Threats Tagged 'ghsa'

MessagePack-CSharp's UnsafeBlitFormatterBase<T>.Deserialize method in Unity blit resolvers improperly allocates memory based on an attacker-controlled byte length without validating it against the actual payload size. This can lead to excessive memory allocation and potential out-of-memory exceptions or process termination on memory-constrained platforms when deserializing untrusted data. The vulnerability affects the MessagePack.UnityClient package and specific resolvers prior to patched versions. The issue is mitigated by upgrading to patched versions or avoiding use of vulnerable resolvers with untrusted input.

MessagePack-CSharp contains a vulnerability in its multi-dimensional array formatters where dimension lengths are read from untrusted payloads and used to allocate arrays before validating that the total element count matches the encoded data. This can lead to excessive memory allocation and potential out-of-memory conditions when deserializing untrusted data into multi-dimensional arrays such as T[,], T[,,], or T[,,,]. The issue affects versions prior to 2.5.301 and versions 3.0 up to but not including 3.1.7. Fixes are prepared but not yet released. Until patched, users should avoid deserializing untrusted payloads into multi-dimensional arrays and prefer safer data shapes.

MessagePack-CSharp's InterfaceLookupFormatter<TKey,TElement> constructs an internal dictionary using the default equality comparer instead of the security-aware comparer when deserializing ILookup<TKey,TElement>. This omission allows an attacker to craft payloads with colliding keys that degrade dictionary insertion performance, causing a CPU denial of service even when the application opts into untrusted-data security settings. The vulnerability affects versions of MessagePack prior to 2.5.301 and versions 3.0 up to but not including 3.1.7.

MessagePack-CSharp's typeless deserialization feature has a vulnerability where type restrictions do not recursively inspect array element types or generic type arguments. This allows an attacker to bypass outer-type blocklist checks by wrapping disallowed types inside arrays or generic containers. The issue affects applications that deserialize untrusted data using typeless serialization APIs. Fixes are available in versions 2.5.301 and 3.1.7. Users are advised to upgrade and avoid typeless deserialization of untrusted data or use explicit recursive allowlists.

A vulnerability in the Linux kernel related to the use of WARN_ON_ONCE when accessing the forward path array has been resolved. The issue involved a warning that could be triggered if userspace constructed a sufficiently long forward path, particularly with recent IPIP tunnel support. The warning was removed to address this unlikely but possible condition.

A use-after-free vulnerability exists in the Linux kernel's power supply driver for act8945a. The issue arises from the order of resource allocation and deallocation, where the interrupt request (IRQ) is requested before the power_supply handle is registered. This can cause a race condition during device removal or probe, leading to the IRQ handler invoking power_supply_changed() with a freed or uninitialized power_supply handle, potentially causing system crashes or memory corruption.

A vulnerability in the Linux kernel's NTFS3 filesystem driver involves the use of uninitialized memory in newly allocated folios. Specifically, some folios may remain partially uninitialized when certain initialization steps are skipped, leading to potential memory integrity issues. This issue has been resolved by ensuring folios are properly initialized before use.

A vulnerability in the Linux kernel's drm/panthor component could cause a NULL pointer dereference during the panthor_fw_unplug() function. This occurs because the firmware may not be loaded or initialized, and the existing code waits for the MCU to halt, which can lead to dereferencing a NULL pointer. The patch removes the MCU halt and wait procedures to prevent this issue by disabling the MCU directly on unplug.

A vulnerability in the Linux kernel's mctp i2c driver caused uninitialized stack bytes to be returned during i2c read operations. This was due to missing initialization of event handler read bytes, resulting in potentially unpredictable data being read. The issue was fixed by setting read bytes to 0xff, ensuring consistent and safe read values.

A vulnerability in the Linux kernel's crypto subsystem related to the inside-secure/eip93 driver has been resolved. The issue involves improper unregistration of cryptographic algorithms based on hardware support indicated by the EIP93 options register. Currently, all algorithms are unregistered regardless of hardware support, causing a system panic on platforms lacking full silicon implementation of these options.