Hyunwoo Kim

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions prior to 24.09.06 **Description** Improper Control of Generation of Code allows for code injection within the email services of the software. **Recommendations** Upgrade to version 24.09.06.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the RxRPC module due to incorrect handling of fragmented packets and data copying mechanisms in socket buffers. The DATA-packet handler in `rxrpc input call event()` and the RESPONSE handler in `rxrpc verify response()` only copy the socket buffer (skb) to a linear one when `skb cloned()` is true. If an skb is not cloned but contains externally-owned paged fragments—such as those set by `splice()` into a UDP socket via ` ip append data` or a chained `skb has frag list()`—it proceeds to the in-place decryption path. This path binds the fragment pages directly into the AEAD/skcipher SGL (Scatter-Gather List) via `skb to sgvec()`. This flaw can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spring AI versions 1.0.0 through 1.0.5 Spring AI versions 1.1.0 through 1.1.4 **Description** Various `FilterExpressionConverter` implementations fail to properly escape keys and values when translating filter expression objects into specific vector store query languages. This improper escaping allows for query injection, which can enable attackers to alter vector store queries, potentially leading to data exposure and tampering. **Recommendations** Update versions 1.0.0 through 1.0.5 to 1.0.6. Update versions 1.1.0 through 1.1.4 to 1.1.5.

CVE-2026-33454 The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filt… https://t.co/aFcj2mALO4

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified) Description The Linux kernel contains a flaw in its netfilter component related to conntrack and missing netlink policy validations. Specifically, the `nlattr to sctp()` function improperly handles user-supplied `CTA PROTOINFO SCTP STATE` values, potentially leading to an out-of-bounds access. This issue can occur when processing netlink attributes without proper validation, resulting in a slab-out-of-bounds read. The vulnerability affects the `ctnetlink` functionality. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Spring Cloud versions 3.1.X through 3.1.12, 4.1.X through 4.1.8, 4.2.X through 4.2.2, 4.3.X through 4.3.1, and 5.0.X through 5.0.1. Description: A flaw exists in Spring Cloud Config when substituting the profile parameter from a request to the Spring Cloud Config Server configured to use the native file system as a backend. This allows an attacker to access files outside of the configured search directories. The issue is due to improper path restriction. Recommendations: Update Spring Cloud to version 3.1.13, 4.1.9, 4.2.3, 4.3.2, or 5.0.2.

**Name of the Vulnerable Software and Affected Versions** Apache Camel versions 4.14.0 through 4.14.5 Apache Camel versions prior to 4.18.1 Apache Camel version 4.19.0 **Description** The camel-coap component is susceptible to message header injection. The `CamelCoapResource.handleRequest()` function iterates over `OptionSet.getUriQuery()` and calls `camelExchange.getIn().setHeader(...)` for every query parameter without applying a HeaderFilterStrategy. This allows an unauthenticated remote attacker to inject arbitrary internal headers (prefixed with Camel*) by sending a single CoAP UDP packet to a route consuming from 'coap://'. If the route forwards the request to header-sensitive producers such as 'camel-exec', 'camel-sql', 'camel-bean', 'camel-file', or template components ('camel-freemarker', 'camel-velocity'), the injected headers can alter the producer's behavior. Specifically, using 'camel-exec', the `CamelExecCommandExecutable` and `CamelExecCommandArgs` headers can override configured settings to achieve arbitrary OS command execution under the privileges of the Camel process. The output is returned in the CoAP response payload, providing an interactive remote code execution channel. **Recommendations** Upgrade to version 4.18.1. Upgrade to version 4.19.0.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a NULL pointer dereference in the Linux kernel's vsock/virtio module. This can occur when the socket has been de-assigned or assigned to another transport, and packets are received that are not expected, causing issues when accessing `vsk->transport`. A possible scenario involves a first connect() interrupted by a signal, and a second connect() failed, leading to `vsk->transport` being NULL. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0 **Description** A vulnerability has been resolved in the Linux kernel related to the hv sock module. The issue arises when the `vsk->trans` variable is not initialized to NULL upon the release of hvs, potentially leading to a dangling pointer. This problem is addressed by ensuring `vsk->trans` is initialized to NULL. **Recommendations** For Linux kernel versions prior to 6.12.0, upgrade to version 6.12.0 or later to resolve the issue. As a temporary workaround, consider initializing `vsk->trans` to NULL manually until a patch is applied. Restrict access to the hv sock module to minimize the risk of exploitation. Avoid using the `vsk->trans` variable in sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the initialization of a dangling pointer in the vsock/virtio module, potentially leading to a Use-After-Free condition. This could allow an attacker to cause a denial of service or possibly execute arbitrary code. The vulnerability is resolved by initializing the pointer to NULL. It is estimated that over 55.7 million services may be affected. The vulnerability has been exploited in real-world incidents, including a demonstration at Zer0Con 2025 using the kernel-hack-drill open-source project. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use after free (UAF) vulnerability in the Linux kernel. It occurs when an active old-style ingress or clsact qdisc with a shared tc block is later replaced by another ingress or clsact instance, causing the tcx entry to be released too early. The sequence to trigger the UAF involves creating a network namespace, allocating a tcx entry, and then replacing the qdisc, which frees the previously linked tcx entry. Later, when the network namespace is closed, it accesses the already freed tcx entry, leading to the UAF. The correct fix is to turn the miniq active boolean into a counter, ensuring the tcx entry is freed at the correct time. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a Use-After-Free vulnerability in the `gtp dellink` function. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The problem arises because `call rcu`, which is called in the `hlist for each entry rcu` traversal of `gtp dellink`, is not part of the RCU read critical section. As a result, the RCU grace period may pass during the traversal, and the key may be freed. To prevent this, it should be changed to `hlist for each entry safe`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a Use-After-Free vulnerability in the `ovs ct limit exit()` function in the Linux kernel's net/openvswitch/conntrack.c module. This vulnerability can be exploited to cause a denial of service. The problem arises because `kfree rcu`, which is called in the `hlist for each entry rcu` traversal of `ovs ct limit exit`, is not part of the RCU read critical section, allowing the RCU grace period to pass during the traversal and the key to be freed. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a Use-After-Free vulnerability in the `tcp ao connect init` function. This vulnerability is caused by a race condition in the RCU API, where the `call rcu` function is not part of the RCU read critical section, allowing the RCU grace period to pass during traversal and the key to be freed. To prevent this, it should be changed to `hlist for each entry safe`. The vulnerability can be exploited to cause a denial of service. It has been reported that this issue is being actively exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.8 **Description** An issue in the Linux kernel is related to a use-after-free condition due to a race condition in the atalk recvmsg function. This issue affects the atalk ioctl function in the net/appletalk/ddp.c module, which is part of the Appletalk protocol implementation. The exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to 6.6.8, update to version 6.6.8 or later to resolve the issue. As a temporary workaround, consider disabling the `atalk ioctl()` function until a patch is available. Restrict access to the `net/appletalk/ddp.c` module to minimize the risk of exploitation. Avoid using the `atalk recvmsg` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.8 **Description** The issue is related to a use-after-free condition in the do vcc ioctl function in the net/atm/ioctl.c module of the Linux kernel, caused by a vcc recvmsg race condition. This could potentially allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to 6.6.8, update to version 6.6.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `do vcc ioctl()` function in the net/atm/ioctl.c module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 6.0.9 **Description** An issue was discovered in the Linux kernel, where the `xillyusb.c` file in the `drivers/char/xillybus` directory has a race condition and use-after-free during physical removal of a USB device. This issue is related to concurrent access to a shared resource with incorrect synchronization, which may allow an attacker to execute arbitrary code. **Recommendations** For Linux kernel versions through 6.0.9, consider disabling the `xillyusb.c` driver or restricting its use until a patch is available. As a temporary workaround, avoid physically removing USB devices while the system is in use to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 6.0.9 **Description** An issue in the Linux kernel is related to a memory leak in the drivers/media/usb/ttusb-dec/ttusb dec.c component due to the lack of a `dvb frontend detach` call. This can potentially allow an attacker to perform a denial-of-service attack. **Recommendations** For Linux kernel versions through 6.0.9, consider updating to a version that includes a fix for the memory leak issue in the drivers/media/usb/ttusb-dec/ttusb dec.c component. As a temporary workaround, restricting access to the vulnerable component may help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.0.10 **Description** The issue is related to a use-after-free condition in the Linux kernel's DVB driver, specifically in the drivers/media/dvb-core/dvb ca en50221.c module. This occurs when a device is closed after being disconnected, due to the lack of a wait event. Exploitation of this issue could allow an attacker to cause a denial of service or elevate their privileges. **Recommendations** For Linux kernel versions prior to 6.0.10, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the vulnerable module drivers/media/dvb-core/dvb ca en50221.c to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.0.9 **Description** The issue is related to a race condition in the Linux kernel's DVB driver, specifically in the `dvb frontend.c` file. This condition can cause a use-after-free error when a device is disconnected, potentially allowing an attacker to cause a denial of service or elevate their privileges. The estimated number of potentially affected devices is not provided. **Recommendations** For Linux kernel versions prior to 6.0.9, update to a version 6.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `dvb frontend.c` driver to minimize the risk of exploitation.