CPE Details
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
CPE Name: cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*
Informations
Vendor
freebsdProduct
freebsdVersion
14.0Update
rc4-p1Related CVE
| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
04h54 +00:00 |
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape. | 10 |
Critical |
|
04h42 +00:00 |
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. | 8.2 |
High |
|
04h31 +00:00 |
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. | 9.8 |
Critical |
|
04h31 +00:00 |
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. | 8.8 |
High |
|
04h31 +00:00 |
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. | 8.8 |
High |
|
04h31 +00:00 |
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. | 9.3 |
Critical |
|
03h18 +00:00 |
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. | 9.1 |
Critical |
|
03h15 +00:00 |
A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges. This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD. As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root. | 8.1 |
High |
|
02h45 +00:00 |
When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components. The lack of validation described above gives rise to a confused deputy problem. For example, a program copying files from an NFS mount could be tricked into copying from outside the intended source directory, and/or to a location outside the intended destination directory. | 5.3 |
Medium |
|
02h40 +00:00 |
A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs. The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database. | 7.5 |
High |
|
12h37 +00:00 |
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. | 8.1 |
High |
|
08h23 +00:00 |
When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to data previously stored in mbufs, which are used for network transmission and reception, and for certain types of inter-process communication. The bug can also be triggered unintentionally by system applications, in which case the data written by the application to an NFS mount may be corrupted. Corrupted data is written over the network to the NFS server, and thus also susceptible to being snooped by other hosts on the network. Note that the bug exists only in the NFS client; the version and implementation of the server has no effect on whether a given system is affected by the problem. | 6.5 |
Medium |
|
08h12 +00:00 |
In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates TCP sequence numbers. This could allow a malicious actor to execute a denial-of-service attack against hosts behind the firewall. | 7.5 |
High |
|
23h53 +00:00 |
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. This allows an untrusted guest to perform arbitrary read or write operations in the context of the grub-bhyve process, resulting in code execution as root on the host OS. | 7.8 |
High |
|
23h52 +00:00 |
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, mishandles font loading by a guest through a grub2.cfg file, leading to a buffer overflow. | 7.8 |
High |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients. | 5.3 |
Medium |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients. | 5.3 |
Medium |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. | 5.3 |
Medium |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. | 5.3 |
Medium |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. | 8.1 |
High |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. | 6.8 |
Medium |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. | 6.8 |
Medium |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. | 5.3 |
Medium |
|
11h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. | 5.3 |
Medium |
|
00h00 +00:00 |
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames. | 6.8 |
Medium |
|
22h00 +00:00 |
The NVIDIA GPU driver for FreeBSD R352 before 352.09, 346 before 346.72, R349 before 349.16, R343 before 343.36, R340 before 340.76, R337 before 337.25, R334 before 334.21, R331 before 331.113, and R304 before 304.125 allows local users with certain permissions to read or write arbitrary kernel memory via unspecified vectors that trigger an untrusted pointer dereference. | 7.2 |
||
18h00 +00:00 |
The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. | 5 |
||
18h00 +00:00 |
softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. | 5 |
||
17h00 +00:00 |
The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD, NetBSD, and possibly other BSD-based operating systems allows remote attackers to cause a denial of service (CPU consumption and device hang) by sending many Router Advertisement (RA) messages with different source addresses, a similar vulnerability to CVE-2010-4670. | 7.8 |
||
15h00 +00:00 |
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896. | 9.3 |
||
17h00 +00:00 |
mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1, when a Solaris or FreeBSD guest OS is used, allows guest OS users to modify arbitrary guest OS files via unspecified vectors, related to a "procedural error." | 6.3 |
||
15h00 +00:00 |
Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. | 4.3 |
||
21h00 +00:00 |
crontab.c in crontab in FreeBSD and Apple Mac OS X allows local users to (1) determine the existence of arbitrary files via a symlink attack on a /tmp/crontab.XXXXXXXXXX temporary file and (2) perform MD5 checksum comparisons on arbitrary pairs of files via two symlink attacks on /tmp/crontab.XXXXXXXXXX temporary files. | 1.9 |
||
21h00 +00:00 |
crontab.c in crontab in FreeBSD allows local users to determine the existence of arbitrary directories via a command-line argument composed of a directory name concatenated with a directory traversal sequence that leads to the /etc/crontab pathname. | 1.9 |
||
14h00 +00:00 |
Balabit syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE, when running on FreeBSD or HP-UX, does not properly perform cast operations, which causes syslog-ng to use a default value of -1 to create log files with insecure permissions (07777), which allows local users to read and write to these log files. | 6.9 |
||
16h00 +00:00 |
Multiple integer signedness errors in smb_subr.c in the netsmb module in the kernel in NetBSD 5.0.2 and earlier, FreeBSD, and Apple Mac OS X allow local users to cause a denial of service (panic) via a negative size value in a /dev/nsmb ioctl operation, as demonstrated by a (1) SMBIOC_LOOKUP or (2) SMBIOC_OPENSESSION ioctl call. | 4.9 |
||
17h00 +00:00 |
The Coda filesystem kernel module, as used in NetBSD and FreeBSD, when Coda is loaded and Venus is running with /coda mounted, allows local users to read sensitive heap memory via a large out_size value in a ViceIoctl struct to a Coda ioctl, which triggers a buffer over-read. | 1.2 |
||
18h00 +00:00 |
The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses. | 9.3 |
||
15h00 +00:00 |
Opera before 10.00 on Linux, Solaris, and FreeBSD does not properly implement the "INPUT TYPE=file" functionality, which allows remote attackers to trick a user into uploading an unintended file via vectors involving a "dropped file." | 4.3 |
||
19h00 +00:00 |
Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable. | 2.1 |
||
15h00 +00:00 |
The mld_input function in sys/netinet6/mld6.c in the kernel in NetBSD 4.0, FreeBSD, and KAME, when INET6 is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ICMPv6 Multicast Listener Discovery (MLD) query with a certain Maximum Response Delay value. | 7.1 |
||
17h00 +00:00 |
Stack-based buffer overflow in NConvert 4.92, GFL SDK 2.82, and XnView 1.93.6 on Windows and 1.70 on Linux and FreeBSD allows user-assisted remote attackers to execute arbitrary code via a crafted format keyword in a Sun TAAC file. | 9.3 |
||
14h00 +00:00 |
The ULE process scheduler in the FreeBSD kernel gives preference to "interactive" processes that perform voluntary sleeps, which allows local users to cause a denial of service (CPU consumption), as described in "Secretly Monopolizing the CPU Without Superuser Privileges." | 2.1 |
||
14h00 +00:00 |
The 4BSD process scheduler in the FreeBSD kernel performs scheduling based on CPU billing gathered from periodic process sampling ticks, which allows local users to cause a denial of service (CPU consumption) by performing voluntary nanosecond sleeps that result in the process not being active during a clock interrupt, as described in "Secretly Monopolizing the CPU Without Superuser Privileges." | 2.1 |
||
08h00 +00:00 |
The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. | 2.1 |
2025©
tesweb SA
