Todo Lists

buffer overflow in sprintf(3) due to a regression where after the refactor the...

pre-authentication double-free in unpriviledged sandboxed client process when the...

Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device...

the return code of of tcf_classify is insufficiently validated before interpreting part of...

cbq_classify in net/sched/sch_cbq.c allows attackers to cause a denial of service...

memory corruption with IPV6_CHECKSUM socket option

use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the...

heap-overflow in set_ntacl_dacl() when setting a malformed file attribute under the label...

memory leak in smb2_handle_negotiate() under error conditions

smb2_write() and smb2_write_pipe do not avlidate the length when no padding is used

use-after-free in smb2_tree_disconnect) when a danging pointer is accessed in compound requests

out of bound read in smb2_tree_connnect

null pointer dereference in net/sched/sch_api.c

send buffer overflow in NFSv2 READDIR

use-after-free in in gadgetfs driver when concurrently mounting and unmounting the gadgetfs...

integer type confusion in get_proc_long

userspace can cause kernel memory corruption in drivers/usb/mon/mon_bin.c

A message in non-native endianness with out-of-band Unix file descriptors would cause a...

An invalid array of fixed-length elements where the length of the array is not a multiple...

A syntactically invalid type signature with incorrectly nested parentheses and curly...

use-after-free in ufx_ops_open() due to race condition with ufx_usb_disconnect() when...

use-after-free when dvb_demux_open() is called between the two syncs of dvbdev->users and...

I pxa3xx_gcu_write defined in  drivers/video/fbdev/pxa3xx-gcu.c, a count parameter of type...

nfqnl_mangle in net/netfilter/nfnetlink_queue.c allows remote attackers to cause a denial...

double xfrm_pols_put() in xfrm_bundle_lookup()

use-after-free in nilfs_new_inode in fs/nilfs2/inode.c

memory leak when nilfs_attach_log_writer() fails to create a log writer thread

potential use-after-free in sch_sfb enqueue()

use-after-free in nfp6000_area_init in drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c

memory leaks in net/unix/af_unix.c

mat2 before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process....

use after free in spl2sw_nvmem_get_mac_address

memory leak in ipv6_renew_options() when one thread is converting an IPv6 socket into IPv4...

double-free in rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c

Samba AD users can crash the server process with an LDAP add or modify request.

tcp clients could be fingerprinted due to insufficient randomness when selecting the source port

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin...

If array shift operations are not used, the Garbage Collector may have become confused...

Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an...

An attacker could have exploited a timing attack by sending a large number of...

links using that scheme could be constructed to call internal macros with arbitrary...

programs inside a container can cause the containerd daemon to consume memory without bound...

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array...

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in...

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate in...

A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value in NTFS-3G...

The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the...

Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread()...

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts...

race-condition with xfrm_probe_algs() in net/key/af_key.c

Integer overflow in xmlBuf (buf.c) and xmlBuffer (tree.c) can lead to out-of-bounds memory...

In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails,...

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls...

double free related to rtrs_clt_dev_release in drivers/infiniband/ulp/rtrs/rtrs-clt.c

out-of-bounds read in string-to-float conversion

double-free in Regexp compilation

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data...

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read...

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended...

usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1...

Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla...

In unusual circumstances, selecting text could cause text selection caching to behave...

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was...

SVG's <use> element could have been used to load unexpected content that could have...

The sourceMapURL feature in devtools was missing security checks that would have allowed a...

By using a link with rel="localization" a use-after-free could have been triggered by...

An issue was discovered in Mediawiki through 1.37.1. The check for the override-antispoof...

An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the...

An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a...

Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several...

Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally...

A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows...

A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and...

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission...

tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in...

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c

tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c

ZAP proxy does not verify the certificate chain of the HTTPS servers it connects to

libcurl would reuse a previously created connection even when a TLS or SSH related option...

libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to...

The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding...

libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if the host name...

If curl adds a number to not "clobber" the output and an error occurs during transfer, the...

A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c...

In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint...

An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows...

drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket...

st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel...

When installing an add-on, Thunderbird verified the signature before prompting the user;...

Previously Thunderbird for macOS and Linux would download temporary files to a...

If an attacker could control the contents of an iframe sandboxed with allow-popups but not...

When resizing a popup after requesting fullscreen access, the popup would not display the...

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in...

Unauthorized users can filter issues by contact and organization

RNDIS USB gadget in drivers/usb/gadget/function/rndis.c lacks validation of the size of the...

GitLab was returning contributor emails due to improper data handling in the Datadog integration

A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the...

A heap-based buffer overflow flaw was found in the Fribidi package and affects the...

Membership changes are not reflected in TODO for confidential notes, allowing a former...

stored XSS in job error messages allows attackers to perform arbitrary actions on behalf of...

A malicious maintainer could exfiltrate an integration's access token by modifying the...

An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in...

drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.

freerpd servers using authentication against a SAM file with an invalid path configured...

Puma behind a proxy that does not properly validate that the incoming HTTP request matches...

waitress behind a proxy that does not properly validate the incoming HTTP request matches...

The rust regex crate did not properly prevent crafted regular expressions from taking an...

It may be possible for malicious group or project maintainers to change their corresponding...

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames...

gitlab allows an authenticated and authorised user to import a project that includes branch...

While looking up path-based authorization rules, mod_dav_svn servers may attempt to use...

A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc.

containers launched through containerd’s CRI implementation with a specially-crafted image...

puma may not always call close on the response body. Rails, prior to version 7.0.2.2,...

Use-after-free of ID and IDREF attributes in valid.c

It may be possible to gain access to a private project through an email invite by using...

gitlab allows a malicious Group Owner to retain a usable Group Access Token even after the...

It may be possible for group members to bypass 2FA enforcement enabled at the group level...

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such...

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization...

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path

A logic issue was addressed with improved state management. A malicious website may cause...

NULL pointer dereference in kvm_irq_delivery_to_apic_fast() could cause the the host to crash

KGDB and KDB allow read and write access to kernel memory but were not restricted during lockdown

gitlab allows a malicious authenticated user to view a public project's Deploy Key's public...

possible double-free vulnerability in the OLE2 file parser

possible NULL-pointer dereference crash in the scan verdict cache check

possible multi-byte heap buffer overflow write vulnerability in the signature database load module

a sleep called in an atomic context could cause kernel panic during nfc firmware download

An attacker could have caused an uninitialized variable on the stack to be mistakenly...

Heap buffer overflow in DevTools

Inappropriate implementation in PDF

Insufficient policy enforcement in Safe Browsing

Insufficient policy enforcement in COOP

Insufficient policy enforcement in Extensions API

Insufficient policy enforcement in File System API

Use after free in App Service

Type Confusion in V8

Inappropriate implementation in Extensions API

Insufficient validation of untrusted input in Data Transfer

Use after free in Tablet Mode

Use after free in Bookmarks

Use after free in WebApp Installs

Use after free in Tab Groups

Inappropriate implementation in Extensions

possible use-after-free due to race condition when simulating NFC device from user space

A concurrency use-after-free was found in the Linux kernel.

Use after free in Web UI Diagnostics.

Use after free in Sharing.

Use after free in ANGLE.

Heap buffer overflow in V8 Internationalization.

Inappropriate implementation in Web Contents.

Use after free in Performance APIs.

Use after free in Permission Prompts.

Use after free in Browser UI.

Use after free in Sharesheet.

file.copy operations in GruntJS are vulnerable to a TOC-TOU race condition leading to...

A NULL pointer dereference flaw in the implementation of the X.25 set of standardized...

GitLab all versions starting from 13.9 before 14.8.6, all versions starting from 14.9...

a local user can use a race condition in `drivers/tty/tty_buffers.c` to cause a memory leak...

GitLab all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before...

Missing invalidation of Markdown caching causes potential payloads from a previously...

GitLab all versions starting from 12.10 before 14.8.6, all versions starting from 14.9...

GitLab all versions before 14.8.6, all versions starting from 14.9 before 14.9.4, all...

GitLab from 12.6 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions...

Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions...

Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before...

Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all...

Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before...

Improper input validation in GitLab CE/EE affecting all versions from 8.12 prior to 14.8.6,...

A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux...

Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all...

Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before...

The c_rehash script does not properly sanitise shell metacharacters to prevent command...

There are NPD and use-after-free vulnerabilities in net/ax25/ax25_timer.c of linux that...

There are use-after-free vulnerabilities in net/ax25/af_ax25.c of linux that allow attacker...

There are null-ptr-deref vulnerability and use-after-free vulnerabilities in...

There are use-after-free vulnerabilities in drivers/net/hamradio/6pack.c of linux that...

When importing a revoked key that specified key compromise as the revocation reason,...

After a VR Process is destroyed, a reference to it may have been retained and used, leading...

A use-after-free vulnerability was found in drivers/net/hamradio in the Linux kernel. In...

Null Pointer Dereference Caused Segmentation Fault in gpac prior to 2.1.0-DEV

Linux Kernel v5.2+: x86/kvm: cmpxchg_gpte can write to pfns outside the userspace region

An improper authorization issue has been discovered in GitLab CE/EE affecting all versions...

use after free in mrb_vm_exec in mruby prior to 3.2

It is a type confusion weakness in the Chrome V8 JavaScript engine. Google is aware that an...

race condition in snd_pcm_hw_free leading to use-after-free

CVE-2022-1016 pertains to uninitialized stack data in the nft_do_chain routine....

CVE-2022-1015 pertains to an out of bounds access in nf_tables expression evaluation due to...

A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls...

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory...

A NULL pointer dereference was found in the Linux kernel’s UDF file system functionality in...

A kernel information leak flaw was identified in the scsi_ioctl function in...

file.copy operations in GruntJS are not protected against symlink traversal for both source...

NULL pointer dereference in load_buffer

In the QEMU virtio-fs shared file system daemon (virtiofsd) a local guest user can create...

A denial of service (DOS) issue was found in the Linux kernel’s smb2_ioctl_query_info...

heap buffer overflow when composing or clearing frames in GIF files

Buffer Overflow via /libr/core/anal_objc.c mach-o parser

NULL Pointer Dereference via libr/bin/p/bin_symbols.c binary symbol parser

In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not...

In the QXL display device emulation in QEMU. A double fetch of guest controlled values...

An unprivileged write to the file handler flaw in the Linux kernel's control groups and...

use-after-free in win_linetabsize()

An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker...

Using puma with a proxy which forwards LF characters as line endings could allow HTTP...

Subversion servers reveal 'copyfrom' paths that should be hidden according to configured...

An integer overflow in the cursor_alloc() function of the QXL display device emulation can...

In the QXL display device emulation in QEMU. A double fetch of guest controlled values...

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete...

In the QEMU virtio-fs shared file system daemon (virtiofsd) a local guest user can create...

A kernel information leak flaw was identified in the scsi_ioctl function in...

A NULL pointer dereference was found in the Linux kernel’s UDF file system functionality in...

A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls...

A vulnerability was found in PackageKit in the way some of the methods exposed by the...

A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user...

use after free in mrb_vm_exec in mruby prior to 3.2

Null Pointer Dereference Caused Segmentation Fault in gpac prior to 2.1.0-DEV

Format string vulnerability in evdev device handling

Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before...

The state file is used to prevent parallel executions of multiple instances of logrotate by...

a local user can use a race condition in `drivers/tty/tty_buffers.c` to cause a memory leak...

A concurrency use-after-free was found in the Linux kernel.

executing an illegal instruction in a kvm guest on an intel cpu causes a null pointer dereference

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization...

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such...

A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc.

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames...

A flaw was found in the Linux kernel. When an application tries to open a directory (using...

A flaw was found in rsyslog's reception TCP modules. This flaw allows an attacker to craft...

drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.

An issue was discovered in the Linux kernel before 5.16.5. There is a memory leak in...

NULL pointer dereference in the kernel's USB gadget subsystem allows a local user to crash...

A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an...

A heap-based buffer overflow flaw was found in the Fribidi package and affects the...

A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the...

RNDIS USB gadget in drivers/usb/gadget/function/rndis.c lacks validation of the size of the...

the fix for CVE-2021-3748 forgot to unmap the cached virtqueue elements on error, leading...

In case of error in the vhost-vsock device, an invalid element was not detached from the...

CUPS requires users to demonstrate root/admin level access to perform various printer...

drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket...

An issue was discovered in the Linux kernel before 5.16.12. drivers/net/usb/sr9700.c allows...

In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint...

ZAP proxy does not verify the certificate chain of the HTTPS servers it connects to

tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c

tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in...

tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c

double free related to rtrs_clt_dev_release in drivers/infiniband/ulp/rtrs/rtrs-clt.c

Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local...

The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the...