CVSS: 8.1EPSS: 0%CPEs: 11EXPL: 1CVE-2021-46143 – expat: Integer overflow in doProlog in xmlparse.c
https://notcve.org/view.php?id=CVE-2021-46143
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. En la función doProlog en el archivo xmlparse.c en Expat (también se conoce como libexpat) versiones anteriores a 2.4.3, se presenta un desbordamiento de enteros para m_groupSize. expat (libexpat) is susceptible to a software flaw that causes process interruption. When processing a large number of prefixed XML attributes on a single tag can libexpat can terminate unexpectedly due to integer overflow. The highest threat from this vulnerability is to availability, confidentiality and integrity. • http://www.openwall.com/lists/oss-security/2022/01/17/3 https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf https://github.com/libexpat/libexpat/issues/532 https://github.com/libexpat/libexpat/pull/538 https://security.gentoo.org/glsa/202209-24 https://security.netapp.com/advisory/ntap-20220121-0006 https://www.debian.org/security/2022/dsa-5073 https://www.tenable.com/security/tns-2022-05 https://access.redhat.com/security/cve/CVE-2021-46143 https://bu • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.0EPSS: 1%CPEs: 12EXPL: 2CVE-2021-45960 – expat: Large number of prefixed XML attributes on a single tag can crash libexpat
https://notcve.org/view.php?id=CVE-2021-45960
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). En Expat (también se conoce como libexpat) versiones anteriores a 2.4.3, un desplazamiento a la izquierda por 29 (o más) lugares en la función storeAtts en el archivo xmlparse.c puede conllevar a un comportamiento incorrecto de reasignación (por ejemplo, asignar muy pocos bytes, o sólo liberar memoria). expat (libexpat) is susceptible to a software flaw that causes process interruption. When processing a large number of prefixed XML attributes on a single tag can libexpat can terminate unexpectedly due to buffer overrun. The highest threat from this vulnerability is to availability. • http://www.openwall.com/lists/oss-security/2022/01/17/3 https://bugzilla.mozilla.org/show_bug.cgi?id=1217609 https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf https://github.com/libexpat/libexpat/issues/531 https://github.com/libexpat/libexpat/pull/534 https://security.gentoo.org/glsa/202209-24 https://security.netapp.com/advisory/ntap-20220121-0004 https://www.debian.org/security/2022/dsa-5073 https://www.tenable.com/security/tns-2022-05 https://acces • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-682: Incorrect Calculation •
CVSS: 7.2EPSS: 0%CPEs: 17EXPL: 1CVE-2020-12659 – kernel: xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write which could result in crash and data coruption
https://notcve.org/view.php?id=CVE-2020-12659
An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) because of a lack of headroom validation. Se detectó un problema en el kernel de Linux versiones anteriores a 5.6.7. En la función xdp_umem_reg en el archivo net/xdp/xdp_umem.c se presenta una escritura fuera de límites (por un usuario con la capacidad CAP_NET_ADMIN) debido a una falta de comprobación del headroom. An out-of-bounds (OOB) memory access flaw was found in the Network XDP (the eXpress Data Path) module in the Linux kernel's xdp_umem_reg function in net/xdp/xdp_umem.c. When a user with special user privilege of CAP_NET_ADMIN (or root) calls setsockopt to register umem ring on XDP socket, passing the headroom value larger than the available space in the chunk, it leads to an out-of-bounds write, causing panic or possible memory corruption. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html https://bugzilla.kernel.org/show_bug.cgi?id=207225 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.7 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=99e3a236dd43d06c65af0a2ef9cb44306aef6e02 https://github.com/torvalds/linux/commit/99e3a236dd43d06c65af0a2ef9cb44306aef6e02 https://security.netapp.com/advisory/ntap-20200608-0001 https://usn.ubuntu.com/4387-1 https://usn.ubuntu.com/4388- • CWE-787: Out-of-bounds Write •
CVSS: 7.2EPSS: 0%CPEs: 18EXPL: 0CVE-2020-12465 – kernel: buffer overflow in mt76_add_fragment function in drivers/net/wireless/mediatek/mt76/dma.c
https://notcve.org/view.php?id=CVE-2020-12465
An array overflow was discovered in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c in the Linux kernel before 5.5.10, aka CID-b102f0c522cf. An oversized packet with too many rx fragments can corrupt memory of adjacent pages. Se descubrió un desbordamiento de matriz en la función mt76_add_fragment en el archivo drivers/net/wireless/mediatek/mt76/dma.c en el kernel de Linux versiones anteriores a la versión 5.5.10, también se conoce como CID-b102f0c522cf. Un paquete de gran tamaño con muchos fragmentos rx puede corromper la memoria de páginas adyacentes. A memory overflow and data corruption flaw were found in the Mediatek MT76 driver module for WiFi in mt76_add_fragment in drivers/net/wireless/mediatek/mt76/dma.c. • https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.10 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b102f0c522cf668c8382c56a4f771b37d011cda2 https://github.com/torvalds/linux/commit/b102f0c522cf668c8382c56a4f771b37d011cda2 https://security.netapp.com/advisory/ntap-20200608-0001 https://access.redhat.com/security/cve/CVE-2020-12465 https://bugzilla.redhat.com/show_bug.cgi?id=1831699 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.2EPSS: 0%CPEs: 23EXPL: 1CVE-2020-12464 – kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c
https://notcve.org/view.php?id=CVE-2020-12464
usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925. a función usb_sg_cancel en el archivo drivers/usb/core/message.c en el kernel de Linux versiones anteriores a la versión 5.6.8, tiene un uso de la memoria previamente liberada porque se produce una transferencia sin una referencia, también se conoce como CID-056ad39ee925. A use-after-free flaw was found in usb_sg_cancel in drivers/usb/core/message.c in the USB core subsystem. This flaw allows a local attacker with a special user or root privileges to crash the system due to a race problem in the scatter-gather cancellation and transfer completion in usb_sg_wait. This vulnerability can also lead to a leak of internal kernel information. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.8 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=056ad39ee9253873522f6469c3364964a322912b https://github.com/torvalds/linux/commit/056ad39ee9253873522f6469c3364964a322912b https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html https://lists.debian.org/debian-lts-a • CWE-416: Use After Free •