LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-1999-0656 CVE STATUS: Unpatched CVE SUMMARY: The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user and group names. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2006-2932 CVE STATUS: Unpatched CVE SUMMARY: A regression error in the restore_all code path of the 4/4GB split support for non-hugemem Linux kernels on Red Hat Linux Desktop and Enterprise Linux 4 allows local users to cause a denial of service (panic) via unspecified vectors. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2007-2764 CVE STATUS: Unpatched CVE SUMMARY: The embedded Linux kernel in certain Sun-Brocade SilkWorm switches before 20070516 does not properly handle a situation in which a non-root user creates a kernel process, which allows attackers to cause a denial of service (oops and device reboot) via unspecified vectors. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2007-4998 CVE STATUS: Unpatched CVE SUMMARY: cp, when running with an option to preserve symlinks on multiple OSes, allows local, user-assisted attackers to overwrite arbitrary files via a symlink attack using crafted directories containing multiple source files that are copied to the same destination. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2008-2544 CVE STATUS: Unpatched CVE SUMMARY: Mounting /proc filesystem via chroot command silently mounts it in read-write mode. The user could bypass the chroot environment and gain write access to files, he would never have otherwise. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2011-1763 CVE STATUS: Unpatched CVE SUMMARY: The get_free_port function in Xen allows local authenticated DomU users to cause a denial of service or possibly gain privileges via unspecified vectors involving a new event channel port. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2011-1936 CVE STATUS: Unpatched CVE SUMMARY: Xen, when using x86 Intel processors and the VMX virtualization extension is enabled, does not properly handle cpuid instruction emulation when exiting the VM, which allows local guest users to cause a denial of service (guest crash) via unspecified vectors. LAYER: meta-xilinx-core PACKAGE NAME: qemu-xilinx PACKAGE VERSION: 8.2.7+git CVE: CVE-2011-3346 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs. -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2011-3346 CVE STATUS: Unpatched CVE SUMMARY: Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2014-2580 CVE STATUS: Unpatched CVE SUMMARY: The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service ("scheduling while atomic" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2014-3672 CVE STATUS: Unpatched CVE SUMMARY: The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2014-8171 CVE STATUS: Unpatched CVE SUMMARY: The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup. LAYER: meta-xilinx-core PACKAGE NAME: qemu-xilinx PACKAGE VERSION: 8.2.7+git CVE: CVE-2015-7504 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2015-7504 CVE STATUS: Unpatched CVE SUMMARY: Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2015-8550 CVE STATUS: Unpatched CVE SUMMARY: Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2015-8553 CVE STATUS: Unpatched CVE SUMMARY: Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2016-0774 CVE STATUS: Unpatched CVE SUMMARY: The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun." NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-1805. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2016-3695 CVE STATUS: Unpatched CVE SUMMARY: The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2016-3699 CVE STATUS: Unpatched CVE SUMMARY: The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2016-3960 CVE STATUS: Unpatched CVE SUMMARY: Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2016-7092 CVE STATUS: Unpatched CVE SUMMARY: The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2016-9379 CVE STATUS: Unpatched CVE SUMMARY: The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2016-9380 CVE STATUS: Unpatched CVE SUMMARY: The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2016-9383 CVE STATUS: Unpatched CVE SUMMARY: Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2016-9386 CVE STATUS: Unpatched CVE SUMMARY: The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2017-1000255 CVE STATUS: Unpatched CVE SUMMARY: On Linux running on PowerPC hardware (Power8 or later) a user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written. This flaw was introduced in commit: "5d176f751ee3 (powerpc: tm: Enable transactional memory (TM) lazily for userspace)" which was merged upstream into v4.9-rc1. Please note that kernels built with CONFIG_PPC_TRANSACTIONAL_MEM=n are not vulnerable. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2017-1000377 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the size of the default stack guard page on PAX Linux (originally from GRSecurity but shipped by other Linux vendors), specifically the default stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects PAX Linux Kernel versions as of June 19, 2017 (specific version information is not available at this time). LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2017-12134 CVE STATUS: Unpatched CVE SUMMARY: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2017-12135 CVE STATUS: Unpatched CVE SUMMARY: Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2017-12137 CVE STATUS: Unpatched CVE SUMMARY: arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2017-6264 CVE STATUS: Unpatched CVE SUMMARY: An elevation of privilege vulnerability exists in the NVIDIA GPU driver (gm20b_clk_throt_set_cdev_state), where an out of bound memory read is used as a function pointer could lead to code execution in the kernel.This issue is rated as high because it could allow a local malicious application to execute arbitrary code within the context of a privileged process. Product: Android. Version: N/A. Android ID: A-34705430. References: N-CVE-2017-6264. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2017-7228 CVE STATUS: Unpatched CVE SUMMARY: An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2018-10840 CVE STATUS: Unpatched CVE SUMMARY: Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2018-10876 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2018-10882 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2018-10902 CVE STATUS: Unpatched CVE SUMMARY: It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2018-14625 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients. LAYER: meta-ros-common PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.6.2 CVE: CVE-2018-20573 CVE STATUS: Unpatched CVE SUMMARY: The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. LAYER: meta-ros-common PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.6.2 CVE: CVE-2018-20574 CVE STATUS: Unpatched CVE SUMMARY: The SingleDocParser::HandleFlowMap function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2018-5244 CVE STATUS: Unpatched CVE SUMMARY: In Xen 4.10, new infrastructure was introduced as part of an overhaul to how MSR emulation happens for guests. Unfortunately, one tracking structure isn't freed when a vcpu is destroyed. This allows guest OS administrators to cause a denial of service (host OS memory consumption) by rebooting many times. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2018-6559 CVE STATUS: Unpatched CVE SUMMARY: The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2018-8897 CVE STATUS: Unpatched CVE SUMMARY: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2019-14899 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2019-3016 CVE STATUS: Unpatched CVE SUMMARY: In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2019-3819 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ("root") can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2019-3887 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Rregister (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue. Kernel versions from 4.16 and newer are vulnerable to this issue. LAYER: meta-ros-common PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.6.2 CVE: CVE-2019-6285 CVE STATUS: Unpatched CVE SUMMARY: The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. LAYER: meta-ros-common PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.6.2 CVE: CVE-2019-6292 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2020-10742 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2020-16119 CVE STATUS: Unpatched CVE SUMMARY: Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ubuntu Linux kernel 5.4.0-51.56, 5.3.0-68.63, 4.15.0-121.123, 4.4.0-193.224, 3.13.0.182.191 and 3.2.0-149.196. LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.12 CVE: CVE-2020-17498 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression. -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2020-1749 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. LAYER: meta-oe PACKAGE NAME: dhrystone PACKAGE VERSION: 2.1 CVE: CVE-2020-23026 CVE STATUS: Unpatched CVE SUMMARY: A NULL pointer dereference in the main() function dhry_1.c of dhrystone 2.1 causes a denial of service (DoS). LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2020-25672 CVE STATUS: Unpatched CVE SUMMARY: A memory leak vulnerability was found in Linux kernel in llcp_sock_connect LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2020-27815 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2020-8834 CVE STATUS: Unpatched CVE SUMMARY: KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 ("KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures") 87a11bb6a7f7 ("KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode") The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following three commits, though it's believed the first is the only strictly necessary commit: 6f597c6b63b6 ("KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()") 7b0e827c6970 ("KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm") 009c872a8bc4 ("KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file") LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-20194 CVE STATUS: Unpatched CVE SUMMARY: There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution, the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly privileges escalation. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-20265 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-26313 CVE STATUS: Unpatched CVE SUMMARY: Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-26314 CVE STATUS: Unpatched CVE SUMMARY: Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-28039 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG. -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28039 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28692 CVE STATUS: Unpatched CVE SUMMARY: inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to fail overly-slow commands. The course of action upon a perceived timeout actually being detected is inappropriate: - on Intel hardware guests which did not originally cause the timeout may be marked as crashed, - on AMD hardware higher layer callers would not be notified of the issue, making them continue as if the IOMMU operation succeeded. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28694 CVE STATUS: Unpatched CVE SUMMARY: IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696). LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28695 CVE STATUS: Unpatched CVE SUMMARY: IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696). LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28696 CVE STATUS: Unpatched CVE SUMMARY: IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696). LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28698 CVE STATUS: Unpatched CVE SUMMARY: long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of "cooperating" guests may, however, cause the effects to be more severe. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28699 CVE STATUS: Unpatched CVE SUMMARY: inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28700 CVE STATUS: Unpatched CVE SUMMARY: xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allow a domain to allocate memory beyond what an administrator originally configured. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28701 CVE STATUS: Unpatched CVE SUMMARY: Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28703 CVE STATUS: Unpatched CVE SUMMARY: grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28711 CVE STATUS: Unpatched CVE SUMMARY: Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28712 CVE STATUS: Unpatched CVE SUMMARY: Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2021-28713 CVE STATUS: Unpatched CVE SUMMARY: Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-3564 CVE STATUS: Unpatched CVE SUMMARY: A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. LAYER: meta PACKAGE NAME: sqlite3 PACKAGE VERSION: 3_3.45.3 CVE: CVE-2021-36690 CVE STATUS: Patched CVE SUMMARY: A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library. -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-3669 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel. Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-3714 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernels memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-3759 CVE STATUS: Unpatched CVE SUMMARY: A memory overflow vulnerability was found in the Linux kernel’s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-3864 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2021-4218 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel’s implementation of reading the SVC RDMA counters. Reading the counter sysctl panics the system. This flaw allows a local attacker with local access to cause a denial of service while the system reboots. The issue is specific to CentOS/RHEL. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-0286 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel. A null pointer dereference in bond_ipsec_add_sa() may lead to local denial of service. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-0400 CVE STATUS: Unpatched CVE SUMMARY: An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-1247 CVE STATUS: Unpatched CVE SUMMARY: An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-1462 CVE STATUS: Unpatched CVE SUMMARY: An out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-21123 CVE STATUS: Unpatched CVE SUMMARY: Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-21125 CVE STATUS: Unpatched CVE SUMMARY: Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-21127 CVE STATUS: Unpatched CVE SUMMARY: Incomplete cleanup in specific special register read operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-21166 CVE STATUS: Unpatched CVE SUMMARY: Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23033 CVE STATUS: Unpatched CVE SUMMARY: arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23035 CVE STATUS: Unpatched CVE SUMMARY: Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23036 CVE STATUS: Unpatched CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23037 CVE STATUS: Unpatched CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23038 CVE STATUS: Unpatched CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23039 CVE STATUS: Unpatched CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23040 CVE STATUS: Unpatched CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23041 CVE STATUS: Unpatched CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23042 CVE STATUS: Unpatched CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-2308 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-2327 CVE STATUS: Unpatched CVE SUMMARY: io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23824 CVE STATUS: Unpatched CVE SUMMARY: IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-23960 CVE STATUS: Unpatched CVE SUMMARY: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-26358 CVE STATUS: Unpatched CVE SUMMARY: IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-26359 CVE STATUS: Unpatched CVE SUMMARY: IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-26360 CVE STATUS: Unpatched CVE SUMMARY: IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-26361 CVE STATUS: Unpatched CVE SUMMARY: IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-26362 CVE STATUS: Unpatched CVE SUMMARY: x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-26363 CVE STATUS: Unpatched CVE SUMMARY: x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-26364 CVE STATUS: Unpatched CVE SUMMARY: x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-26365 CVE STATUS: Patched CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-26365 CVE STATUS: Unpatched CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-2663 CVE STATUS: Unpatched CVE SUMMARY: An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-2785 CVE STATUS: Unpatched CVE SUMMARY: There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-29900 CVE STATUS: Unpatched CVE SUMMARY: Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-29901 CVE STATUS: Unpatched CVE SUMMARY: Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-33740 CVE STATUS: Patched CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-33740 CVE STATUS: Unpatched CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-33741 CVE STATUS: Patched CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-33741 CVE STATUS: Unpatched CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-33742 CVE STATUS: Patched CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-33742 CVE STATUS: Unpatched CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-33743 CVE STATUS: Patched CVE SUMMARY: network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-33743 CVE STATUS: Unpatched CVE SUMMARY: network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-33745 CVE STATUS: Unpatched CVE SUMMARY: insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-33747 CVE STATUS: Unpatched CVE SUMMARY: Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-33748 CVE STATUS: Unpatched CVE SUMMARY: lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3435 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3523 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211020. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3534 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3566 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3567 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3619 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211918 is the identifier assigned to this vulnerability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3621 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3624 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in Linux Kernel and classified as problematic. Affected by this issue is the function rlb_arp_xmit of the file drivers/net/bonding/bond_alb.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211928. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3629 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3630 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in Linux Kernel. It has been rated as problematic. This issue affects some unknown processing of the file fs/fscache/cookie.c of the component IPsec. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211931. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3633 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function j1939_session_destroy of the file net/can/j1939/transport.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211932. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3636 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211935. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-36402 CVE STATUS: Unpatched CVE SUMMARY: An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-3646 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-38096 CVE STATUS: Unpatched CVE SUMMARY: A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-40982 CVE STATUS: Unpatched CVE SUMMARY: Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42309 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42311 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42312 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42313 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42314 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42315 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42316 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42317 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42318 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42319 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shortages causing Denial of Service (DoS) of xenstored. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42320 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42321 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42322 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42323 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42324 CVE STATUS: Unpatched CVE SUMMARY: Oxenstored 32->31 bit integer truncation issues Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates unsigned/signed confusion in the remainder. This in turn can feed a negative value into logic not expecting a negative value, resulting in unexpected exceptions being thrown. The unexpected exception is not handled suitably, creating a busy-loop trying (and failing) to take the bad packet out of the xenstore ring. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42325 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42326 CVE STATUS: Unpatched CVE SUMMARY: Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-42332 CVE STATUS: Unpatched CVE SUMMARY: x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To migrate or snapshot guests, Xen additionally runs them in so called log-dirty mode. The data structures needed by the log-dirty tracking are part of aformentioned auxiliary data. In order to keep error handling efforts within reasonable bounds, for operations which may require memory allocations shadow mode logic ensures up front that enough memory is available for the worst case requirements. Unfortunately, while page table memory is properly accounted for on the code path requiring the potential establishing of new shadows, demands by the log-dirty infrastructure were not taken into consideration. As a result, just established shadow page tables could be freed again immediately, while other code is still accessing them on the assumption that they would remain allocated. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-42895 CVE STATUS: Unpatched CVE SUMMARY: There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-4382 CVE STATUS: Unpatched CVE SUMMARY: A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-4543 CVE STATUS: Unpatched CVE SUMMARY: A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49490 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49491 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49492 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49493 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49494 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49495 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49496 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49497 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49498 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2022-49499 CVE STATUS: Patched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2022-4949 CVE STATUS: Unpatched CVE SUMMARY: The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-1073 CVE STATUS: Unpatched CVE SUMMARY: A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-1074 CVE STATUS: Unpatched CVE SUMMARY: A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-1075 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-1076 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-20588 CVE STATUS: Unpatched CVE SUMMARY: LAYER: meta-tpm PACKAGE NAME: tpm2-tss PACKAGE VERSION: 4.0.2 CVE: CVE-2023-22745 CVE STATUS: Unpatched CVE SUMMARY: tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions `Tss2_RC_SetHandler` and `Tss2_RC_Decode` both index into `layer_handler` with an 8 bit layer number, but the array only has `TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-2898 CVE STATUS: Unpatched CVE SUMMARY: There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-3079 CVE STATUS: Unpatched CVE SUMMARY: Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-3397 CVE STATUS: Unpatched CVE SUMMARY: A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-34319 CVE STATUS: Patched CVE SUMMARY: The fix for XSA-423 added logic to Linux'es netback driver to deal with -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-34319 CVE STATUS: Unpatched CVE SUMMARY: The fix for XSA-423 added logic to Linux'es netback driver to deal with LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-34320 CVE STATUS: Unpatched CVE SUMMARY: Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-34324 CVE STATUS: Patched CVE SUMMARY: Closing of an event channel in the Linux kernel can result in a deadlock. -- LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-34324 CVE STATUS: Unpatched CVE SUMMARY: Closing of an event channel in the Linux kernel can result in a deadlock. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-34325 CVE STATUS: Unpatched CVE SUMMARY: LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-34326 CVE STATUS: Unpatched CVE SUMMARY: The caching invalidation guidelines from the AMD-Vi specification (48882—Rev LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-34327 CVE STATUS: Unpatched CVE SUMMARY: LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-3640 CVE STATUS: Unpatched CVE SUMMARY: A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Patched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-3772 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-3773 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-39176 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found within the parsing of SMB2 requests that have a transform header in the kernel ksmbd module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this to disclose sensitive information on affected installations of Linux. Only systems with ksmbd enabled are vulnerable to this CVE. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-39179 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found within the handling of SMB2 read requests in the kernel ksmbd module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this to disclose sensitive information on affected installations of Linux. Only systems with ksmbd enabled are vulnerable to this CVE. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-39180 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found within the handling of SMB2_READ commands in the kernel ksmbd module. The issue results from not releasing memory after its effective lifetime. An attacker can leverage this to create a denial-of-service condition on affected installations of Linux. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. LAYER: meta-oe PACKAGE NAME: openjpeg PACKAGE VERSION: 2.5.3 CVE: CVE-2023-39327 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in OpenJPEG. Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal. LAYER: meta-oe PACKAGE NAME: openjpeg PACKAGE VERSION: 2.5.3 CVE: CVE-2023-39328 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file. LAYER: meta-oe PACKAGE NAME: openjpeg PACKAGE VERSION: 2.5.3 CVE: CVE-2023-39329 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-4010 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-4155 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`). LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-46835 CVE STATUS: Unpatched CVE SUMMARY: The current setup of the quarantine page tables assumes that the LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-46836 CVE STATUS: Unpatched CVE SUMMARY: The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-46841 CVE STATUS: Unpatched CVE SUMMARY: Recent x86 CPUs offer functionality named Control-flow Enforcement LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.20.0+stable-xilinx+git CVE: CVE-2023-4949 CVE STATUS: Unpatched CVE SUMMARY: An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation. LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.3 CVE: CVE-2023-49502 CVE STATUS: Unpatched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c function in the libavfilter/bwdifdsp.c:125:5 component. LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.3 CVE: CVE-2023-50007 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg v.n6.1-3-g466799d4f5 allows an attacker to trigger use of a parameter of negative size in the av_samples_set_silence function in thelibavutil/samplefmt.c:260:9 component. LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.3 CVE: CVE-2023-50008 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg v.n6.1-3-g466799d4f5 allows memory consumption when using the colorcorrect filter, in the av_malloc function in libavutil/mem.c:105:9 component. LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.3 CVE: CVE-2023-50009 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg v.n6.1-3-g466799d4f5 allows a heap-based buffer overflow via the ff_gaussian_blur_8 function in libavfilter/edge_template.c:116:5 component. LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.3 CVE: CVE-2023-50010 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg v.n6.1-3-g466799d4f5 allows a buffer over-read at ff_gradfun_blur_line_movdqa_sse2, as demonstrated by a call to the set_encoder_id function in /fftools/ffmpeg_enc.c component. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-52904 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-6176 CVE STATUS: Unpatched CVE SUMMARY: A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-6238 CVE STATUS: Unpatched CVE SUMMARY: A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. Only privileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-6240 CVE STATUS: Unpatched CVE SUMMARY: A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-6535 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-6610 CVE STATUS: Unpatched CVE SUMMARY: An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-6679 CVE STATUS: Unpatched CVE SUMMARY: A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel. This issue could be exploited to trigger a denial of service. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2023-7042 CVE STATUS: Unpatched CVE SUMMARY: A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-0193 CVE STATUS: Unpatched CVE SUMMARY: A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system. LAYER: meta PACKAGE NAME: pulseaudio PACKAGE VERSION: 17.0 CVE: CVE-2024-11586 CVE STATUS: Unpatched CVE SUMMARY: Ubuntu's implementation of pulseaudio can be crashed by a malicious program if a bluetooth headset is connected. LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2024-13978 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as problematic. Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The patch is named 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a patch to fix this issue. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.3+gitf417435e5f6216828dec57958c490c4f8bae4f98 CVE: CVE-2024-29018 CVE STATUS: Unpatched CVE SUMMARY: Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.3 CVE: CVE-2024-31578 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function. LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.3 CVE: CVE-2024-31582 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg version n6.1 was discovered to contain a heap buffer overflow vulnerability in the draw_block_rectangle function of libavfilter/vf_codecview.c. This vulnerability allows attackers to cause undefined behavior or a Denial of Service (DoS) via crafted input. LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.3 CVE: CVE-2024-31585 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by-one Error vulnerability in libavfilter/avf_showspectrum.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.3+gitf417435e5f6216828dec57958c490c4f8bae4f98 CVE: CVE-2024-36623 CVE STATUS: Unpatched CVE SUMMARY: moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. LAYER: meta-oe PACKAGE NAME: linuxptp PACKAGE VERSION: 4.1 CVE: CVE-2024-42861 CVE STATUS: Unpatched CVE SUMMARY: An issue in IEEE 802.1AS linuxptp v.4.2 and before allowing a remote attacker to cause a denial of service via a crafted Pdelay_Req message to the time synchronization function LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47606 CVE STATUS: Unpatched CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2024-50613 CVE STATUS: Unpatched CVE SUMMARY: libsndfile through 1.2.2 has a reachable assertion, that may lead to application exit, in mpeg_l3_encode.c mpeg_l3_encoder_close. LAYER: meta-oe PACKAGE NAME: libvpx PACKAGE VERSION: 1.14.0 CVE: CVE-2024-5197 CVE STATUS: Unpatched CVE SUMMARY: There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-52560 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-oe PACKAGE NAME: iptraf-ng PACKAGE VERSION: 1.2.1 CVE: CVE-2024-52949 CVE STATUS: Unpatched CVE SUMMARY: iptraf-ng 1.2.1 has a stack-based buffer overflow. In src/ifaces.c, the strcpy function consistently fails to control the size, and it is consequently possible to overflow memory on the stack. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-57995 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-58015 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-58074 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-58093 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-58094 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-58095 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-58096 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2024-58097 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-21709 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-21751 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-21752 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-21807 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-21833 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-21884 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-21949 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22103 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22104 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22105 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22106 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22107 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22108 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22109 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22111 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22113 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22116 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22117 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22121 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22124 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22125 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-22127 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-23129 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-23130 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-23131 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-23132 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-23133 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-23135 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-23137 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-2759 CVE STATUS: Unpatched CVE SUMMARY: GStreamer Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of GStreamer. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2912 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in HDF5 up to 1.14.6. It has been declared as problematic. Affected by this vulnerability is the function H5O_msg_flush of the file src/H5Omessage.c. The manipulation of the argument oh leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2913 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in HDF5 up to 1.14.6. It has been rated as critical. Affected by this issue is the function H5FL__blk_gc_list of the file src/H5FL.c. The manipulation of the argument H5FL_blk_head_t leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2914 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability classified as problematic has been found in HDF5 up to 1.14.6. This affects the function H5FS__sinfo_Srialize_Sct_cb of the file src/H5FScache.c. The manipulation of the argument sect leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2915 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability classified as problematic was found in HDF5 up to 1.14.6. This vulnerability affects the function H5F__accum_free of the file src/H5Faccum.c. The manipulation of the argument overlap_size leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2923 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5F_addr_encode_len of the file src/H5Fint.c. The manipulation of the argument pp leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2924 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability, which was classified as problematic, was found in HDF5 up to 1.14.6. This affects the function H5HL__fl_deserialize of the file src/H5HLcache.c. The manipulation of the argument free_block leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2925 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability has been found in HDF5 up to 1.14.6 and classified as problematic. This vulnerability affects the function H5MM_realloc of the file src/H5MM.c. The manipulation of the argument mem leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2926 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in HDF5 up to 1.14.6 and classified as problematic. This issue affects the function H5O__cache_chk_serialize of the file src/H5Ocache.c. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). -- LAYER: meta-qt5 PACKAGE NAME: qtwayland PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols2 PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). -- LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). -- LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). -- LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-37743 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-37746 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-37803 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-37860 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-37880 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-37925 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-38029 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-38036 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-38041 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-38042 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-38064 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-3887 CVE STATUS: Unpatched CVE SUMMARY: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-40325 CVE STATUS: Unpatched CVE SUMMARY: In the Linux kernel, the following vulnerability has been resolved: LAYER: meta-xilinx-core PACKAGE NAME: linux-xlnx PACKAGE VERSION: 6.12.40+git+v2025.2 CVE: CVE-2025-4598 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. -- LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2025-4598 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. LAYER: meta PACKAGE NAME: busybox PACKAGE VERSION: 1.36.1 CVE: CVE-2025-46394 CVE STATUS: Unpatched CVE SUMMARY: In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47183 CVE STATUS: Unpatched CVE SUMMARY: In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure. LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47219 CVE STATUS: Unpatched CVE SUMMARY: In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure. LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47806 CVE STATUS: Unpatched CVE SUMMARY: In GStreamer through 1.26.1, the subparse plugin's parse_subrip_time function may write data past the bounds of a stack buffer, leading to a crash. LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47807 CVE STATUS: Unpatched CVE SUMMARY: In GStreamer through 1.26.1, the subparse plugin's subrip_unescape_formatting function may dereference a NULL pointer while parsing a subtitle file, leading to a crash. LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47808 CVE STATUS: Unpatched CVE SUMMARY: In GStreamer through 1.26.1, the subparse plugin's tmplayer_parse_line function may dereference a NULL pointer while parsing a subtitle file, leading to a crash. LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2025-52194 CVE STATUS: Unpatched CVE SUMMARY: A buffer overflow vulnerability exists in libsndfile version 1.2.2 and potentially earlier versions when processing malformed IRCAM audio files. The vulnerability occurs in the ircam_read_header function at src/ircam.c:164 during sample rate processing, leading to memory corruption and potential code execution. LAYER: meta-oe PACKAGE NAME: iperf3 PACKAGE VERSION: 3.18 CVE: CVE-2025-54350 CVE STATUS: Unpatched CVE SUMMARY: In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion failure and application exit upon a malformed authentication attempt. LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.3+gitf417435e5f6216828dec57958c490c4f8bae4f98 CVE: CVE-2025-54410 CVE STATUS: Unpatched CVE SUMMARY: Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments. Only containers in --internal networks remain protected. LAYER: meta-oe PACKAGE NAME: openjpeg PACKAGE VERSION: 2.5.3 CVE: CVE-2025-54874 CVE STATUS: Unpatched CVE SUMMARY: OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized. LAYER: meta-oe PACKAGE NAME: cjson PACKAGE VERSION: 1.7.18 CVE: CVE-2025-57052 CVE STATUS: Unpatched CVE SUMMARY: cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters. LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2025-59375 CVE STATUS: Unpatched CVE SUMMARY: libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2025-59777 CVE STATUS: Unpatched CVE SUMMARY: NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. LAYER: meta PACKAGE NAME: ghostscript PACKAGE VERSION: 10.05.1 CVE: CVE-2025-59798 CVE STATUS: Unpatched CVE SUMMARY: Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdf_write_cmap in devices/vector/gdevpdtw.c. LAYER: meta PACKAGE NAME: ghostscript PACKAGE VERSION: 10.05.1 CVE: CVE-2025-59799 CVE STATUS: Unpatched CVE SUMMARY: Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdfmark_coerce_dest in devices/vector/gdevpdfm.c via a large size value. LAYER: meta PACKAGE NAME: ghostscript PACKAGE VERSION: 10.05.1 CVE: CVE-2025-59800 CVE STATUS: Unpatched CVE SUMMARY: In Artifex Ghostscript through 10.05.1, ocr_begin_page in devices/gdevpdfocr.c has an integer overflow that leads to a heap-based buffer overflow in ocr_line8. LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2025-62689 CVE STATUS: Unpatched CVE SUMMARY: NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6269 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability classified as critical was found in HDF5 up to 1.14.6. Affected by this vulnerability is the function H5C__reconstruct_cache_entry of the file H5Cimage.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6270 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability, which was classified as critical, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5FS__sect_find_node of the file H5FSsection.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6516 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability has been found in HDF5 up to 1.14.6 and classified as critical. This vulnerability affects the function H5F_addr_decode_len of the file /hdf5/src/H5Fint.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2025-7424 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior. LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-8176 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue. LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-8177 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer. LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-8534 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used."