CVE and Zero-Day General - Because there's so many at this rate there may as well be a general thread for it

NVIDIA in the books this time with two critical-severity container escape vulnerabilities in its container toolkit. This impacts versions 1.16.1 and earlier as well as GPU Operator 24.6.1 and older in their default configuration.

As a couple of Unix sockets (.sock), including docker and containerd, are writable compared to a lot of other file systems which are set to read only, these two being set the way they are (writable) allows for direct interaction with the endpoint they're hosted on, which naturally includes execution of commands and other techniques. Due to the container GPU's lack of correct/secure isolation from the host it's on, naturally being able to run commands on the endpoint via the .sock files which aren't set to read only allows an adversary to escape the container after using a particularly crafted container image (and in the case of 1033 create empty files on the host file system), which leads to the attacker gaining full control of the host.

CVE-2024-0132 | Archive
CVE-2024-0133 | Archive
NVIDIA September 2024 security bulletin | archive
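An added check for the writable-socket condition the post describes (this is example code written for this thread, not NVIDIA's tooling): it parses the /proc/self/mountinfo format and reports which container-runtime sockets are exposed inside the container and whether they are mounted read-write. The socket path watch-list is an assumption of the example.

```python
"""Flag container-runtime sockets that are mounted writable into this container.
Added illustration, not NVIDIA's tooling. Parses the /proc/self/mountinfo format
(proc(5)): mount id, parent id, major:minor, root, mount point, per-mount options,
optional fields, "-", fstype, source, super options."""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Socket paths that expose the host runtime API (assumed watch-list for this example).
RUNTIME_SOCKETS = (
    "/var/run/docker.sock",
    "/run/docker.sock",
    "/run/containerd/containerd.sock",
    "/var/run/containerd/containerd.sock",
)

@dataclass(frozen=True)
class SocketMount:
    mount_point: str
    root: str        # path of the mount root inside its source filesystem
    writable: bool   # True when the per-mount options contain "rw"

def _covers(mount_point: str, sock: str) -> bool:
    """True if the mount is the socket itself or a directory above it (never "/")."""
    mp = mount_point.rstrip("/")
    return mount_point == sock or (mp != "" and sock.startswith(mp + "/"))

def parse_mountinfo(text: str) -> list[SocketMount]:
    """Return every mountinfo entry that exposes one of RUNTIME_SOCKETS."""
    found: list[SocketMount] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "-" not in fields:
            continue  # malformed or truncated line
        root, mount_point, options = fields[3], fields[4], fields[5].split(",")
        for sock in RUNTIME_SOCKETS:
            if _covers(mount_point, sock):
                found.append(SocketMount(mount_point, root, "rw" in options))
                break
    return found

def writable_sockets(text: str) -> list[str]:
    """Mount points of runtime sockets that the container can write to."""
    return sorted(m.mount_point for m in parse_mountinfo(text) if m.writable)

# Constructed sample: docker.sock bind-mounted rw, containerd.sock mounted ro.
SAMPLE_MOUNTINFO = """\
1 0 0:1 / / rw,relatime - overlay overlay rw
2 1 0:2 /docker.sock /var/run/docker.sock rw,relatime - tmpfs tmpfs rw
3 1 0:3 /containerd/containerd.sock /run/containerd/containerd.sock ro,relatime - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    try:
        data = open("/proc/self/mountinfo", encoding="utf-8").read()
    except OSError:
        data = SAMPLE_MOUNTINFO  # non-Linux host: fall back to the constructed sample
    for m in parse_mountinfo(data):
        print(f"{m.mount_point}: {'WRITABLE' if m.writable else 'read-only'}")
    sys.exit(1 if writable_sockets(data) else 0)
```

Run inside a container; a non-zero exit means a runtime socket is reachable read-write from the workload.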
 
Firefox bros... we have a 0 day. It's over

CVE-2024-9680 (Archive) allows for code execution in the content process by exploiting something called a "use after free" flaw within animation timelines of Firefox. This is memory that was meant to be freed which is actually still in use by the application; in this case the attacker can add their own naff data to the memory region and perform said code execution. Animation timelines are used by Firefox as part of the Web Animations API, controlling animations on webpages.

It is being actively exploited, patch now by updating to the following versions, everything before these versions is vulnerable:
  • Firefox 131.0.2
  • Firefox ESR 115.16.1
  • Firefox ESR 128.3.1
NIST | Archive
Mozilla Advisory | Archive
 
Pretty spooky. This affects a CSS feature so chances are good it can hit you even if you have JavaScript disabled. Almost every other browser CVE requires JavaScript.

Also obligatory: "No way to prevent this" say users of only language where this regularly happens.
 
How's them Rust browsers comin
There's no way to say this without coming off like a smug asshole, but this bug was in the C++ part of Firefox:
Diff:
--- a/firefox-115.16.0/browser/config/version.txt
+++ b/firefox-115.16.1/browser/config/version.txt
@@ -1,1 +1,1 @@
-115.16.0
+115.16.1
--- a/firefox-115.16.0/browser/config/version_display.txt
+++ b/firefox-115.16.1/browser/config/version_display.txt
@@ -1,1 +1,1 @@
-115.16.0esr
+115.16.1esr
--- a/firefox-115.16.0/config/milestone.txt
+++ b/firefox-115.16.1/config/milestone.txt
@@ -10,4 +10,4 @@
 # hardcoded milestones in the tree from these two files.
 #--------------------------------------------------------
 
-115.16.0
+115.16.1
--- a/firefox-115.16.0/dom/animation/AnimationTimeline.cpp
+++ b/firefox-115.16.1/dom/animation/AnimationTimeline.cpp
@@ -41,41 +41,33 @@ AnimationTimeline::~AnimationTimeline() { mAnimationOrder.clear(); }
 bool AnimationTimeline::Tick() {
   bool needsTicks = false;
 
-  nsTArray<Animation*> animationsToRemove;
-
-  for (Animation* animation = mAnimationOrder.getFirst(); animation;
-       animation =
-           static_cast<LinkedListElement<Animation>*>(animation)->getNext()) {
+  AutoTArray<RefPtr<Animation>, 32> animationsToTick;
+  for (Animation* animation : mAnimationOrder) {
     MOZ_ASSERT(mAnimations.Contains(animation),
                "The sampling order list should be a subset of the hashset");
     MOZ_ASSERT(!animation->IsHiddenByContentVisibility(),
                "The sampling order list should not contain any animations "
                "that are hidden by content-visibility");
+    animationsToTick.AppendElement(animation);
+  }
 
+  for (Animation* animation : animationsToTick) {
     // Skip any animations that are longer need associated with this timeline.
     if (animation->GetTimeline() != this) {
-      // If animation has some other timeline, it better not be also in the
-      // animation list of this timeline object!
-      MOZ_ASSERT(!animation->GetTimeline());
-      animationsToRemove.AppendElement(animation);
+      RemoveAnimation(animation);
       continue;
     }
 
     needsTicks |= animation->NeedsTicks();
-    // Even if |animation| doesn't need future ticks, we should still
-    // Tick it this time around since it might just need a one-off tick in
-    // order to dispatch events.
+    // Even if |animation| doesn't need future ticks, we should still Tick it
+    // this time around since it might just need a one-off tick in order to
+    // dispatch events.
     animation->Tick();
-
     if (!animation->NeedsTicks()) {
-      animationsToRemove.AppendElement(animation);
+      RemoveAnimation(animation);
     }
   }
 
-  for (Animation* animation : animationsToRemove) {
-    RemoveAnimation(animation);
-  }
-
   return needsTicks;
 }
 
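Review bot: the kept comment on the second loop still carries the pre-existing typo "Skip any animations that are longer need associated with this timeline." (should be "are no longer associated"); worth fixing while these lines are being touched. More substantively, what makes this hunk safe where the old loop was not is the element type: `AutoTArray<RefPtr<Animation>, 32> animationsToTick` takes a strong reference to every animation before any `animation->Tick()` runs, so an animation released or unlinked from `mAnimationOrder` during the tick stays alive until the loop finishes, which the old raw-pointer walk via `getNext()` did not guarantee. Suggest the comment above `for (Animation* animation : animationsToTick)` say that both the snapshot and the RefPtr are load-bearing, so neither gets "optimised" away later. Also, `MOZ_ASSERT(!animation->GetTimeline())` is dropped here without replacement; if an animation that reports another timeline appearing in this list is still a programming error, a comment explaining why the assertion went would help.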
@@ -91,11 +83,12 @@ void AnimationTimeline::NotifyAnimationUpdated(Animation& aAnimation) {
 }
 
 void AnimationTimeline::RemoveAnimation(Animation* aAnimation) {
-  MOZ_ASSERT(!aAnimation->GetTimeline() || aAnimation->GetTimeline() == this);
-  if (static_cast<LinkedListElement<Animation>*>(aAnimation)->isInList()) {
+  if (static_cast<LinkedListElement<Animation>*>(aAnimation)->isInList() &&
+      MOZ_LIKELY(!aAnimation->GetTimeline() ||
+                 aAnimation->GetTimeline() == this)) {
+    static_cast<LinkedListElement<Animation>*>(aAnimation)->remove();
     MOZ_ASSERT(mAnimations.Contains(aAnimation),
                "The sampling order list should be a subset of the hashset");
-    static_cast<LinkedListElement<Animation>*>(aAnimation)->remove();
   }
   mAnimations.Remove(aAnimation);
 }
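Review bot: promoting `!aAnimation->GetTimeline() || aAnimation->GetTimeline() == this` from a MOZ_ASSERT to a runtime condition is the right direction, but the fall-through is now inconsistent: an animation that is in the list but reports another timeline is left in `mAnimationOrder`, while `mAnimations.Remove(aAnimation)` below still runs, so the order list then holds an element the hashset does not, which is exactly what the MOZ_ASSERT inside this block and the one in Tick() ("The sampling order list should be a subset of the hashset") check for. If that branch is believed unreachable, say so in a comment next to MOZ_LIKELY; otherwise consider returning early so both containers stay in step. Moving `remove()` ahead of the `mAnimations.Contains` assertion is fine, since `Contains` does not depend on list membership.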
--- a/firefox-115.16.0/dom/animation/ScrollTimelineAnimationTracker.cpp
+++ b/firefox-115.16.1/dom/animation/ScrollTimelineAnimationTracker.cpp
@@ -13,13 +13,10 @@ namespace mozilla {
 NS_IMPL_CYCLE_COLLECTION(ScrollTimelineAnimationTracker, mPendingSet, mDocument)
 
 void ScrollTimelineAnimationTracker::TriggerPendingAnimations() {
-  for (auto iter = mPendingSet.begin(), end = mPendingSet.end(); iter != end;
-       ++iter) {
-    dom::Animation* animation = *iter;
-
+  for (RefPtr<dom::Animation>& animation :
+       ToTArray<AutoTArray<RefPtr<dom::Animation>, 32>>(mPendingSet)) {
     MOZ_ASSERT(animation->GetTimeline() &&
                !animation->GetTimeline()->IsMonotonicallyIncreasing());
-
     // FIXME: Trigger now may not be correct because the spec says:
     // If a user agent determines that animation is immediately ready, it may
     // schedule the task (i.e. ResumeAt()) as a microtask such that it runs at
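Review bot: the iteration now runs over a copy, `ToTArray<AutoTArray<RefPtr<dom::Animation>, 32>>(mPendingSet)`, which is what makes mutating `mPendingSet` inside the loop body safe and also keeps each animation alive across `ResumeAt()` and the other calls in the loop; a one-line comment stating that the copy is deliberate would stop someone reverting it to a direct walk of the set. Binding `RefPtr<dom::Animation>&` to elements of the temporary is valid because the range-for keeps the temporary alive for the whole loop, but `const RefPtr<dom::Animation>&` would make it clearer that the loop does not intend to modify the snapshot.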
@@ -39,9 +36,7 @@ void ScrollTimelineAnimationTracker::TriggerPendingAnimations() {
       // inactive, and this also matches the current spec definition.
       continue;
     }
-
-    // Note: Remove() is legitimately called once per entry during the loop.
-    mPendingSet.Remove(iter);
+    mPendingSet.Remove(animation);
   }
 }
 
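Review bot: `mPendingSet.Remove(animation)` is correct against the snapshot loop (removing by value rather than through a now-nonexistent iterator), but dropping the note that each entry is removed exactly once loses the intent; a shortened comment saying that removal happens while iterating the copy, not the live set, would keep the invariant explicit. The `continue` just above this change leaves that entry in `mPendingSet` for the next trigger, which matches the previous behaviour, so nothing to change there.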
--- a/firefox-115.16.0/sourcestamp.txt
+++ b/firefox-115.16.1/sourcestamp.txt
@@ -1,2 +1,2 @@
-20240923113403
-https://hg.mozilla.org/releases/mozilla-esr115/rev/6644fb42021841f02be5bbaf8208b352114c7b3b
+20241008180508
+https://hg.mozilla.org/releases/mozilla-esr115/rev/9454a22771781a9221cfcbd0bef29504b7347cc9
--- a/firefox-115.16.0/testing/tools/websocketprocessbridge/websocketprocessbridge_requirements_3.txt
+++ b/firefox-115.16.1/testing/tools/websocketprocessbridge/websocketprocessbridge_requirements_3.txt
@@ -17,5 +17,5 @@ psutil>=5.9.0
 ipaddr>=2.2.0
 passlib==1.7.4
 
-pyOpenSSL
+pyOpenSSL==23.2.0
 service_identity
 
I don't have a dog in this fight. I just want a browser that's safe but also doesn't eat up all of my memory. If it can be built in Rust I'm all for it. Idk what it takes to build a browser or that particular feature but as I understand it, some of the things that systems programmers need C for can only be done in Rust with features of Rust that aren't memory safe anyway.
 
A new variant of CVE-2024-38030 (Archive) and CVE-2024-21320 (Archive), both well-known Windows theme spoofing vulnerabilities which affect all versions of Windows from 7 through to 11, is now classed as a zero day.

This is an NTLM authentication capture vulnerability where a device is tricked into sending NTLM hashes to an attacker's endpoint by abusing the way Windows theme files handle the pathing to "BrandImage" and "Wallpaper" resources. Should these incorrectly validated paths be manipulated, said adversary can direct an unauthorised request, alongside the user's NTLM hash, to wherever said attacker tells it to go and pinch your credentials.

While this is far more likely to be used by threat actors in a campaign targeting enterprise environments, it could still affect the average sped in two instances:
  1. Most likely to be of concern. If a website you visit is compromised and used to deliver the infected file straight to your downloads folder automatically. This does require you to actually view said downloads folder after it's completed, but once you view that it's ggs
  2. The far less likely scenario. If you copy said already infected theme file to another folder, then open that folder with file explorer while using a view which actually renders the icons (so anything which loads your chosen theme)
No CVE or patch has been released at this stage. It is recommended for corporate environments to disable NTLM wherever possible (which it at times isn't) but for standard end users just don't be retarded and you'll be fine

Further reading:
DarkReading Article | Archive

Maybe Microsoft will get their patches correct on the third try, right?
:story:
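An added scanner for the theme-file path issue discussed above (example code written for this thread, not Microsoft's or the researchers' code): it parses a .theme file as INI and flags BrandImage and Wallpaper entries that point off-host, which is what a download-folder or mail-gateway check would look for. The watched keys are the standard .theme keys; the remote-path rules are the example's own.

```python
"""Scan a Windows .theme file for BrandImage / Wallpaper entries pointing off-host.
Added illustration, not Microsoft's or the researchers' code; the watched keys are
the standard .theme keys, the remote-path rules are this example's own."""
from __future__ import annotations

import configparser
import re
from dataclasses import dataclass

WATCHED_KEYS = (("Theme", "BrandImage"), ("Control Panel\\Desktop", "Wallpaper"))
UNC_RE = re.compile(r"^\\\\(\?\\UNC\\)?[^\\/]+[\\/]", re.IGNORECASE)  # \\host\share or \\?\UNC\host\share
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)          # http://, file://, ...

@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    value: str
    reason: str

def classify_path(value: str) -> str | None:
    """Why a resource path is considered remote, or None if it looks local."""
    v = value.strip().strip('"')
    if UNC_RE.match(v):
        return "UNC path: resolving it opens an SMB connection that negotiates NTLM"
    if URL_RE.match(v):
        return "URL-form path may be fetched from a remote host"
    return None

def scan_theme(text: str) -> list[Finding]:
    """Parse the INI-style theme text and report watched keys with remote paths."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep the original key case for reporting
    parser.read_string(text)
    findings: list[Finding] = []
    for section, key in WATCHED_KEYS:
        for sect in parser.sections():
            if sect.lower() != section.lower():
                continue
            for k, v in parser.items(sect):
                if k.lower() == key.lower() and (reason := classify_path(v)) is not None:
                    findings.append(Finding(sect, k, v, reason))
    return findings

# Constructed sample, not a real theme file: BrandImage points at a UNC share.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Quarterly Report
BrandImage=\\192.0.2.10\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
"""

if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        print(f"[{f.section}] {f.key}={f.value}  <- {f.reason}")
```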
 

CVE-2024-53008

Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
Versions 2.6.8-3.0.2. Not yet analyzed by NVD
JVN
@Null this affect you or is kiwiflare off HAProxy?
 
They got a new one boys!
CVE-2024-0126, CVE-2024-0117, CVE-2024-0118, CVE-2024-0119, CVE-2024-0120, CVE-2024-0121 (Windows specific)
CVE-2024-0127, CVE-2024-0128 (Virtual driver)
Unaffected versions:
>= 535.216.01
>= 550.127.05

Highest is rated 8.2. All are either RCE, DoS, or privilege escalation issues. Looks like the majority are out-of-bounds reads or other improper perms or failure to validate inputs. Someone fucked up (or didn't bother, hello Intel) on the input sanitisation and sanity checks I guess.
NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can cause an out-of-bounds read. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
There are two hypervisor ones that appear not to be Windows specific.
NVIDIA vGPU software contains a vulnerability in the GPU kernel driver of the vGPU Manager for all supported hypervisors, where a user of the guest OS can cause an improper input validation by compromising the guest OS kernel. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.

TBH Nvidia's descriptions are a bit lacking. I wonder how these got found out.
 
Bit of a niche one but it's funny. In early December of last year buffer overflow CVE-2024-49415 with a CVSS score of 8.1 was disclosed for any Samsung device running Android versions 12, 13, and 14. It has the potential to allow for RCE if a local attacker sends a particularly crafted audio message via Google Messages (lmao) to target any device that has RCS (rich communication services) enabled. This leads to samsung.software.media.c2 crashing, as the in-built transcription service locally decodes incoming audio before the user interacts with said audio message, and can open the pathway to arbitrary code execution.

CVE.org | Archive
NIST | Archive
Samsung security updates bulletin - December 2024 | Archive
 
Vim got one, guess Emacs wins this round:
CVE-2025-22134
CVE.org (Archive)
Github (Archive)
When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a buffer. In Patch 9.1.1003 Vim will correctly reset the visual mode before opening other windows and buffers and therefore fix this bug. In addition it does verify that it won't try to access a position if the position is greater than the corresponding buffer line. Impact is medium since the user must have switched on visual mode when executing the :all ex command. The Vim project would like to thank github user gandalf4a for reporting this issue. The issue has been fixed as of Vim patch v9.1.1003
Minecraft players beware?
CVE-2025-22144
NVD (archive)
CVE.org (archive)
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
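An added model of the NULL-versus-empty-string bug the advisory describes, with the flawed lookup next to a hardened one (example code written for this thread, not NamelessMC's code; the user model and function names are the example's own):

```python
"""Password-reset code check: the NULL-vs-empty bug the NamelessMC advisory describes.
Added illustration, not NamelessMC's code. Email approval leaves reset_code NULL (None),
manual approval leaves it "" and the flawed lookup treats ?c= (empty) as a match."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

@dataclass
class User:
    name: str
    reset_code: str | None = None  # None stands for NULL in the database

def approve_by_email(user: User) -> None:
    user.reset_code = None   # cleared to NULL: no reset outstanding

def approve_manually(user: User) -> None:
    user.reset_code = ""     # the bug: cleared to an empty string instead of NULL

def lookup_vulnerable(users: list[User], code_param: str) -> User | None:
    """Mirrors 'WHERE reset_code = ?' with the raw ?c= value: NULL never matches,
    but an empty string matches every manually approved account."""
    for u in users:
        if u.reset_code is not None and u.reset_code == code_param:
            return u
    return None

def lookup_fixed(users: list[User], code_param: str) -> User | None:
    """Reject absent, empty or malformed codes up front, then compare in constant time."""
    if not code_param or len(code_param) < 16 or not code_param.isascii():
        return None
    for u in users:
        if u.reset_code and hmac.compare_digest(u.reset_code, code_param):
            return u
    return None

def issue_reset(user: User) -> str:
    """Only a deliberately issued reset should ever populate reset_code."""
    user.reset_code = secrets.token_urlsafe(32)
    return user.reset_code

def demo() -> tuple[str | None, str | None]:
    """Who an empty ?c= resolves to under each lookup: (vulnerable, fixed)."""
    alice, bob = User("alice"), User("bob")
    approve_by_email(alice)
    approve_manually(bob)
    hit_v = lookup_vulnerable([alice, bob], "")  # request with ?c= and no value
    hit_f = lookup_fixed([alice, bob], "")
    return (hit_v.name if hit_v else None, hit_f.name if hit_f else None)

if __name__ == "__main__":
    print(demo())  # ('bob', None)
```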
 
7zip has been felted with another high severity vulnerability as a result of a bug, allowing attackers to bypass MoTW security checks on Windows operating systems, then execute code on the host, it's over

Note this is different to CVE-2024-11477, which was an issue with lack of validation of supplied data resulting in potential integer underflow. CVE-2025-0411 is a lack of MoTW propagation to extracted files. It does require user interaction for successful exploitation, which can be executed by having said user visit a malicious webpage or open a malicious file.

NIST haven't got the page up just yet as it's relatively new and Mitre are still setting their page up as well, so patch your shit if you haven't already (a fix was made available at the end of November (archive) last year with version 24.09 being released) if this affects you and reference this in the meantime:

BleepingComputer write up | Archive
CVE.org page | Archive
 
Roblox has a bible module...?
CVE (archive)
Github (archive)
Bible Module is a tool designed for ROBLOX developers to integrate Bible functionality into their games. The `FetchVerse` and `FetchPassage` functions in the Bible Module are susceptible to injection attacks due to the absence of input validation. This vulnerability could allow an attacker to manipulate the API request URLs, potentially leading to unauthorized access or data tampering. This issue has been addressed in version 0.0.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
 
Lmao well done brave
CVE-2025-23086 (Archive) is a vulnerability affecting the desktop versions 1.70.x through 1.73.x of Brave. Malicious websites can, when combined with an open redirect vulnerability on a supposedly safe page, pose as a trusted domain and trick a user into downloading malicious content to their host by exploiting the open redirect vuln to falsify where the malicious page has originated from. This is caused by the Brave download window showing the referrer header value over the actual source of the file, hence the relatively easy exploit.

A fix has been provided in version 1.74.48, so update to that if you're currently using a vulnerable version
Cybersecuritynews article | Archive
Hackerone report | Archive
NIST page | Archive
 
CVE-2025-29927 webdevs are a plague upon the earth and should be purged as soon as possible.

Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops. The security report showed it was possible to skip running Middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.

nextjs blog
jfrog blog

The NGINX ingress controller for Kubernetes also dropped a bunch of CVEs this week and supposedly makes up like 40% of ingress controllers deployed. The main one everyone is concerned about: CVE-2025-1974

The most serious of today’s vulnerabilities, CVE-2025-1974, rated 9.8 CVSS, allows anything on the Pod network to exploit configuration injection vulnerabilities via the Validating Admission Controller feature of ingress-nginx. This makes such vulnerabilities far more dangerous: ordinarily one would need to be able to create an Ingress object in the cluster, which is a fairly privileged action. When combined with today’s other vulnerabilities, CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required.

kubernetes blog
 