Total
6546 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-33253 | 1 Qualcomm | 322 Aqt1000, Aqt1000 Firmware, Ar8035 and 319 more | 2025-04-09 | N/A | 5.5 MEDIUM |
| Transient DOS due to buffer over-read in WLAN while parsing corrupted NAN frames. | |||||
| CVE-2022-22079 | 1 Qualcomm | 92 Apq8009, Apq8009 Firmware, Apq8009w and 89 more | 2025-04-09 | N/A | 4.6 MEDIUM |
| Denial of service while processing fastboot flash command on mmc due to buffer over read | |||||
| CVE-2025-20655 | 2 Google, Mediatek | 2 Android, Mt9972 | 2025-04-09 | N/A | N/A |
| In keymaster, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: DTV04427687; Issue ID: MSV-3183. | |||||
| CVE-2022-33285 | 1 Qualcomm | 556 Apq8009, Apq8009 Firmware, Apq8017 and 553 more | 2025-04-09 | N/A | 6.5 MEDIUM |
| Transient DOS due to buffer over-read in WLAN while parsing WLAN CSA action frames. | |||||
| CVE-2022-40518 | 1 Qualcomm | 320 Aqt1000, Aqt1000 Firmware, Ar8031 and 317 more | 2025-04-09 | N/A | 5.5 MEDIUM |
| Information disclosure due to buffer overread in Core | |||||
| CVE-2022-33255 | 1 Qualcomm | 184 Apq8009, Apq8009 Firmware, Ar8031 and 181 more | 2025-04-09 | N/A | 6.5 MEDIUM |
| Information disclosure due to buffer over-read in Bluetooth HOST while processing GetFolderItems and GetItemAttribute Cmds from peer device. | |||||
| CVE-2022-40519 | 1 Qualcomm | 386 Aqt1000, Aqt1000 Firmware, Ar8031 and 383 more | 2025-04-09 | N/A | 5.5 MEDIUM |
| Information disclosure due to buffer overread in Core | |||||
| CVE-2022-33286 | 1 Qualcomm | 562 Apq8009, Apq8009 Firmware, Apq8017 and 559 more | 2025-04-09 | N/A | 6.5 MEDIUM |
| Transient DOS due to buffer over-read in WLAN while processing 802.11 management frames. | |||||
| CVE-2021-46768 | 1 Amd | 4 Milanpi, Milanpi Firmware, Romepi and 1 more | 2025-04-09 | N/A | 5.5 MEDIUM |
| Insufficient input validation in SEV firmware may allow an attacker to perform out-of-bounds memory reads within the ASP boot loader, potentially leading to a denial of service. | |||||
| CVE-2022-33283 | 1 Qualcomm | 268 Ar8035, Ar8035 Firmware, Ar9380 and 265 more | 2025-04-09 | N/A | 6.5 MEDIUM |
| Information disclosure due to buffer over-read in WLAN while WLAN frame parsing due to missing frame length check. | |||||
| CVE-2022-33284 | 1 Qualcomm | 352 Aqt1000, Aqt1000 Firmware, Ar8035 and 349 more | 2025-04-09 | N/A | 6.5 MEDIUM |
| Information disclosure due to buffer over-read in WLAN while parsing BTM action frame. | |||||
| CVE-2022-47630 | 1 Arm | 1 Trusted Firmware-a | 2025-04-08 | N/A | 7.4 HIGH |
| Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state. | |||||
| CVE-2024-26980 | 1 Linux | 1 Linux Kernel | 2025-04-08 | N/A | N/A |
| In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size validation could be skipped. if request size is smaller than sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in smb2_allocate_rsp_buf(). This patch allocate response buffer after decrypting transform request. smb3_decrypt_req() will validate transform request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf(). | |||||
| CVE-2024-26991 | 1 Linux | 1 Linux Kernel | 2025-04-08 | N/A | N/A |
| In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes Fix KVM_SET_MEMORY_ATTRIBUTES to not overflow lpage_info array and trigger KASAN splat, as seen in the private_mem_conversions_test selftest. When memory attributes are set on a GFN range, that range will have specific properties applied to the TDP. A huge page cannot be used when the attributes are inconsistent, so they are disabled for those the specific huge pages. For internal KVM reasons, huge pages are also not allowed to span adjacent memslots regardless of whether the backing memory could be mapped as huge. What GFNs support which huge page sizes is tracked by an array of arrays 'lpage_info' on the memslot, of ‘kvm_lpage_info’ structs. Each index of lpage_info contains a vmalloc allocated array of these for a specific supported page size. The kvm_lpage_info denotes whether a specific huge page (GFN and page size) on the memslot is supported. These arrays include indices for unaligned head and tail huge pages. Preventing huge pages from spanning adjacent memslot is covered by incrementing the count in head and tail kvm_lpage_info when the memslot is allocated, but disallowing huge pages for memory that has mixed attributes has to be done in a more complicated way. During the KVM_SET_MEMORY_ATTRIBUTES ioctl KVM updates lpage_info for each memslot in the range that has mismatched attributes. KVM does this a memslot at a time, and marks a special bit, KVM_LPAGE_MIXED_FLAG, in the kvm_lpage_info for any huge page. This bit is essentially a permanently elevated count. So huge pages will not be mapped for the GFN at that page size if the count is elevated in either case: a huge head or tail page unaligned to the memslot or if KVM_LPAGE_MIXED_FLAG is set because it has mixed attributes. To determine whether a huge page has consistent attributes, the KVM_SET_MEMORY_ATTRIBUTES operation checks an xarray to make sure it consistently has the incoming attribute. Since level - 1 huge pages are aligned to level huge pages, it employs an optimization. As long as the level - 1 huge pages are checked first, it can just check these and assume that if each level - 1 huge page contained within the level sized huge page is not mixed, then the level size huge page is not mixed. This optimization happens in the helper hugepage_has_attrs(). Unfortunately, although the kvm_lpage_info array representing page size 'level' will contain an entry for an unaligned tail page of size level, the array for level - 1 will not contain an entry for each GFN at page size level. The level - 1 array will only contain an index for any unaligned region covered by level - 1 huge page size, which can be a smaller region. So this causes the optimization to overflow the level - 1 kvm_lpage_info and perform a vmalloc out of bounds read. In some cases of head and tail pages where an overflow could happen, callers skip the operation completely as KVM_LPAGE_MIXED_FLAG is not required to prevent huge pages as discussed earlier. But for memslots that are smaller than the 1GB page size, it does call hugepage_has_attrs(). In this case the huge page is both the head and tail page. The issue can be observed simply by compiling the kernel with CONFIG_KASAN_VMALLOC and running the selftest “private_mem_conversions_test”, which produces the output like the following: BUG: KASAN: vmalloc-out-of-bounds in hugepage_has_attrs+0x7e/0x110 Read of size 4 at addr ffffc900000a3008 by task private_mem_con/169 Call Trace: dump_stack_lvl print_report ? __virt_addr_valid ? hugepage_has_attrs ? hugepage_has_attrs kasan_report ? hugepage_has_attrs hugepage_has_attrs kvm_arch_post_set_memory_attributes kvm_vm_ioctl It is a little ambiguous whether the unaligned head page (in the bug case also the tail page) should be expected to have KVM_LPAGE_MIXED_FLAG set. It is not functionally required, as the unal ---truncated--- | |||||
| CVE-2025-3406 | 2025-04-08 | N/A | 4.3 MEDIUM | ||
| A vulnerability was found in Nothings stb up to f056911. It has been classified as problematic. Affected is the function stbhw_build_tileset_from_image of the component Header Array Handler. The manipulation of the argument w leads to out-of-bounds read. It is possible to launch the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3407 | 2025-04-08 | N/A | 6.3 MEDIUM | ||
| A vulnerability was found in Nothings stb up to f056911. It has been declared as critical. Affected by this vulnerability is the function stbhw_build_tileset_from_image. The manipulation of the argument h_count/v_count leads to out-of-bounds read. The attack can be launched remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2137 | 1 Google | 1 Chrome | 2025-04-07 | N/A | N/A |
| Out of bounds read in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-21438 | 2025-04-07 | N/A | 7.8 HIGH | ||
| Memory corruption while IOCTL call is invoked from user-space to read board data. | |||||
| CVE-2025-20102 | 2025-04-07 | N/A | N/A | ||
| in OpenHarmony v5.0.2 and prior versions allow a local attacker cause DOS through out-of-bounds read. | |||||
| CVE-2025-22452 | 2025-04-07 | N/A | N/A | ||
| in OpenHarmony v5.0.2 and prior versions allow a local attacker cause DOS through out-of-bounds read. | |||||