Overview CVE-2025-58408 describes a vulnerability affecting certain GPU drivers where a non-privileged user application can trigger improper GPU system calls. This allows the application to read stale data, potentially leading to kernel exceptions and, critically, use-after-free conditions within the kernel space. Technical Details The vulnerability stems from insufficient validation and handling of GPU system calls originating from user space. A malicious or compromised application, running with standard user privileges, can manipulate system calls related to GPU operations. This manipulation causes the system to access outdated data related to GPU resources. The stale data can include handles to resources where reference…

Overview CVE-2025-13296 details a Cross-Site Request Forgery (CSRF) vulnerability identified in Tekrom Technology Inc.’s T-Soft E-Commerce platform. This vulnerability allows an attacker to potentially execute unauthorized actions on behalf of a legitimate user without their knowledge or consent. The vulnerability affects T-Soft E-Commerce versions up to and including build 28112025. Technical Details CSRF vulnerabilities arise when a web application does not adequately verify that HTTP requests originate from a legitimate user session. An attacker can exploit this by crafting malicious HTML (often embedded in emails or other websites) that, when visited by an authenticated user, silently triggers requests to the…

Overview CVE-2025-8045 is a use-after-free vulnerability discovered in the Arm Ltd Valhall GPU Kernel Driver and the Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver. This flaw allows a local, non-privileged user process to exploit the GPU by performing improper processing operations that lead to accessing already freed memory. This can potentially lead to system instability, information disclosure, or even arbitrary code execution. The affected versions are Valhall GPU Kernel Driver and Arm 5th Gen GPU Architecture Kernel Driver from r53p0 through r54p1. Technical Details A use-after-free vulnerability occurs when a program attempts to access memory that has already…

Overview CVE-2025-6349 is a critical use-after-free (UAF) vulnerability affecting Arm Ltd Valhall GPU Kernel Driver and Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver. This flaw allows a local, non-privileged user process to potentially gain unauthorized access to already freed memory by performing improper GPU memory processing operations. This vulnerability exists in versions r53p0 through r54p1 of both the Valhall and 5th Gen GPU Kernel Drivers. Technical Details The vulnerability stems from improper handling of GPU memory resources after they have been freed. Specifically, a race condition or incorrect synchronization mechanism allows a user-mode process to continue accessing memory…

Overview CVE-2025-59789 describes an uncontrolled recursion vulnerability in the json2pb component of Apache bRPC versions prior to 1.15.0. This flaw allows remote attackers to potentially crash a server by sending deeply nested JSON data. Exploiting this vulnerability can lead to a denial-of-service (DoS) condition. Technical Details The root cause lies in the way the json2pb component utilizes the rapidjson library to parse incoming JSON data. rapidjson, by default, employs a recursive parsing method. If an attacker crafts a JSON payload with an excessively deep recursive structure, the parsing function can exhaust the server’s stack memory, resulting in a stack overflow…

Overview A Reflected Cross-site Scripting (XSS) vulnerability, identified as CVE-2025-41070, has been discovered in Sanoma’s Clickedu platform. This vulnerability allows an attacker to inject malicious JavaScript code into a victim’s browser by tricking them into clicking a specially crafted link. This is a client-side attack, making it crucial for Clickedu users to understand the risks and mitigation strategies. Technical Details The vulnerability exists in the /students/carpetes_varies.php endpoint of Clickedu. By crafting a malicious URL containing JavaScript code, an attacker can trick a user into executing this code within their browser. The application fails to properly sanitize user-supplied input, leading to…

Overview CVE-2025-2879 describes a vulnerability affecting Arm Ltd’s Valhall GPU Kernel Driver and Arm Ltd’s 5th Gen GPU Architecture Kernel Driver. This vulnerability allows a local, non-privileged user process to perform improper GPU processing operations, potentially exposing sensitive data. This could have serious implications for the security of devices utilizing these GPU drivers. Technical Details The vulnerability resides in how the Arm GPU Kernel Drivers handle certain GPU processing operations. By exploiting this weakness, a malicious local process can manipulate the GPU to leak sensitive information that would otherwise be protected. The specific nature of the improper GPU processing operations…

Overview CVE-2025-41739 describes a medium severity vulnerability affecting the CODESYS Control runtime system, specifically impacting installations on Linux and QNX operating systems. This vulnerability allows an unauthenticated remote attacker to potentially cause a denial-of-service (DoS) condition. The root cause lies in a race condition that can be exploited during socket communication, leading to an out-of-bounds read. Understanding the technical details and implementing the appropriate mitigation steps is crucial for protecting systems running CODESYS. Technical Details The vulnerability stems from a race condition within the communication servers of the CODESYS Control runtime system. An unauthenticated attacker can exploit this race condition…

Overview CVE-2025-41738 is a high-severity vulnerability affecting the visualization server of the CODESYS Control runtime system. This vulnerability allows an unauthenticated remote attacker to trigger a denial-of-service (DoS) condition. The issue stems from the visualization server accessing a resource with a pointer of an incorrect type, leading to potential crashes or instability within the CODESYS environment. This vulnerability was published on 2025-12-01T10:16:01.130. Technical Details The vulnerability exists due to improper handling of data types within the visualization server. Specifically, the server attempts to access a resource using a pointer that does not match the resource’s actual data type. This can…

Overview CVE-2025-41700 is a high-severity vulnerability affecting CODESYS development systems. This vulnerability allows an unauthenticated attacker to execute arbitrary code on a local system by enticing a user to open a maliciously crafted CODESYS project file. The arbitrary code is executed within the security context of the user opening the file. Technical Details The vulnerability stems from insufficient validation of data within CODESYS project files (.project or similar extensions). An attacker can embed malicious code or references to external code within the project file. When a user opens the compromised project file using the CODESYS development system, this malicious code…