A 9.8 kernel memory corruption, a libssh2 buffer overwrite, and broken TLS in Node.js undici

An out-of-bounds write in libssh2's transport layer lets an attacker send a packet with an unchecked length field, writing past the buffer boundary. This can lead to remote code execution or a crash. The EPSS percentile of ~56% signals meaningful exploit probability in the next 30 days, so don't sit on this one.

Included because

remotely exploitable; common library; CVSS 8.1; EPSS percentile ~56% signals elevated exploit likelihood

Affected estate

Azure Linux 3.0 systems with libssh 0.10.6-8, libssh2 1.11.1-2 or 1.11.1-3, or nmap 7.95-3 installed.

How to check

Run `rpm -qa | grep -E 'libssh|nmap'` to check installed versions.

Action

Update libssh2, libssh, and nmap packages to their patched versions.

Urgency

Patch within 24 hours

Why it matters

Any service or tool using libssh2 for SSH connections could be exploited remotely to execute code or crash.

Source

NVD

When Node.js's undici HTTP client connects through a SOCKS5 proxy, it silently drops the TLS certificate validation settings. That means your app thinks it's verifying the remote server's certificate, but it isn't. An attacker in a network position to intercept traffic (man-in-the-middle) can impersonate any TLS endpoint your app connects to through that proxy.

Included because

TLS bypass; requires network position (MITM); common runtime; CVSS 7.4

Affected estate

Azure Linux 3.0 systems running nodejs 24.14.1-3 where applications use undici's SOCKS5 ProxyAgent.

How to check

Run `rpm -q nodejs` to check the version. Review application code for SOCKS5 ProxyAgent usage in undici.

Action

Update the nodejs package to the patched version.

Urgency

Patch this week

Why it matters

TLS validation is silently bypassed, so an attacker with network access can intercept supposedly encrypted traffic.

Source

NVD

Opening a specially crafted file in Vim and triggering Python omni-completion can execute arbitrary code through malicious docstrings. This requires a user to open a malicious file and invoke completion, so it's not a drive-by exploit, but it's still code execution at the user's privilege level. If your team uses Vim on production servers, update it.

Included because

code execution; requires user interaction (opening file, triggering completion); common tool on servers; CVSS 7.8

Affected estate

Azure Linux 3.0 systems with vim 9.2.0488-1 or 9.2.0620-1 installed.

How to check

Run `rpm -q vim` or `vim --version | head -1` to check the installed version.

Action

Update the vim package to the patched version.

Urgency

Patch this week

Why it matters

A user opening a crafted file and using Python completion could unknowingly execute attacker-controlled code.

Source

NVD

A heap buffer overflow in QEMU's virtio-snd audio device (the PCM input callback) lets a guest VM corrupt host memory. This is an incomplete fix for CVE-2024-7730. If you use QEMU VMs with virtio-snd audio passthrough on Azure Linux, a malicious guest could potentially escape the VM or crash the host.

Included because

guest-to-host escape potential; incomplete prior fix; CVSS 7.4; requires virtio-snd enabled

Affected estate

Azure Linux 3.0 hosts running qemu 9.1.0-7 or 9.1.0-8 with VMs configured to use the virtio-snd audio device.

How to check

Run `rpm -q qemu` to check the version. Review VM configs for virtio-snd device definitions.

Action

Update the qemu package to the patched version, or remove the virtio-snd device from VM configurations as a workaround.

Urgency

Patch this week

Why it matters

A malicious VM guest can trigger a heap overflow on the host, risking host compromise or denial of service.

Source

NVD