CVE-2025-21728

Thu, 27/02/2025 – 02:15

CVSS 2.0 severity
Pending analysis

Description (en)
In the Linux kernel, the following vulnerability has been resolved:

bpf: Send signals asynchronously if !preemptible

BPF programs can execute in all kinds of contexts and when a program
running in a non-preemptible context uses the bpf_send_signal() kfunc,
it will cause issues because this kfunc can sleep.
Change `irqs_disabled()` to `!preemptible()`.
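Added example in C, not kernel code: it models the predicate changed by this fix. bpf_send_signal() must defer through irq_work instead of sleeping whenever the caller is not preemptible, and the kernel's preemptible() is (preempt_count() == 0 && !irqs_disabled()), so a check on irqs_disabled() alone misses the case where a spinlock is held with interrupts still enabled. The struct, the constructed contexts and the function names are this example's own stand-ins for the per-CPU state.

```c
/*
 * Added example, not kernel code. Models the check in the fix for
 * CVE-2025-21728: the old predicate (irqs_disabled) versus the new one
 * (!preemptible). struct cpu_ctx is a stand-in for the per-CPU state.
 */
#include <stdbool.h>
#include <stdio.h>

struct cpu_ctx {
    unsigned int preempt_count; /* non-zero while preemption is disabled */
    bool irqs_disabled;         /* local interrupts masked */
};

enum send_path { SEND_SYNC = 0, SEND_DEFERRED = 1 };

/* Same condition as the kernel's preemptible(). */
static bool ctx_preemptible(const struct cpu_ctx *c)
{
    return c->preempt_count == 0 && !c->irqs_disabled;
}

/* Before the fix: only interrupt-disabled contexts were deferred. */
enum send_path choose_path_old(const struct cpu_ctx *c)
{
    return c->irqs_disabled ? SEND_DEFERRED : SEND_SYNC;
}

/* After the fix: any context that must not sleep is deferred. */
enum send_path choose_path_new(const struct cpu_ctx *c)
{
    return !ctx_preemptible(c) ? SEND_DEFERRED : SEND_SYNC;
}

/* True when the predicate takes the sleeping path from a context that may not sleep. */
bool sleeps_illegally(enum send_path (*choose)(const struct cpu_ctx *),
                      const struct cpu_ctx *c)
{
    return choose(c) == SEND_SYNC && !ctx_preemptible(c);
}

/* Constructed contexts a BPF program can be attached in. */
const struct cpu_ctx CTX_TASK       = { 0, false }; /* plain process context */
const struct cpu_ctx CTX_SPINLOCKED = { 1, false }; /* spinlock held: preemption off, irqs on */
const struct cpu_ctx CTX_HARDIRQ    = { 1, true  }; /* interrupt handler */

int main(void)
{
    const struct cpu_ctx *ctxs[] = { &CTX_TASK, &CTX_SPINLOCKED, &CTX_HARDIRQ };
    const char *names[] = { "task", "spinlocked", "hardirq" };

    for (int i = 0; i < 3; i++)
        printf("%-10s old:%s new:%s\n", names[i],
               sleeps_illegally(choose_path_old, ctxs[i]) ? "BUG" : "ok",
               sleeps_illegally(choose_path_new, ctxs[i]) ? "BUG" : "ok");
    return 0;
}
```

The spinlocked row is the case the old check let through: interrupts are enabled, so irqs_disabled() is false, yet the kfunc would sleep with preemption off.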

27/02/2025

27/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://git.kernel.org/stable/c/092fc76b7ab4163e008f9cde596a58dad2108260

  • https://git.kernel.org/stable/c/78b97783496b454435639937db3303e900a24d3f

  • https://git.kernel.org/stable/c/87c544108b612512b254c8f79aa5c0a8546e2cc4

  • https://git.kernel.org/stable/c/be42a09fe898635b0093c0c8dac1bfabe225c240

  • https://git.kernel.org/stable/c/eeef8e65041a031bd8a747a392c14b76a123a12c

CVE-2025-21727

Thu, 27/02/2025 – 02:15

CVSS 2.0 severity
Pending analysis

Description (en)
In the Linux kernel, the following vulnerability has been resolved:

padata: fix UAF in padata_reorder

A bug was found when running the ltp test:

BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206

CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
 dump_stack_lvl+0x32/0x50
 print_address_description.constprop.0+0x6b/0x3d0
 print_report+0xdd/0x2c0
 kasan_report+0xa5/0xd0
 padata_find_next+0x29/0x1a0
 padata_reorder+0x131/0x220
 padata_parallel_worker+0x3d/0xc0
 process_one_work+0x2ec/0x5a0

If 'mdelay(10)' is added before calling 'padata_find_next' in the
'padata_reorder' function, this issue could be reproduced easily with the
ltp test (pcrypt_aead01).

This can be explained as below:

pcrypt_aead_encrypt

padata_do_parallel
  refcount_inc(&pd->refcnt); // add refcnt

padata_do_serial
  padata_reorder // pd
    while (1) {
      padata_find_next(pd, true); // using pd
      queue_work_on

      padata_serial_worker                  crypto_del_alg
        padata_put_pd_cnt // sub refcnt
                                              padata_free_shell
                                                padata_put_pd(ps->pd);
                                                  // pd is freed
      // loop again, but pd is freed
      // call padata_find_next, UAF
    }

In the padata_reorder function, when it loops in 'while', if the alg is
deleted, the refcnt may be decreased to 0 before entering
'padata_find_next', which leads to UAF.

As mentioned in [1], do_serial is supposed to be called with BHs disabled
and always happen under RCU protection; to address this issue, add
synchronize_rcu() in 'padata_free_shell' to wait for all _do_serial calls
to finish.

[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/
[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/

27/02/2025

27/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd

  • https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738

  • https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781

  • https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de

  • https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668

CVE-2025-21725

Thu, 27/02/2025 – 02:15

CVSS 2.0 severity
Pending analysis

Description (en)
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix oops due to unset link speed

It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always
be set by the server, so the client must handle any values and then
prevent oopses like below from happening:

Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48
89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8
e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 f7 74 24 18 48 89
c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24
RSP: 0018:ffffc90001817be0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99
RDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228
RBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac
R10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200
R13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58
FS: 00007fe27119e740(0000) GS:ffff888148600000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 ? __die_body.cold+0x19/0x27
 ? die+0x2e/0x50
 ? do_trap+0x159/0x1b0
 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
 ? do_error_trap+0x90/0x130
 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
 ? exc_divide_error+0x39/0x50
 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
 ? asm_exc_divide_error+0x1a/0x20
 ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs]
 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs]
 ? seq_read_iter+0x42e/0x790
 seq_read_iter+0x19a/0x790
 proc_reg_read_iter+0xbe/0x110
 ? __pfx_proc_reg_read_iter+0x10/0x10
 vfs_read+0x469/0x570
 ? do_user_addr_fault+0x398/0x760
 ? __pfx_vfs_read+0x10/0x10
 ? find_held_lock+0x8a/0xa0
 ? __pfx_lock_release+0x10/0x10
 ksys_read+0xd3/0x170
 ? __pfx_ksys_read+0x10/0x10
 ? __rcu_read_unlock+0x50/0x270
 ? mark_held_locks+0x1a/0x90
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe271288911
Code: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8
20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 3d
00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
RSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911
RDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003
RBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380
R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000
R13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000

Fix this by setting cifs_server_iface::speed to a sane value (1Gbps)
by default when link speed is unset.
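Added example in C, not the cifs client's code: it applies the same rule as this fix (a 1 Gbps fallback when the server leaves LinkSpeed unset) at the point where server-supplied interface records are parsed, and then performs the kind of per-interface division that produced the divide error above. The struct layout, the weight formula and the constructed sample records are this example's own simplification, not the kernel's data structures.

```c
/*
 * Added example, not kernel code. Sanitises LinkSpeed on ingest, as the fix
 * for CVE-2025-21725 does, so later arithmetic never divides by zero.
 * The structs and the weight formula are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEFAULT_LINK_SPEED 1000000000ULL  /* 1 Gbps, the fallback the fix uses */

/* Subset of NETWORK_INTERFACE_INFO as received from the server. */
struct net_iface_info {
    uint32_t if_index;
    uint64_t link_speed;  /* bits per second; 0 means the server did not set it */
};

/* Client-side record: speed is guaranteed non-zero after parsing. */
struct server_iface {
    uint32_t if_index;
    uint64_t speed;
};

uint64_t sanitize_speed(uint64_t reported)
{
    return reported ? reported : DEFAULT_LINK_SPEED;
}

/* Copy n records into the client-side list, applying the fallback. */
size_t parse_ifaces(const struct net_iface_info *in, size_t n,
                    struct server_iface *out)
{
    for (size_t i = 0; i < n; i++) {
        out[i].if_index = in[i].if_index;
        out[i].speed = sanitize_speed(in[i].link_speed);
    }
    return n;
}

/* Illustrative weight: this interface's speed relative to the slowest one.
   The divisor is a speed, so an unsanitised 0 here is exactly the divide error. */
uint64_t iface_weight(const struct server_iface *ifaces, size_t n, size_t idx)
{
    uint64_t min = ifaces[0].speed;
    for (size_t i = 1; i < n; i++)
        if (ifaces[i].speed < min)
            min = ifaces[i].speed;
    return ifaces[idx].speed / min;
}

/* Constructed sample: the second entry has LinkSpeed unset. */
static const struct net_iface_info SAMPLE[] = {
    { .if_index = 1, .link_speed = 10000000000ULL },
    { .if_index = 2, .link_speed = 0 },
    { .if_index = 3, .link_speed = 1000000000ULL },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Weight of one sample interface after sanitising. */
uint64_t sample_weight(size_t idx)
{
    struct server_iface ifaces[SAMPLE_N];
    parse_ifaces(SAMPLE, SAMPLE_N, ifaces);
    return iface_weight(ifaces, SAMPLE_N, idx);
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("if %u: weight %llu\n", SAMPLE[i].if_index,
               (unsigned long long)sample_weight(i));
    return 0;
}
```

The point is where the fallback lives: applied once at parse time, every later consumer (debug output, channel weighting) sees a non-zero speed, instead of each consumer having to remember to guard the division.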

27/02/2025

27/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://git.kernel.org/stable/c/208e102a2fca44e40a6c3f7b9e2609cfd17a15aa

  • https://git.kernel.org/stable/c/3f901c35e1a1b3ed1b528a17ffdb941aa0294458

  • https://git.kernel.org/stable/c/699179dfc8d7da457b152ca5d18ae45f9ed9beaa

  • https://git.kernel.org/stable/c/ad3b49fbdb156aa8ee2026ba590642c9b5a410f2

  • https://git.kernel.org/stable/c/be7a6a77669588bfa5022a470989702bbbb11e7f

CVE-2025-21726

Thu, 27/02/2025 – 02:15

CVSS 2.0 severity
Pending analysis

Description (en)
In the Linux kernel, the following vulnerability has been resolved:

padata: avoid UAF for reorder_work

Although the previous patch can avoid ps and ps UAF for _do_serial, it
cannot avoid a potential UAF issue for reorder_work. This issue can
happen just as below:

crypto_request                crypto_request             crypto_del_alg
padata_do_serial

  padata_reorder
    // processes all remaining
    // requests then breaks
    while (1) {
      if (!padata)
        break;

    }

                              padata_do_serial
                                // new request added
                                list_add
    // sees the new request
    queue_work(reorder_work)
                              padata_reorder
                                queue_work_on(squeue->work)

                              padata_serial_worker
                                // completes new request,
                                // no more outstanding
                                // requests

                                                         crypto_del_alg
                                                           // free pd

invoke_padata_reorder
  // UAF of pd

To avoid UAF for 'reorder_work', get a 'pd' ref before putting 'reorder_work'
into the 'serial_wq' and put the 'pd' ref once the 'serial_wq' work finishes.
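Added example in C, not kernel code, covering this entry and CVE-2025-21727 above: both are the same lifetime problem, 'pd' being released by crypto_del_alg while work that still dereferences it is in flight. The block replays the ordering in the diagram above in a single thread, once without and once with the reference that this fix takes at queue time. The refcount is a plain integer, pd_get/pd_put/queue_reorder_work are this example's own names, and "freeing" sets a flag rather than calling free() so that the use-after-free is observed instead of being undefined behaviour. The synchronize_rcu() used by the CVE-2025-21727 fix is not modelled.

```c
/*
 * Added example, not kernel code. Single-threaded replay of the
 * CVE-2025-21726 ordering: reorder_work is queued, crypto_del_alg drops the
 * shell's reference, then the queued work runs. With fixed=true the work
 * item holds its own reference across the queue/run window, as in the fix.
 */
#include <stdbool.h>
#include <stdio.h>

struct pd {
    int refcnt;      /* stands in for refcount_t */
    bool freed;      /* set instead of calling free(); any access afterwards is a UAF */
    int reorder_seq; /* some state reorder_work reads and updates */
};

/* One pending item on serial_wq. */
struct work {
    struct pd *pd;
    bool holds_ref;  /* true when a ref was taken at queue time (the fix) */
    bool pending;
};

static struct pd *pd_get(struct pd *pd) { pd->refcnt++; return pd; }
static void pd_free(struct pd *pd)      { pd->freed = true; }

static void pd_put(struct pd *pd)
{
    if (--pd->refcnt == 0)
        pd_free(pd);
}

/* padata_reorder sees a late request and queues reorder_work on serial_wq. */
static void queue_reorder_work(struct work *w, struct pd *pd, bool fixed)
{
    w->pd = fixed ? pd_get(pd) : pd;   /* the fix: take the ref here */
    w->holds_ref = fixed;
    w->pending = true;
}

/* invoke_padata_reorder running later. Returns true if pd was already freed. */
static bool run_reorder_work(struct work *w)
{
    bool uaf = w->pd->freed;           /* the read KASAN would report */
    if (!uaf)
        w->pd->reorder_seq++;
    if (w->holds_ref)
        pd_put(w->pd);                 /* matching put once the work is done */
    w->pending = false;
    return uaf;
}

/* Replay the race; returns 1 if reorder_work touched a freed pd, 0 otherwise. */
int replay_reorder_race(bool fixed)
{
    struct pd pd = { .refcnt = 1, .freed = false, .reorder_seq = 0 }; /* shell's ref */
    struct work reorder_work = { 0 };

    /* Another caller's padata_do_serial added a request; this padata_reorder
       sees it after its loop and queues reorder_work. */
    queue_reorder_work(&reorder_work, &pd, fixed);

    /* That caller's padata_reorder and padata_serial_worker complete the request
       themselves; nothing is outstanding, so crypto_del_alg frees pd. */
    pd_put(&pd);

    /* reorder_work was still queued and now runs. */
    return run_reorder_work(&reorder_work) ? 1 : 0;
}

int main(void)
{
    printf("without fix: %s\n", replay_reorder_race(false) ? "UAF" : "ok");
    printf("with fix:    %s\n", replay_reorder_race(true)  ? "UAF" : "ok");
    return 0;
}
```

The general rule the example shows: any deferred work that dereferences a refcounted object must own a reference from the moment it is queued until it has finished, because the queue itself keeps no reference and the last external put can land in the gap.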

27/02/2025

27/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc

  • https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2

  • https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac

  • https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0

  • https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600

CVE-2025-21724

Thu, 27/02/2025 – 02:15

CVSS 2.0 severity
Pending analysis

Description (en)
In the Linux kernel, the following vulnerability has been resolved:

iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()

Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index()
where shifting the constant "1" (of type int) by bitmap->mapped.pgshift
(an unsigned long value) could result in undefined behavior.

The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds
31 (e.g., pgshift = 63) the shift operation overflows, as the result
cannot be represented in a 32-bit type.

To resolve this, the constant is updated to "1UL", promoting it to an
unsigned long type to match the operand's type.
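Added example in C, not the iommufd code: the page-size and index computation with the constant promoted to 1UL as in this fix, plus the range check on the shift count that the fix itself does not add (1UL shifted by the width of unsigned long or more is still undefined). The function names, the sentinel return value and the assumption of a byte-granular bitmap (8 bits per bitmap element) are this example's own.

```c
/*
 * Added example, not kernel code. Shows the type promotion from the fix for
 * CVE-2025-21724 and adds a guard on the shift count. Names are this
 * example's own; BITMAP_ELEM_BITS = 8 is an assumption for illustration.
 */
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG     (sizeof(unsigned long) * CHAR_BIT)
#define BITMAP_ELEM_BITS  8UL   /* assumed: bitmap addressed per byte */

/* Page size for pgshift, or 0 if the shift would be out of range for unsigned long. */
unsigned long page_size_from_shift(unsigned long pgshift)
{
    if (pgshift >= BITS_PER_LONG)
        return 0;
    return 1UL << pgshift;   /* "1 << pgshift" is an int shift: UB once pgshift > 31 */
}

/* Index of the bitmap element covering iova, or ULONG_MAX when pgshift is invalid. */
unsigned long offset_to_index(unsigned long iova, unsigned long pgshift)
{
    unsigned long pgsize = page_size_from_shift(pgshift);

    if (!pgsize)
        return ULONG_MAX;
    return iova / (BITMAP_ELEM_BITS * pgsize);
}

int main(void)
{
    unsigned long shifts[] = { 12, 16, 40, 63, 64, 200 };

    for (int i = 0; i < 6; i++)
        printf("pgshift %3lu -> index %lu\n", shifts[i],
               offset_to_index(1UL << 20, shifts[i]));
    return 0;
}
```

UBSAN flags the int shift for pgshift > 31 and would equally flag 1UL << 64; the guard turns the second case into a checked error rather than relying on whatever the hardware does with an oversized shift count.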

27/02/2025

27/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://git.kernel.org/stable/c/38ac76fc06bc6826a3e4b12a98efbe98432380a9

  • https://git.kernel.org/stable/c/44d9c94b7a3f29a3e07c4753603a35e9b28842a3

  • https://git.kernel.org/stable/c/b1f8453b8ff1ab79a03820ef608256c499769cb6

  • https://git.kernel.org/stable/c/d5d33f01b86af44b23eea61ee309e4ef22c0cdfe

  • https://git.kernel.org/stable/c/e24c1551059268b37f6f40639883eafb281b8b9c

CVE-2024-50696

Wed, 26/02/2025 – 21:15

CVSS 2.0 severity
Pending analysis

Description (en)
SunGrow WiNet-S V200.001.00.P025 and earlier versions are missing integrity checks for firmware upgrades. Sending a specific MQTT message triggers an update of an inverter or a WiNet connectivity dongle with a bogus firmware file located on an attacker-controlled server.

26/02/2025

26/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://en.sungrowpower.com/security-notice-detail-2/6140

CVE-2024-50693

Wed, 26/02/2025 – 21:15

CVSS 2.0 severity
Pending analysis

Description (en)
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model.

26/02/2025

26/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://en.sungrowpower.com/security-notice-detail-2/6120

CVE-2024-50691

Wed, 26/02/2025 – 21:15

CVSS 2.0 severity
Pending analysis

Description (en)
SunGrow iSolarCloud Android app V2.1.6.20241104 and prior suffers from missing SSL certificate validation. The app explicitly ignores certificate errors and is vulnerable to MitM attacks: an attacker on the network path can impersonate the iSolarCloud server and communicate with the Android app.

26/02/2025

26/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://en.sungrowpower.com/security-notice-detail-2/6124

CVE-2024-50689

Wed, 26/02/2025 – 21:15

CVSS 2.0 severity
Pending analysis

Description (en)
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model.

26/02/2025

26/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://en.sungrowpower.com/security-notice-detail-2/6116

CVE-2024-57423

Wed, 26/02/2025 – 21:15

CVSS 2.0 severity
Pending analysis

Description (en)
A cross-site scripting (XSS) vulnerability in CloudClassroom-PHP Project v1.0 allows a remote attacker to inject arbitrary script, executed in a victim's browser, via the exid parameter of the assessment function.

26/02/2025

26/02/2025

CVSS 3.1 base score
Pending analysis

References


  • https://github.com/harshad-alt/CVE/blob/main/CVE-2024-57423.md