vulnerability

FRRouting's OSPF implementation contains a NULL-pointer dereference that can be triggered by a crafted OSPF packet, allowing remote attackers to crash the OSPF daemon (ospfd) and cause a Denial of Service (DoS) for routers and appliances using vulnerable FRR releases. Background FRRouting (FRR)...

FRRouting has been flagged for a serious Denial-of-Service hole: a NULL pointer dereference in OSPF packet handling (CVE-2025-61107) that can crash the ospfd daemon when a crafted LSA Update containing an opaque LSA is processed, and the problem was patched upstream via a targeted set of checks...

filelock, the widely used platform‑independent file‑locking library for Python, is the subject of a newly public vulnerability — CVE‑2025‑68146 — that exposes a classic Time‑of‑Check‑Time‑of‑Use (TOCTOU) race condition in lock file creation. The flaw allows a local attacker who can create...

A stack-based buffer overflow affecting libcoap’s address-resolution path has been publicly disclosed as CVE-2025-34468; the defect allows attacker-controlled hostnames to overflow a fixed 256-byte stack buffer in certain code paths, producing reliable Denial‑of‑Service and an...

A small but concrete libpcap memory-safety bug—assigned CVE‑2025‑11964—was disclosed at the end of December 2025: on Windows systems, the library’s UTF-16LE → UTF-8 conversion helper can undercount the space consumed by four‑byte UTF‑8 sequences and write past the end of a provided buffer. The...

Libsodium's ed25519 point-validation routine contains a subtle but important bug that can let malformed points slip past validation in niche workflows, a flaw tracked as CVE-2025-69277 and fixed in the commit ad3004e. Background Libsodium has long been the portable, easy-to-use cryptography...

GNU GRUB (GRUB2) contains a timing side‑channel in its cryptographic comparison routine: CVE‑2024‑56738 identifies that versions through 2.12 implement grub_crypto_memcmp in a non‑constant‑time way, which can leak sensitive verification information via timing differences and has prompted vendor...

InfluxDB OSS contains a business‑logic weakness — tracked as CVE‑2024‑30896 — that allowed an authorized user with an allAccess token in the same organization to enumerate and retrieve the administrative operator token, effectively enabling full administrative takeover of affected InfluxDB OSS...

MariaDB servers across multiple release lines are vulnerable to a denial‑of‑service crash (CVE‑2023‑52970) when processing certain queries that exercise the Item_direct_view_ref::derived_field_transformer_for_where logic, and operators should treat this as an immediate patching priority...

A subtle formatting quirk in GnuPG’s clearsign handling lets an attacker append unsigned data to a signed message while still passing GnuPG’s verification routine — a signature‑verification bypass tracked as CVE‑2025‑68972 that affects GnuPG releases up to and including 2.4.8 and has been...

A new Linux kernel vulnerability, tracked as CVE‑2025‑68374, corrects a subtle but serious RCU lifetime bug in the md (multiple‑device / software RAID) subsystem: maintainers attempted to use RCU to protect a pointer named thread, but passed that raw pointer into md_wakeup_thread before entering...

The Linux kernel team has assigned CVE-2025-68724 to a recently patched integer‑overflow bug in the asymmetric_keys subsystem — a defensive fix that uses explicit overflow checks (check_add_overflow/size_add/struct_size) in asymmetric_key_generate_id to prevent a potential buffer overflow when...

A newly assigned CVE — CVE-2025-68371 — tracks a Linux kernel race-condition in the smartpqi SCSI driver where a scheduled LUN reset work item could run after the device it targets has already been removed, creating a use‑after‑free and related resource-access hazards that were patched in the...

A critical memory‑corruption flaw in PyTorch’s low‑level LSTM cell implementation — tracked as CVE‑2025‑3001 — has been publicly disclosed and reproduced, creating an urgent, if narrowly scoped, operational risk for systems that run untrusted or local model code built against the affected...

A newly assigned Linux kernel vulnerability, tracked as CVE‑2025‑68366, affects the Network Block Device (NBD) driver and stems from a race that can produce a use‑after‑free when handling NBD control messages. The short technical summary is simple: code in nbd_genl_connect increments a...

CVE-2024-7883 is a low-severity but meaningful LLVM/Clang compiler issue that can leak a small slice of a Cortex‑M Secure stack into Non‑secure state via floating‑point registers when certain Arm Cortex‑M Security Extensions (CMSE) calling patterns occur — and while Microsoft’s MSRC has attested...

A subtle but important bug in the Linux kernel’s Netfilter flowtable handling has been assigned CVE-2025-38441 and patched across multiple stable trees after syzbot and KMSAN found a potential access to an uninitialized value in nf_flow_pppoe_proto, caused by a commit that forgot to account for...

A null-pointer dereference bug in the Linux kernel’s ATM “clip” code — tracked as CVE-2025-38458 — has been fixed upstream, and Microsoft’s Security Response Center (MSRC) has published a short product-level attestation saying Azure Linux includes this open‑source library and is therefore...

A critical use‑after‑free vulnerability in the X.Org X server and Xwayland — tracked as CVE‑2025‑62229 — has been published and fixed upstream; the flaw arises in the handling of X11 Present extension notifications and can leave dangling pointers that lead to memory corruption or crashes, with...

Elasticsearch operators need to act now: a newly published vulnerability, tracked as CVE-2025-68384, lets an authenticated low-privileged user trigger uncontrolled resource allocation that can crash Elasticsearch processes (an OOM-based denial-of-service), and vendor updates resolving the issue...