Luigino Camastra

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 26.5 iPadOS versions prior to 26.5 macOS Tahoe versions prior to 26.5 tvOS versions prior to 26.5 visionOS versions prior to 26.5 watchOS versions prior to 26.5 **Description** Processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling. **Recommendations** Update iOS to version 26.5. Update iPadOS to version 26.5. Update macOS Tahoe to version 26.5. Update tvOS to version 26.5. Update visionOS to version 26.5. Update watchOS to version 26.5.

**Name of the Vulnerable Software and Affected Versions** wolfSSHd (affected versions not specified) **Description** A read out of bounds issue exists in wolfSSHd on Windows when handling a terminal resize request. An authenticated user can trigger this condition after establishing a connection, resulting in the leakage of adjacent stack memory to the pseudo-console output. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** erlang otp versions 1.0 through 6.9 erlang otp version 17.0 erlang otp versions prior to 7.0 **Description** The software contains a Relative Path Traversal and Improper Isolation or Compartmentalization issue. The issue is associated with program files `lib/tftp/src/tftp file.erl` and `src/tftp file.erl`. The vulnerability affects the `tftp file` modules within erlang/otp, inets, and tftp. **Recommendations** erlang otp versions 1.0 through 6.9: At the moment, there is no information about a newer version that contains a fix for this vulnerability. erlang otp version 17.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. erlang otp versions prior to 7.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wolfSSH (affected versions not specified) **Description** A heap buffer over-read issue exists in the `wolfSSH CleanPath()` function within wolfSSH. A remote attacker with authentication can trigger this by providing specially crafted SCP path input that includes '/./' sequences. This results in a heap over-read of 1 byte. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.2 through 3.6 **Description** A type confusion issue exists in the signature verification of signed PKCS#7 data. This occurs when an ASN1 TYPE union member is accessed without first validating the type, potentially leading to an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Exploiting this requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of exploitation is a denial-of-service. The vulnerable code is within the `PKCS7 digest from attributes()` function, which accesses the message digest attribute value without validating its type. This can result in accessing invalid memory through the ASN1 TYPE union, causing a crash. The PKCS7 API is considered legacy, and applications should use the CMS API instead. **Recommendations** OpenSSL version 1.0.2: Update to a newer version. OpenSSL versions 1.1.1 through 3.6: Update to the latest version.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.1.1, 3.0, 3.3, 3.4, and 3.5 OpenSSL versions 3.6 through 3.6.0 **Description** An invalid or NULL pointer dereference can occur in applications processing malformed PKCS#12 files. This can lead to a denial of service when an application attempts to read from an invalid or NULL pointer in memory. The issue stems from a type confusion in the PKCS#12 parsing code, where an ASN1 TYPE union member is accessed without prior type validation, resulting in an invalid pointer read. The vulnerability is constrained to a 1-byte address space, which typically results in a crash due to unmapped memory on modern operating systems. Exploitation requires processing a maliciously crafted PKCS#12 file. **Recommendations** OpenSSL version 1.1.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability. OpenSSL versions 3.0, 3.3, and 3.4: At the moment, there is no information about a newer version that contains a fix for this vulnerability. OpenSSL versions 3.5 through 3.5.4: Update to version 3.5.5. OpenSSL versions 3.6 through 3.6.0: Update to version 3.6.1.

**Name of the Vulnerable Software and Affected Versions** Versions prior to 2025-11931 **Description** An integer underflow can lead to out-of-bounds access during decryption using XChaCha20-Poly1305. This occurs specifically when calling the `wc XChaCha20Poly1305 Decrypt()` function, which is utilized by direct application calls and not through TLS connections. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to 2.3 **Description** The server previously verified the TLS 1.3 PSK binder using a non-constant time method, which could potentially leak information about the PSK binder. The TLS 1.3 PSK binder is a cryptographic element used to establish a secure connection. A non-constant time verification method can be exploited to reveal information about the binder, potentially compromising the security of the connection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tomcat versions (affected versions not specified) FortiCup Administrative Interface (affected versions not specified) **Description** The issue is related to a Denial of Service (DoS) condition that can be triggered by a specially crafted HTTP request, potentially causing the service to crash. It is also described as a "Coffee Overflow" in the context of the FortiCup Administrative Interface, though the exact nature of this overflow is not specified. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For Tomcat, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For FortiCup Administrative Interface, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.2 through 3.6 OpenSSL version 1.1.1 **Description** A malformed PKCS#12 file can cause a NULL pointer dereference in the `PKCS12 item decrypt d2i ex()` function. This can lead to a denial of service, causing an application crash when processing PKCS#12 files. The issue occurs because the `PKCS12 item decrypt d2i ex()` function does not validate if the `oct` parameter is NULL before dereferencing it. When called from `PKCS12 unpack p7encdata()` with a crafted PKCS#12 file, this parameter can be NULL, resulting in a crash. The vulnerability is limited to denial of service and cannot be used for code execution or memory disclosure. Exploitation requires an attacker to provide a malformed PKCS#12 file to an application that processes it. **Recommendations** OpenSSL version 1.0.2: At the moment, there is no information about a newer version that contains a fix for this vulnerability. OpenSSL version 1.1.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability. OpenSSL versions 3.0 through 3.6: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions prior to the August 2024 update microsoft windows 10 1507 (<10.0.10240.20751) microsoft windows 10 1607 (<10.0.14393.7259) microsoft windows 10 1809 (<10.0.17763.6189) microsoft windows 10 21h2 (<10.0.19044.4780) microsoft windows 10 22h2 (<10.0.19045.4780) **Description** The issue is related to a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. It has been actively exploited by the Lazarus Group, a North Korea-linked APT group, to gain SYSTEM privileges on the latest Windows operating systems. The vulnerability allows attackers to manipulate kernel structures, gaining read and write access. It is a use-after-free flaw in the AFD.sys driver, which is installed by default on all Windows devices, making it a significant threat. The estimated number of potentially affected devices worldwide is not specified, but it is considered a major threat due to the widespread use of Windows devices. **Recommendations** As a temporary workaround, consider disabling the `afd.sys` driver until a patch is available. Restrict access to the vulnerable module `AFD.sys` to minimize the risk of exploitation. Apply the August 2024 updates released by Microsoft to patch the vulnerability. Update Microsoft Windows to a version that includes the fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to an elevation-of-privilege vulnerability in the Win32k component of Windows operating systems. This vulnerability is associated with errors in processing objects in memory. Exploitation of this vulnerability can allow an attacker to elevate their privileges. The vulnerability can be exploited by opening a specially crafted RTF file, which can lead to local privilege escalation (LPE) to system level. There have been reports of this vulnerability being actively exploited in the wild. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.