CVE-2025-13042 - Google Chrome Heap Corruption Vulnerability
CVE ID : CVE-2025-13042
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13042
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2843 - Observability-operator: observability operator privilege escalation
CVE ID : CVE-2025-2843
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2843
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-52331 - WinRAR XSS Report Generator
CVE ID : CVE-2025-52331
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the "generate report" functionality and open the report.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-52331
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the "generate report" functionality and open the report.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59088 - Python-kdcproxy: unauthenticated ssrf via realm‑controlled dns srv
CVE ID : CVE-2025-59088
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59088
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59089 - Python-kdcproxy: remote dos via unbounded tcp upstream buffering
CVE ID : CVE-2025-59089
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59089
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59491 - CentralSquare Community Development XSS
CVE ID : CVE-2025-59491
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59491
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63419 - CrushFTP HTML Injection
CVE ID : CVE-2025-63419
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63419
Published : Nov. 12, 2025, 5:15 p.m. | 1 hour, 42 minutes ago
Description : Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20378 - Open Redirect on Web Login endpoint in Splunk Enterprise
CVE ID : CVE-2025-20378
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20378
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-20379 - Risky command safeguards bypass using the “/services/streams/search“ REST endpoint through “q“ parameter in Splunk Enterprise
CVE ID : CVE-2025-20379
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search“ endpoint through its “q“ parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-20379
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search“ endpoint through its “q“ parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Severity: 3.5 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-25236 - VMware Workspace ONE UEM Information Disclosure
CVE ID : CVE-2025-25236
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-25236
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60645 - xxl-api CSRF Add User Vulnerability
CVE ID : CVE-2025-60645
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : A Cross-Site Request Forgery (CSRF) in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60645
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : A Cross-Site Request Forgery (CSRF) in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-63811 - "Jose2go JSON Web Encryption Denial-of-Service"
CVE ID : CVE-2025-63811
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-63811
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65001 - Fujitsu fbiosdrv.sys Privilege Escalation Vulnerability
CVE ID : CVE-2025-65001
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : Fujitsu fbiosdrv.sys before 2.5.0.0 allows an attacker to potentially affect system confidentiality, integrity, and availability.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65001
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : Fujitsu fbiosdrv.sys before 2.5.0.0 allows an attacker to potentially affect system confidentiality, integrity, and availability.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65002 - Fujitsu iRMC S6 Redfish/WebUI Username Length Overflow Vulnerability
CVE ID : CVE-2025-65002
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : Fujitsu iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65002
Published : Nov. 12, 2025, 6:15 p.m. | 42 minutes ago
Description : Fujitsu iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-45301 - ZDI-CAN-24744: Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability
CVE ID : CVE-2024-45301
Published : Nov. 12, 2025, 6:26 p.m. | 31 minutes ago
Description : Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can cause the mintty process to access a file in a specific path. It is triggered by simply printing them out on bash. An attacker can specify an arbitrary network path, negotiate an ntlm hash out of the victim's machine to an attacker controlled remote host. An attacker can use password cracking tools or NetNTLMv2 hashes to Pass the Hash. Version 3.7.5 fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-45301
Published : Nov. 12, 2025, 6:26 p.m. | 31 minutes ago
Description : Mintty is a terminal emulator for Cygwin, MSYS, and WSL. In versions 2.3.6 through 3.7.4, several escape sequences can cause the mintty process to access a file in a specific path. It is triggered by simply printing them out on bash. An attacker can specify an arbitrary network path, negotiate an ntlm hash out of the victim's machine to an attacker controlled remote host. An attacker can use password cracking tools or NetNTLMv2 hashes to Pass the Hash. Version 3.7.5 fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-47866 - RGW DoS attack with empty HTTP header in S3 object copy
CVE ID : CVE-2024-47866
Published : Nov. 12, 2025, 6:28 p.m. | 30 minutes ago
Description : Ceph is a distributed object, block, and file storage platform. In versions up to and including 19.2.3, using the argument `x-amz-copy-source` to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack. As of time of publication, no known patched versions exist.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-47866
Published : Nov. 12, 2025, 6:28 p.m. | 30 minutes ago
Description : Ceph is a distributed object, block, and file storage platform. In versions up to and including 19.2.3, using the argument `x-amz-copy-source` to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack. As of time of publication, no known patched versions exist.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13057 - Campcodes School Fees Payment Management System ajax.php sql injection
CVE ID : CVE-2025-13057
Published : Nov. 12, 2025, 6:32 p.m. | 26 minutes ago
Description : A vulnerability was identified in Campcodes School Fees Payment Management System 1.0. Impacted is an unknown function of the file /ajax.php?action=save_student. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13057
Published : Nov. 12, 2025, 6:32 p.m. | 26 minutes ago
Description : A vulnerability was identified in Campcodes School Fees Payment Management System 1.0. Impacted is an unknown function of the file /ajax.php?action=save_student. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-40191 - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping
CVE ID : CVE-2025-40191
Published : Nov. 12, 2025, 10:15 p.m. | 42 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kfd process ref leaking when userptr unmapping kfd_lookup_process_by_pid hold the kfd process reference to ensure it doesn't get destroyed while sending the segfault event to user space. Calling kfd_lookup_process_by_pid as function parameter leaks the kfd process refcount and miss the NULL pointer check if app process is already destroyed.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-40191
Published : Nov. 12, 2025, 10:15 p.m. | 42 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kfd process ref leaking when userptr unmapping kfd_lookup_process_by_pid hold the kfd process reference to ensure it doesn't get destroyed while sending the segfault event to user space. Calling kfd_lookup_process_by_pid as function parameter leaks the kfd process refcount and miss the NULL pointer check if app process is already destroyed.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-40192 - Revert "ipmi: fix msg stack when IPMI is disconnected"
CVE ID : CVE-2025-40192
Published : Nov. 12, 2025, 10:15 p.m. | 42 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: Revert "ipmi: fix msg stack when IPMI is disconnected" This reverts commit c608966f3f9c2dca596967501d00753282b395fc. This patch has a subtle bug that can cause the IPMI driver to go into an infinite loop if the BMC misbehaves in a certain way. Apparently certain BMCs do misbehave this way because several reports have come in recently about this.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-40192
Published : Nov. 12, 2025, 10:15 p.m. | 42 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: Revert "ipmi: fix msg stack when IPMI is disconnected" This reverts commit c608966f3f9c2dca596967501d00753282b395fc. This patch has a subtle bug that can cause the IPMI driver to go into an infinite loop if the BMC misbehaves in a certain way. Apparently certain BMCs do misbehave this way because several reports have come in recently about this.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-40193 - xtensa: simdisk: add input size check in proc_write_simdisk
CVE ID : CVE-2025-40193
Published : Nov. 12, 2025, 10:15 p.m. | 42 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash. This follows the same pattern as commit ee76746387f6 ("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-40193
Published : Nov. 12, 2025, 10:15 p.m. | 42 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: xtensa: simdisk: add input size check in proc_write_simdisk A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash. This follows the same pattern as commit ee76746387f6 ("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-40194 - cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()
CVE ID : CVE-2025-40194
Published : Nov. 12, 2025, 10:15 p.m. | 42 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless). Address this issue by modifying update_qos_request() to drop the reference to the policy later.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-40194
Published : Nov. 12, 2025, 10:15 p.m. | 42 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless). Address this issue by modifying update_qos_request() to drop the reference to the policy later.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...