CVE-2025-41278
Published: 2026-05-29
Priority: P3 · 43 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.12% (2.2th percentile)
Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| waterfall-security | wf-500_firmware | <= 7.9.1.0_r2502171040 | — |
| waterfall | wf-500 | <= 7.10.0.0 R2601141040 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.5 | HIGH | CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 7.8 | HIGH | — |
GHSA
GHSA-68g4-7798-227f · ghsa_unreviewed · 2026-05-29
CVE-2025-41278 [HIGH] CWE-125: Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host.
Red Hat
kernel: hwmon: (ibmpex) fix use-after-free in high/low store
vendor_redhat·2026-01-13
CVE-2025-68789 CWE-367 kernel: hwmon: (ibmpex) fix use-after-free in high/low store
No description is available for this CVE.
Statement: This CVE has been marked as Rejected by the assigning CNA.
Mitigation: To mitigate this issue, prevent the ibmpex module from being loaded if IBM PowerExecutive hardware monitoring is not required. See https://access.redhat.com/solutions/41278 for instructions on how to blacklist a kernel module.
Package: kernel (Red Hat Enterprise Linux 10) - Affected
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Package: kernel (Red Hat Enterprise Linux 7) - Affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Affected
Package: kernel (Red Hat Enterprise Linux 8) - Affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Affected
Package: kernel (Red Ha
Red Hat
kernel: iwlwifi: Add missing check for alloc_ordered_workqueue
vendor_redhat·2025-08-19·CVSS 5.5
CVE-2025-38602 [MEDIUM] CWE-252 kernel: iwlwifi: Add missing check for alloc_ordered_workqueue
In the Linux kernel, the following vulnerability has been resolved:
iwlwifi: Add missing check for alloc_ordered_workqueue
Add check for the return value of alloc_ordered_workqueue since it may
return NULL pointer.
Statement: In iwlwifi (DVM), the return value of alloc_ordered_workqueue() wasn’t checked; under memory pressure it can return NULL, and subsequent use causes a kernel NULL dereference during driver init. Exploitation requires the driver to be loaded (typically root/boot-time), so this is a local DoS.
Mitigation: To mitigate this issue, prevent modules iwlcore, iwlwifi from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatical
Red Hat
kernel: USB: wdm: close race between wdm_open and wdm_wwan_port_stop
vendor_redhat·2025-05-20·CVSS 4.7
CVE-2025-37985 [MEDIUM] CWE-826 kernel: USB: wdm: close race between wdm_open and wdm_wwan_port_stop
In the Linux kernel, the following vulnerability has been resolved:
USB: wdm: close race between wdm_open and wdm_wwan_port_stop
Clearing WDM_WWAN_IN_USE must be the last action or
we can open a chardev whose URBs are still poisoned
Statement: The bug is relevant only if WMC Device Management functionality is being used (that is, for cell phones compliant with the CDC WMC specification). It concerns the possibility of incorrect access to the device (access after release of the device). It doesn't lead to a kernel crash or other possibilities of attack, so the security impact is limited.
Mitigation: To mitigate this issue, prevent module cdc-wdm from being loaded. Please see https://access.redhat.com/solutions/41278 for how to b
Red Hat
kernel: openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
vendor_redhat·2025-02-27·CVSS 7.8
CVE-2025-21761 [HIGH] CWE-416 kernel: openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
ovs_vport_cmd_fill_info() can be called without RTNL or RCU.
Use RCU protection and dev_net_rcu() to avoid potential UAF.
Statement: The bug could happen only if vSwitch (that is, a multilayer Ethernet switch) is being used. The security impact is limited, because there is no known way for an unprivileged user to trigger it.
Mitigation: To mitigate this issue, prevent module openvswitch from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Package: kernel (Red Hat Enterprise Linux 6) - Out of support scope
Pac
Red Hat
kernel: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
vendor_redhat·2025-02-12·CVSS 5.5
CVE-2025-21699 [MEDIUM] kernel: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag:
depending on that flag, the pages in the address space will either use
buffer heads or iomap_folio_state structs, and we cannot mix the two.
Statement: The bug could happen only if a cluster of computers simultaneously uses a block device that is shared between them using the gfs2 file system. The security impact is limited, because only corruption of this file system could happen.
Mitigation: To mitigate this issue, prevent module gfs2 from being loaded. Please see https://access.redhat.com/solutions/41278 for how to bl
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.