Development

CVE-2022-50221 – Linux Kernel DRM/FB-Helper Out-of-Bounds Access Vulnerability

CVE ID : CVE-2022-50221

Published : June 18, 2025, 11:15 a.m. | 3 hours, 16 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

drm/fb-helper: Fix out-of-bounds access

Clip memory range to screen-buffer size to avoid out-of-bounds access
in fbdev deferred I/O’s damage handling.

Fbdev’s deferred I/O can only track pages. From the range of pages, the
damage handler computes the clipping rectangle for the display update.
If the fbdev screen buffer ends near the beginning of a page, that page
could contain more scanlines. The damage handler would then track these
non-existing scanlines as dirty and provoke an out-of-bounds access
during the screen update. Hence, clip the maximum memory range to the
size of the screen buffer.

While at it, rename the variables min/max to min_off/max_off in
drm_fb_helper_deferred_io(). This avoids confusion with the macros of
the same name.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2022-50230 – Linux Kernel Arm64 Uxn Inconsistent Page Table Vulnerability

CVE ID : CVE-2022-50230

Published : June 18, 2025, 11:15 a.m. | 3 hours, 16 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

arm64: set UXN on swapper page tables

[ This issue was fixed upstream by accident in c3cee924bd85 (“arm64:
head: cover entire kernel image in initial ID map”) as part of a
large refactoring of the arm64 boot flow. This simple fix is therefore
preferred for -stable backporting ]

On a system that implements FEAT_EPAN, read/write access to the idmap
is denied because UXN is not set on the swapper PTEs. As a result,
idmap_kpti_install_ng_mappings panics the kernel when accessing
__idmap_kpti_flag. Fix it by setting UXN on these PTEs.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2022-50231 – Huawei Crypto Poly1305 Arm64 Out-of-Bounds Read Vulnerability

CVE ID : CVE-2022-50231

Published : June 18, 2025, 11:15 a.m. | 3 hours, 16 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

crypto: arm64/poly1305 – fix a read out-of-bound

A kasan error was reported during fuzzing:

BUG: KASAN: slab-out-of-bounds in neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon]
Read of size 4 at addr ffff0010e293f010 by task syz-executor.5/1646715
CPU: 4 PID: 1646715 Comm: syz-executor.5 Kdump: loaded Not tainted 5.10.0.aarch64 #1
Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.59 01/31/2019
Call trace:
dump_backtrace+0x0/0x394
show_stack+0x34/0x4c arch/arm64/kernel/stacktrace.c:196
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x158/0x1e4 lib/dump_stack.c:118
print_address_description.constprop.0+0x68/0x204 mm/kasan/report.c:387
__kasan_report+0xe0/0x140 mm/kasan/report.c:547
kasan_report+0x44/0xe0 mm/kasan/report.c:564
check_memory_region_inline mm/kasan/generic.c:187 [inline]
__asan_load4+0x94/0xd0 mm/kasan/generic.c:252
neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon]
neon_poly1305_do_update+0x6c/0x15c [poly1305_neon]
neon_poly1305_update+0x9c/0x1c4 [poly1305_neon]
crypto_shash_update crypto/shash.c:131 [inline]
shash_finup_unaligned+0x84/0x15c crypto/shash.c:179
crypto_shash_finup+0x8c/0x140 crypto/shash.c:193
shash_digest_unaligned+0xb8/0xe4 crypto/shash.c:201
crypto_shash_digest+0xa4/0xfc crypto/shash.c:217
crypto_shash_tfm_digest+0xb4/0x150 crypto/shash.c:229
essiv_skcipher_setkey+0x164/0x200 [essiv]
crypto_skcipher_setkey+0xb0/0x160 crypto/skcipher.c:612
skcipher_setkey+0x3c/0x50 crypto/algif_skcipher.c:305
alg_setkey+0x114/0x2a0 crypto/af_alg.c:220
alg_setsockopt+0x19c/0x210 crypto/af_alg.c:253
__sys_setsockopt+0x190/0x2e0 net/socket.c:2123
__do_sys_setsockopt net/socket.c:2134 [inline]
__se_sys_setsockopt net/socket.c:2131 [inline]
__arm64_sys_setsockopt+0x78/0x94 net/socket.c:2131
__invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
invoke_syscall+0x64/0x100 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x220/0x230 arch/arm64/kernel/syscall.c:155
do_el0_svc+0xb4/0xd4 arch/arm64/kernel/syscall.c:217
el0_svc+0x24/0x3c arch/arm64/kernel/entry-common.c:353
el0_sync_handler+0x160/0x164 arch/arm64/kernel/entry-common.c:369
el0_sync+0x160/0x180 arch/arm64/kernel/entry.S:683

This error can be reproduced by the following code compiled as ko on a
system with kasan enabled:

#include
#include
#include
#include

char test_data[] = “x00x01x02x03x04x05x06x07”
“x08x09x0ax0bx0cx0dx0ex0f”
“x10x11x12x13x14x15x16x17”
“x18x19x1ax1bx1cx1dx1e”;

int init(void)
{
struct crypto_shash *tfm = NULL;
char *data = NULL, *out = NULL;

tfm = crypto_alloc_shash(“poly1305”, 0, 0);
data = kmalloc(POLY1305_KEY_SIZE – 1, GFP_KERNEL);
out = kmalloc(POLY1305_DIGEST_SIZE, GFP_KERNEL);
memcpy(data, test_data, POLY1305_KEY_SIZE – 1);
crypto_shash_tfm_digest(tfm, data, POLY1305_KEY_SIZE – 1, out);

kfree(data);
kfree(out);
return 0;
}

void deinit(void)
{
}

module_init(init)
module_exit(deinit)
MODULE_LICENSE(“GPL”);

The root cause of the bug sits in neon_poly1305_blocks. The logic
neon_poly1305_blocks() performed is that if it was called with both s[]
and r[] uninitialized, it will first try to initialize them with the
data from the first “block” that it believed to be 32 bytes in length.
First 16 bytes are used as the key and the next 16 bytes for s[]. This
would lead to the aforementioned read out-of-bound. However, after
calling poly1305_init_arch(), only 16 bytes were deducted from the input
and s[] is initialized yet again with the following 16 bytes. The second
initialization of s[] is certainly redundent which indicates that the
first initialization should be for r[] only.

This patch fixes the issue by calling poly1305_init_arm64() instead o
—truncated—

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2022-50232 – Linux Kernel ARM64 UXN Set Vulnerability

CVE ID : CVE-2022-50232

Published : June 18, 2025, 11:15 a.m. | 3 hours, 16 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

arm64: set UXN on swapper page tables

[ This issue was fixed upstream by accident in c3cee924bd85 (“arm64:
head: cover entire kernel image in initial ID map”) as part of a
large refactoring of the arm64 boot flow. This simple fix is therefore
preferred for -stable backporting ]

On a system that implements FEAT_EPAN, read/write access to the idmap
is denied because UXN is not set on the swapper PTEs. As a result,
idmap_kpti_install_ng_mappings panics the kernel when accessing
__idmap_kpti_flag. Fix it by setting UXN on these PTEs.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-6220 – “Ultra Addons for Contact Form 7 Arbitrary File Upload Vulnerability”

CVE ID : CVE-2025-6220

Published : June 18, 2025, 12:15 p.m. | 2 hours, 16 minutes ago

Description : The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘save_options’ function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Severity: 7.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-45661 – miniTCG XSS

CVE ID : CVE-2025-45661

Published : June 18, 2025, 2:15 p.m. | 16 minutes ago

Description : A cross-site scripting (XSS) vulnerability in miniTCG v1.3.1 beta allows attackers to execute abritrary web scripts or HTML via injecting a crafted payload into the id parameter at /members/edit.php.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-45784 – D-Link DPH-400S/SE VoIP Phone Hardcoded Credentials Vulnerability

CVE ID : CVE-2025-45784

Published : June 18, 2025, 2:15 p.m. | 16 minutes ago

Description : D-Link DPH-400S/SE VoIP Phone v1.01 contains hardcoded provisioning variables, including PROVIS_USER_PASSWORD, which may expose sensitive user credentials. An attacker with access to the firmware image can extract these credentials using static analysis tools such as strings or xxd, potentially leading to unauthorized access to device functions or user accounts. This vulnerability exists due to insecure storage of sensitive information in the firmware binary.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46157 – EfroTech Time Trax Remote Code Execution Vulnerability

CVE ID : CVE-2025-46157

Published : June 18, 2025, 2:15 p.m. | 16 minutes ago

Description : An issue in EfroTech Time Trax v.1.0 allows a remote attacker to execute arbitrary code via the file attachment function in the leave request form

Severity: 9.9 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-49015 – “Couchbase .NET SDK TLS Hostname Verification Weakness”

CVE ID : CVE-2025-49015

Published : June 18, 2025, 2:15 p.m. | 16 minutes ago

Description : The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

pdphilip/elasticsearch

An Elasticsearch implementation of Laravel’s Eloquent ORM Source: Read MoreÂ