24h | 7d | 30d

Overview

  • Linux
  • Linux

04 Jul 2026
Published
06 Jul 2026
Updated

CVSS
Pending
EPSS
0.18%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free.

Statistics

  • 3 Posts
  • 4 Interactions

Last activity: Last hour

Bluesky

Profile picture fallback
Linux Kernelの脆弱性(Januscape: CVE-2026-53359) #security #vulnerability #セキュリティ #脆弱性 #linux #kernel #kvm security.sios.jp/vulnerabilit...
  • 0
  • 2
  • 0
  • 6h ago
Profile picture fallback
Januscape: Guest-to-Host Escape in KVM/x86 github.com -> CVE-2026-53359 Original->
  • 0
  • 0
  • 0
  • Last hour
Profile picture fallback
We have patched kernels ready for testing for two Linux kernel vulnerabilities: Januscape (CVE-2026-53359) and Bad Epoll (CVE-2026-46242). Learn more and help with testing: https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/?utm_medium=social&utm_source=bluesky
  • 1
  • 1
  • 0
  • 5h ago

Overview

  • Microsoft
  • Microsoft SharePoint Enterprise Server 2016

22 May 2026
Published
02 Jul 2026
Updated

CVSS v3.1
HIGH (8.8)
EPSS
3.22%

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Statistics

  • 2 Posts

Last activity: 7 hours ago

Bluesky

Profile picture fallback
CISA、SharePoint Serverの脆弱性 CVE-2026-45659をサイバー攻撃への悪用実績ありとしてKEVに追加 rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #security #securitynews
  • 0
  • 0
  • 0
  • 7h ago
Profile picture fallback
🚨 Guía de remediación urgente: #Vulnerabilidad RCE en #SharePoint (CVE-2026-45659) www.newstecnicas.com/2026/05/guia...
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Linux
  • Linux

30 May 2026
Published
04 Jul 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.12%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.

Statistics

  • 2 Posts
  • 5 Interactions

Last activity: 5 hours ago

Fediverse

Profile picture fallback

A critical Bad Epoll vulnerability (CVE-2026-46242) allows local users to gain root access on Linux and Android devices. Patch your systems immediately.

meterpreter.org/bad-epoll-vuln

  • 2
  • 1
  • 0
  • 23h ago

Bluesky

Profile picture fallback
We have patched kernels ready for testing for two Linux kernel vulnerabilities: Januscape (CVE-2026-53359) and Bad Epoll (CVE-2026-46242). Learn more and help with testing: https://almalinux.org/blog/2026-07-06-januscape-bad-epoll/?utm_medium=social&utm_source=bluesky
  • 1
  • 1
  • 0
  • 5h ago

Overview

  • Linux
  • Linux

08 May 2026
Published
11 May 2026
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.16%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 Call Trace: <TASK> ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 dev_hard_header include/linux/netdevice.h:3439 [inline] packet_snd net/packet/af_packet.c:3028 [inline] packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmsg+0x170/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe1a0e6c1a9 When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, bond_setup_by_slave() directly copies the slave's header_ops to the bond device: bond_dev->header_ops = slave_dev->header_ops; This causes a type confusion when dev_hard_header() is later called on the bond device. Functions like ipgre_header(), ip6gre_header(),all use netdev_priv(dev) to access their device-specific private data. When called with the bond device, netdev_priv() returns the bond's private data (struct bonding) instead of the expected type (e.g. struct ip_tunnel), leading to garbage values being read and kernel crashes. Fix this by introducing bond_header_ops with wrapper functions that delegate to the active slave's header_ops using the slave's own device. This ensures netdev_priv() in the slave's header functions always receives the correct device. The fix is placed in the bonding driver rather than individual device drivers, as the root cause is bond blindly inheriting header_ops from the slave without considering that these callbacks expect a specific netdev_priv() layout. The type confusion can be observed by adding a printk in ipgre_header() and running the following commands: ip link add dummy0 type dummy ip addr add 10.0.0.1/24 dev dummy0 ip link set dummy0 up ip link add gre1 type gre local 10.0.0.1 ip link add bond1 type bond mode active-backup ip link set gre1 master bond1 ip link set gre1 up ip link set bond1 up ip addr add fe80::1/64 dev bond1

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

Profile picture fallback
19年以上見過ごされていたLinux kernelのゼロデイ脆弱性を報告した話:CVE-2026-43456 | セキュリティブログ | 脆弱性診断(セキュリティ診断)のGMOサイバーセキュリティ byイエラエ gmo-cybersecurity.com/blog/19-year...
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • Adobe
  • ColdFusion

30 Jun 2026
Published
01 Jul 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
1.02%

KEV

Description

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

Profile picture fallback
Hackers Begin Exploiting Critical Adobe ColdFusion Flaw Just Hours After Patch Release Cybersecurity researchers have confirmed that attackers are actively exploiting a critical vulnerability in Adobe ColdFusion, tracked as CVE-2026-48282, only hours after Adobe released security updates.
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • PROG MIS
  • Prog Management System

06 Jul 2026
Published
06 Jul 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Prog Management System developed by PROG MIS has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain the database account and password.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse

Profile picture fallback

PROG MIS Prog Management System hit with CRITICAL vuln (CVE-2026-14808): unauthenticated attackers can access DB user & password. No patch yet — limit access & monitor systems. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Gitea
  • Gitea Open Source Git Server

03 Jul 2026
Published
05 Jul 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.78%

KEV

Description

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.

Statistics

  • 1 Post

Last activity: 2 hours ago

Bluesky

Profile picture fallback
Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...
  • 0
  • 0
  • 0
  • 2h ago
Showing 1 to 7 of 7 CVEs