CVE-2014-1996
published 2014-07-20CVE-2014-1996: Cybozu Garoon 3.7 before SP4 allows remote authenticated users to bypass intended access restrictions, and execute arbitrary code or cause a denial of service…
PriorityP338high7.5CVSS 2.0
AVNACLAuNCPIPAP
EPSS
2.64%
83.7th percentile
Cybozu Garoon 3.7 before SP4 allows remote authenticated users to bypass intended access restrictions, and execute arbitrary code or cause a denial of service, via an API call.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybozu | garoon | — | — |
| cybozu | garoon | — | — |
| linux | linux_kernel | >= 3.18.0 < 5.10.248 | 5.10.248 |
| linux | linux_kernel | >= 5.11.0 < 5.15.198 | 5.15.198 |
| linux | linux_kernel | >= 5.16.0 < 6.1.160 | 6.1.160 |
| linux | linux_kernel | >= 6.13.0 < 6.18.4 | 6.18.4 |
| linux | linux_kernel | >= 6.2.0 < 6.6.120 | 6.6.120 |
| linux | linux_kernel | >= 6.2.0 < 6.2.11 | 6.2.11 |
| linux | linux_kernel | >= 6.7.0 < 6.12.64 | 6.12.64 |
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.1HIGH
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
e1000: fix OOB in e1000_tbi_should_accept()
osv·2026-01-13·CVSS 7.1
CVE-2025-71093 e1000: fix OOB in e1000_tbi_should_accept()
e1000: fix OOB in e1000_tbi_should_accept()
In the Linux kernel, the following vulnerability has been resolved:
e1000: fix OOB in e1000_tbi_should_accept()
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Ca
OSV
iommufd: Check for uptr overflow
osv·2025-12-30
CVE-2023-54239 iommufd: Check for uptr overflow
iommufd: Check for uptr overflow
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Check for uptr overflow
syzkaller found that setting up a map with a user VA that wraps past zero
can trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0
due to invalid arguments.
Prevent creating a pages with a uptr and size that would math overflow.
WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390
Modules linked in:
CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:pfn_reader_user_pin+0x2e6/0x390
Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 8
GHSA
GHSA-92hc-f3ff-7hwj: Cybozu Garoon 3
ghsa_unreviewed·2022-05-17
CVE-2014-1996 [HIGH] GHSA-92hc-f3ff-7hwj: Cybozu Garoon 3
Cybozu Garoon 3.7 before SP4 allows remote authenticated users to bypass intended access restrictions, and execute arbitrary code or cause a denial of service, via an API call.
Red Hat
kernel: f2fs: prevent kernel warning due to negative i_nlink from corrupted image
vendor_redhat·2025-07-04·CVSS 5.5
CVE-2025-38219 [MEDIUM] kernel: f2fs: prevent kernel warning due to negative i_nlink from corrupted image
kernel: f2fs: prevent kernel warning due to negative i_nlink from corrupted image
In the Linux kernel, the following vulnerability has been resolved:
f2fs: prevent kernel warning due to negative i_nlink from corrupted image
WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0
home/cc/linux/fs/inode.c:417
Modules linked in:
CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted
6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417
Code: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff
f0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90
0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6
ff
RSP: 0018:ffffc9
Red Hat
kernel: media: mceusb: Use new usb_control_msg_*() routines
vendor_redhat·2025-06-18·CVSS 5.5
CVE-2022-49937 [MEDIUM] CWE-20 kernel: media: mceusb: Use new usb_control_msg_*() routines
kernel: media: mceusb: Use new usb_control_msg_*() routines
In the Linux kernel, the following vulnerability has been resolved:
media: mceusb: Use new usb_control_msg_*() routines
Automatic kernel fuzzing led to a WARN about invalid pipe direction in
the mceusb driver:
------------[ cut here ]------------
usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40
WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410
usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410
Modules linked in:
CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410
Code: 7c 24 40 e8 ac
Red Hat
kernel: tracing/timerlat: Fix a race during cpuhp processing
vendor_redhat·2024-10-21·CVSS 4.7
CVE-2024-49866 [MEDIUM] CWE-362 kernel: tracing/timerlat: Fix a race during cpuhp processing
kernel: tracing/timerlat: Fix a race during cpuhp processing
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Fix a race during cpuhp processing
There is another found exception that the "timerlat/1" thread was
scheduled on CPU0, and lead to timer corruption finally:
```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
? __warn+0x7c/0x110
? debug_print_object+0x7d/0xb0
? report_bug+0x
Red Hat
kernel: nfc: fix segfault in nfc_genl_dump_devices_done
vendor_redhat·2024-06-19·CVSS 5.5
CVE-2021-47612 [MEDIUM] CWE-476 kernel: nfc: fix segfault in nfc_genl_dump_devices_done
kernel: nfc: fix segfault in nfc_genl_dump_devices_done
In the Linux kernel, the following vulnerability has been resolved:
nfc: fix segfault in nfc_genl_dump_devices_done
When kmalloc in nfc_genl_dump_devices() fails then
nfc_genl_dump_devices_done() segfaults as below
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:klist_iter_exit+0x26/0x80
Call Trace:
class_dev_iter_exit+0x15/0x20
nfc_genl_dump_devices_done+0x3b/0x50
genl_lock_done+0x84/0xd0
netlink_sock_destruct+0x8f/0x270
__sk_destruct+0x64/0x3b0
sk_destruct+0xa8/0xd0
__sk_free+0x2e8/0x3d0
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-39983 kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
bugzilla·2025-10-15
CVE-2025-39983 [MEDIUM] CVE-2025-39983 kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
CVE-2025-39983 kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue
This fixes the following UAF caused by not properly locking hdev when
processing HCI_EV_NUM_COMP_PKTS:
BUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036
Read of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54
CPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: hci1 hci_rx_work
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/
Bugzilla
CVE-2025-39974 kernel: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
bugzilla·2025-10-15
CVE-2025-39974 [LOW] CVE-2025-39974 kernel: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
CVE-2025-39974 kernel: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
When config osnoise cpus by write() syscall, the following KASAN splat may
be observed:
BUG: KASAN: slab-out-of-bounds in _parse_integer_limit+0x103/0x130
Read of size 1 at addr ffff88810121e3a1 by task test/447
CPU: 1 UID: 0 PID: 447 Comm: test Not tainted 6.17.0-rc6-dirty #288 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x55/0x70
print_report+0xcb/0x610
kasan_report+0xb8/0xf0
_parse_integer_limit+0x103/0x130
bitmap_parselist+0x16d/0x6f0
osnoise_cpus_write+0x116/0x2d0
vfs_write+0x21e/
Bugzilla
CVE-2022-50543 kernel: RDMA/rxe: Fix mr->map double free
bugzilla·2025-10-07·CVSS 7.8
CVE-2022-50543 [HIGH] CVE-2022-50543 kernel: RDMA/rxe: Fix mr->map double free
CVE-2022-50543 kernel: RDMA/rxe: Fix mr->map double free
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix mr->map double free
rxe_mr_cleanup() which tries to free mr->map again will be called when
rxe_mr_init_user() fails:
CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x45/0x5d
panic+0x19e/0x349
end_report.part.0+0x54/0x7c
kasan_report.cold+0xa/0xf
rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]
__rxe_cleanup+0x10a/0x1e0 [rdma_rxe]
rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]
ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]
ib_
Bugzilla
CVE-2022-50068 kernel: drm/ttm: Fix dummy res NULL ptr deref bug
bugzilla·2025-06-18·CVSS 5.5
CVE-2022-50068 [MEDIUM] CVE-2022-50068 kernel: drm/ttm: Fix dummy res NULL ptr deref bug
CVE-2022-50068 kernel: drm/ttm: Fix dummy res NULL ptr deref bug
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Fix dummy res NULL ptr deref bug
Check the bo->resource value before accessing the resource
mem_type.
v2: Fix commit description unwrapped warning
[ 40.191227][ T184] general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
[ 40.192995][ T184] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[ 40.194411][ T184] CPU: 1 PID: 184 Comm: systemd-udevd Not tainted 5.19.0-rc4-00721-gb297c22b7070 #1
[ 40.196063][ T184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 40.199605][ T184] RIP: 0010:ttm_bo_validate+0x1b3/0x240 [ttm]
[ 40.2007
Bugzilla
CVE-2022-50070 kernel: mptcp: do not queue data on closed subflows
bugzilla·2025-06-18·CVSS 7.8
CVE-2022-50070 [HIGH] CVE-2022-50070 kernel: mptcp: do not queue data on closed subflows
CVE-2022-50070 kernel: mptcp: do not queue data on closed subflows
In the Linux kernel, the following vulnerability has been resolved:
mptcp: do not queue data on closed subflows
Dipanjan reported a syzbot splat at close time:
WARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153
inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153
Modules linked in: uio_ivshmem(OE) uio(E)
CPU: 1 PID: 10818 Comm: kworker/1:16 Tainted: G OE
5.19.0-rc6-g2eae0556bb9d #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153
Code: 21 02 00 00 41 8b 9c 24 28 02 00 00 e9 07 ff ff ff e8 34 4d 91
f9 89 ee 4c 89 e7 e8 4a 47 60 ff e9 a6 fc ff ff e8 20 4d 91 f9 0b
e9 84 fe ff ff e8 14 4
Bugzilla
CVE-2022-49444 kernel: module: fix [e_shstrndx].sh_size=0 OOB access
bugzilla·2025-02-26·CVSS 7.1
CVE-2022-49444 [HIGH] CVE-2022-49444 kernel: module: fix [e_shstrndx].sh_size=0 OOB access
CVE-2022-49444 kernel: module: fix [e_shstrndx].sh_size=0 OOB access
In the Linux kernel, the following vulnerability has been resolved:
module: fix [e_shstrndx].sh_size=0 OOB access
It is trivial to craft a module to trigger OOB access in this line:
if (info->secstrings[strhdr->sh_size - 1] != '\0') {
BUG: unable to handle page fault for address: ffffc90000aa0fff
PGD 100000067 P4D 100000067 PUD 100066067 PMD 10436f067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 1215 Comm: insmod Not tainted 5.18.0-rc5-00007-g9bf578647087-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:load_module+0x19b/0x2391
[rebased patch onto modules-next]
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022658-CVE-2022-
2014-07-20
Published