Total: 8618 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55695 | 1 Microsoft | 30 Windows, Windows 10, Windows 10 1507 and 27 more | 2026-01-02 | 5.5 Medium |
| Out-of-bounds read in Windows WLAN Auto Config Service allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-50152 | 1 Microsoft | 25 Windows, Windows 10, Windows 10 1507 and 22 more | 2026-01-02 | 7.8 High |
| Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59235 | 1 Microsoft | 19 365, 365 Apps, Access and 16 more | 2026-01-02 | 7.1 High |
| Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2025-58717 | 1 Microsoft | 30 Windows, Windows 10, Windows 10 1507 and 27 more | 2026-01-02 | 6.5 Medium |
| Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2025-55700 | 1 Microsoft | 26 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 23 more | 2026-01-02 | 6.5 Medium |
| Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2025-55681 | 1 Microsoft | 22 Windows, Windows 10, Windows 10 1809 and 19 more | 2026-01-02 | 7 High |
| Out-of-bounds read in Windows DWM allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-55339 | 1 Microsoft | 12 Windows 11 22h2, Windows 11 22h2, Windows 11 23h2 and 9 more | 2026-01-02 | 7.8 High |
| Out-of-bounds read in Windows NDIS allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-62202 | 1 Microsoft | 13 365, 365 Apps, Excel and 10 more | 2026-01-02 | 7.1 High |
| Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2025-60728 | 1 Microsoft | 8 365, 365 Apps, Office and 5 more | 2026-01-02 | 4.3 Medium |
| Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2025-60727 | 1 Microsoft | 13 365, 365 Apps, Excel and 10 more | 2026-01-02 | 7.8 High |
| Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-60726 | 1 Microsoft | 13 365, 365 Apps, Excel and 10 more | 2026-01-02 | 7.1 High |
| Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2025-60709 | 1 Microsoft | 27 Windows, Windows 10, Windows 10 1607 and 24 more | 2026-01-02 | 7.8 High |
| Out-of-bounds read in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-60706 | 1 Microsoft | 23 Hyper-v, Windows, Windows 10 and 20 more | 2026-01-02 | 5.5 Medium |
| Out-of-bounds read in Windows Hyper-V allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-59513 | 1 Microsoft | 25 Windows, Windows 10, Windows 10 1607 and 22 more | 2026-01-02 | 5.5 Medium |
| Out-of-bounds read in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-64656 | 1 Microsoft | 2 Azure App Gateway, Azure Application Gateway | 2026-01-02 | 9.4 Critical |
| Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2025-68118 | 2 Freerdp, Microsoft | 2 Freerdp, Windows | 2026-01-02 | 9.1 Critical |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_` uses the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue. | ||||
| CVE-2025-39744 | 1 Linux | 1 Linux Kernel | 2026-01-02 | 7.1 High |
| In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to IRQ work During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued. This is because the IPI itself triggers the irq_exit() path causing a recursive lock up. This is precisely what Xiongfeng found when invoking a BPF program on the trace_tick_stop() tracepoint As shown in the trace below. Fix by managing the irq_work state correctly. irq_exit() __irq_exit_rcu() /* in_hardirq() returns false after this */ preempt_count_sub(HARDIRQ_OFFSET) tick_irq_exit() tick_nohz_irq_exit() tick_nohz_stop_sched_tick() trace_tick_stop() /* a bpf prog is hooked on this trace point */ __bpf_trace_tick_stop() bpf_trace_run2() rcu_read_unlock_special() /* will send a IPI to itself */ irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu); A simple reproducer can also be obtained by doing the following in tick_irq_exit(). It will hang on boot without the patch: static inline void tick_irq_exit(void) { + rcu_read_lock(); + WRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true); + rcu_read_unlock(); + [neeraj: Apply Frederic's suggested fix for PREEMPT_RT] | ||||
| CVE-2025-38204 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-01-02 | 7.1 High |
| In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but it must contain offsets into slot which can go from 0 to 127. Added a bound check for that error and return -EIO if the check fails. Also make jfs_readdir return with error if add_missing_indices returns with an error. | ||||
| CVE-2025-37879 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-01-02 | 7.1 High |
| In the Linux kernel, the following vulnerability has been resolved: 9p/net: fix improper handling of bogus negative read/write replies In p9_client_write() and p9_client_read_once(), if the server incorrectly replies with success but a negative write/read count then we would consider written (negative) <= rsize (positive) because both variables were signed. Make variables unsigned to avoid this problem. The reproducer linked below now fails with the following error instead of a null pointer deref: 9pnet: bogus RWRITE count (4294967295 > 3) | ||||
| CVE-2025-21993 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2026-01-02 | 7.1 High |
| In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. | ||||