π¨ CVE-2019-18860
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
π@cveNotify
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
π@cveNotify
π¨ CVE-2025-54574
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.
π@cveNotify
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions.
π@cveNotify
GitHub
Remove serialized HTTP headers from storeClientCopy() (#1335) Β· squid-cache/squid@a27bf4b
Do not send serialized HTTP response header bytes in storeClientCopy()
answers. Ignore serialized header size when calling storeClientCopy().
This complex change adjusts storeClientCopy() API to a...
answers. Ignore serialized header size when calling storeClientCopy().
This complex change adjusts storeClientCopy() API to a...
π¨ CVE-2025-62168
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
π@cveNotify
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.
π@cveNotify
GitHub
Bug 3390: Proxy auth data visible to scripts (#2249) Β· squid-cache/squid@0951a06
Original changes to redact credentials from error page %R code
expansion output was incomplete. It missed the parse failure
case where ErrorState::request_hdrs raw buffer contained
sensitive inform...
expansion output was incomplete. It missed the parse failure
case where ErrorState::request_hdrs raw buffer contained
sensitive inform...
π¨ CVE-2025-27064
Information disclosure while registering commands from clients with diag through diagHal.
π@cveNotify
Information disclosure while registering commands from clients with diag through diagHal.
π@cveNotify
π¨ CVE-2025-27070
Memory corruption while performing encryption and decryption commands.
π@cveNotify
Memory corruption while performing encryption and decryption commands.
π@cveNotify
π¨ CVE-2025-47357
Information Disclosure when a user-level driver performs QFPROM read or write operations on Fuse regions.
π@cveNotify
Information Disclosure when a user-level driver performs QFPROM read or write operations on Fuse regions.
π@cveNotify
π¨ CVE-2025-47360
Memory corruption while processing client message during device management.
π@cveNotify
Memory corruption while processing client message during device management.
π@cveNotify
π¨ CVE-2025-47361
Memory corruption when triggering a subsystem crash with an out-of-range identifier.
π@cveNotify
Memory corruption when triggering a subsystem crash with an out-of-range identifier.
π@cveNotify
π¨ CVE-2025-47362
Information disclosure while processing message from client with invalid payload.
π@cveNotify
Information disclosure while processing message from client with invalid payload.
π@cveNotify
π¨ CVE-2025-47365
Memory corruption while processing large input data from a remote source via a communication interface.
π@cveNotify
Memory corruption while processing large input data from a remote source via a communication interface.
π@cveNotify
π¨ CVE-2025-47367
Memory corruption while accessing a buffer during IOCTL processing.
π@cveNotify
Memory corruption while accessing a buffer during IOCTL processing.
π@cveNotify
π¨ CVE-2025-47368
Memory corruption when dereferencing an invalid userspace address in a user buffer during MCDM IOCTL processing.
π@cveNotify
Memory corruption when dereferencing an invalid userspace address in a user buffer during MCDM IOCTL processing.
π@cveNotify
π¨ CVE-2025-47370
Transient DOS when a remote device sends an invalid connection request during BT connectable LE scan.
π@cveNotify
Transient DOS when a remote device sends an invalid connection request during BT connectable LE scan.
π@cveNotify
π¨ CVE-2025-23157
In the Linux kernel, the following vulnerability has been resolved:
media: venus: hfi_parser: add check to avoid out of bound access
There is a possibility that init_codecs is invoked multiple times during
manipulated payload from video firmware. In such case, if codecs_count
can get incremented to value more than MAX_CODEC_NUM, there can be OOB
access. Reset the count so that it always starts from beginning.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
media: venus: hfi_parser: add check to avoid out of bound access
There is a possibility that init_codecs is invoked multiple times during
manipulated payload from video firmware. In such case, if codecs_count
can get incremented to value more than MAX_CODEC_NUM, there can be OOB
access. Reset the count so that it always starts from beginning.
π@cveNotify
π¨ CVE-2024-50623
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
π@cveNotify
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.
π@cveNotify
Cleo
Cleo Product Security Advisory - CVE-2024-50623
Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.
The vulnerability affects the following products:
Cleo Harmony...
The vulnerability affects the following products:
Cleo Harmony...
π¨ CVE-2025-23145
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix NULL pointer in can_accept_new_subflow
When testing valkey benchmark tool with MPTCP, the kernel panics in
'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.
Call trace:
mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
ip_local_deliver (./net/ipv4/ip_input.c:254)
ip_rcv_finish (./net/ipv4/ip_input.c:449)
...
According to the debug log, the same req received two SYN-ACK in a very
short time, very likely because the client retransmits the syn ack due
to multiple reasons.
Even if the packets are transmitted with a relevant time interval, they
can be processed by the server on different CPUs concurrently). The
'subflow_req->msk' ownership is transferred to the subflow the first,
and there will be a risk of a null pointer dereference here.
This patch fixes this issue by moving the 'subflow_req->msk' under the
`own_req == true` conditional.
Note that the !msk check in subflow_hmac_valid() can be dropped, because
the same check already exists under the own_req mpj branch where the
code has been moved to.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix NULL pointer in can_accept_new_subflow
When testing valkey benchmark tool with MPTCP, the kernel panics in
'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.
Call trace:
mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)
subflow_syn_recv_sock (./net/mptcp/subflow.c:854)
tcp_check_req (./net/ipv4/tcp_minisocks.c:863)
tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)
ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)
ip_local_deliver_finish (./net/ipv4/ip_input.c:234)
ip_local_deliver (./net/ipv4/ip_input.c:254)
ip_rcv_finish (./net/ipv4/ip_input.c:449)
...
According to the debug log, the same req received two SYN-ACK in a very
short time, very likely because the client retransmits the syn ack due
to multiple reasons.
Even if the packets are transmitted with a relevant time interval, they
can be processed by the server on different CPUs concurrently). The
'subflow_req->msk' ownership is transferred to the subflow the first,
and there will be a risk of a null pointer dereference here.
This patch fixes this issue by moving the 'subflow_req->msk' under the
`own_req == true` conditional.
Note that the !msk check in subflow_hmac_valid() can be dropped, because
the same check already exists under the own_req mpj branch where the
code has been moved to.
π@cveNotify
π¨ CVE-2025-23146
In the Linux kernel, the following vulnerability has been resolved:
mfd: ene-kb3930: Fix a potential NULL pointer dereference
The off_gpios could be NULL. Add missing check in the kb3930_probe().
This is similar to the issue fixed in commit b1ba8bcb2d1f
("backlight: hx8357: Fix potential NULL pointer dereference").
This was detected by our static analysis tool.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
mfd: ene-kb3930: Fix a potential NULL pointer dereference
The off_gpios could be NULL. Add missing check in the kb3930_probe().
This is similar to the issue fixed in commit b1ba8bcb2d1f
("backlight: hx8357: Fix potential NULL pointer dereference").
This was detected by our static analysis tool.
π@cveNotify
π¨ CVE-2025-23147
In the Linux kernel, the following vulnerability has been resolved:
i3c: Add NULL pointer check in i3c_master_queue_ibi()
The I3C master driver may receive an IBI from a target device that has not
been probed yet. In such cases, the master calls `i3c_master_queue_ibi()`
to queue an IBI work task, leading to "Unable to handle kernel read from
unreadable memory" and resulting in a kernel panic.
Typical IBI handling flow:
1. The I3C master scans target devices and probes their respective drivers.
2. The target device driver calls `i3c_device_request_ibi()` to enable IBI
and assigns `dev->ibi = ibi`.
3. The I3C master receives an IBI from the target device and calls
`i3c_master_queue_ibi()` to queue the target device driverβs IBI
handler task.
However, since target device events are asynchronous to the I3C probe
sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`,
leading to a kernel panic.
Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing
an uninitialized `dev->ibi`, ensuring stability.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
i3c: Add NULL pointer check in i3c_master_queue_ibi()
The I3C master driver may receive an IBI from a target device that has not
been probed yet. In such cases, the master calls `i3c_master_queue_ibi()`
to queue an IBI work task, leading to "Unable to handle kernel read from
unreadable memory" and resulting in a kernel panic.
Typical IBI handling flow:
1. The I3C master scans target devices and probes their respective drivers.
2. The target device driver calls `i3c_device_request_ibi()` to enable IBI
and assigns `dev->ibi = ibi`.
3. The I3C master receives an IBI from the target device and calls
`i3c_master_queue_ibi()` to queue the target device driverβs IBI
handler task.
However, since target device events are asynchronous to the I3C probe
sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`,
leading to a kernel panic.
Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing
an uninitialized `dev->ibi`, ensuring stability.
π@cveNotify