VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
Advisories the vendor has revised
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dma_length() dma_length() derives DMA region usage from command stream values and updates region_size[]: len = ((len + stride[0]) * size0 + stride[1]) * size1 region_size[region] = max(..., len + dma->offset) Several arithmetic issues can corrupt the derived region size: - signed stride values may underflow when added to len - intermediate multiplications may overflow - len + dma->offset may overflow during region_size updates - dma_length() error returns were not validated by the caller region_size[] is later used by ethosu_job.c to validate command stream accesses against GEM buffer sizes. Arithmetic wraparound can therefore under-report region usage and bypass the bounds validation. The dma_length() function, responsible for calculating Direct Memory Access (DMA) region usage, contains several arithmetic issues. These issues, including potential underflows and overflows during calculations, can lead to an under-reporting of memory region sizes. This under-reporting can bypass crucial bounds validation checks, potentially allowing an attacker to access memory outside of its intended boundaries. Red Hat severity: not rated. Weakness: CWE-190.
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject NPU_OP_RESIZE commands from userspace NPU_OP_RESIZE is a U85-only command that the driver does not yet implement. The existing WARN_ON(1) placeholder fires unconditionally whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, causing unbounded kernel log spam. If panic_on_warn is set the kernel panics, giving any unprivileged user with access to the DRM device a trivial denial-of-service primitive. Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl rejects the command before it reaches hardware. An unprivileged local user with access to the Direct Rendering Manager (DRM) device could submit a specific command (`NPU_OP_RESIZE`) that the driver does not properly handle. This could lead to excessive kernel log spam and, if the `panic_on_warn` setting is enabled, cause the kernel to crash, resulting in a denial of service (DoS). Red Hat severity: not rated. Weakness: CWE-617. Red Hat lists Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9 as not affected.
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock. There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL.
In the Linux kernel, the following vulnerability has been resolved: tee: optee: prevent use-after-free when the client exits before the supplicant Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request. If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free. Serialise access to the request with supp->mutex: * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while looking up and touching the request. * Let optee_supp_thrd_req() notice that the client has terminated and signal optee_supp_send() accordingly. With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race. A flaw was found in the Linux kernel's Trusted Execution Environment (TEE) subsystem, specifically within the OP-TEE driver. This use-after-free vulnerability occurs when a client task terminates before its associated supplicant has finished processing a request.
Fix use-after-free during device removal. Red Hat rates this a security issue. Weakness: CWE-364.
refill RX buffers before XDP or skb use. Red Hat rates this a security issue. Weakness: CWE-763.
fix use-after-free on first_skb in __input_process_payload. Red Hat rates this a security issue. Weakness: CWE-367.
Fix using an uninitialized stack variable in rseq_exit_user_update(). Red Hat rates this a security issue. Weakness: CWE-908.
Clamp VBIOS HDMI retimer register count to array size. Red Hat rates this a security issue. Weakness: CWE-1284.
reject DMA commands with uninitialized length. Red Hat rates this a security issue. Weakness: CWE-190.
Fix use-after-free in metadata dst teardown. Red Hat rates this a security issue. Weakness: CWE-825.
fix NULL pointer dereference in suspend/resume. Red Hat rates this a security issue. Weakness: CWE-476.
fix IFM region index out-of-bounds in command stream parser. Red Hat rates this a security issue. Weakness: CWE-1285.
keep err zero after successful ovl_cache_get(). Red Hat rates this a security issue. Weakness: CWE-253.
Fix NULL deref on rsu_send_msg() timeout in probe. Red Hat rates this a security issue.
sync RX data at the hardware packet offset. Red Hat rates this a security issue. Weakness: CWE-821.
bound SRP_RSP sense copy by the received length. Red Hat rates this a security issue. Weakness: CWE-130.
fix resource freeing order. Red Hat rates this a security issue.
use correct flags for device private PMD entry. Red Hat rates this a security issue.
limit XDP frame size to the RX buffer. Red Hat rates this a security issue. Weakness: CWE-787.