V4Bel

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to May 13, 2026 **Description** A local privilege escalation issue exists in the Linux kernel networking stack, specifically within the XFRM ESP-in-TCP subsystem. The problem stems from a logical error in several functions, including `skb try coalesce()`, ` pskb copy fclone()`, `skb shift()`, `skb gro receive()`, `skb gro receive list()`, `tcp clone payload()`, and `skb segment()`, which fail to correctly propagate the `SKBFL SHARED FRAG` flag when moving paged fragments between socket buffers. This flag is used to identify fragments that are externally owned or backed by the page cache. When this marker is lost, the system may incorrectly report `skb has shared frag()` as false. This allows in-place writers, such as ESP input (`esp4.c`, `esp6.c`), to skip the `skb cow data()` function and perform decryption directly over shared page-cache pages. An unprivileged local user can exploit this to achieve arbitrary byte writes into the kernel page cache of read-only files, such as `/usr/bin/su` or `/etc/passwd`, without requiring a race condition. This enables the attacker to corrupt protected system binaries in memory and escalate privileges to root. A variant of this issue also exists where `skb segment()` fails to merge flags from the `frag list` members, allowing a similar bypass of the `skip cow()` check inside `esp input()`. **Recommendations** Update the Linux kernel to a version released after May 13, 2026. As a temporary mitigation, disable the `esp4`, `esp6`, and `rxrpc` modules by running `sudo modprobe -r esp4 esp6 rxrpc` and blacklisting them.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue exists in the RxRPC module due to incorrect handling of fragmented packets and data copying mechanisms in socket buffers. The DATA-packet handler in `rxrpc input call event()` and the RESPONSE handler in `rxrpc verify response()` only copy the socket buffer (skb) to a linear one when `skb cloned()` is true. If an skb is not cloned but contains externally-owned paged fragments—such as those set by `splice()` into a UDP socket via ` ip append data` or a chained `skb has frag list()`—it proceeds to the in-place decryption path. This path binds the fragment pages directly into the AEAD/skcipher SGL (Scatter-Gather List) via `skb to sgvec()`. This flaw can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spring AI versions 1.0.0 through 1.0.5 Spring AI versions 1.1.0 through 1.1.4 **Description** Various `FilterExpressionConverter` implementations fail to properly escape keys and values when translating filter expression objects into specific vector store query languages. This improper escaping allows for query injection, which can enable attackers to alter vector store queries, potentially leading to data exposure and tampering. **Recommendations** Update versions 1.0.0 through 1.0.5 to 1.0.6. Update versions 1.1.0 through 1.1.4 to 1.1.5.

Name of the Vulnerable Software and Affected Versions: Spring Cloud versions 3.1.X through 3.1.12, 4.1.X through 4.1.8, 4.2.X through 4.2.2, 4.3.X through 4.3.1, and 5.0.X through 5.0.1. Description: A flaw exists in Spring Cloud Config when substituting the profile parameter from a request to the Spring Cloud Config Server configured to use the native file system as a backend. This allows an attacker to access files outside of the configured search directories. The issue is due to improper path restriction. Recommendations: Update Spring Cloud to version 3.1.13, 4.1.9, 4.2.3, 4.3.2, or 5.0.2.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.8 **Description** An issue in the Linux kernel is related to a use-after-free condition due to a race condition in the atalk recvmsg function. This issue affects the atalk ioctl function in the net/appletalk/ddp.c module, which is part of the Appletalk protocol implementation. The exploitation of this issue may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to 6.6.8, update to version 6.6.8 or later to resolve the issue. As a temporary workaround, consider disabling the `atalk ioctl()` function until a patch is available. Restrict access to the `net/appletalk/ddp.c` module to minimize the risk of exploitation. Avoid using the `atalk recvmsg` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.8 **Description** The issue is related to a use-after-free condition in the do vcc ioctl function in the net/atm/ioctl.c module of the Linux kernel, caused by a vcc recvmsg race condition. This could potentially allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to 6.6.8, update to version 6.6.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `do vcc ioctl()` function in the net/atm/ioctl.c module until a patch is available.