CVE-2009-2025
published 2009-06-09CVE-2009-2025: admin/login.php in DM FileManager 3.9.2 allows remote attackers to bypass authentication and gain administrative access by setting the (1) USER, (2) GROUPID…
PriorityP352high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
2.61%
83.5th percentile
admin/login.php in DM FileManager 3.9.2 allows remote attackers to bypass authentication and gain administrative access by setting the (1) USER, (2) GROUPID, (3) GROUP, and (4) USERID cookies to certain values.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dutchmonkey | dm_filemanager | — | — |
| linux | linux_kernel | >= 3.11.0 < 5.10.248 | 5.10.248 |
| linux | linux_kernel | >= 3.17.0 < 5.10.248 | 5.10.248 |
| linux | linux_kernel | >= 5.11.0 < 5.15.198 | 5.15.198 |
| linux | linux_kernel | >= 5.16.0 < 6.1.160 | 6.1.160 |
| linux | linux_kernel | >= 6.13.0 < 6.18.4 | 6.18.4 |
| linux | linux_kernel | >= 6.13.0 < 6.18.3 | 6.18.3 |
| linux | linux_kernel | >= 6.2.0 < 6.6.120 | 6.6.120 |
| linux | linux_kernel | >= 6.7.0 < 6.12.64 | 6.12.64 |
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.8HIGH
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
team: fix check for port enabled in team_queue_override_port_prio_changed()
osv·2026-01-13·CVSS 7.8
CVE-2025-71091 team: fix check for port enabled in team_queue_override_port_prio_changed()
team: fix check for port enabled in team_queue_override_port_prio_changed()
In the Linux kernel, the following vulnerability has been resolved:
team: fix check for port enabled in team_queue_override_port_prio_changed()
There has been a syzkaller bug reported recently with the following
trace:
list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:59!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f
OSV
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
osv·2026-01-13
CVE-2025-68776 net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
In the Linux kernel, the following vulnerability has been resolved:
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd7/0x3a0
GHSA
GHSA-4vgp-rfx5-254x: admin/login
ghsa_unreviewed·2022-05-02
CVE-2009-2025 [HIGH] GHSA-4vgp-rfx5-254x: admin/login
admin/login.php in DM FileManager 3.9.2 allows remote attackers to bypass authentication and gain administrative access by setting the (1) USER, (2) GROUPID, (3) GROUP, and (4) USERID cookies to certain values.
Red Hat
kernel: Linux kernel: Denial of Service via NULL pointer dereference in HSR
vendor_redhat·2026-01-13·CVSS 5.5
CVE-2025-68776 [MEDIUM] CWE-476 kernel: Linux kernel: Denial of Service via NULL pointer dereference in HSR
kernel: Linux kernel: Denial of Service via NULL pointer dereference in HSR
In the Linux kernel, the following vulnerability has been resolved:
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd
Red Hat
kernel: Linux kernel: Denial of Service via MPTCP race condition
vendor_redhat·2026-01-13·CVSS 5.5
CVE-2025-71088 [MEDIUM] CWE-366 kernel: Linux kernel: Denial of Service via MPTCP race condition
kernel: Linux kernel: Denial of Service via MPTCP race condition
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fallback earlier on simult connection
Syzkaller reports a simult-connect race leading to inconsistent fallback
status:
WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Modules linked in:
CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 a
Red Hat
kernel: iommu/vt-d: debugfs: Fix legacy mode page table dump logic
vendor_redhat·2025-11-12·CVSS 5.5
CVE-2025-40155 [MEDIUM] CWE-704 kernel: iommu/vt-d: debugfs: Fix legacy mode page table dump logic
kernel: iommu/vt-d: debugfs: Fix legacy mode page table dump logic
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: debugfs: Fix legacy mode page table dump logic
In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR
maybe uninitialized or zero in that case and may cause oops like:
Oops: general protection fault, probably for non-canonical address
0xf00087d3f000f000: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 786 Comm: cat Not tainted 6.16.0 #191 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
RIP: 0010:pgtable_walk_level+0x98/0x150
RSP: 0018:ffffc90000f279c0 EFLAGS: 00010206
RAX: 0000000040000000 RBX: ffffc90000f27ab0 RCX: 000000000000001e
RDX: 0000000000000003 RSI: f00087d3f000f000 RDI: f00087d
Red Hat
kernel: nbd: fix uaf in nbd_genl_connect() error path
vendor_redhat·2025-07-25·CVSS 7.8
CVE-2025-38443 [HIGH] CWE-416 kernel: nbd: fix uaf in nbd_genl_connect() error path
kernel: nbd: fix uaf in nbd_genl_connect() error path
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix uaf in nbd_genl_connect() error path
There is a use-after-free issue in nbd:
block nbd6: Receive control failed (result -104)
block nbd6: shutting down sockets
BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022
Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67
CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: nbd6-recv recv_work
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_d
Red Hat
kernel: btrfs: avoid NULL pointer dereference if no valid csum tree
vendor_redhat·2025-06-18·CVSS 5.5
CVE-2025-38059 [MEDIUM] CWE-476 kernel: btrfs: avoid NULL pointer dereference if no valid csum tree
kernel: btrfs: avoid NULL pointer dereference if no valid csum tree
In the Linux kernel, the following vulnerability has been resolved:
btrfs: avoid NULL pointer dereference if no valid csum tree
[BUG]
When trying read-only scrub on a btrfs with rescue=idatacsums mount
option, it will crash with the following call trace:
BUG: kernel NULL pointer dereference, address: 0000000000000208
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]
Call Trace:
scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]
scrub_simple_mirror+0x175/0x290 [btrfs]
scrub_s
Red Hat
kernel: smb: client: fix oops due to unset link speed
vendor_redhat·2025-02-27·CVSS 5.5
CVE-2025-21725 [MEDIUM] CWE-369 kernel: smb: client: fix oops due to unset link speed
kernel: smb: client: fix oops due to unset link speed
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix oops due to unset link speed
It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always
be set by the server, so the client must handle any values and then
prevent oopses like below from happening:
Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48
89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8
e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 f7 74 24 18 48 89
c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24
RSP
Citrix
Citrix Security Bulletin CTX118770
vendor_citrix·CVSS 6.5
CVE-2009-2213 [MEDIUM] Citrix Security Bulletin CTX118770
Citrix Security Bulletin CTX118770
CVE References: CVE-2009-2213, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
Bugzilla
CVE-2025-39857 kernel: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
bugzilla·2025-09-19·CVSS 5.5
CVE-2025-39857 [MEDIUM] CVE-2025-39857 kernel: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
CVE-2025-39857 kernel: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
BUG: kernel NULL pointer dereference, address: 00000000000002ec
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Workqueue: smc_hs_wq smc_listen_work [smc]
RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
...
Call Trace:
smcr_buf_map_link+0x211/0x2a0 [smc]
__smc_buf_create+0x522/0x970 [smc]
smc_buf_create+0x3a/0x110 [smc]
smc_find_rdma_v2_device_serv+0x18f/
Bugzilla
CVE-2025-38226 kernel: media: vivid: Change the siize of the composing
bugzilla·2025-07-04·CVSS 7.8
CVE-2025-38226 [HIGH] CVE-2025-38226 kernel: media: vivid: Change the siize of the composing
CVE-2025-38226 kernel: media: vivid: Change the siize of the composing
In the Linux kernel, the following vulnerability has been resolved:
media: vivid: Change the siize of the composing
syzkaller found a bug:
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304
CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_
Bugzilla
CVE-2025-21725 kernel: smb: client: fix oops due to unset link speed
bugzilla·2025-02-27·CVSS 5.5
CVE-2025-21725 [MEDIUM] CVE-2025-21725 kernel: smb: client: fix oops due to unset link speed
CVE-2025-21725 kernel: smb: client: fix oops due to unset link speed
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix oops due to unset link speed
It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always
be set by the server, so the client must handle any values and then
prevent oopses like below from happening:
Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48
89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8
e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 f7 74 24 18 48 89
c3 e8 6e cf 1b c1 41 8b 6c 24
Wiz
CVE-2025-71088 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2025-71088 [MEDIUM] CVE-2025-71088 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-71088 :
Linux Kernel vulnerability analysis and mitigation
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fallback earlier on simult connection
Syzkaller reports a simult-connect race leading to inconsistent fallback
status:
WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Modules linked in:
CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 0b 90 e8 6d 66 3c f6 48 89
2009-06-09
Published