VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
1186 advisories across 32 monitored vendors.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER When protocol sets HCI_PROTO_DEFER, hci_conn_request_evt() calls hci_connect_cfm(conn) without hdev->lock. Generally hci_connect_cfm() assumes it is held, and if conn is deleted concurrently -> UAF. Only SCO and ISO set HCI_PROTO_DEFER and only for defer setup listen, and HCI_EV_CONN_REQUEST is not generated for ISO. In the non-deferred listening socket code paths, hci_connect_cfm(conn) is called with hdev->lock held. Improper handling of locking within the `hci_conn_request_evt()` function, particularly when the `HCI_PROTO_DEFER` protocol is active, can result in a Use-After-Free (UAF) vulnerability. This condition arises when a connection object is accessed after it has been deallocated, potentially allowing a local attacker to cause a system crash or execute arbitrary code. Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-364. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9. Will not fix / out of support: Red Hat Enterprise Linux 6. Red Hat does not currently list a fixing RHSA for this CVE.
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix missing expect put in obj eval nft_ct_expect_obj_eval() allocates an expectation and may call nf_ct_expect_related(), but never drops its local reference. Add nf_ct_expect_put(exp) before return to balance allocation. This oversight leads to a resource leak, which could potentially allow a local attacker to cause a denial of service by exhausting system resources. Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-772. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 9. Red Hat does not currently list a fixing RHSA for this CVE.
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove In qrtr_port_remove(), the socket reference count is decremented via __sock_put() before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This breaks the fundamental RCU update paradigm. It exposes a race window where a concurrent RCU reader (such as qrtr_reset_ports() or qrtr_port_lookup()) can obtain a pointer to the socket from the XArray, and attempt to call sock_hold() on a socket whose reference count has already dropped to zero. This exact race condition was hit during syzkaller fuzzing, leading to the following refcount saturation warning and a potential Use-After-Free: refcount_t: saturated; leaking memory. WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0 Modules linked in: qrtr(+) bochs drm_shmem_helper ...
In the Linux kernel, the following vulnerability has been resolved: net: ena: PHC: Fix potential use-after-free in get_timestamp Move the phc->active check and resp pointer assignment to after acquiring the spinlock. Previously, phc->active was checked without holding the lock, and resp was cached from ena_dev->phc.virt_addr before the lock was acquired. If ena_com_phc_destroy() runs between the lockless active check and the lock acquisition, it sets active=false, releases the lock, frees the DMA memory, and sets virt_addr=NULL. The get_timestamp path would then read a NULL virt_addr and dereference it. With both the active check and the pointer read under the lock, destroy cannot free the memory while get_timestamp is using it. A flaw was found in the Linux kernel's Elastic Network Adapter (ENA) driver, specifically within the Precision Time Protocol Hardware Clock (PHC) timestamp retrieval function. A race condition exists where the `get_timestamp` function could attempt to access memory that has already been freed by the `ena_com_phc_destroy` function. This use-after-free vulnerability can lead to a NULL pointer dereference, potentially causing a system crash and resulting in a Denial of Service (DoS). Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-825.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error When hci_register_dev() fails in hci_uart_register_dev() HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu) and setting hu->hdev to NULL. This means incoming UART data will reach the protocol-specific recv handler in hci_uart_tty_receive() after resources are freed. The write lock ensures all active readers have completed and no new reader can enter the protocol recv path before resources are freed. This allows the protocol-specific recv functions to remove the "HCI_UART_REGISTERED" guard without risking a null pointer dereference if hci_register_dev() fails. A flaw was found in the Linux kernel's Bluetooth Host Controller Interface (HCI) Universal Asynchronous Receiver/Transmitter (UART) driver. When the `hci_register_dev()` function fails, a flag indicating protocol initialization is not properly cleared. This oversight allows incoming UART data to be processed by the protocol-specific receive handler after its associated resources have been released, potentially leading to a null pointer dereference. This vulnerability could result in a system crash, causing a Denial of Service (DoS). Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-825.
In the Linux kernel, the following vulnerability has been resolved: NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg In nfsd4_add_rdaccess_to_wrdeleg, if fp->fi_fds[O_RDONLY] is already set by another thread, __nfs4_file_get_access should not be called to increment the nfs4_file access count since that was already done by the thread that added READ access to the file. The extra fi_access count in nfs4_file can prevent the corresponding nfsd_file from being freed. When stopping nfs-server service, these extra access counts trigger a BUG in kmem_cache_destroy() that shows nfsd_file object remaining on __kmem_cache_shutdown. This problem can be reproduced by running the Git project's test suite over NFS. An issue with file access counting in the nfsd4_add_rdaccess_to_wrdeleg function can lead to an extra access count for nfs4_file objects. This prevents the proper freeing of associated resources when the NFS server service is stopped. Consequently, this can trigger a system bug during shutdown, potentially leading to a Denial of Service (DoS) condition. Red Hat severity: Moderate — CVSS 7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-911. Affected Red Hat products: Red Hat Enterprise Linux 10. Red Hat does not currently list a fixing RHSA for this CVE.
Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted IKEv1 packet containing a shorter-than-expected hash payload. This triggers an assertion failure within the Libreswan daemon, causing it to crash and restart, leading to a persistent Denial of Service (DoS) condition if malicious packets are continuously transmitted. Additionally, if the target system relies on RSA keys with weak public exponents (e.g., e=3), a Bleichenbacher-style signature forgery attack may be feasible, potentially allowing the attacker to bypass authentication entirely.
Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected. A flaw was found in Libreswan's implementation of IKEv2 authentication when processing signatures utilizing the RSASSA-PKCS1-v1_5 scheme. A remote, unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted IKEv2 AUTH payload with a shorter-than-expected hash value. This triggers an internal assertion failure, causing the Libreswan daemon to abort and restart, leading to a Denial of Service (DoS). Furthermore, if the Libreswan gateway accepts connections using weak public RSA exponents (such as e=3), an attacker could execute a Bleichenbacher-style signature forgery attack to achieve an authentication bypass.
An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected. A flaw was found in Libreswan's IKEv2 fragment reassembly mechanism. When a VPN gateway processes incoming split network packets (fragments) containing unexpected data, an off-by-one boundary validation error triggers an internal program safety check (assertion failure). While this flaw does not allow data theft or unauthorized system access, a continuous stream of these packets will lead to a persistent Denial of Service (DoS) for legitimate VPN users. Red Hat Product Security rates this vulnerability as having an Important impact, primarily because it can be exploited remotely without authentication. However, the actual exposure depends entirely on your specific VPN configuration: ``` Affected Configurations: This vulnerability only impacts IKEv2 connections.
Uninitialized Use in GPU. Red Hat rates this important (CVSS 5.3). Weakness: CWE-824.
Insufficient validation of untrusted input in Navigation. Red Hat rates this important (CVSS 5.8). Weakness: CWE-1286.
Information disclosure via path traversal in LaTeX backend. Red Hat rates this moderate (CVSS 5.5). Weakness: CWE-22.
Denial of Service due to infinite loop in AtomicReference#update. Red Hat rates this moderate (CVSS 5.9). Weakness: CWE-835.
Incorrect write lock granting leading to broken mutual exclusion. Red Hat rates this low (CVSS 4.7). Weakness: CWE-190.
A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration. This information disclosure could expose sensitive configuration details of the Jenkins environment. Red Hat severity: Moderate — CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Weakness: CWE-425. Affected Red Hat products: OpenShift Developer Tools and Services. Red Hat does not currently list a fixing RHSA for this CVE.
A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator. This could enable unauthorized modifications to the Jenkins environment. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N). Weakness: CWE-940. Affected Red Hat products: OpenShift Developer Tools and Services. Red Hat does not currently list a fixing RHSA for this CVE.
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. Please note that in logack version 1.5.37 conditional processing using Janino was removed. A flaw was found in logback-core, a logging framework for Java applications. Red Hat severity: Moderate — CVSS 6 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). Weakness: CWE-94.
limit next_id allocation to the valid ID range. Red Hat rates this moderate (CVSS 5.8). Weakness: CWE-825.
In the Linux kernel, the following vulnerability has been resolved: vrf: Fix a potential NPD when removing a port from a VRF RCU readers that identified a net device as a VRF port using netif_is_l3_slave() assume that a subsequent call to netdev_master_upper_dev_get_rcu() will return a VRF device. They then continue to dereference its l3mdev operations. This assumption is not always correct and can result in a NPD [1]. There is no RCU synchronization when removing a port from a VRF, so it is possible for an RCU reader to see a new master device (e.g., a bridge) that does not have l3mdev operations. Fix by adding RCU synchronization after clearing the IFF_L3MDEV_SLAVE flag. Skip this synchronization when a net device is removed from a VRF as part of its deletion and when the VRF device itself is deleted.
In the Linux kernel, the following vulnerability has been resolved: af_unix: Reject SIOCATMARK on non-stream sockets SIOCATMARK reports whether the receive queue is at the urgent mark for MSG_OOB. In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets. SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(), so they should not support SIOCATMARK either. This vulnerability involves the incorrect handling of the `SIOCATMARK` operation when used with non-stream sockets, such as `SOCK_DGRAM` and `SOCK_SEQPACKET`. These socket types did not properly reject `SIOCATMARK`, an operation intended only for `SOCK_STREAM` sockets. This could lead to unexpected system behavior when an application attempts to perform this unsupported operation. Red Hat severity: Low — CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-1287. Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6. Will not fix / out of support: Red Hat Enterprise Linux 6. Red Hat does not currently list a fixing RHSA for this CVE.