| CVE-2022-24834 |
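Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, resulting in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20. |
Important |
redis, redis:6, python-redis |
No |
Fixed |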
2023-07-12 |
2026-01-04 |
| CVE-2023-36824 |
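Redis is an in-memory database that persists on disk. In Redis 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios may lead to this: authenticated users executing a specially crafted COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS, and authenticated users who were set with ACL rules that match key names executing a specially crafted command that refers to a variadic list of key names. The vulnerability is fixed in Redis 7.0.12. |
Important |
redis |
No |
Fixed |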
2023-07-11 |
2026-01-04 |
| CVE-2023-3269 |
A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas (VMAs) is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers, and gain root privileges. |
Important |
kernel |
No |
Fixed |
2023-07-11 |
2025-12-05 |
| CVE-2023-3108 |
A flaw was found in the subsequent get_user_pages_fast in the Linux kernel’s interface for symmetric key cipher algorithms in the skcipher_recvmsg of crypto/algif_skcipher.c function. This flaw allows a local user to crash the system. |
Moderate |
kernel |
No |
Fixed |
2023-07-11 |
2026-01-07 |
| CVE-2023-29406 |
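The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. With the fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. |
Moderate |
grafana, golang-dbus, go-toolset:an8, container-tools:an8, golang |
Yes |
Fixed |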
2023-07-11 |
2025-12-11 |
| CVE-2023-32250 |
A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel. |
Important |
kernel |
No |
Fixed |
2023-07-10 |
2025-12-05 |
| CVE-2023-3567 |
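A use-after-free exists in vcs_read in drivers/tty/vt/vc_screen.c in the Linux kernel. In the very small time window after console_unlock, vc_data can be freed by actively calling vc_deallocate, after which the UAF is triggered in vcs_size. One possible fix is to call vcs_vc before each vcs_size call to try to obtain vc, and thereby check whether the pointer is valid. Affected versions: 2.6.38-rc3 <= version < 6.2-rc7, including 4.19 and 5.10. |
Moderate |
kernel |
Yes |
Fixed |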
2023-07-09 |
2026-01-22 |
| CVE-2023-37454 |
An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. |
Low |
kernel:4.19, kernel:6.6, kernel:5.10 |
No |
Fixed |
2023-07-06 |
2026-01-22 |
| CVE-2023-37453 |
An issue was discovered in the USB subsystem in the Linux kernel through 6.4.2. There is an out-of-bounds and crash in read_descriptors in drivers/usb/core/sysfs.c. |
Moderate |
kernel |
No |
Fixed |
2023-07-06 |
2026-01-07 |
| CVE-2023-35001 |
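In the nft_byteorder_eval function of the Linux kernel's nf_tables component, because of the use of a union, when priv->size is 2 the index is computed on a 16-bit basis (the length is obtained by dividing by 2 bytes), but because the union combines 32-bit and 16-bit members, each actual access advances by 32 bits and eventually goes out of bounds. Affected versions: 3.13-rc1 < version, including 4.19 and 5.10. |
Important |
kernel |
No |
Fixed |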
2023-07-04 |
2025-12-05 |
| CVE-2023-31248 |
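The nft_chain_lookup_byid function ignores the genmask variable and does not check whether the chain has already been deleted. The fix is fairly simple: when looking up a chain by id, add a check for whether the chain has been deleted. It can be used for privilege escalation and a public exploit already exists. Affected versions: 5.9-rc1 <= version, including 5.10. The fix has not yet been committed to the mainline branch; it is in the reference links. |
Important |
kernel |
No |
Fixed |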
2023-07-04 |
2025-12-05 |
| CVE-2023-1295 |
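A time-of-check to time-of-use vulnerability exists in io_uring in the Linux kernel and can lead to privilege escalation. Because io_close is split into two parts, the process is not atomic and can be tampered with in between; locking is required. Affected versions: 5.6-rc1 < version < 6.0-rc1. Judging from the code, our 4.19 and 5.10 both introduced part of the vulnerable code but not all of it, so there is a potential risk; therefore this vulnerability is not handled as an emergency. |
Moderate |
kernel:6.6, kernel:4.19, kernel:5.10 |
No |
Fixed |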
2023-07-04 |
2026-01-07 |
| CVE-2023-36053 |
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. |
Important |
python-django |
No |
Fixed |
2023-07-03 |
2026-01-04 |
| CVE-2023-29405 |
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. |
Important |
golang, go-toolset:an8 |
Yes |
Fixed |
2023-07-01 |
2025-12-11 |
| CVE-2023-29404 |
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers. |
Important |
golang, go-toolset:an8 |
Yes |
Fixed |
2023-07-01 |
2025-12-11 |
| CVE-2023-29403 |
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. |
Important |
golang, go-toolset:an8 |
Yes |
Fixed |
2023-07-01 |
2025-12-11 |
| CVE-2023-29402 |
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). |
Moderate |
golang, go-toolset:an8 |
Yes |
Fixed |
2023-07-01 |
2025-12-11 |
| CVE-2022-4285 |
An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599. |
Moderate |
gcc-toolset-12-binutils, binutils |
No |
Fixed |
2023-07-01 |
2025-12-11 |
| CVE-2022-37032 |
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c. |
Important |
frr |
No |
Fixed |
2023-07-01 |
2026-01-07 |
| CVE-2022-36227 |
In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution." |
Moderate |
libarchive |
No |
Fixed |
2023-07-01 |
2026-01-22 |
| CVE-2022-3204 |
A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records. |
Important |
unbound |
No |
Fixed |
2023-07-01 |
2026-01-06 |
| CVE-2022-2879 |
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. |
Moderate |
cockpit-composer, osbuild, container-tools:an8, osbuild-composer, golang |
Yes |
Fixed |
2023-07-01 |
2025-12-11 |
| CVE-2021-46829 |
GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems. |
Important |
gdk-pixbuf2 |
No |
Fixed |
2023-07-01 |
2026-01-07 |
| CVE-2023-30586 |
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. |
Important |
noslate-anode, nodejs |
No |
Fixed |
2023-06-30 |
2026-01-05 |
| CVE-2023-2861 |
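A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder. |
Moderate |
qemu-kvm, qemu |
No |
Fixed |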
2023-06-29 |
2025-12-19 |
| CVE-2022-48503 |
A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution. |
Important |
webkitgtk, webkit2gtk3 |
No |
Fixed |
2023-06-29 |
2026-01-04 |
| CVE-2023-3439 |
A flaw was found in the MCTP protocol in the Linux kernel. The function mctp_unregister() reclaims the device's relevant resource when a netcard detaches. However, a running routine may be unaware of this and cause the use-after-free of the mdev->addrs object, potentially leading to a denial of service. |
Moderate |
kernel |
No |
Fixed |
2023-06-28 |
2026-01-06 |
| CVE-2023-3390 |
A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. |
Moderate |
kernel, kernel(RHCK)4.18, kernel:4.18, kernel:6.6, kernel:4.19, kernel:5.10 |
No |
Fixed |
2023-06-28 |
2026-01-07 |
| CVE-2023-3389 |
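A use-after-free vulnerability in the Linux kernel io_uring subsystem can be exploited to achieve local privilege escalation. Racing an io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer. We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable). |
Moderate |
kernel |
No |
Fixed |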
2023-06-28 |
2026-01-07 |
| CVE-2023-3359 |
An issue was discovered in the Linux kernel in brcm_nvram_parse in drivers/nvmem/brcm_nvram.c. The lack of a check of the return value of kzalloc() can cause a NULL pointer dereference. |
Moderate |
kernel |
No |
Fixed |
2023-06-28 |
2026-01-07 |
| CVE-2023-3357 |
A NULL pointer dereference flaw was found in the Linux kernel AMD Sensor Fusion Hub driver. This flaw allows a local user to crash the system. |
Low |
kernel |
Yes |
Fixed |
2023-06-28 |
2026-01-23 |
| CVE-2023-3355 |
A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system. |
Low |
kernel |
Yes |
Fixed |
2023-06-28 |
2026-01-23 |
| CVE-2023-3117 |
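In the Netfilter subsystem of the Linux kernel, when a new rule that points to an anonymous set is added, nf_tables_rule_release is executed incorrectly, so the released pointer remains in the transaction list and a UAF is triggered when it is accessed. It should first be set to NFT_TRANS_PREPARE and then destroyed. The CAP_NET_ADMIN capability is required to trigger it, and privilege escalation is potentially possible. Affected versions: 3.16-rc1 <= version < 6.4-rc7, including 4.19 and 5.10. |
Important |
kernel |
No |
Fixed |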
2023-06-28 |
2025-12-05 |
| CVE-2023-3090 |
A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e. |
Important |
kernel |
No |
Fixed |
2023-06-28 |
2025-12-05 |
| CVE-2022-37454 |
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. |
Important |
php, php:7.4 |
No |
Fixed |
2023-06-28 |
2026-01-04 |
| CVE-2023-2860 |
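An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information about affected installations of the Linux kernel. |
Moderate |
kernel |
No |
Fixed |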
2023-06-27 |
2026-01-07 |
| CVE-2023-3863 |
A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue. |
Moderate |
kernel |
No |
Fixed |
2023-06-25 |
2026-01-07 |
| CVE-2015-20109 |
end_pattern (called from internal_fnmatch) in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash), as demonstrated by use of the fnmatch library function with the **(!() pattern. NOTE: this is not the same as CVE-2015-8984; also, some Linux distributions have fixed CVE-2015-8984 but have not fixed this additional fnmatch issue. |
Moderate |
glibc |
No |
Fixed |
2023-06-25 |
2025-12-11 |
| CVE-2023-1206 |
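A hash collision flaw was found in the IPv6 connection lookup table in the IPv6 functionality of the Linux kernel when a user mounts a new kind of SYN flood attack. A user located in the local network or with a high-bandwidth connection can increase the CPU usage of a server that accepts IPv6 connections up to 95%. |
Moderate |
kernel |
No |
Fixed |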
2023-06-24 |
2026-01-07 |
| CVE-2023-3317 |
A use-after-free flaw was found in mt7921_check_offload_capability in drivers/net/wireless/mediatek/mt76/mt7921/init.c in wifi mt76/mt7921 sub-component in the Linux Kernel. This flaw could allow an attacker to crash the system after 'features' memory release. This vulnerability could even lead to a kernel information leak problem. |
Low |
kernel |
Yes |
Fixed |
2023-06-23 |
2026-01-23 |
| CVE-2023-32409 |
The issue was addressed with improved bounds checks. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.8 and iPadOS 15.7.8, Safari 16.5, iOS 16.5 and iPadOS 16.5. A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited. |
Important |
webkitgtk |
No |
Fixed |
2023-06-23 |
2025-12-29 |
| CVE-2023-3212 |
A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic. |
Moderate |
kernel, kernel:4.18, kernel:6.6, kernel:4.19, kernel:5.10 |
No |
Fixed |
2023-06-23 |
2026-01-07 |
| CVE-2022-24836 |
Nokogiri is an open-source XML and HTML library for Ruby. Nokogiri`=1.13.4`. There are no known workarounds for this issue. |
Important |
nokogiri |
No |
Fixed |
2023-06-23 |
2026-01-05 |
| CVE-2023-35788 |
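An out-of-bounds write vulnerability exists in the Linux cls_flower module and can lead to privilege escalation. A PoC is public; there is no exploit yet. It can be mitigated by adding the cls_flower kernel module to the blacklist to prevent it from being loaded; for the specific procedure see https://access.redhat.com/solutions/41278 or search for it yourself. Affected versions: 4.19-rc1 <= version < 6.4-rc5, including 4.19 and 5.10. |
Important |
kernel |
No |
Fixed |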
2023-06-22 |
2025-12-05 |
| CVE-2023-3128 |
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. |
Moderate |
grafana |
No |
Fixed |
2023-06-22 |
2026-01-22 |
| CVE-2023-34241 |
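OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service after the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version 2.4.6 has a patch for this issue. |
Important |
cups |
No |
Fixed |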
2023-06-21 |
2026-01-06 |
| CVE-2023-3358 |
A NULL pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system. |
Moderate |
kernel:4.19, kernel:6.6, kernel, kernel:5.10 |
No |
Fixed |
2023-06-21 |
2026-01-07 |
| CVE-2023-2911 |
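If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1. |
Important |
bind, bind-dyndb-ldap |
No |
Fixed |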
2023-06-21 |
2026-01-06 |
| CVE-2023-2829 |
A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1. |
Important |
bind |
No |
Fixed |
2023-06-21 |
2026-01-06 |
| CVE-2023-26115 |
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable. |
Important |
grafana, pcs |
No |
Fixed |
2023-06-21 |
2026-01-04 |
| CVE-2022-23837 |
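In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users. |
Important |
sidekiq |
No |
Fixed |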
2023-06-21 |
2026-01-04 |
| CVE-2023-34981 |
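A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request, leading to an information leak. |
Important |
tomcat |
No |
Fixed |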
2023-06-20 |
2026-01-04 |
| CVE-2023-3220 |
An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks a check of the return value of kzalloc(), which will cause a NULL pointer dereference. |
Moderate |
kernel:4.19, kernel:6.6, kernel, kernel:5.10 |
No |
Fixed |
2023-06-20 |
2026-01-06 |
| CVE-2023-30587 |
A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). References: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases |
Important |
noslate-anode, nodejs, nodejs:20 |
No |
Fixed |
2023-06-20 |
2026-01-05 |
| CVE-2023-30584 |
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. References: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases |
Important |
noslate-anode, nodejs, nodejs:20 |
No |
Fixed |
2023-06-20 |
2026-01-05 |
| CVE-2022-31212 |
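An issue was discovered in dbus-broker before 31. It depends on c-util/c-shquote to parse the DBus service's Exec line. c-shquote contains a stack-based buffer over-read if a malicious Exec line is supplied. |
Important |
dbus-broker |
No |
Fixed |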
2023-06-20 |
2026-01-06 |
| CVE-2023-35825 |
A UAF exists in the Linux kernel caused by a worker not being cleaned up before device removal. Affected versions: 2.6.39-rc1 <= version < 6.4-rc1. |
Moderate |
kernel |
No |
Fixed |
2023-06-19 |
2026-01-06 |
| CVE-2023-34417 |
Memory safety bugs present in Firefox 113. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 114. |
Important |
firefox |
No |
Fixed |
2023-06-19 |
2025-12-30 |
| CVE-2023-3312 |
A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in the cpufreq subsystem in the Linux Kernel. During device unbind, this flaw leads to a double release problem, resulting in denial of service. |
Low |
kernel |
Yes |
Fixed |
2023-06-19 |
2026-01-23 |
| CVE-2023-3022 |
A flaw was found in the IPv6 module of the Linux kernel. The arg.result was not used consistently in fib6_rule_lookup, sometimes holding rt6_info and other times fib6_info. This was not accounted for in other parts of the code where rt6_info was expected unconditionally, potentially leading to a kernel panic in fib6_rule_suppress. |
Moderate |
kernel:4.19, kernel:5.10 |
No |
Fixed |
2023-06-19 |
2026-01-06 |
| CVE-2023-29542 |
A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. |
Moderate |
firefox, thunderbird |
No |
Fixed |
2023-06-19 |
2026-01-24 |
| CVE-2023-29532 |
A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server. *Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. |
Moderate |
firefox, thunderbird |
No |
Fixed |
2023-06-19 |
2026-01-24 |
| CVE-2023-29531 |
An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable crash. *This bug only affects Firefox and Thunderbird for macOS. Other operating systems are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. |
Important |
firefox, thunderbird |
No |
Fixed |
2023-06-19 |
2025-12-30 |
| CVE-2022-31051 |
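semantic-release is an open source npm package for automating version management and package publishing. In affected versions, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from URI encoding by encodeURI. Occurrence is further limited to execution contexts where push access to the related repository is not available without modifying the repository URL to inject credentials. Users are advised to upgrade. Users unable to upgrade should ensure that secrets that do not contain characters that are excluded from encoding with encodeURI when included in a URL are already masked properly. |
Important |
cockpit-session-recording, cockpit, semantic-release, cockpit-appstream |
No |
Fixed |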
2023-06-19 |
2026-01-08 |
| CVE-2019-25136 |
A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and a sandbox escape. This vulnerability affects Firefox < 70. |
Moderate |
firefox |
No |
Fixed |
2023-06-19 |
2026-01-24 |
| CVE-2023-35829 |
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c. |
Moderate |
kernel |
No |
Fixed |
2023-06-18 |
2026-01-06 |
| CVE-2023-35828 |
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c. |
Moderate |
kernel |
No |
Fixed |
2023-06-18 |
2026-01-06 |
| CVE-2023-35827 |
An issue was discovered in the Linux kernel as of 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c. |
Moderate |
kernel |
No |
Fixed |
2023-06-18 |
2026-01-06 |
| CVE-2023-35826 |
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in cedrus_remove in drivers/staging/media/sunxi/cedrus/cedrus.c. |
Moderate |
kernel |
No |
Fixed |
2023-06-18 |
2026-01-06 |
| CVE-2023-3316 |
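A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (a non-existent path or a path that requires permissions, such as /dev/null) while specifying zones. |
Moderate |
libtiff |
No |
Fixed |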
2023-06-18 |
2026-01-22 |
| CVE-2023-35790 |
An issue was discovered in dec_patch_dictionary.cc in libjxl before 0.8.2. An integer underflow in patch decoding can lead to a denial of service, such as an infinite loop. |
Moderate |
firefox |
No |
Fixed |
2023-06-16 |
2026-01-24 |
| CVE-2023-3268 |
An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information. |
Important |
kernel, kernel:4.18, kernel:6.6, kernel:4.19, kernel:5.10 |
Yes |
Fixed |
2023-06-16 |
2025-12-05 |
| CVE-2023-32067 |
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. |
Important |
nodejs:18, nodejs:16, c-ares |
No |
Fixed |
2023-06-16 |
2026-01-10 |
| CVE-2023-34623 |
An issue discovered in jtidy through r938 allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. |
Important |
jtidy |
No |
Fixed |
2023-06-14 |
2025-12-13 |
| CVE-2023-2976 |
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. |
Moderate |
guava |
No |
Fixed |
2023-06-14 |
2026-01-22 |
| CVE-2023-32032 |
.NET and Visual Studio Elevation of Privilege Vulnerability |
Important |
dotnet, dotnet7.0 |
No |
Fixed |
2023-06-13 |
2025-12-05 |
| CVE-2023-3161 |
A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service. |
Moderate |
kernel |
No |
Fixed |
2023-06-12 |
2026-01-06 |
| CVE-2023-3159 |
A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails. |
Moderate |
kernel:4.19, kernel, kernel:5.10 |
No |
Fixed |
2023-06-12 |
2026-01-06 |
| CVE-2020-36732 |
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary. |
Moderate |
dotnet |
No |
Fixed |
2023-06-11 |
2025-12-05 |
| CVE-2023-3141 |
A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak. |
Moderate |
kernel:4.19, kernel:6.6, kernel, kernel:5.10 |
No |
Fixed |
2023-06-09 |
2026-01-06 |
| CVE-2023-24805 |
cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user controlled, unsanitized values. As a result an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. This issue has been addressed in commit `8f2740357` and is expected to be bundled in the next release. Users are advised to upgrade when possible and to restrict access to network printers in the meantime. |
Important |
cups-filters |
No |
Fixed |
2023-06-09 |
2026-01-04 |
| CVE-2023-2454 |
schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code. |
Important |
postgresql:12, libpq, postgresql:15, postgresql:13, postgresql, postgresql:10 |
No |
Fixed |
2023-06-09 |
2026-01-04 |
| CVE-2023-32373 |
A use after free vulnerability was found in the webkitgtk package. Processing maliciously crafted web content may lead to arbitrary code execution. |
Important |
webkitgtk, webkit2gtk3 |
No |
Fixed |
2023-06-07 |
2026-01-04 |
| CVE-2023-2801 |
Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources using mixed queries. However, such a query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix. |
Moderate |
grafana |
No |
Fixed |
2023-06-06 |
2026-01-22 |
| CVE-2023-2183 |
Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API, as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, preparing a phishing attack or blocking the SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix. |
Moderate |
grafana |
No |
Fixed |
2023-06-06 |
2026-01-22 |
| CVE-2023-20716 |
In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796883; Issue ID: ALPS07796883. |
Moderate |
kernel |
No |
Fixed |
2023-06-06 |
2026-01-06 |
| CVE-2023-20715 |
In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796900; Issue ID: ALPS07796900. |
Moderate |
kernel |
No |
Fixed |
2023-06-06 |
2026-01-06 |
| CVE-2023-20712 |
In wlan, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07796914; Issue ID: ALPS07796914. |
Moderate |
kernel |
No |
Fixed |
2023-06-06 |
2026-01-06 |
| CVE-2023-3111 |
A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag(). |
Low |
kernel |
Yes |
Fixed |
2023-06-05 |
2026-01-23 |
| CVE-2022-41715 |
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. |
Important |
grafana, cockpit-composer, golang-dbus, osbuild, container-tools:an8, osbuild-composer, git-lfs, golang |
Yes |
Fixed |
2023-06-01 |
2025-12-10 |
| CVE-2022-40023 |
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin. |
Important |
python-mako |
No |
Fixed |
2023-06-01 |
2026-01-09 |
| CVE-2022-2929 |
In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory. |
Moderate |
dhcp |
No |
Fixed |
2023-06-01 |
2026-01-22 |
| CVE-2022-2928 |
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort. |
Moderate |
dhcp |
No |
Fixed |
2023-06-01 |
2026-01-22 |
| CVE-2022-2880 |
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. |
Important |
grafana, cockpit-composer, golang-dbus, osbuild, container-tools:an8, osbuild-composer, git-lfs, golang |
Yes |
Fixed |
2023-06-01 |
2025-12-11 |
| CVE-2023-34256 |
** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated "When modifying the block device while it is mounted by the filesystem" access. |
Moderate |
kernel:4.19, kernel:6.6, kernel, kernel:5.10 |
No |
Fixed |
2023-05-31 |
2026-01-06 |