ReportizFlow
Filtered by vendor
Subscriptions
Total
6672 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-50241 | 1 Linux | 1 Linux Kernel | 2025-11-25 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: NFSD: fix use-after-free on source server when doing inter-server copy Use-after-free occurred when the laundromat tried to free expired cpntf_state entry on the s2s_cp_stateids list after inter-server copy completed. The sc_cp_list that the expired copy state was inserted on was already freed. When COPY completes, the Linux client normally sends LOCKU(lock_state x), FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server. The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state from the s2s_cp_stateids list before freeing the lock state's stid. However, sometimes the CLOSE was sent before the FREE_STATEID request. When this happens, the nfsd4_close_open_stateid call from nfsd4_close frees all lock states on its st_locks list without cleaning up the copy state on the sc_cp_list list. When the time the FREE_STATEID arrives the server returns BAD_STATEID since the lock state was freed. This causes the use-after-free error to occur when the laundromat tries to free the expired cpntf_state. This patch adds a call to nfs4_free_cpntf_statelist in nfsd4_close_open_stateid to clean up the copy state before calling free_ol_stateid_reaplist to free the lock state's stid on the reaplist. | ||||
| CVE-2023-53153 | 1 Linux | 1 Linux Kernel | 2025-11-25 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Fix use after free for wext Key information in wext.connect is not reset on (re)connect and can hold data from a previous connection. Reset key data to avoid that drivers or mac80211 incorrectly detect a WEP connection request and access the freed or already reused memory. Additionally optimize cfg80211_sme_connect() and avoid an useless schedule of conn_work. | ||||
| CVE-2022-50243 | 1 Linux | 1 Linux Kernel | 2025-11-24 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: sctp: handle the error returned from sctp_auth_asoc_init_active_key When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freeed while it's still used as active key in asoc. Then an use-after-free will be triggered when sending patckets, as found by syzbot: sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 This patch is to fix it by not replacing the sh_key when it returns errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). For sctp_auth_set_active_key(), old active_key_id will be set back to asoc->active_key_id when the same thing happens. | ||||
| CVE-2022-50245 | 1 Linux | 1 Linux Kernel | 2025-11-24 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: rapidio: fix possible UAF when kfifo_alloc() fails If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free priv. But priv is still in the chdev->file_list, then list traversal may cause UAF. This fixes the following smatch warning: drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list | ||||
| CVE-2025-38703 | 1 Linux | 1 Linux Kernel | 2025-11-24 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: drm/xe: Make dma-fences compliant with the safe access rules Xe can free some of the data pointed to by the dma-fences it exports. Most notably the timeline name can get freed if userspace closes the associated submit queue. At the same time the fence could have been exported to a third party (for example a sync_fence fd) which will then cause an use- after-free on subsequent access. To make this safe we need to make the driver compliant with the newly documented dma-fence rules. Driver has to ensure a RCU grace period between signalling a fence and freeing any data pointed to by said fence. For the timeline name we simply make the queue be freed via kfree_rcu and for the shared lock associated with multiple queues we add a RCU grace period before freeing the per GT structure holding the lock. | ||||
| CVE-2022-50240 | 1 Linux | 1 Linux Kernel | 2025-11-24 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: android: binder: stop saving a pointer to the VMA Do not record a pointer to a VMA outside of the mmap_lock for later use. This is unsafe and there are a number of failure paths *after* the recorded VMA pointer may be freed during setup. There is no callback to the driver to clear the saved pointer from generic mm code. Furthermore, the VMA pointer may become stale if any number of VMA operations end up freeing the VMA so saving it was fragile to being with. Instead, change the binder_alloc struct to record the start address of the VMA and use vma_lookup() to get the vma when needed. Add lockdep mmap_lock checks on updates to the vma pointer to ensure the lock is held and depend on that lock for synchronization of readers and writers - which was already the case anyways, so the smp_wmb()/smp_rmb() was not necessary. [[email protected]: fix drivers/android/binder_alloc_selftest.c] | ||||
| CVE-2025-59238 | 1 Microsoft | 10 365, 365 Apps, Office and 7 more | 2025-11-22 | 7.8 High |
| Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-59227 | 1 Microsoft | 12 365, 365 Apps, Office and 9 more | 2025-11-22 | 7.8 High |
| Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-59226 | 1 Microsoft | 6 365, 365 Apps, Office 2021 and 3 more | 2025-11-22 | 7.8 High |
| Use after free in Microsoft Office Visio allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-59225 | 1 Microsoft | 12 365, 365 Apps, Excel and 9 more | 2025-11-22 | 7.8 High |
| Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-59224 | 1 Microsoft | 13 365, 365 Apps, Excel and 10 more | 2025-11-22 | 7.8 High |
| Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-59223 | 1 Microsoft | 13 365, 365 Apps, Excel and 10 more | 2025-11-22 | 7.8 High |
| Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-59222 | 1 Microsoft | 15 365, 365 Apps, Office and 12 more | 2025-11-22 | 7.8 High |
| Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-59221 | 1 Microsoft | 15 365, 365 Apps, Office and 12 more | 2025-11-22 | 7 High |
| Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-59210 | 1 Microsoft | 8 Windows, Windows 11, Windows 11 24h2 and 5 more | 2025-11-22 | 7.4 High |
| Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | ||||
| CVE-2025-59189 | 1 Microsoft | 8 Windows, Windows 11, Windows 11 24h2 and 5 more | 2025-11-22 | 7.4 High |
| Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. | ||||
| CVE-2025-58738 | 1 Microsoft | 23 Windows, Windows 10, Windows 10 1507 and 20 more | 2025-11-22 | 7 High |
| Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-58737 | 1 Microsoft | 11 Remote Desktop, Windows, Windows Server and 8 more | 2025-11-22 | 7 High |
| Use after free in Windows Remote Desktop allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-58736 | 1 Microsoft | 30 Windows, Windows 10, Windows 10 1507 and 27 more | 2025-11-22 | 7 High |
| Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-58734 | 1 Microsoft | 24 Windows, Windows 10 1507, Windows 10 1607 and 21 more | 2025-11-22 | 7 High |
| Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | ||||