Nicholas Carlini

**Name of the Vulnerable Software and Affected Versions** OpenSC versions prior to 0.27.0 **Description** A stack and heap buffer overrun occurs in the `do key value()` function within src/pkcs15init/profile.c. This issue allows memory corruption when a crafted profile configuration file is supplied. During the invocation of pkcs15-init, a key value entry starting with '=' followed by more than the size of `keybuf` is copied into `keybuf` using memcpy without a length check. **Recommendations** Update to version 0.27.0 or apply the fix from commit 0358817.

**Name of the Vulnerable Software and Affected Versions** OpenSC versions prior to 0.27.0-rc1 **Description** A stack buffer overflow exists in the `piv process history()` function within `src/libopensc/card-piv.c`. This issue allows a physically present attacker to cause memory corruption by using a specially crafted PIV smart card or USB device. The trigger occurs when the device returns a URL field exceeding 118 bytes in the Key History Object ASN.1 response. **Recommendations** Update to version 0.27.0-rc1 or apply the fix from commit 3f24f0b.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 26.5 iPadOS versions prior to 26.5 macOS Tahoe versions prior to 26.5 tvOS versions prior to 26.5 visionOS versions prior to 26.5 watchOS versions prior to 26.5 **Description** A use-after-free issue, which occurs when a program continues to use a pointer after it has been freed, can lead to an unexpected Safari crash when processing maliciously crafted web content. **Recommendations** Update iOS to version 26.5. Update iPadOS to version 26.5. Update macOS Tahoe to version 26.5. Update tvOS to version 26.5. Update visionOS to version 26.5. Update watchOS to version 26.5.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** The implementation of TIOCNOTTY fails to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process exits, the terminal structure may retain a pointer to freed memory, creating a dangling pointer. A malicious process can exploit this condition to obtain root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw exists in the kernel's handling of protection keys for address ranges. The subroutine responsible for updating page table entries fails to account for 1GB largepage mappings created via the `shm create largepage(3)` interface, incorrectly treating page directory page entries as pointers to other page table pages. An unprivileged user can exploit this by causing the `pmap pkru update range()` function to treat userspace memory as a page table page, allowing the overwrite of memory that should otherwise be inaccessible. This issue is under active exploitation and can lead to unauthorized access and data breaches. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Botan versions prior to 3.11.1 Description The Botan cryptography library contains a flaw in the `Certificate Store::certificate known` function. This function incorrectly identifies certificates, returning true if any certificate in the store has a matching Distinguished Name (DN) and Subject Key Identifier (SKI) with the provided certificate, without verifying if the certificates are identical. A subsequent extension of path validation logic incorrectly assumed that `certificate known` only returned true for identical certificates. This allows an end entity certificate to be accepted as a trusted root if its DN and SKI match those of a trusted root certificate. Recommendations Update to version 3.11.1 or later.

**Name of the Vulnerable Software and Affected Versions** wolfSSL versions prior to 5.9.1 **Description** Missing hash/digest size and Object Identifier (OID) checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than appropriate for the relevant key type, to be accepted by signature verification functions. This flaw enables the acceptance of forged digital identities, potentially allowing a malicious server, file, or connection to be trusted. The issue affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled, specifically impacting the library's handling of signatures in ECDSA, DSA, ML-DSA, Ed25519, and Ed448. It is estimated that over 5 billion devices worldwide are potentially affected, including embedded systems, IoT devices, routers, automotive systems, power grid infrastructure, and military systems. **Recommendations** Update to version 5.9.1.

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** A stack overflow exists in the `kgssapi.ko` kernel module and the `librpcgss sec` library during the validation of RPCSEC GSS data packets. The routine responsible for checking the packet signature copies a portion of the packet into a stack buffer without verifying if the buffer is sufficiently large. This flaw allows a malicious client to trigger a stack overflow without prior authentication. In the kernel, this can lead to remote code execution if an authenticated user sends packets to the kernel's NFS server while `kgssapi.ko` is loaded. In userspace, any application that runs an RPC server and has `librpcgss sec` loaded is vulnerable to remote code execution from any client capable of sending packets. **Recommendations** As a temporary workaround, consider restricting access to the kernel's NFS server or avoiding the use of the `kgssapi.ko` module until a patch is applied. Restrict the use of the `librpcgss sec` library in userspace RPC applications to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Thunderbird versions prior to 149 **Description** An undefined behavior issue exists in the Audio/Video component. This can lead to unexpected program behavior. **Recommendations** Update Firefox to version 149 or later. Update Thunderbird to version 149 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Thunderbird versions prior to 149 **Description** A use-after-free issue exists in the JavaScript Engine component. This condition may allow for unexpected behavior. **Recommendations** Update Firefox to version 149 or later. Update Thunderbird to version 149 or later.

**Name of the Vulnerable Software and Affected Versions** Ghost versions 3.24.0 through 6.19.0 **Description** Ghost, a Node.js content management system, contains a blind SQL injection flaw in its Content API. This issue arises because the software uses string concatenation instead of parameterized queries, allowing unauthenticated attackers to execute arbitrary database reads. Specifically, attackers can send disguised SQL commands via the `slug` variable to retrieve sensitive information, such as the master Admin API key. In real-world incidents, this flaw was used in a large-scale automated campaign affecting over 700 domains, including high-profile institutions like Harvard, Oxford, and DuckDuckGo. Attackers exploited the '/ghost/api/content/tags/' endpoint to steal Admin API keys, which were then used to inject malicious JavaScript into articles. This JavaScript facilitated ClickFix attacks, where visitors were deceived by fake Cloudflare verification prompts into executing harmful commands on their local Windows systems, leading to the installation of malware such as Rust-based DLLs and malicious Electron applications. **Recommendations** Update Ghost to version 6.19.1 or later. Rotate all Admin API keys. Manually inspect article content at the database level to identify and remove injected scripts. Review Admin API call logs for unauthorized bulk article modifications. As a temporary mitigation, use a reverse proxy or WAF rule to block Content API requests containing `slug%3A%5B` or `slug:[` in the query string filter parameter.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Firefox ESR versions prior to 140.9 Thunderbird versions prior to 149 Thunderbird versions prior to 140.9 **Description** An undefined behavior exists within the WebRTC: Signaling component. This issue impacts the listed versions of Firefox and Thunderbird. **Recommendations** Update Firefox to version 149 or later. Update Firefox ESR to version 140.9 or later. Update Thunderbird to version 149 or later. Update Thunderbird to version 140.9 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Firefox ESR versions prior to 140.9 Thunderbird versions prior to 149 Thunderbird versions prior to 140.9 **Description** An undefined behavior exists within the WebRTC: Signaling component. This issue impacts the listed software. **Recommendations** Update Firefox to version 149 or later. Update Firefox ESR to version 140.9 or later. Update Thunderbird to version 149 or later. Update Thunderbird to version 140.9 or later.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 149 Firefox ESR versions prior to 140.9 Thunderbird versions prior to 149 Thunderbird versions prior to 140.9 **Description** A denial-of-service issue exists in the WebRTC: Signaling component. **Recommendations** Update Firefox to version 149 or later. Update Firefox ESR to version 140.9 or later. Update Thunderbird to version 149 or later. Update Thunderbird to version 140.9 or later.