CVE-2025-1102
published 2025-02-12CVE-2025-1102: A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker…
PriorityP433high7.1CVSS 3.1
AVLACLPRNUIRSUCHIHAN
EPSS
0.14%
3.5th percentile
A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 5.11.0 < 5.15.198 | 5.15.198 |
| linux | linux_kernel | >= 5.16.0 < 6.1.160 | 6.1.160 |
| linux | linux_kernel | >= 5.5.0 < 5.10.248 | 5.10.248 |
| linux | linux_kernel | >= 6.13.0 < 6.17.12 | 6.17.12 |
| linux | linux_kernel | >= 6.18.0 < 6.18.1 | 6.18.1 |
| linux | linux_kernel | >= 6.2.0 < 6.6.120 | 6.6.120 |
| linux | linux_kernel | >= 6.7.0 < 6.12.62 | 6.12.62 |
| q-free | maxtime | <= 2.11.0 | — |
CVSS provenance
nvdv3.17.1HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
locking/spinlock/debug: Fix data-race in do_raw_write_lock
osv·2025-12-22
CVE-2025-68336 locking/spinlock/debug: Fix data-race in do_raw_write_lock
locking/spinlock/debug: Fix data-race in do_raw_write_lock
In the Linux kernel, the following vulnerability has been resolved:
locking/spinlock/debug: Fix data-race in do_raw_write_lock
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
do_raw_write_lock+0x120/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
do_raw_write_lock+0x88/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various dat
GHSA
GHSA-657f-qvvx-wqv4: A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2
ghsa_unreviewed·2025-02-12
CVE-2025-1102 [MEDIUM] CWE-346 GHSA-657f-qvvx-wqv4: A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2
A CWE-346 "Origin Validation Error" in the CORS configuration in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests.
Red Hat
kernel: locking/spinlock/debug: Fix data-race in do_raw_write_lock
vendor_redhat·2025-12-22·CVSS 5.5
CVE-2025-68336 [LOW] kernel: locking/spinlock/debug: Fix data-race in do_raw_write_lock
kernel: locking/spinlock/debug: Fix data-race in do_raw_write_lock
In the Linux kernel, the following vulnerability has been resolved:
locking/spinlock/debug: Fix data-race in do_raw_write_lock
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
do_raw_write_lock+0x120/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
do_raw_write_lock+0x88/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various dat
Red Hat
kernel: btrfs: fix assertion when building free space tree
vendor_redhat·2025-08-16·CVSS 5.5
CVE-2025-38503 [MEDIUM] CWE-253 kernel: btrfs: fix assertion when building free space tree
kernel: btrfs: fix assertion when building free space tree
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix assertion when building free space tree
When building the free space tree with the block group tree feature
enabled, we can hit an assertion failure like this:
BTRFS info (device loop0 state M): rebuilding free space tree
assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102
------------[ cut here ]------------
kernel BUG at fs/btrfs/free-space-tree.c:1102!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv da
Red Hat
nodejs: libuv: Out-of-Bounds Access Due to Inconsistent off_t Size in libuv and Node.js Build on i386
vendor_redhat·2025-05-01·CVSS 6.5
CVE-2025-47153 [MEDIUM] CWE-1102 nodejs: libuv: Out-of-Bounds Access Due to Inconsistent off_t Size in libuv and Node.js Build on i386
nodejs: libuv: Out-of-Bounds Access Due to Inconsistent off_t Size in libuv and Node.js Build on i386
Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access. NOTE: this is not a problem in the Node.js software itself. In particular, the Node.js website's download page does not offer prebuilt Node.js for Linux on i386.
A flaw was found in the build process of libuv and Node.js on 32-bit systems. This vulnerability allows out-of-bounds memory access via m
No detection rules found.
No public exploits indexed.
2025-02-12
Published