Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration<br /> <br /> link_id is taken from the ML Reconfiguration element (control &amp; 0x000f),<br /> so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS<br /> (15) elements, so index 15 is out-of-bounds. Skip subelements with<br /> link_id &gt;= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds<br /> write.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: secure_seq: add back ports to TS offset<br /> <br /> This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets")<br /> <br /> tcp_tw_recycle went away in 2017.<br /> <br /> Zhouyan Deng reported off-path TCP source port leakage via<br /> SYN cookie side-channel that can be fixed in multiple ways.<br /> <br /> One of them is to bring back TCP ports in TS offset randomization.<br /> <br /> As a bonus, we perform a single siphash() computation<br /> to provide both an ISN and a TS offset.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf/core: Fix refcount bug and potential UAF in perf_mmap<br /> <br /> Syzkaller reported a refcount_t: addition on 0; use-after-free warning<br /> in perf_mmap.<br /> <br /> The issue is caused by a race condition between a failing mmap() setup<br /> and a concurrent mmap() on a dependent event (e.g., using output<br /> redirection).<br /> <br /> In perf_mmap(), the ring_buffer (rb) is allocated and assigned to<br /> event-&gt;rb with the mmap_mutex held. The mutex is then released to<br /> perform map_range().<br /> <br /> If map_range() fails, perf_mmap_close() is called to clean up.<br /> However, since the mutex was dropped, another thread attaching to<br /> this event (via inherited events or output redirection) can acquire<br /> the mutex, observe the valid event-&gt;rb pointer, and attempt to<br /> increment its reference count. If the cleanup path has already<br /> dropped the reference count to zero, this results in a<br /> use-after-free or refcount saturation warning.<br /> <br /> Fix this by extending the scope of mmap_mutex to cover the<br /> map_range() call. This ensures that the ring buffer initialization<br /> and mapping (or cleanup on failure) happens atomically effectively,<br /> preventing other threads from accessing a half-initialized or<br /> dying ring buffer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata<br /> <br /> We found an infinite loop bug in the ntfs3 file system that can lead to a<br /> Denial-of-Service (DoS) condition.<br /> <br /> A malformed NTFS image can cause an infinite loop when an attribute header<br /> indicates an empty run list, while directory entries reference it as<br /> containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way<br /> to represent an empty run list, and run_unpack() correctly handles this by<br /> checking if evcn + 1 equals svcn and returning early without parsing any run<br /> data. However, this creates a problem when there is metadata inconsistency,<br /> where the attribute header claims to be empty (evcn=-1) but the caller<br /> expects to read actual data. When run_unpack() immediately returns success<br /> upon seeing this condition, it leaves the runs_tree uninitialized with<br /> run-&gt;runs as a NULL. The calling function attr_load_runs_range() assumes<br /> that a successful return means that the runs were loaded and sets clen to 0,<br /> expecting the next run_lookup_entry() call to succeed. Because runs_tree<br /> remains uninitialized, run_lookup_entry() continues to fail, and the loop<br /> increments vcn by zero (vcn += 0), leading to an infinite loop.<br /> <br /> This patch adds a retry counter to detect when run_lookup_entry() fails<br /> consecutively after attr_load_runs_vcn(). If the run is still not found on<br /> the second attempt, it indicates corrupted metadata and returns -EINVAL,<br /> preventing the Denial-of-Service (DoS) vulnerability.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: ntfs3: check return value of indx_find to avoid infinite loop<br /> <br /> We found an infinite loop bug in the ntfs3 file system that can lead to a<br /> Denial-of-Service (DoS) condition.<br /> <br /> A malformed dentry in the ntfs3 filesystem can cause the kernel to hang<br /> during the lookup operations. By setting the HAS_SUB_NODE flag in an<br /> INDEX_ENTRY within a directory&amp;#39;s INDEX_ALLOCATION block and manipulating the<br /> VCN pointer, an attacker can cause the indx_find() function to repeatedly<br /> read the same block, allocating 4 KB of memory each time. The kernel lacks<br /> VCN loop detection and depth limits, causing memory exhaustion and an OOM<br /> crash.<br /> <br /> This patch adds a return value check for fnd_push() to prevent a memory<br /> exhaustion vulnerability caused by infinite loops. When the index exceeds the<br /> size of the fnd-&gt;nodes array, fnd_push() returns -EINVAL. The indx_find()<br /> function checks this return value and stops processing, preventing further<br /> memory allocation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST<br /> <br /> We found an infinite loop bug in the ntfs3 file system that can lead to a<br /> Denial-of-Service (DoS) condition.<br /> <br /> A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute<br /> indicates a zero data size while the driver allocates memory for it.<br /> <br /> When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set<br /> to zero, it still allocates memory because of al_aligned(0). This creates an<br /> inconsistent state where ni-&gt;attr_list.size is zero, but ni-&gt;attr_list.le is<br /> non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute<br /> list exists and enumerates only the primary MFT record. When it finds<br /> ATTR_LIST, the code reloads it and restarts the enumeration, repeating<br /> indefinitely. The mount operation never completes, hanging the kernel thread.<br /> <br /> This patch adds validation to ensure that data_size is non-zero before memory<br /> allocation. When a zero-sized ATTR_LIST is detected, the function returns<br /> -EINVAL, preventing a DoS vulnerability.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/siw: Fix potential NULL pointer dereference in header processing<br /> <br /> If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),<br /> qp-&gt;rx_fpdu can be NULL. The error path in siw_tcp_rx_data()<br /> dereferences qp-&gt;rx_fpdu-&gt;more_ddp_segs without checking, which<br /> may lead to a NULL pointer deref. Only check more_ddp_segs when<br /> rx_fpdu is present.<br /> <br /> KASAN splat:<br /> [ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]<br /> [ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50

beefree.io SDK is vulnerable to Stored XSS in Social Media icon URL parameter in email builder functionality. Malicious attacker can inject arbitrary HTML and JS into template, which will be rendered/executed when visiting preview page. However due to beefree&amp;#39;s Content Security Policy not all payloads will execute successfully.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> This issue has been fixed in version 3.47.0.

Missing Authorization vulnerability in WebberZone Contextual Related Posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contextual Related Posts: from n/a before 4.2.2.

The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site including private, draft, and trashed posts they shouldn&amp;#39;t have access to. Additionally, attackers with Author-level access and above can use the Rewrite &amp; Republish feature to overwrite any published post with their own content.

A JSONPath injection vulnerability in Spring AI&amp;#39;s AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.<br /> <br /> This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.<br /> <br /> The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and &amp;&amp; are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.

A critical SQL injection vulnerability in Spring AI&amp;#39;s MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.<br /> <br /> The vulnerability exists due to missing input sanitization.