaultkernel-livepatch-6_4_0-150700_53_37-defaultkernel-livepatch-6_4_0-150700_53_40-defaultkernel-livepatch-6_4_0-150700_53_45-defaultnodejsnodejs-develnodejs-docsnodejs-full-i18nnodejs-libsnodejs-npmnodejs24nodejs24-develnodejs24-docsnodejs24-full-i18nnodejs24-libsnodejs24-npmaspnetcore-runtime-10.0aspnetcore-runtime-dbg-10.0aspnetcore-targeting-pack-10.0dotnet-apphost-pack-10.0dotnet-hostdotnet-hostfxr-10.0dotnet-runtime-10.0dotnet-runtime-dbg-10.0dotnet-sdk-10.0dotnet-sdk-10.0-source-built-artifactsdotnet-sdk-aot-10.0dotnet-sdk-dbg-10.0dotnet-targeting-pack-10.0dotnet-templates-10.0mod_mdcupscups-clientcups-develcups-filesystemcups-ipptoolcups-libscups-lpdcups-printerapphttpdhttpd-corehttpd-develhttpd-filesystemhttpd-manualhttpd-toolsmod_ldapmod_luamod_proxy_htmlmod_sessionmod_sslgrafanagrafana-selinuximage-builderosbuild-composerosbuild-composer-coreosbuild-composer-workerskopeoskopeo-testsdovecotdovecot-develdovecot-mysqldovecot-pgsqldovecot-pigeonholepython3-kdcproxybsdtarlibarchivelibarchive-develexpatexpat-develpampam-develpam-libsgrub2-commongrub2-efi-x64grub2-efi-x64-cdbootgrub2-efi-x64-modulesgrub2-pcgrub2-pc-modulesgrub2-toolsgrub2-tools-efigrub2-tools-extragrub2-tools-minimalgo-filesystemgo-rpm-macrosgo-rpm-templatesgo-srpm-macrosgrafana-pcpbrotlibrotli-devellibbrotlipython3-brotlisquidxorg-x11-server-Xwaylandxorg-x11-server-Xwayland-develjava-25-openjdk-crypto-adapterjava-25-openjdk-crypto-adapter-fastdebugjava-25-openjdk-crypto-adapter-slowdebuglibpnglibpng-develpython3-urllib3gpsdgpsd-clientspython3-gpsdcapstonecapstone-develcapstone-javapython3-capstonego-fdo-clientgo-fdo-servergo-fdo-server-manufacturergo-fdo-server-ownergo-fdo-server-rendezvousnet-snmpnet-snmp-agent-libsnet-snmp-develnet-snmp-libsnet-snmp-perlnet-snmp-perl-modulenet-snmp-utilspython3-net-snmpgnupg2gnupg2-smimepython3-markdownsqlitesqlite-develsqlite-libsncursesncurses-basencurses-c++-libsncurses-develncurses-libsncurses-termgdk-pixbuf2gdk-pixbuf2-develgdk-pixbuf2-modulesipa-clientipa-client-commonipa-client-encrypted-dnsipa-client-epnipa-client-sambaipa-commonipa-selinuxipa-selinux-lunaipa-selinux-nfastipa-serveripa-server-commonipa-server-dnsipa-server-encrypted-dnsipa-server-trust-adpython3-ipaclientpython3-ipalibpython3-ipaserverpython3-ipatestscurllibcurllibcurl-devellibcurl-minimalNetworkManagerNetworkManager-adslNetworkManager-bluetoothNetworkManager-cloud-setupNetworkManager-config-connectivity-suseNetworkManager-config-serverNetworkManager-libnmNetworkManager-libnm-develNetworkManager-ovsNetworkManager-pppNetworkManager-tuiNetworkManager-wifiNetworkManager-wwanglibcglibc-all-langpacksglibc-benchtestsglibc-commonglibc-develglibc-docglibc-gconv-extraglibc-langpack-aaglibc-langpack-afglibc-langpack-agrglibc-langpack-akglibc-langpack-amglibc-langpack-anglibc-langpack-anpglibc-langpack-arglibc-langpack-asglibc-langpack-astglibc-langpack-aycglibc-langpack-azglibc-langpack-beglibc-langpack-bemglibc-langpack-berglibc-langpack-bgglibc-langpack-bhbglibc-langpack-bhoglibc-langpack-biglibc-langpack-bnglibc-langpack-boglibc-langpack-brglibc-langpack-brxglibc-langpack-bsglibc-langpack-bynglibc-langpack-caglibc-langpack-ceglibc-langpack-chrglibc-langpack-ckbglibc-langpack-cmnglibc-langpack-crhglibc-langpack-csglibc-langpack-csbglibc-langpack-cvglibc-langpack-cyglibc-langpack-daglibc-langpack-deglibc-langpack-doiglibc-langpack-dsbglibc-langpack-dvglibc-langpack-dzglibc-langpack-elglibc-langpack-englibc-langpack-eoglibc-langpack-esglibc-langpack-etglibc-langpack-euglibc-langpack-faglibc-langpack-ffglibc-langpack-figlibc-langpack-filglibc-langpack-foglibc-langpack-frglibc-langpack-furglibc-langpack-fyglibc-langpack-gaglibc-langpack-gbmglibc-langpack-gdglibc-langpack-gezglibc-langpack-glglibc-langpack-guglibc-langpack-gvglibc-langpack-haglibc-langpack-hakglibc-langpack-heglibc-langpack-higlibc-langpack-hifglibc-langpack-hneglibc-langpack-hrglibc-langpack-hsbglibc-langpack-htglibc-langpack-huglibc-langpack-hyglibc-langpack-iaglibc-langpack-idglibc-langpack-igglibc-langpack-ikglibc-langpack-isglibc-langpack-itglibc-langpack-iuglibc-langpack-jaglibc-langpack-kaglibc-langpack-kabglibc-langpack-kkglibc-langpack-klglibc-langpack-kmglibc-langpack-knglibc-langpack-koglibc-langpack-kokglibc-langpack-ksglibc-langpack-kuglibc-langpack-kvglibc-langpack-kwglibc-langpack-kyglibc-langpack-lbglibc-langpack-lgglibc-langpack-liglibc-langpack-lijglibc-langpack-lnglibc-langpack-loglibc-langpack-ltglibc-langpack-lvglibc-langpack-lzhglibc-langpack-magglibc-langpack-maiglibc-langpack-mfeglibc-langpack-mgglibc-langpack-mhrglibc-langpack-miglibc-langpack-miqglibc-langpack-mjwglibc-langpack-mkglibc-langpack-mlglibc-langpack-mnglibc-langpack-mniglibc-langpack-mnwglibc-langpack-mrglibc-langpack-msglibc-langpack-mtglibc-langpack-myglibc-langpack-nanglibc-langpack-nbglibc-langpack-ndsglibc-langpack-neglibc-langpack-nhnglibc-langpack-niuglibc-langpack-nlglibc-langpack-nnglibc-langpack-nrglibc-langpack-nsoglibc-langpack-ocglibc-langpack-omglibc-langpack-orglibc-langpack-osglibc-langpack-paglibc-langpack-papglibc-langpack-plglibc-langpack-psglibc-langpack-ptglibc-langpack-quzglibc-langpack-rajglibc-langpack-rifglibc-langpack-roglibc-langpack-ruglibc-langpack-rwglibc-langpack-saglibc-langpack-sahglibc-langpack-satglibc-langpack-scglibc-langpack-sdglibc-langpack-seglibc-langpack-sgsglibc-langpack-shnglibc-langpack-shsglibc-langpack-siglibc-langpack-sidglibc-langpack-skglibc-langpack-slglibc-langpack-smglibc-langpack-soglibc-langpack-sqglibc-langpack-srglibc-langpack-ssglibc-langpack-ssyglibc-langpack-stglibc-langpack-suglibc-langpack-svglibc-langpack-swglibc-langpack-syrglibc-langpack-szlglibc-langpack-taglibc-langpack-tcyglibc-langpack-teglibc-langpack-tgglibc-langpack-thglibc-langpack-theglibc-langpack-tiglibc-langpack-tigglibc-langpack-tkglibc-langpack-tlglibc-langpack-tnglibc-langpack-toglibc-langpack-tokglibc-langpack-tpiglibc-langpack-trglibc-langpack-tsglibc-langpack-ttglibc-langpack-ugglibc-langpack-ukglibc-langpack-unmglibc-langpack-urglibc-langpack-uzglibc-langpack-veglibc-langpack-viglibc-langpack-waglibc-langpack-waeglibc-langpack-walglibc-langpack-woglibc-langpack-xhglibc-langpack-yiglibc-langpack-yoglibc-langpack-yueglibc-langpack-yuwglibc-langpack-zghglibc-langpack-zhglibc-langpack-zuglibc-locale-sourceglibc-minimal-langpackglibc-nss-develglibc-staticglibc-utilslibnslnss_dbnss_hesiodpython3.14python3.14-debugpython3.14-develpython3.14-freethreadingpython3.14-freethreading-debugpython3.14-freethreading-develpython3.14-freethreading-idlepython3.14-freethreading-libspython3.14-freethreading-testpython3.14-freethreading-tkinterpython3.14-idlepython3.14-libspython3.14-testpython3.14-tkinterprotobufprotobuf-compilerprotobuf-develprotobuf-liteprotobuf-lite-develpython3-protobufnginxnginx-all-modulesnginx-corenginx-filesystemnginx-mod-develnginx-mod-http-image-filternginx-mod-http-perlnginx-mod-http-xslt-filternginx-mod-mailnginx-mod-streamldb-toolslibldblibldb-devellibnetapilibnetapi-devellibsmbclientlibsmbclient-devellibwbclientlibwbclient-develpython3-ldbpython3-sambapython3-samba-dcpython3-samba-testsambasamba-clientsamba-client-libssamba-commonsamba-common-libssamba-common-toolssamba-dc-libssamba-dcerpcsamba-develsamba-gpupdatesamba-krb5-printingsamba-ldb-ldap-modulessamba-libssamba-pidlsamba-testsamba-test-libssamba-toolssamba-usersharessamba-vfs-iouringsamba-winbindsamba-winbind-clientssamba-winbind-krb5-locatorsamba-winbind-modulessamba-winexepostgresql18postgresql18-contribpostgresql18-docspostgresql18-plperlpostgresql18-plpython3postgresql18-private-develpostgresql18-private-libspostgresql18-serverpostgresql18-server-develpostgresql18-staticpostgresql18-testpostgresql18-test-rpm-macrospostgresql18-upgradepostgresql18-upgrade-develp11-kitp11-kit-clientp11-kit-develp11-kit-serverp11-kit-trustfreerdpfreerdp-develfreerdp-libsfreerdp-serverlibwinprlibwinpr-develdnsmasqdnsmasq-utilsfence-agents-aliyunfence-agents-allfence-agents-amt-wsfence-agents-apcfence-agents-apc-snmpfence-agents-awsfence-agents-azure-armfence-agents-bladecenterfence-agents-brocadefence-agents-cisco-mdsfence-agents-cisco-ucsfence-agents-commonfence-agents-drac5fence-agents-eaton-snmpfence-agents-emersonfence-agents-epsfence-agents-gcefence-agents-heuristics-pingfence-agents-hpbladefence-agents-ibm-powervsfence-agents-ibm-vpcfence-agents-ibmbladefence-agents-ifmibfence-agents-ilo-moonshotfence-agents-ilo-mpfence-agents-ilo-sshfence-agents-ilo2fence-agents-intelmodularfence-agents-ipdufence-agents-ipmilanfence-agents-kdumpfence-agents-kubevirtfence-agents-mpathfence-agents-nutanix-ahvfence-agents-openstackfence-agents-redfishfence-agents-rhevmfence-agents-rsafence-agents-rsbfence-agents-sbdfence-agents-scsifence-agents-virshfence-agents-vmware-restfence-agents-vmware-soapfence-agents-wtifence-virtfence-virtdfence-virtd-cpgfence-virtd-libvirtfence-virtd-multicastfence-virtd-serialfence-virtd-tcpha-cloud-supportpython3-pyasn1python3-pyasn1-modulesgiflibgiflib-developencryptokiopencryptoki-ccatokopencryptoki-developencryptoki-icsftokopencryptoki-libsopencryptoki-swtokpython3-wheelpython3-wheel-wheellibvpxlibvpx-develmungemunge-develmunge-libslibudisks2libudisks2-develudisks2udisks2-iscsiudisks2-lsmudisks2-lvm2aspnetcore-runtime-9.0aspnetcore-runtime-dbg-9.0aspnetcore-targeting-pack-9.0dotnet-apphost-pack-9.0dotnet-hostfxr-9.0dotnet-runtime-9.0dotnet-runtime-dbg-9.0dotnet-sdk-9.0dotnet-sdk-9.0-source-built-artifactsdotnet-sdk-aot-9.0dotnet-sdk-dbg-9.0dotnet-targeting-pack-9.0dotnet-templates-9.0netstandard-targeting-pack-2.1aspnetcore-runtime-8.0aspnetcore-runtime-dbg-8.0aspnetcore-targeting-pack-8.0dotnet-apphost-pack-8.0dotnet-hostfxr-8.0dotnet-runtime-8.0dotnet-runtime-dbg-8.0dotnet-sdk-8.0dotnet-sdk-8.0-source-built-artifactsdotnet-sdk-dbg-8.0dotnet-targeting-pack-8.0dotnet-templates-8.0libnghttp2libnghttp2-develnghttp2openexropenexr-developenexr-libssystemdsystemd-boot-unsignedsystemd-containersystemd-develsystemd-journal-remotesystemd-libssystemd-oomdsystemd-pamsystemd-resolvedsystemd-rpm-macrossystemd-udevsystemd-ukifygstreamer1-plugins-bad-freegstreamer1-plugins-bad-free-develgstreamer1-plugins-bad-free-libsgstreamer1-plugins-basegstreamer1-plugins-base-develgstreamer1-plugins-base-toolsgstreamer1-plugins-goodgstreamer1-plugins-good-gtkgstreamer1-plugins-ugly-freecruncrun-krungaleramariadb11.8mariadb11.8-backupmariadb11.8-client-utilsmariadb11.8-commonmariadb11.8-develmariadb11.8-embeddedmariadb11.8-embedded-develmariadb11.8-errmsgmariadb11.8-gssapi-servermariadb11.8-oqgraph-enginemariadb11.8-pammariadb11.8-servermariadb11.8-server-galeramariadb11.8-server-utilsmariadb11.8-testruby4.0ruby4.0-develruby4.0-docruby4.0-rubygem-mysql2ruby4.0-rubygem-pgfreeipmifreeipmi-bmc-watchdogfreeipmi-develfreeipmi-ipmidetectdfreeipmi-ipmiseldflatpakflatpak-develflatpak-libsflatpak-selinuxflatpak-session-helpercorosynccorosync-vqsimcorosynclibcorosynclib-develsudosudo-python-pluginfrrfrr-selinuxlibsndfilelibsndfile-devellibsndfile-utilspython3-jwcryptojqjq-develkrb5-xrealmauthzPackageKitPackageKit-command-not-foundPackageKit-glibPackageKit-glib-develPackageKit-gstreamer-pluginPackageKit-gtk3-modulepostgresql-jdbckernel-debug-modules-partnerkernel-debug-uki-virt-addonskernel-modules-partnerkernel-rt-debug-modules-partnerkernel-rt-modules-partnerkernel-selftests-internalpostfixpostfix-cdbpostfix-ldappostfix-lmdbpostfix-mysqlpostfix-pcrepostfix-perl-scriptspostfix-pgsqlpostfix-sqlitelibyanglibyang-devellibyang-devel-doccockpitcockpit-bridgecockpit-doccockpit-packagekitcockpit-storagedcockpit-systemcockpit-wscockpit-ws-selinuxlibcaplibcap-develmod_http2dracutdracut-capsdracut-config-genericdracut-config-rescuedracut-livedracut-networkdracut-squashdracut-toolshpliphplip-commonhplip-libslibsane-hpaio(x86_64)0:2.47-6.1.el10_10:10-00:3.12.38-44.10:5-2.1-00:3.12.39-47.10:3.12.43-52.6.10:3.12.44-52.10.10:4-2.1-00:3.12.44-52.18.10:3.12.48-52.27.10:3-2.1-00:3.12.49-11.10:5-14.2-00:3.12.51-52.31.10:3.12.51-52.34.10:3.12.51-52.39.10:2-2.1-00:3.12.51-60.20.20:3.12.51-60.25.10:3.12.53-60.30.10:3.12.57-60.35.10:2-2.2-00:3.12.59-60.41.20:3.12.59-60.45.20:3.12.59-60.45.20:3.12.32-33.10:3.12.32-33.10:3.12.36-38.10:3.12.36-38.10:2-7.1-00:2-10.1-00:3.12.39-47.10:2-3.1-00:2-6.1-00:3.12.43-52.6.10:2-5.1-00:3.12.49-11.10:4-2.3-00:2-4.1-00:3.12.44-52.18.10:3.12.51-60.25.10:3.12.51-60.20.20:3-8.2-00:6-2.1-00:4-11.2-00:3.12.53-60.30.10:4.4.21-69.10:4.4.21-81.30:4.4.21-84.10:4.4.21-90.10:4.4.38-93.10:4.4.38-93.10:3.12.57-60.35.10:6-17.2-00:3.12.59-60.41.20:7-20.2-00:7-2.1-00:3.12.62-60.62.10:3-5.1-00:3.12.62-60.62.10:2-9.1-00:3.12.62-60.64.8.20:3.12.62-60.64.8.20:8-23.2-00:8-2.1-00:3.12.67-60.64.18.10:4.4.21-81.30:3.12.67-60.64.21.10:4.4.21-84.10:4.4.103-6.33.10:5-2.2-00:4.4.103-6.38.10:4.4.82-6.3.10:8-2.2-00:4.4.82-6.6.10:7-2.2-00:4.4.82-6.9.10:4.4.92-6.18.10:6-2.2-00:4.4.92-6.30.10:4.4.92-6.30.10:9-18.10.1-00:9-2.1-00:4.4.49-92.11.10:4.4.49-92.14.10:4.4.59-92.17.30:4.4.59-92.20.20:4.4.59-92.24.20:4.4.74-92.29.10:4.4.74-92.32.10:4.4.74-92.35.10:4.4.74-92.38.10:4.4.74-92.38.10:10-18.13.1-00:10-4.1-00:9-4.1-00:7-4.1-00:6-4.1-00:5-4.1-00:4-4.1-00:3-4.1-00:4.4.74-92.35.10:4.4.82-6.3.10:7-21.1-00:7-3.1-00:6-3.1-00:4-3.1-00:3-3.1-00:4.4.59-92.20.20:4.4.90-92.45.10:4.4.90-92.45.10:4.4.92-6.18.10:4.12.14-95.40.10:4.12.14-95.40.10:4.12.14-120.10:8-21.2-00:4.12.14-122.7.10:4.12.14-122.7.10:4.12.14-150.41.10:4.12.14-150.41.10:4.12.14-197.26.10:4.12.14-197.26.10:11-2.1-00:4.4.59-92.24.20:10-2.1-00:4.4.82-6.9.10:4.4.114-94.11.30:4.4.114-94.14.10:4.4.21-69.10:4.4.103-92.53.10:4.4.103-92.56.10:4.4.90-92.50.10:4.4.90-92.50.10:4.12.14-23.10:4.12.14-25.3.10:4.12.14-25.3.10:8-18.7.1-00:4.4.49-92.11.10:3.12.67-60.64.24.10:3.12.69-60.64.29.10:4-11.1-00:3.12.69-60.64.32.10:3.12.69-60.64.35.10:4.4.49-92.14.10:4.4.74-92.29.10:4.4.73-5.10:2-2.3.2-00:4.4.73-5.10:3-2.2-00:4.4.120-94.17.10:4.4.126-94.22.10:4.12.14-95.19.10:4.12.14-95.24.10:4.12.14-95.29.10:4.12.14-95.32.10:4.12.14-95.37.10:4.12.14-95.45.10:4.12.14-95.48.10:4.12.14-95.51.10:4.12.14-95.51.10:5-12.2-00:4.12.14-122.12.10:4.12.14-122.17.10:4.12.14-122.20.10:4.12.14-150.22.10:4.12.14-150.27.10:4.12.14-150.32.10:4.12.14-150.35.10:4.12.14-150.38.10:4.12.14-150.47.10:4.12.14-150.47.10:4.12.14-195.10:12-34.1-00:4.12.14-197.10.10:4.12.14-197.15.10:4.12.14-197.18.10:4.12.14-197.21.10:4.12.14-197.29.10:4.12.14-197.34.10:4.12.14-197.37.10:4.12.14-197.4.10:4.12.14-197.40.10:4.12.14-197.7.10:4.12.14-197.7.10:4.4.131-94.29.10:4.4.132-94.33.10:4.12.14-25.13.10:3-2.3-00:4.12.14-25.6.10:4.12.14-25.6.10:4.4.138-94.39.10:4.4.140-94.42.10:4.4.143-94.47.10:4-10.2-00:4.12.14-25.16.10:9-25.2-00:4.12.14-23.10:4.4.155-94.50.10:4.4.156-94.57.10:4.4.156-94.61.10:4.4.156-94.64.10:5-13.2-00:4.12.14-25.19.10:4.4.140-94.42.10:10-28.1-00:3-7.3-00:4.12.14-94.41.10:9-2.25.1-00:4.12.14-95.3.10:8-2.5-00:4.12.14-95.6.10:7-2.5-00:4.12.14-95.6.10:4.12.14-25.28.10:7-2.3-00:4.12.14-25.28.10:4.4.162-94.69.20:4.4.162-94.72.10:4.4.162-94.72.10:3-2.7.2-00:4.12.14-95.3.10:8-22.2-00:4.12.14-25.22.10:4.12.14-25.25.1(x86_64)0:0.13.78-2.el100:6-16.2-00:4.12.14-95.68.10:14-2.2-00:4.12.14-95.71.10:13-2.2-00:4.12.14-95.74.10:10-2.2-00:4.12.14-95.77.10:9-2.2-00:4.12.14-95.80.10:4.12.14-95.83.20:4.12.14-95.83.20:4.12.14-150.66.10:4.12.14-150.69.10:4.12.14-150.72.10:4.12.14-150.75.10:4.12.14-150.78.10:4.12.14-150.78.10:5-2.5-00:4-2.5-00:2-2.5-00:10-2.5-00:9-2.5-00:12-2.1-00:4.4.132-94.33.10:7-19.2-00:6-15.2-00:4.12.14-120.10:4.12.14-95.13.10:6-2.5-00:4.12.14-95.16.10:4.12.14-150.14.20:6-2.3-00:4.12.14-150.17.10:5-2.13.1-00:4.4.175-94.79.10:4.4.176-94.88.10:4.4.178-94.91.20:4.4.178-94.91.20:6-2.16.1-00:4-10.1-00:4.12.14-195.10:4.4.180-94.97.10:4.4.180-94.97.10:3-7.2-00:4.12.14-197.4.10:7-2.19.1-00:6-16.1-00:4.12.14-95.45.10:4.12.14-197.29.10:4.12.14-197.18.10:4.12.14-95.29.10:4.12.14-150.32.10:4-2.2-00:4.12.14-95.54.10:4.12.14-95.54.10:4.12.14-150.52.10:4.12.14-150.52.10:8-2.22.1-00:7-19.1-00:3-6.2-00:10-28.2-00:4-2.10.2-00:4.4.175-94.79.10:4.12.14-95.48.10:4.12.14-197.37.10:4.12.14-95.57.10:4.12.14-95.60.10:4.12.14-95.60.10:4.12.14-150.55.10:4.12.14-150.58.10:4.12.14-150.58.10:7-18.2-00:4.12.14-197.40.10:4.12.14-150.63.10:4.12.14-150.69.10:4.12.14-95.65.10:4.12.14-95.65.10:4.12.14-122.23.10:4.12.14-122.26.10:4.12.14-122.29.10:4.12.14-122.32.10:4.12.14-122.37.10:4.12.14-122.41.10:4.12.14-122.46.10:4.12.14-122.51.20:4.12.14-122.54.10:4.12.14-122.54.10:4.12.14-150.63.10:4.12.14-197.45.10:4.12.14-197.48.10:4.12.14-197.51.10:4.12.14-197.56.10:4.12.14-197.61.10:4.12.14-197.64.10:4.12.14-197.67.10:4.12.14-197.72.10:4.12.14-197.75.10:4.12.14-197.75.10:5.3.18-22.20:7-5.2-00:5.3.18-24.12.10:5.3.18-24.15.10:5.3.18-24.9.10:5.3.18-24.9.10:5.3.18-24.24.10:5.3.18-24.29.20:5.3.18-24.34.10:5.3.18-24.37.10:5.3.18-24.43.20:4.12.14-197.61.10:4-9.1-00:11-31.2-00:4.12.14-95.57.10:4.12.14-150.55.10:4.12.14-197.51.10:2-5.2-00:2-2.3-00:4.12.14-197.56.10:4.12.14-197.45.10:5.3.18-22.20:9-3.2-00:4.12.14-197.67.10:5-5.2-00:4.12.14-95.71.10:4.12.14-122.60.10:4.12.14-122.63.10:4.12.14-122.63.10:4.12.14-197.83.10:4.12.14-197.86.10:4.12.14-197.86.10:5.3.18-24.49.20:5.3.18-24.52.10:5.3.18-24.52.10:5.3.18-57.30:10-3.2-00:5.3.18-57.30:11-2.2-00:4.12.14-122.57.10:4.12.14-122.60.10:4.12.14-197.78.10:4.12.14-197.78.10:8-5.2-00:4.12.14-95.68.10:4.12.14-150.66.10:4.12.14-197.83.10:5.3.18-24.46.10:6-5.2-00:4.12.14-122.57.10:12-2.2-00:4.12.14-122.66.20:4.12.14-122.66.20:11-5.2-00:5.3.18-24.53.4.10:4.12.14-95.77.10:15-2.2-00:4.12.14-122.71.10:4.12.14-122.74.10:4.12.14-122.77.10:4.12.14-122.77.10:4.12.14-150.72.10:4.12.14-197.89.20:4.12.14-197.92.10:4.12.14-197.92.10:14-5.2-00:5.3.18-24.61.10:5.3.18-24.64.10:5.3.18-24.67.30:4.12.14-95.102.10:4.12.14-95.105.10:13-2.3-00:4.12.14-95.88.10:9-2.3-00:4.12.14-95.93.10:8-2.3-00:4.12.14-95.96.10:4.12.14-95.99.30:4.12.14-95.99.30:4.12.14-122.103.10:14-2.3-00:4.12.14-122.106.10:12-2.3-00:4.12.14-122.110.10:10-2.3-00:4.12.14-122.113.10:4.12.14-122.116.10:4.12.14-122.121.20:5-2.3-00:4.12.14-122.124.30:4.12.14-122.127.10:4.12.14-122.130.10:4.12.14-122.88.10:16-2.3-00:4.12.14-122.91.20:4.12.14-122.98.10:4.12.14-122.98.10:4.12.14-150000.150.89.10:7-150000.2.2-00:4.12.14-150000.150.92.20:4-150000.2.1-00:4.12.14-150000.150.95.10:2-150000.2.1-00:4.12.14-150000.150.98.10:13-150000.2.2-00:4.12.14-150.83.10:9-150000.2.2-00:4.12.14-150.86.10:8-150000.2.2-00:4.12.14-150.86.10:4.12.14-150100.197.111.10:7-150100.2.2-00:4.12.14-150100.197.114.20:4-150100.2.1-00:4.12.14-150100.197.117.10:2-150100.2.1-00:4.12.14-150100.197.120.10:4.12.14-197.102.20:13-150100.2.2-00:4.12.14-197.105.10:9-150100.2.2-00:4.12.14-197.108.10:8-150100.2.2-00:4.12.14-197.108.10:5.3.18-150200.24.112.10:7-150200.2.2-00:5.3.18-150200.24.115.10:5-150200.2.1-00:5.3.18-150200.24.126.10:2-150200.2.1-00:5.3.18-24.102.10:12-150200.2.2-00:5.3.18-24.107.10:11-150200.2.2-00:5.3.18-24.83.20:16-150200.2.2-00:5.3.18-24.86.20:5.3.18-24.93.10:15-150200.2.2-00:5.3.18-24.96.10:14-150200.2.2-00:5.3.18-24.99.10:13-150200.2.2-00:5.3.18-24.99.10:5.3.18-150300.59.43.10:13-150300.2.2-00:5.3.18-150300.59.46.10:5.3.18-150300.59.49.10:12-150300.2.2-00:5.3.18-150300.59.54.10:11-150300.2.2-00:5.3.18-150300.59.60.40:10-150300.2.2-00:5.3.18-150300.59.63.10:7-150300.2.2-00:5.3.18-150300.59.68.10:6-150300.2.2-00:5.3.18-150300.59.71.20:5-150300.2.1-00:5.3.18-150300.59.76.10:4-150300.2.1-00:5.3.18-150300.59.87.10:3-150300.2.1-00:5.3.18-59.24.10:16-150300.2.2-00:5.3.18-59.27.10:5.3.18-59.34.10:15-150300.2.2-00:5.3.18-59.37.20:14-150300.2.2-00:5.3.18-59.40.10:5.3.18-59.40.10:5.14.21-150400.22.10:5-150400.4.12.3-00:5.14.21-150400.24.11.10:2-150400.2.1-00:5.14.21-150400.24.18.10:5.14.21-150400.24.18.10:6-150000.2.1-00:15-150000.2.2-00:11-150000.2.2-00:10-150000.2.2-00:4.12.14-95.80.10:4.12.14-122.80.10:4.12.14-122.83.10:4.12.14-122.88.10:4.12.14-150.75.10:4.12.14-197.99.10:4.12.14-197.99.10:5.3.18-24.70.10:5.3.18-24.75.30:5.3.18-24.78.10:5.3.18-24.78.10:5.3.18-59.10.10:8-150300.2.2-00:5.3.18-59.13.10:5.3.18-59.16.10:5.3.18-59.19.10:5.3.18-59.5.20:5.3.18-59.5.20:4.12.14-197.64.10:13-5.2-00:4.12.14-122.32.10:13-2.1-00:2-150300.2.1-00:12-3.1-00:10-150300.2.1-00:9-150300.2.1-00:8-150300.2.1-00:6-150300.2.1-00:5.3.18-24.53.4.10:9-3.1-00:5.3.18-24.93.10:16-2.2-00:4.12.14-122.80.10:5.3.18-24.75.30:5-3.1-00:4.12.14-95.74.10:4.12.14-122.71.10:4.12.14-197.89.20:5.3.18-24.64.10:10-5.2-00:9-5.2-00:12-5.2-00:6-150100.2.1-00:15-150100.2.2-00:11-150100.2.2-00:10-150100.2.2-00:10-150200.2.2-00:8-150200.2.1-00:18-150200.2.2-00:17-150200.2.2-00:9-150300.2.2-00:7-150300.2.1-00:18-150300.2.2-00:17-150300.2.2-00:8-150400.4.21.1-00:5-150400.2.1-00:5.14.21-150400.24.11.10:8-3.2-00:4.12.14-122.83.10:5.3.18-24.70.10:11-2.3-00:6-3.2-00:2-150200.2.2-00:3-150200.2.2-00:5.3.18-150200.24.129.10:5.3.18-150200.24.134.10:4-150200.2.1-00:3-150200.2.1-00:12-150200.2.1-00:14-150200.2.1-00:11-150200.2.1-00:10-150200.2.1-00:7-150200.2.1-00:6-150200.2.1-00:2-150300.2.2-00:3-150300.2.2-00:5.3.18-150300.59.90.10:5.3.18-150300.59.93.10:5.3.18-150300.59.98.10:14-150200.3.1-00:12-150300.2.1-00:11-150300.2.1-00:2-150400.4.3.3-00:5.14.21-150400.24.21.20:2-150400.2.2-00:5.14.21-150400.24.28.10:5.14.21-150400.24.33.20:5.14.21-150400.24.33.20:15-2.1-00:14-2.1-00:4.12.14-95.96.10:15-150000.2.1-00:12-150000.2.1-00:7-150000.2.1-00:3-150000.2.1-00:13-150200.3.1-00:4-150300.2.2-00:5.3.18-24.96.10:11-3.2-00:5-150300.2.2-00:4.12.14-122.91.20:5.3.18-24.86.20:4.12.14-122.162.10:4.12.14-122.165.10:4.12.14-122.173.10:4.12.14-122.176.10:4.12.14-122.179.10:4.12.14-122.183.10:4.12.14-122.186.10:4.12.14-122.189.10:4.12.14-122.194.10:4.12.14-122.201.10:11-8.10.1-00:4.12.14-122.216.10:9-8.6.1-00:4.12.14-122.216.10:5.3.18-150200.24.154.10:5.3.18-150200.24.157.10:5.3.18-150200.24.160.20:5.3.18-150200.24.163.10:5.3.18-150200.24.166.10:5.3.18-150200.24.169.10:5.3.18-150200.24.172.10:8-150200.2.2-00:5.3.18-150200.24.175.10:9-150200.2.2-00:5.3.18-150200.24.178.10:6-150200.2.2-00:5.3.18-150200.24.183.10:10-150200.5.6.1-00:5.3.18-150200.24.188.10:9-150200.5.6.1-00:5.3.18-150200.24.188.10:5.3.18-150300.59.124.10:5.3.18-150300.59.127.10:5.3.18-150300.59.130.10:5.3.18-150300.59.133.10:5.3.18-150300.59.138.10:5.3.18-150300.59.141.20:5.3.18-150300.59.144.10:5.3.18-150300.59.147.20:5.3.18-150300.59.150.10:5.3.18-150300.59.153.20:12-150300.7.6.1-00:5.3.18-150300.59.158.10:11-150300.7.6.1-00:5.3.18-150300.59.158.10:18-150300.2.1-00:15-150300.2.1-00:14-150300.2.1-00:5.3.18-150300.59.161.10:13-150300.2.1-00:5.3.18-150300.59.161.10:13-150200.2.1-00:5.3.18-150200.24.191.10:8-150200.5.6.1-00:5.3.18-150200.24.194.10:5-150200.5.6.1-00:5.3.18-150200.24.197.10:4-150200.5.6.1-00:5.3.18-150200.24.197.10:10-150300.7.6.1-00:5.3.18-150300.59.164.10:7-150300.7.6.1-00:5.3.18-150300.59.167.10:6-150300.7.6.1-00:5.3.18-150300.59.167.10:9-150200.2.1-00:5.3.18-150200.24.191.10:5.14.21-150500.55.36.10:14-150500.2.1-00:5.14.21-150500.55.39.10:5.14.21-150500.55.44.10:13-150500.2.1-00:5.14.21-150500.55.49.10:13-150500.11.8.1-00:5.14.21-150500.55.52.10:11-150500.11.6.1-00:5.14.21-150500.55.59.10:11-150500.11.10.1-00:5.14.21-150500.55.62.20:9-150500.11.6.1-00:5.14.21-150500.55.65.10:5.14.21-150500.55.68.10:8-150500.11.6.1-00:5.14.21-150500.55.73.10:3-150500.11.6.1-00:5.14.21-150500.55.73.10:15-150200.2.1-00:5.14.21-150400.24.100.20:13-150400.2.1-00:5.14.21-150400.24.103.10:11-150400.2.1-00:5.14.21-150400.24.108.10:13-150400.9.8.1-00:5.14.21-150400.24.111.20:11-150400.9.6.1-00:5.14.21-150400.24.116.10:11-150400.9.8.1-00:5.14.21-150400.24.119.10:10-150400.9.6.1-00:5.14.21-150400.24.122.20:8-150400.9.6.1-00:5.14.21-150400.24.125.10:5-150400.9.6.1-00:5.14.21-150400.24.88.10:15-150400.2.1-00:5.14.21-150400.24.92.10:14-150400.2.1-00:5.14.21-150400.24.97.10:5.14.21-150400.24.97.10:5.14.21-150500.55.28.10:15-150500.2.1-00:5.14.21-150500.55.31.10:12-150500.2.1-00:5.14.21-150500.55.68.10:16-2.1-00:16-150000.2.1-00:13-150000.2.1-00:8-150000.2.1-00:8-150100.2.1-00:16-150100.2.1-00:15-150100.2.1-00:13-150100.2.1-00:16-150200.2.1-00:16-150200.3.1-00:10-150000.2.1-00:5-150000.2.1-00:5-150100.2.1-00:12-150100.2.1-00:10-150100.2.1-00:4.12.14-95.88.10:4.12.14-150.83.10:7-150100.2.1-00:3-150100.2.1-00:14-150100.2.1-00:15-150200.3.1-00:4.12.14-95.93.10:5.14.21-150400.22.10:14-150000.2.2-00:5-150000.2.2-00:4-150000.2.2-00:5-150100.2.2-00:4-150100.2.2-00:16-150100.2.2-00:14-150100.2.2-00:18-150200.3.2-00:4-150200.2.2-00:19-150200.3.2-00:17-150200.3.1-00:17-2.2-00:6-150000.2.2-00:12-150000.2.2-00:6-150100.2.2-00:12-150100.2.2-00:6-150400.4.15.3-00:4-150400.4.9.3-00:18-2.3-00:17-2.3-00:5-150000.2.3-00:16-150000.2.3-00:11-150000.2.3-00:7-150000.2.3-00:6-150000.2.3-00:5-150100.2.3-00:11-150100.2.3-00:7-150100.2.3-00:6-150100.2.3-00:16-150100.2.3-00:5-150200.2.3-00:10-150200.2.3-00:9-150200.2.3-00:18-150200.2.3-00:17-150200.2.3-00:16-150200.2.3-00:14-150200.2.3-00:13-150200.2.3-00:12-150200.2.3-00:11-150200.2.3-00:11-150300.2.3-00:10-150300.2.3-00:9-150300.2.3-00:8-150300.3.2-00:5-150300.2.3-00:4-150300.2.3-00:18-150300.2.3-00:17-150300.2.3-00:16-150300.2.3-00:14-150300.2.3-00:13-150300.2.3-00:12-150300.2.3-00:3-150400.4.6.2-00:11-150100.2.1-00:5.3.18-150300.59.101.10:5.3.18-150300.59.98.10:10-150400.4.2-00:7-150400.2.1-00:6-150400.2.1-00:4-150400.2.1-00:3-150400.2.1-00:14-150000.2.1-00:11-150000.2.1-00:3-150100.2.2-00:3-150400.2.2-00:16-150000.2.2-00:19-150300.2.2-00:4.12.14-122.130.10:4.12.14-150100.197.120.10:5.3.18-150200.24.126.10:3-150000.2.2-00:4.12.14-95.108.10:4.12.14-95.111.10:4.12.14-122.133.10:4.12.14-122.136.10:4.12.14-122.136.10:4.12.14-150100.197.123.10:4.12.14-150100.197.126.10:5.14.21-150400.24.28.10:4.12.14-150000.150.101.10:4.12.14-150000.150.104.10:9-150400.4.24.1-00:4.12.14-95.114.10:4.12.14-122.139.10:4.12.14-122.144.10:4.12.14-122.144.10:9-150100.2.1-00:4.12.14-150100.197.131.10:5.3.18-150200.24.139.10:5.3.18-24.107.10:11-150400.7.2-00:8-150400.2.1-00:7-150400.4.18.3-00:5.14.21-150400.24.21.20:5.14.21-150400.24.38.10:5.14.21-150400.24.38.10:5.3.18-150200.24.142.10:5-150200.2.2-00:5.3.18-150200.24.145.10:5.3.18-150200.24.145.10:5.3.18-150300.59.106.10:5.3.18-150300.59.109.10:5.3.18-150300.59.112.10:5.3.18-150300.59.115.20:12-150400.2.3-00:4.12.14-122.159.10:4.12.14-122.201.10:5.3.18-150200.24.151.10:5.3.18-150300.59.121.20:5.14.21-150400.24.60.10:5.14.21-150400.24.63.10:5.14.21-150400.24.66.10:12-150400.2.1-00:5.14.21-150400.24.69.10:5.14.21-150400.24.74.10:5.14.21-150400.24.81.10:10-150400.2.1-00:9-150400.2.1-00:5.14.21-150500.11.20:13-150500.3.1-00:5.14.21-150500.53.20:12-150500.6.1-00:5.14.21-150500.55.12.10:11-150500.2.1-00:5.14.21-150500.55.19.10:10-150500.2.1-00:9-150500.2.1-00:8-150500.2.1-00:7-150500.2.1-00:6-150500.2.1-00:5.14.21-150500.55.7.10:5.14.21-150500.55.7.10:11-150400.2.2-00:9-150400.2.2-00:14-150400.2.2-00:13-150400.2.2-00:12-150400.2.2-00:14-150500.2.2-00:13-150500.2.2-00:12-150500.2.2-00:11-150500.2.2-00:10-150500.2.2-00:5.14.21-150500.55.59.10:14-150500.6.1-00:13-150500.9.1-00:5.14.21-150500.53.20:4.12.14-122.219.10:4.12.14-122.222.10:4.12.14-122.225.10:4.12.14-122.228.10:4.12.14-122.228.10:16-150300.2.1-00:5.3.18-150300.59.170.10:5.3.18-150300.59.170.10:4.12.14-122.222.10:5.3.18-150300.59.174.10:5.3.18-150300.59.174.10:16-150400.2.1-00:5.14.21-150400.24.128.10:5.14.21-150400.24.133.20:5.14.21-150400.24.133.20:16-150500.2.1-00:5.14.21-150500.55.80.20:5-150500.2.1-00:5.14.21-150500.55.80.20:17-150300.2.1-00:5.14.21-150400.24.128.10:4-150500.2.1-00:5.14.21-150500.55.65.10:6-8.6.1-00:4-8.6.1-00:3-8.6.1-00:2-8.6.1-00:4.12.14-122.231.10:18-4.1-00:4.12.14-122.231.10:4-150300.7.6.1-00:3-150300.7.6.1-00:5.3.18-150300.59.179.10:2-150300.7.6.1-00:5.3.18-150300.59.179.10:3-150400.9.6.1-00:2-150400.9.6.1-00:5.14.21-150400.24.136.10:5.14.21-150400.24.136.10:2-150500.11.6.1-00:5.14.21-150500.55.83.10:5.14.21-150500.55.83.10:4.12.14-122.234.10:4.12.14-122.237.10:4.12.14-122.244.10:4.12.14-122.247.10:4.12.14-122.250.10:4.12.14-122.250.10:5.3.18-150300.59.182.10:5.3.18-150300.59.185.10:5.3.18-150300.59.188.10:5.3.18-150300.59.195.10:5.3.18-150300.59.198.10:5.3.18-150300.59.198.10:5.14.21-150400.24.141.10:5.14.21-150400.24.144.10:5.14.21-150400.24.147.10:5.14.21-150400.24.150.10:5.14.21-150400.24.153.10:5.14.21-150400.24.158.10:5.14.21-150400.24.158.10:5.14.21-150500.55.88.10:5.14.21-150500.55.91.10:5.14.21-150500.55.94.10:5.14.21-150500.55.97.10:5.14.21-150500.55.97.10:17-2.1-00:4.12.14-122.247.10:5.3.18-150300.59.195.10:18-150400.2.2-00:16-150400.2.2-00:8-150400.2.2-00:7-150400.2.2-00:6-150400.2.2-00:5.14.21-150400.24.150.10:17-150500.2.2-00:16-150500.2.2-00:9-150500.2.2-00:5-150500.2.2-00:2-150500.2.2-00:5.14.21-150500.55.94.10:18-2.1-00:4.12.14-122.255.10:4.12.14-122.255.10:18-150400.2.1-00:4.12.14-122.258.10:4.12.14-122.261.10:4.12.14-122.266.10:4.12.14-122.269.10:4.12.14-122.272.10:4.12.14-122.272.10:19-150400.2.1-00:5.14.21-150400.24.161.10:5.14.21-150400.24.164.10:5.14.21-150400.24.167.10:5.14.21-150400.24.170.20:5.14.21-150400.24.173.10:5.14.21-150400.24.176.10:5.14.21-150400.24.176.10:19-150300.4.1-00:17-150300.4.1-00:15-150300.4.1-00:11-150300.4.1-00:5.3.18-150300.59.201.10:9-150300.4.1-00:5.3.18-150300.59.204.10:5.3.18-150300.59.207.10:8-150300.4.1-00:5.3.18-150300.59.211.10:5.3.18-150300.59.215.10:5.3.18-150300.59.218.10:5.3.18-150300.59.218.10:14-4.1-00:13-4.1-00:11-4.1-00:18-150400.4.1-00:17-150400.4.1-00:16-150400.4.1-00:15-150400.4.1-00:10-150400.4.1-00:9-150400.4.1-00:8-150400.4.1-00:7-150400.4.1-00:3-150400.4.1-00:5.14.21-150500.55.100.10:9-150500.4.1-00:5.14.21-150500.55.103.10:5.14.21-150500.55.110.10:8-150500.4.1-00:5.14.21-150500.55.113.10:5.14.21-150500.55.116.10:6-150500.4.1-00:5.14.21-150500.55.121.20:3-150500.4.1-00:18-150500.4.1-00:14-150500.4.1-00:10-150500.4.1-00:4.12.14-122.275.10:4.12.14-122.275.10:5.14.21-150400.24.179.10:5.14.21-150400.24.179.10:5.14.21-150500.55.124.10:3-150500.2.1-00:17-150500.2.1-00:5.3.18-150300.59.221.10:5.3.18-150300.59.221.10:4.12.14-122.280.10:4.12.14-122.283.10:4.12.14-122.290.10:4.12.14-122.290.10:15-150400.2.2-00:5.14.21-150400.24.184.10:5.14.21-150400.24.187.30:5.14.21-150400.24.187.30:15-150500.2.2-00:5.14.21-150500.55.127.10:5.14.21-150500.55.130.30:5.14.21-150500.55.133.10:4.12.14-122.283.10:2-150500.2.1-00:5.14.21-150400.24.41.10:5.14.21-150400.24.41.10:4.12.14-122.147.10:4.12.14-122.147.10:6-150200.2.3-00:3-150200.2.3-00:5.3.18-150200.24.139.10:3-150300.2.3-00:8-150300.2.3-00:6-150300.2.3-00:12-150400.10.3-00:9-150400.2.3-00:8-150400.2.3-00:6-150400.2.3-00:5-150400.2.3-00:4-150400.2.3-00:3-150400.2.3-00:5.14.21-150400.15.11.10:4-150400.2.2-00:14-150400.16.1-00:11-150400.2.3-00:10-150400.2.3-00:7-150400.2.3-00:5.14.21-150400.24.46.10:5.14.21-150400.24.55.30:2-150400.2.3-00:5.14.21-150400.24.60.10:8-150200.2.3-00:4-150200.2.3-00:7-150300.2.3-00:5.14.21-150400.24.46.10:9-150500.6.2-00:4.12.14-95.117.10:4.12.14-150100.197.134.10:4.12.14-150100.197.134.10:5.3.18-150200.24.142.10:13-150400.13.2-00:10-150400.2.2-00:5-150400.2.2-00:4.12.14-122.150.10:4.12.14-122.153.10:4.12.14-122.156.10:4.12.14-122.162.10:8-150100.2.3-00:4.12.14-150100.197.137.20:4.12.14-150100.197.142.10:4.12.14-150100.197.145.10:4.12.14-150100.197.145.10:5.3.18-150200.24.148.10:5.3.18-150200.24.154.10:5.3.18-150300.59.118.10:5.14.21-150400.24.66.10:3-150500.6.2-00:2-150200.2.3-00:2-150300.2.3-00:4.12.14-95.120.40:4.12.14-122.150.10:4.12.14-122.179.10:2-150100.2.2-00:4.12.14-150100.197.157.10:4.12.14-150100.197.157.10:5.14.21-150400.24.55.30:4.12.14-95.120.40:4.12.14-122.153.10:4.12.14-150100.197.137.20:4.12.14-150100.197.148.10:4.12.14-150100.197.151.10:4.12.14-150100.197.154.10:4.12.14-150100.197.160.10:4.12.14-150100.197.165.10:4.12.14-150100.197.168.10:4.12.14-150100.197.168.10:4-150500.9.2-00:5.3.18-150200.24.148.10:4.12.14-122.156.10:4.12.14-150100.197.142.10:4.12.14-150100.197.148.10:2-150500.3.1-00:5.14.21-150400.24.74.10:5.3.18-150200.24.166.10:5.3.18-150300.59.138.10:5.14.21-150400.24.92.10:6-150500.15.1-00:4.12.14-122.159.10:5.3.18-150200.24.151.10:5.14.21-150400.24.63.10:4.12.14-95.114.10:4.12.14-150100.197.131.10:13-150100.2.3-00:10-150100.2.3-00:3-150100.2.3-00:2-150100.2.3-00:5.14.21-150400.24.69.10:4.12.14-95.125.10:4.12.14-95.125.10:5.3.18-150200.24.157.10:12-150300.2.4-00:10-150300.2.4-00:9-150300.2.4-00:13-150400.2.3-00:5-150500.12.2-00:4.12.14-122.165.10:4.12.14-150100.197.151.10:5.14.21-150400.24.81.10:4.12.14-122.173.10:4.12.14-150100.197.154.10:8-150500.2.3-00:7-150500.2.3-00:6-150500.2.3-00:5-150500.2.3-00:4.12.14-122.183.10:5.3.18-150200.24.169.10:5.3.18-150300.59.141.20:8-150500.3.1-00:5.3.18-150200.24.160.20:5.3.18-150200.24.163.10:5.3.18-150300.59.133.10:5.14.21-150400.24.88.10:10-150500.9.1-00:10-150500.9.2-00:4.12.14-122.176.10:12-150100.2.3-00:9-150100.2.3-00:4.12.14-122.186.10:7-150200.2.3-00:5.3.18-150200.24.172.10:5.3.18-150300.59.144.10:4-150500.2.3-00:7-150500.3.1-00:4.12.14-122.189.10:5.3.18-150200.24.175.10:5.3.18-150300.59.147.20:4.12.14-122.194.10:5.3.18-150200.24.178.10:5.3.18-150300.59.150.1(x86_64)0:4.6.0-6.el10_1.20:4.12.14-122.219.10:5.3.18-150200.24.194.10:5.3.18-150300.59.164.10:6.4.0-150600.21.30:6-150600.4.10.1-00:6.4.0-150600.23.14.20:7-150600.13.6.1-00:6.4.0-150600.23.17.10:6.4.0-150600.23.22.10:3-150600.13.6.1-00:6.4.0-150600.23.7.30:6.4.0-150600.8.10:5-150600.3.1-00:6.4.0-150600.8.10:4-150600.1.1-00:2-150600.3.3.2-00:2-150600.2.1-00:6.4.0-150600.23.7.3(x86_64)0:10.11.15-1.el10_1(noarch)0:10.11.15-1.el10_1(x86_64)0:6.12.0-124.38.1.el10_1(noarch)0:6.12.0-124.38.1.el10_10:18-150500.2.1-00:17-150400.2.1-00:6.4.0-150600.23.30.10:17-150600.2.1-00:6.4.0-150600.23.33.10:6.4.0-150600.23.38.10:12-150600.2.1-00:6.4.0-150600.23.42.20:6.4.0-150600.23.47.20:11-150600.2.1-00:6.4.0-150600.23.50.10:10-150600.2.1-00:6.4.0-150600.23.53.10:6.4.0-150600.23.60.50:9-150600.2.1-00:6.4.0-150600.23.65.10:5-150600.2.1-00:6.4.0-150600.23.70.10:6.4.0-150600.23.73.10:6.4.0-150600.23.73.10:6.4.0-150700.5.10:9-150700.3.1-00:6.4.0-150700.51.10:9-150700.3.24.1-00:6.4.0-150700.53.11.10:5-150700.2.1-00:6.4.0-150700.53.16.10:6.4.0-150700.53.19.10:2-150700.2.1-00:6.4.0-150700.53.3.10:9-150700.2.1-00:6.4.0-150700.53.6.10:6.4.0-150700.53.6.10:4.12.14-122.293.10:4.12.14-122.293.10:11-150500.12.1-00:11-150500.3.1-00:5.3.18-150200.24.183.10:5.3.18-150300.59.153.20:4.12.14-150100.197.165.10:12-150500.3.1-0(x86_64)0:8.3.19-1.el10_0(x86_64)0:10.1.0-16.el10_2(x86_64)0:3.4.1-2.el10(noarch)0:3.4.1-2.el100:15-150500.9.2-00:14-150500.12.1-00:5.14.21-150400.24.167.10:18-150600.2.1-00:19-150600.3.1-00:6.4.0-150600.21.30:9-150600.4.19.1-0(x86_64)0:6.12.0-124.8.1.el10_1(noarch)0:6.12.0-124.8.1.el10_1(x86_64)0:1.24.2-7.el100:5.14.21-150400.24.122.20:11-150600.4.25.1-00:10-150600.3.1-00:5.14.21-150500.55.52.10:3-150600.3.2-00:4-150600.3.1-00:5.14.21-150400.24.119.10:7-150600.4.13.1-00:6-150600.3.2-00:8-150600.3.1-00:20-150600.3.1-00:5.14.21-150400.24.125.10:5.3.18-150300.59.207.1(x86_64)0:2.12.5-5.el10_00:19-150400.2.2-00:17-150500.3.1-00:18-150600.4.46.1-00:16-150600.2.1-00:17-150600.3.1-00:4.12.14-122.225.10:13-150600.4.31.1-00:12-150600.3.1-00:14-150600.4.34.1-00:13-150600.3.1-00:12-150600.4.28.1-00:11-150600.3.1-00:19-150600.4.49.1-00:18-150600.3.1-00:5.3.18-150200.24.200.10:2-150200.5.6.1-00:5.3.18-150200.24.200.10:17-150400.2.2-00:18-150500.2.2-00:16-150600.4.40.2-00:14-150600.2.2-00:15-150600.3.1-00:4.12.14-122.234.10:10-150600.4.22.1-00:8-150600.2.1-00:4-150600.2.1-00:6.4.0-150600.23.25.10:3-150600.2.1-00:9-150600.3.1-00:6-150600.2.1-0(noarch)0:2.32.4-1.el10_00:20-150600.2.1-00:15-150600.2.1-00:21-150600.3.1-00:17-150600.4.43.2-00:15-150600.2.2-00:11-150600.2.2-00:10-150600.2.2-00:16-150600.3.1-00:6.4.0-150600.23.22.10:19-150300.2.1-00:19-150600.2.1-00:6.4.0-150600.23.25.10:5.3.18-150300.59.182.10:5.14.21-150400.24.141.10:8-150500.2.2-00:9-150600.2.2-00:10-150500.3.1-00:16-150600.2.2-00:13-150600.2.1-00:2-150400.9.8.1-00:8-150600.4.16.1-00:2-150600.13.6.1-00:7-150600.3.1-0(x86_64)0:2.47.3-1.el10_0(noarch)0:2.47.3-1.el10_00:15-150600.4.37.1-00:14-150600.3.1-00:5.3.18-150300.59.188.10:5.14.21-150400.24.147.10:5.14.21-150500.55.88.10:14-150600.2.1-00:19-2.1-00:4.12.14-122.237.10:6.4.0-150600.23.30.10:5.3.18-150300.59.185.10:5.14.21-150400.24.144.10:5.3.18-150300.59.211.10:5.14.21-150400.24.170.20:15-150600.4.1-00:6.4.0-150600.23.33.10:5.14.21-150500.55.91.10:4.12.14-122.258.10:5.3.18-150300.59.204.10:5.14.21-150400.24.164.1(x86_64)0:1.9-2.el10(x86_64)0:4.15.0-8.el100:7-150600.2.2-00:4.12.14-122.244.10:7-150600.2.1-00:6-150500.2.2-0(x86_64)0:6.12.0-211.16.1.el10_2(noarch)0:6.12.0-211.16.1.el10_2(x86_64)0:6.12.0-211.18.1.el10_2(noarch)0:6.12.0-211.18.1.el10_20:5.14.21-150400.24.153.10:6-150600.2.2-00:2-150600.2.2-00:5.14.21-150400.24.173.1(x86_64)0:3.4.1-2.el10_1.2(noarch)0:3.4.1-2.el10_1.2(x86_64)0:140.3.0-1.el10_0(x86_64)0:6.9.1-2.el10_1.2(x86_64)0:6.9.1-2.el10_1.1(x86_64)0:2.41-58.el10_1.2(x86_64)0:2.44-7.el10_1.1(x86_64)0:3.5.1-7.el10_1(x86_64)0:3.0.5-4.el10_1.1(x86_64)0:3.0.1-2.el10_1(noarch)0:3.0.1-2.el10_1(x86_64)0:10.0.0-14.el10_1.5(x86_64)0:6.9.1-1.el10_1.1(x86_64)0:2.11.1-2.el10_1.1(noarch)0:2.11.1-2.el10_1.1(x86_64)0:10-1.el10(noarch)0:3.12.12-3.el10_1(x86_64)0:3.12.12-3.el10_1(x86_64)0:3.6.5-3.el10_1.7(noarch)0:3.6.5-3.el10_1.7(x86_64)0:2.8.3-0.el10_1.3(x86_64)0:16.11-1.el10_1(noarch)0:16.11-1.el10_1(x86_64)0:16.11-3.el10_1(x86_64)0:140.5.0-2.el10_1(noarch)0:0.12.1-1.el10_1.2(x86_64)0:0.12.1-1.el10_1.2(x86_64)0:2.26-7.el10(x86_64)0:4.4.2-4.el10_1.1(x86_64)0:2.80.4-10.el10_1.12(noarch)0:2.87.0-1.el10(x86_64)0:7.12.1-11.el10_1.3(noarch)0:7.12.1-11.el10_1.3(noarch)0:3.12.13-2.el10_2(x86_64)0:3.12.13-2.el10_2(x86_64)0:2.80.4-12.el10_2.13(x86_64)0:2.40.2-15.el10_1(x86_64)0:8.3.29-1.el10_1(x86_64)0:3.0.5-10.el10_1.1(x86_64)0:140.6.0-1.el10_1(x86_64)0:140.7.0-1.el10_1(x86_64)0:3.6.5-3.el10_1.8(noarch)0:3.6.5-3.el10_1.8(x86_64)0:6.10.1-1.el10_2.1(x86_64)0:3.8.10-3.el10_1(x86_64)0:3.1.3-7.el10_1(noarch)0:3.1.3-7.el10_1(x86_64)0:20230101-14.el10_1(x86_64)0:20230101-15.el10_1(noarch)0:3.12.12-3.el10_1.1(x86_64)0:3.12.12-3.el10_1.1(noarch)0:1.0.14-1.el10_0(x86_64)0:8.4.6-2.el10_0(noarch)0:8.4.6-2.el10_00:3-150700.3.6.2-00:6.4.0-150700.51.10:6.4.0-150600.23.38.10:2-150700.3.1-00:2-150700.3.3.2-00:5.14.21-150500.55.136.10:5.3.18-150300.59.201.10:5.14.21-150400.24.161.10:6.4.0-150600.23.42.20:4.12.14-122.261.10:5.3.18-150300.59.215.10:6-150700.3.15.1-00:5-150700.3.12.2-0(x86_64)0:6.12.0-124.16.1.el10_1(noarch)0:6.12.0-124.16.1.el10_1(x86_64)0:1.24.1-2.el10_0(x86_64)0:0.9.27-3.el10_0(noarch)0:20251114-5.el10_2(x86_64)0:20251114-5.el10_20:6.4.0-150600.23.47.20:8-150700.3.1-00:8-150700.3.21.2-0(x86_64)0:3.3.10-11.el10_1(noarch)0:3.3.10-11.el10_1(x86_64)0:3.1.5-11.el10_1(noarch)0:2.5.22-11.el10_1(x86_64)0:0.7.1-11.el10_1(noarch)0:1.13.1-11.el10_1(x86_64)0:2.7.2-11.el10_1(noarch)0:5.20.0-11.el10_1(noarch)0:2.0.3-11.el10_1(x86_64)0:5.1.2-11.el10_1(x86_64)0:1.7.3-11.el10_1(noarch)0:13.1.0-11.el10_1(x86_64)0:3.4.0-11.el10_1(noarch)0:6.6.3.1-11.el10_1(noarch)0:3.4.4-11.el10_1(noarch)0:0.3.1-11.el10_1(noarch)0:3.6.1-11.el10_1(noarch)0:0.21.9-11.el10_1(noarch)0:3.5.22-11.el10_1(x86_64)0:3.3.8-10.el10_0(noarch)0:3.3.8-10.el10_0(x86_64)0:3.1.5-10.el10_0(noarch)0:2.5.22-10.el10_0(x86_64)0:0.7.1-10.el10_0(noarch)0:1.13.1-10.el10_0(x86_64)0:2.7.2-10.el10_0(noarch)0:5.20.0-10.el10_0(noarch)0:2.0.3-10.el10_0(x86_64)0:5.1.2-10.el10_0(x86_64)0:1.7.3-10.el10_0(noarch)0:13.1.0-10.el10_0(x86_64)0:3.4.0-10.el10_0(noarch)0:6.6.3.1-10.el10_0(noarch)0:3.3.9-10.el10_0(noarch)0:0.3.1-10.el10_0(noarch)0:3.6.1-10.el10_0(noarch)0:0.21.9-10.el10_0(noarch)0:3.5.22-10.el10_0(x86_64)0:3.6.1-4.el10_1(x86_64)0:8.0.4-1.el10_0(noarch)0:3.1.6-1.el10_0(x86_64)0:10.02.1-16.el10_0(noarch)0:10.02.1-16.el10_0(x86_64)0:21.0.8.0.9-1.el10(x86_64)0:5.6.2-4.el10_0(noarch)0:10.1.36-3.el10_1.1(noarch)0:9.0.87-8.el10_1.1(x86_64)0:3.6.5-3.el10_0.6(noarch)0:3.6.5-3.el10_0.6(x86_64)0:24.02.0-7.el10_1(noarch)0:24.02.0-7.el10_1(x86_64)0:2.12.5-9.el10_0(x86_64)0:9.9p1-11.el10(x86_64)0:1.21.3-8.el10_00:6.4.0-150700.53.3.1(x86_64)0:6.12.0-124.31.1.el10_1(noarch)0:6.12.0-124.31.1.el10_10:3-150700.3.1-00:3-150700.2.1-00:4.12.14-122.266.10:6.4.0-150600.23.53.10:5-150700.3.1-0(x86_64)0:6.12.0-124.43.1.el10_1(noarch)0:6.12.0-124.43.1.el10_10:4-150700.3.2-00:4-150700.3.9.2-00:4-150700.2.1-0(x86_64)0:6.12.0-124.49.1.el10_1(noarch)0:6.12.0-124.49.1.el10_10:6-150700.3.1-00:6-150700.2.1-00:10-150700.3.1-00:10-150700.3.27.1-00:10-150700.2.1-00:11-150700.3.1-00:11-150700.3.30.1-00:11-150700.2.1-00:15-150600.2.3-00:12-150700.3.1-00:12-150700.3.33.1-00:12-150700.2.1-00:6.4.0-150600.23.50.10:6.4.0-150600.23.60.5(x86_64)0:6.12.0-124.39.1.el10_1(noarch)0:6.12.0-124.39.1.el10_10:4.12.14-122.269.10:5.14.21-150500.55.133.10:15-150700.3.1-00:15-150700.3.42.1-00:15-150700.2.1-00:14-150700.2.1-0(x86_64)0:6.12.0-124.29.1.el10_1(noarch)0:6.12.0-124.29.1.el10_1(x86_64)0:6.12.0-124.35.1.el10_1(noarch)0:6.12.0-124.35.1.el10_10:7-150700.5.1-00:7-150700.3.18.1-00:7-150700.2.1-00:7-150700.4.1-00:6.4.0-150600.23.70.10:6.4.0-150600.23.65.1(x86_64)0:6.12.0-124.21.1.el10_1(noarch)0:6.12.0-124.21.1.el10_10:8-150700.2.1-00:10-150600.4.1-00:9-150600.4.1-00:8-150600.4.1-00:7-150600.4.1-00:3-150600.4.1-00:3-150700.4.1-0(x86_64)0:6.12.0-211.20.1.el10_2(noarch)0:6.12.0-211.20.1.el10_2(x86_64)0:6.12.0-124.20.1.el10_1(noarch)0:6.12.0-124.20.1.el10_1(x86_64)0:6.12.0-55.41.1.el10_0(noarch)0:6.12.0-55.41.1.el10_0(x86_64)0:6.12.0-124.27.1.el10_1(noarch)0:6.12.0-124.27.1.el10_10:13-150700.3.1-00:13-150700.3.36.1-00:13-150700.2.1-00:5.14.21-150500.55.130.30:6.4.0-150600.23.78.10:6.4.0-150600.23.81.30:6.4.0-150600.23.81.30:6.4.0-150700.53.22.10:6.4.0-150700.53.25.10:6.4.0-150600.23.78.10:13-150600.2.2-00:4-150600.2.2-00:14-150700.3.1-00:14-150700.3.39.1-00:9-150700.2.2-00:14-150700.2.2-0(x86_64)0:9.18.33-10.el10_1.2(noarch)0:9.18.33-10.el10_1.2(x86_64)0:5.40.2-512.2.el10_0(noarch)0:1.03-512.2.el10_0(noarch)0:5.74-512.2.el10_0(x86_64)0:1.89-512.2.el10_0(noarch)0:1.25-512.2.el10_0(noarch)0:0.68-512.2.el10_0(noarch)0:0.03-512.2.el10_0(noarch)0:0.06-512.2.el10_0(x86_64)0:1.34-512.2.el10_0(noarch)0:1.06-512.2.el10_0(noarch)0:1.05-512.2.el10_0(noarch)0:2.27-512.2.el10_0(x86_64)0:1.56-512.2.el10_0(noarch)0:1.11-512.2.el10_0(x86_64)0:1.38-512.2.el10_0(noarch)0:0.25-512.2.el10_0(noarch)0:1.35-512.2.el10_0(noarch)0:1.14-512.2.el10_0(x86_64)0:1.18-512.2.el10_0(noarch)0:2.86-512.2.el10_0(noarch)0:1.100.800-512.2.el10_0(noarch)0:2.41-512.2.el10_0(x86_64)0:1.12-512.2.el10_0(noarch)0:1.44-512.2.el10_0(noarch)0:1.10-512.2.el10_0(noarch)0:2.05-512.2.el10_0(noarch)0:1.54-512.2.el10_0(x86_64)0:1.24-512.2.el10_0(x86_64)0:0.32-512.2.el10_0(x86_64)0:1.27-512.2.el10_0(noarch)0:1.02-512.2.el10_0(noarch)0:0.45-512.2.el10_0(x86_64)0:0.24-512.2.el10_0(x86_64)0:1.55-512.2.el10_0(noarch)0:1.22-512.2.el10_0(noarch)0:0.21-512.2.el10_0(noarch)0:1.62-512.2.el10_0(noarch)0:1.16-512.2.el10_0(noarch)0:0.08-512.2.el10_0(x86_64)0:1.17-512.2.el10_0(noarch)0:0.69-512.2.el10_0(noarch)0:1.04-512.2.el10_0(x86_64)0:1.65-512.2.el10_0(x86_64)0:2.20-512.2.el10_0(noarch)0:2.46-512.2.el10_0(noarch)0:1.07-512.2.el10_0(noarch)0:1.27-512.2.el10_0(noarch)0:1.09-512.2.el10_0(x86_64)0:1.25-512.2.el10_0(noarch)0:1.403-512.2.el10_0(noarch)0:1.17-512.2.el10_0(noarch)0:1.31-512.2.el10_0(noarch)0:3.05-512.2.el10_0(noarch)0:2.13-512.2.el10_0(noarch)0:4.6-512.2.el10_0(noarch)0:1.1-512.2.el10_0(x86_64)0:1.3401-512.2.el10_0(noarch)0:0.78-512.2.el10_0(noarch)0:1.60-512.2.el10_0(noarch)0:0.04-512.2.el10_0(noarch)0:1.40-512.2.el10_0(noarch)0:5.40.2-512.2.el10_0(noarch)0:0.14-512.2.el10_0(noarch)0:0.61.000-512.2.el10_0(x86_64)0:0.65-512.2.el10_0(noarch)0:1.12-512.2.el10_0(x86_64)0:1.29-512.2.el10_0(noarch)0:1.13-512.2.el10_0(noarch)0:1.37-512.2.el10_0(noarch)0:0.02-512.2.el10_0(x86_64)0:16.10-1.el10_0(noarch)0:16.10-1.el10_0(x86_64)0:1.35-9.el10_1(x86_64)0:0.127.0-3.el10_0(x86_64)0:1.24.6-1.el10_0(noarch)0:1.24.6-1.el10_0(x86_64)0:8.0.6-2.el10_1(noarch)0:69.0.3-12.el10_0(x86_64)0:6.4.2-1.el10_0.1(x86_64)0:5.6.0-5.el10_1(noarch)0:5.6.0-5.el10_1(x86_64)0:1.41.8-1.el10_1(x86_64)0:5.6.0-11.el10_1(noarch)0:5.6.0-11.el10_1(x86_64)0:20240905-5.el10(x86_64)0:47.3-2.el10_0(x86_64)0:74.2-5.el10_0(x86_64)0:2.41-58.el10(x86_64)0:1.41.6-1.el10_1(x86_64)0:5.6.0-6.el10_1(noarch)0:5.6.0-6.el10_1(x86_64)0:8.4.7-1.el10_1(noarch)0:8.4.7-1.el10_1(x86_64)0:21.0.9.0.10-1.el10(x86_64)0:25.0.1.0.8-2.el10(x86_64)0:0.11.1-4.el10_1(noarch)0:0.11.1-4.el10_1(x86_64)0:9.1.083-6.el10_1(noarch)0:9.1.083-6.el10_1(x86_64)0:3.17.1-5.el10_10:4.12.14-122.296.10:4.12.14-122.299.10:4.12.14-122.302.10:4.12.14-122.302.10:20-150400.2.1-00:5.14.21-150400.24.194.10:5.14.21-150400.24.197.10:5.14.21-150400.24.200.10:5.14.21-150400.24.205.10:5.14.21-150400.24.209.10:5.14.21-150400.24.209.10:20-150500.2.1-00:19-150500.2.1-00:5.14.21-150500.55.141.10:5.14.21-150500.55.144.10:5.14.21-150500.55.149.10:5.14.21-150500.55.163.10:5.14.21-150500.55.163.10:6.4.0-150600.23.100.10:6.4.0-150600.23.103.10:6.4.0-150600.23.84.10:6.4.0-150600.23.87.10:6.4.0-150600.23.92.10:6.4.0-150600.23.95.10:6.4.0-150600.23.95.10:17-150700.3.1-00:17-150700.3.48.1-00:6.4.0-150700.53.28.10:17-150700.2.1-00:6.4.0-150700.53.31.10:6.4.0-150700.53.34.10:6.4.0-150700.53.37.10:6.4.0-150700.53.40.10:6.4.0-150700.53.45.10:16-150700.2.1-0(x86_64)0:22.22.0-3.el10_1(noarch)0:22.22.0-3.el10_1(x86_64)0:10.9.4-1.22.22.0.3.el10_1(x86_64)0:24.13.0-1.el10_1(noarch)0:24.13.0-1.el10_1(noarch)0:11.6.2-1.24.13.0.1.el10_1(x86_64)0:10.0.0~rc.2.25502.107-0.12.el10_1(x86_64)0:10.0.100~rc.2.25502.107-0.12.el10_1(x86_64)0:2.4.26-4.el10_1(x86_64)0:2.4.10-11.el10_0.1(noarch)0:2.4.10-11.el10_0.1(x86_64)0:2.4.63-4.el10_1.3(noarch)0:2.4.63-4.el10_1.3(x86_64)0:1.25.2-1.el10_1(x86_64)0:1.25.3-1.el10_1(noarch)0:1.25.3-1.el10_1(x86_64)0:10.2.6-21.el10_1(x86_64)0:31-3.el10_1(x86_64)0:149-4.el10_1(x86_64)0:5.6.0-8.el10_1(noarch)0:5.6.0-8.el10_1(x86_64)0:1.20.0-2.el10_1(x86_64)0:2.4.10-12.el10_1.2(noarch)0:2.4.10-12.el10_1.2(x86_64)0:2.3.21-19.el10_2(noarch)0:1.0.0-19.el10_1(x86_64)0:3.7.7-4.el10_0(x86_64)0:2.7.1-1.el10_1.3(x86_64)0:0.11.1-5.el10_1(noarch)0:0.11.1-5.el10_1(x86_64)0:1.6.1-8.el10(noarch)0:2.12-29.el10_1.2(x86_64)0:2.12-29.el10_1.2(x86_64)0:1.41.8-2.el10_1(x86_64)0:1.26.1-1.el10_2(x86_64)0:3.6.1-7.el10_1(x86_64)0:3.6.0-7.el10_1(noarch)0:3.6.0-7.el10_1(x86_64)0:1.25.7-1.el10_1(noarch)0:1.25.7-1.el10_1(x86_64)0:10.2.6-22.el10_1(x86_64)0:5.3.0-2.el10_1(x86_64)0:52.1-1.el10_2(x86_64)0:0.9.27-5.el10_1(x86_64)0:0.144.0-1.el10_1(x86_64)0:5.6.0-12.el10_1(noarch)0:5.6.0-12.el10_1(x86_64)0:1.20.0-3.el10_1(x86_64)0:1.25.5-1.el10_1(noarch)0:1.25.5-1.el10_1(x86_64)0:31-4.el10_1(x86_64)0:0.9.27-4.el10_1(x86_64)0:1.25.8-1.el10_1(noarch)0:1.25.8-1.el10_1(x86_64)0:1.1.0-7.el10_1(x86_64)0:9.9p1-12.el10_1(x86_64)0:6.10-6.el10_1.1(x86_64)0:24.1.5-5.el10_1(x86_64)0:21.0.10.0.7-1.el10(x86_64)0:25.0.2.0.10-1.el10(x86_64)0:1.6.40-8.el10_1.1(noarch)0:1.26.19-2.el10_1.1(noarch)0:9.0.117-1.el10_2(x86_64)0:3.26.1-1.el10_1.1(x86_64)0:8.0.7-1.el10_1(x86_64)0:5.0.1-7.el10_1(noarch)0:5.0.1-7.el10_1(x86_64)0:1.0.0-4.el10_2(x86_64)0:1.0.1-2.el10_2(noarch)0:1.0.1-2.el10_20:6.4.0-150600.23.84.1(x86_64)0:6.12.0-124.28.1.el10_1(noarch)0:6.12.0-124.28.1.el10_1(x86_64)0:5.9.4-15.el10_1.2(x86_64)0:2.4.5-3.el10_1(noarch)0:3.5.1-6.el10_2.1(x86_64)0:3.46.1-5.el10_0(x86_64)0:6.4-15.20240127.el10_1(noarch)0:6.4-15.20240127.el10_10:5.14.21-150400.24.194.10:5.14.21-150500.55.136.10:6.4.0-150600.23.87.1(x86_64)0:6.12.0-124.47.1.el10_1(noarch)0:6.12.0-124.47.1.el10_1(x86_64)0:2.42.12-4.el10_0(x86_64)0:4.12.2-24.el10_1.1(noarch)0:4.12.2-24.el10_1.1(noarch)0:3.12.12-1.el10_1(x86_64)0:3.12.12-1.el10_1(x86_64)0:8.12.1-2.el10_1.2(x86_64)0:3.5.1-4.el10_1(x86_64)0:1.56.0-1.el10(noarch)0:1.56.0-1.el10(x86_64)0:4.4.2-4.el10_1.2(x86_64)0:4.6.0-6.el10_1.1(x86_64)0:3.6.5-3.el10_1.9(noarch)0:3.6.5-3.el10_1.9(x86_64)0:2.39-58.el10_1.7(noarch)0:2.39-58.el10_1.7(x86_64)0:3.14.4-2.el10_2(x86_64)0:0.12.0-2.el10(noarch)0:0.12.0-2.el10(x86_64)0:3.19.6-15.el10_1(x86_64)0:24.02.0-7.el10_2.2(noarch)0:24.02.0-7.el10_2.2(x86_64)0:9.18.33-10.el10_1.3(noarch)0:9.18.33-10.el10_1.3(x86_64)0:22.22.2-1.el10_1(noarch)0:22.22.2-1.el10_1(x86_64)0:10.9.7-1.22.22.2.1.el10_1(x86_64)0:24.14.1-2.el10_1(noarch)0:24.14.1-2.el10_1(noarch)0:11.11.0-1.24.14.1.2.el10_1(x86_64)0:1.26.3-2.el10_1(noarch)0:1.26.3-2.el10_1(x86_64)0:7.12.1-11.el10_1.4(noarch)0:7.12.1-11.el10_1.4(x86_64)0:3.6.5-3.el10_1.10(noarch)0:3.6.5-3.el10_1.10(x86_64)0:4.23.5-109.el10_2(noarch)0:4.23.5-109.el10_2(x86_64)0:16.13-1.el10_2(noarch)0:16.13-1.el10_2(x86_64)0:18.3-1.el10_2(noarch)0:18.3-1.el10_2(x86_64)0:0.26.2-1.el10(x86_64)0:8.4.8-1.el10_1(noarch)0:8.4.8-1.el10_1(x86_64)0:8.4.9-1.el10_2(noarch)0:8.4.9-1.el10_2(x86_64)0:21.0.11.0.10-2.el10_2(x86_64)0:25.0.3.0.9-1.el10_2(x86_64)0:1.6.40-8.el10_1.2(x86_64)0:3.10.3-5.el10_1.5(x86_64)0:3.10.3-5.el10_1.2(x86_64)0:2.90-7.el10_2(x86_64)0:6.12.0-124.45.1.el10_1(noarch)0:6.12.0-124.45.1.el10_10:4.12.14-122.296.10:5.14.21-150400.24.197.10:5.14.21-150500.55.141.10:6.4.0-150600.23.92.10:3-150600.2.2-0(x86_64)0:8.0.9-1.el10_2(x86_64)0:4.16.0-13.el10_1.2(noarch)0:4.16.0-13.el10_1.2(noarch)0:0.6.2-1.el10_1(x86_64)0:3.10.3-5.el10_1.1(x86_64)0:5.2.1-24.el10_2(x86_64)0:3.25.0-5.el10_1.2(noarch)0:0.41.2-5.el10_1.1(x86_64)0:140.8.0-2.el10_1(x86_64)0:1.14.1-6.el10_1(noarch)0:10.1.49-1.el10_2.1(x86_64)0:2.4.5-4.el10_1(x86_64)0:0.5.15-11.el10_1(x86_64)0:1.43.1-1.el10_2(x86_64)0:1.25.2-3.el10_1(x86_64)0:3.7.1-4.el10_2(x86_64)0:3.6.0-8.el10_1(noarch)0:3.6.0-8.el10_1(x86_64)0:1.26.2-2.el10_2(noarch)0:1.26.2-2.el10_2(x86_64)0:10.2.6-23.el10_1(x86_64)0:5.3.0-3.el10_1(x86_64)0:0.9.27-5.el10_1.1(x86_64)0:0.144.0-2.el10_2(x86_64)0:5.8.2-1.el10_2(noarch)0:5.8.2-1.el10_2(x86_64)0:1.22.2-1.el10_2(x86_64)0:9.1.083-6.el10_1.1(noarch)0:9.1.083-6.el10_1.1(x86_64)0:3.10.3-12.el10_2.5(x86_64)0:2.10.90-6.el10_1.1(x86_64)0:10.0.4-1.el10_1(x86_64)0:9.0.14-1.el10_1(x86_64)0:10.0.104-1.el10_1(x86_64)0:9.0.115-1.el10_1(x86_64)0:8.0.25-1.el10_1(x86_64)0:8.0.125-1.el10_1(x86_64)0:10.0.6-1.el10_1(x86_64)0:8.0.26-1.el10_1(x86_64)0:9.0.15-1.el10_1(x86_64)0:10.0.106-1.el10_1(x86_64)0:8.0.126-1.el10_1(x86_64)0:9.0.116-1.el10_1(x86_64)0:3.10.3-5.el10_1.3(x86_64)0:1.64.0-2.el10_1.1(x86_64)0:1.25.9-3.el10_1(noarch)0:1.25.9-3.el10_1(x86_64)0:3.1.10-8.el10_1.1(x86_64)0:1.26.3-2.el10_1.1(noarch)0:1.26.3-2.el10_1.1(x86_64)0:10.2.6-26.el10_2(x86_64)0:3.5.5-3.el10_2(x86_64)0:9.1.083-6.el10_1.3(noarch)0:9.1.083-6.el10_1.3(x86_64)0:2.4.63-13.el10_2.1(noarch)0:2.4.63-13.el10_2.1(x86_64)0:257-13.el10_1.3(noarch)0:257-13.el10_1.3(x86_64)0:1.26.7-2.el10_2(x86_64)0:3.4.4-1.el10_2(noarch)0:3.4.4-1.el10_2(x86_64)0:9.18.33-15.el10_2.2(noarch)0:9.18.33-15.el10_2.2(x86_64)0:1.27-2.el10_2(x86_64)0:4.16.0-21.el10_2.1(noarch)0:4.16.0-21.el10_2.1(x86_64)0:6.12.0-211.22.1.el10_2(noarch)0:6.12.0-211.22.1.el10_20:4.12.14-122.299.10:5.14.21-150400.24.200.10:5.14.21-150500.55.144.1(x86_64)0:6.12.0-124.55.1.el10_1(noarch)0:6.12.0-124.55.1.el10_1(x86_64)0:3.5.5-2.el10_2(x86_64)0:6.5.5-1.el10_2(x86_64)0:4.4.2-4.el10_1.4(x86_64)0:1.26.1-2.el10_2(x86_64)0:0.9.27-7.el10_2(x86_64)0:5.8.2-3.el10_2(noarch)0:5.8.2-3.el10_2(x86_64)0:5.3.0-5.el10_2(x86_64)0:1.0.0-3.el10_2(x86_64)0:1.0.1-1.el10_2(noarch)0:1.0.1-1.el10_2(x86_64)0:26.4.25-1.el10_2(x86_64)0:11.8.6-2.el10_2(noarch)0:11.8.6-2.el10_2(x86_64)0:6.10-6.el10_1.3(x86_64)0:4.0.3-34.el10_2(noarch)0:4.0.3-34.el10_2(x86_64)0:0.5.7-34.el10_2(x86_64)0:1.6.3-34.el10_2(x86_64)0:1.24.2-7.el10_2.1(x86_64)0:140.9.1-1.el10_1(x86_64)0:1.6.40-8.el10_1.4(x86_64)0:1.6.17-1.el10_2(x86_64)0:1.6.40-8.el10_1.3(x86_64)0:1.26.3-4.el10_2(noarch)0:1.26.3-4.el10_2(x86_64)0:3.8.10-4.el10_2(x86_64)0:3.10.3-5.el10_1.6(x86_64)0:24.1.9-4.el10_2(x86_64)0:8.0.27-1.el10_2(x86_64)0:8.0.127-1.el10_2(x86_64)0:1.16.0-9.el10_2.1(noarch)0:1.16.0-9.el10_2.1(x86_64)0:3.5.5-4.el10_2(x86_64)0:3.1.10-8.el10_2.2(x86_64)0:9.9p1-13.el10_1(x86_64)0:9.1.083-9.el10_2.2(noarch)0:9.1.083-9.el10_2.2(x86_64)0:3.1.9-2.el10_1.1(x86_64)0:3.1.10-1.el10_2.1(x86_64)0:9.1.083-9.el10_2.3(noarch)0:9.1.083-9.el10_2.3(x86_64)0:9.9p1-23.el10_2(x86_64)0:1.9.17-4.p2.el10_2(x86_64)0:3.0.1-3.el10_1(noarch)0:3.0.1-3.el10_1(x86_64)0:10.4.4-1.el10_2(noarch)0:10.4.4-1.el10_2(x86_64)0:1.2.2-6.el10_2.1(x86_64)0:140.9.0-1.el10_1(noarch)0:1.5.6-5.el10_2(x86_64)0:1.7.1-11.el10_2.2(x86_64)0:1.21.3-10.el10_2(x86_64)0:2.39-124.el10_2(noarch)0:2.39-124.el10_2(x86_64)0:3.4.1-6.el10_2(noarch)0:3.4.1-6.el10_2(x86_64)0:3.7.7-5.el10_1(x86_64)0:3.3.10-12.el10_1(noarch)0:3.3.10-12.el10_1(x86_64)0:3.1.5-12.el10_1(noarch)0:2.5.22-12.el10_1(x86_64)0:0.7.1-12.el10_1(noarch)0:1.13.1-12.el10_1(x86_64)0:2.7.2-12.el10_1(noarch)0:5.20.0-12.el10_1(noarch)0:2.0.3-12.el10_1(x86_64)0:5.1.2-12.el10_1(x86_64)0:1.7.3-12.el10_1(noarch)0:13.1.0-12.el10_1(x86_64)0:3.4.0-12.el10_1(noarch)0:6.6.3.1-12.el10_1(noarch)0:3.4.4-12.el10_1(noarch)0:0.3.1-12.el10_1(noarch)0:3.6.1-12.el10_1(noarch)0:0.21.9-12.el10_1(noarch)0:3.5.22-12.el10_1(x86_64)0:1.2.8-8.el10_2(noarch)0:42.7.2-1.el10_2.2(x86_64)0:3.6.5-3.el10_2.11(noarch)0:3.6.5-3.el10_2.11(x86_64)0:10.0.8-1.el10_2(x86_64)0:9.0.16-1.el10_2(x86_64)0:10.0.108-1.el10_2(x86_64)0:9.0.117-1.el10_2(x86_64)0:1.26.3-6.el10_2.3(noarch)0:1.26.3-6.el10_2.30:5.14.21-150400.24.205.10:5.14.21-150500.55.149.10:16-150700.3.1-00:16-150700.3.45.1-0(x86_64)0:6.12.0-124.55.1.el10_1.1(noarch)0:6.12.0-124.55.1.el10_1.1(x86_64)0:3.8.5-10.el10_2(x86_64)0:3.7.7-8.el10_1(x86_64)0:2.39-121.el10_2(noarch)0:2.39-121.el10_2(x86_64)0:2.1.148-4.el10_2(x86_64)0:10.0.9-1.el10_2(x86_64)0:8.0.28-1.el10_2(x86_64)0:9.0.17-1.el10_2(x86_64)0:10.0.109-1.el10_2(x86_64)0:8.0.128-1.el10_2(x86_64)0:9.0.118-1.el10_2(x86_64)0:344-3.el10_1(noarch)0:344-3.el10_1(x86_64)0:4.6.0-8.el10_2.1(noarch)0:0.12.1-1.el10_1.3(x86_64)0:0.12.1-1.el10_1.3(x86_64)0:356.2-1.el10_2(noarch)0:356.2-1.el10_2(x86_64)0:2.69-7.el10_2.1(x86_64)0:2.0.29-4.el10_2.1(x86_64)0:2.42.12-4.el10_2.5(x86_64)0:4.4.2-10.el10_2(x86_64)0:8.3.31-1.el10_2(x86_64)0:140.10.0-1.el10_1(x86_64)0:107-7.el10_2(x86_64)0:140.10.1-1.el10_2(x86_64)0:140.11.0-1.el10_2(x86_64)0:3.23.12-10.el10_2.4(x86_64)0:3.2.0-7.el10_2(noarch)0:3.2.0-7.el10_2