MontaVista CVE List and Response
MontaVista continually monitors the security community and customers for threats. We follow the community on CVE scoring (NVD) and set fix priority accordingly for affected products. Please view the following CVEs that have been remediated or are in process by clicking the CVE Year to the left or use the CVE Filters below.
For inquiries regarding Security Vulnerabilities, please see our Vulnerability Response Policy or email our PSIRT team security@mvista.com. Email messages and attachments can be encrypted using PGP and a MontaVista PSIRT PGP key, which is available for download here.
| CVE | Score | Severity | Package | Description | Published | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-24540 |
9.8 (i)
| CRITICAL | go | Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. | 2023-05-11 | |||||||
| CVE-2023-2610 |
7.8 (i)
| HIGH | vim | Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. | 2023-05-09 | |||||||
| CVE-2023-2513 |
6.7 (i)
| MEDIUM | kernel | A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors. | 2023-05-08 | |||||||
| CVE-2023-32233 |
7.8 (i)
| HIGH | kernel | In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled. | 2023-05-08 | |||||||
| CVE-2023-32269 |
6.7 (i)
| MEDIUM | kernel | An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. | 2023-05-05 | |||||||
| CVE-2023-2235 |
7.8 (i)
| HIGH | kernel | A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.The perf_group_detach function did not check the event's siblings' attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2. | 2023-05-01 | |||||||
| CVE-2023-2236 |
7.8 (i)
| HIGH | kernel | A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4. | 2023-05-01 | |||||||
| CVE-2023-2426 |
5.5 (i)
| MEDIUM | vim | Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499. | 2023-04-29 | |||||||
| CVE-2023-31436 |
7.8 (i)
| HIGH | kernel | qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX. | 2023-04-27 | |||||||
| CVE-2023-0458 |
4.7 (i)
| MEDIUM | kernel | A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 | 2023-04-26 |