SB2025112547 - Multiple vulnerabilities in IBM QRadar SIEM
Published: November 25, 2025 Updated: February 6, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 30 secuirty vulnerabilities.
1) Improper Encoding or Escaping of Output (CVE-ID: CVE-2024-47252)
The vulnerability allows a remote attacker to manipulate data in log files.
The vulnerability exists due to improper input validation in mod_ssl. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files. A remote attacker can manipulate contents of log files.
2) Out-of-bounds read (CVE-ID: CVE-2025-5318)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the sftp_handle() function. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.
3) Improper locking (CVE-ID: CVE-2025-38461)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the EXPORT_SYMBOL_GPL() and vsock_assign_transport() functions in net/vmw_vsock/af_vsock.c. A local user can perform a denial of service (DoS) attack.
4) Improper privilege management (CVE-ID: CVE-2025-38498)
The vulnerability allows a local user to read and manipulate data.
The vulnerability exists due to improperly imposed permissions within the do_change_type() function in fs/namespace.c. A local user can read and manipulate data.
5) Out-of-bounds read (CVE-ID: CVE-2025-38556)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the snto32() function in drivers/hid/hid-core.c. A local user can perform a denial of service (DoS) attack.
6) Path traversal (CVE-ID: CVE-2025-55752)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to input validation error when processing directory traversal sequences passed via Rewrite Valve. A remote attacker can send a specially crafted HTTP PUT request and write arbitrary files to the server, leading to remote code execution.
7) Resource exhaustion (CVE-ID: CVE-2025-61795)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling errors while processing multipart upload. Depending on JVM settings, application memory usage and application load, it is possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.
8) Security features bypass (CVE-ID: CVE-2025-23048)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to access control bypass with session resumption in mod_ssl. A remote attacker can use the TLS 1.3 session resumption to bypass implemented access control.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
9) NULL pointer dereference (CVE-ID: CVE-2025-32990)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when the certtool program is invoked with a template file with a number of string pairs for a single keyword. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
10) Resource management error (CVE-ID: CVE-2025-49630)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources in mod_proxy_http2. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that the reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
11) Cryptographic issues (CVE-ID: CVE-2025-49812)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to he way certain mod_ssl configurations handle TLS upgrades. A remote attacker can launch an HTTP desynchronisation attack, which allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.
Note, only configurations using "SSLEngine optional" to enable TLS upgrades are affected.
12) Use-after-free (CVE-ID: CVE-2023-53373)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the seqiv_aead_encrypt_complete2() function in crypto/seqiv.c. A local user can escalate privileges on the system.
13) Out-of-bounds read (CVE-ID: CVE-2025-39757)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the convert_chmap_v3() and snd_usb_get_audioformat_uac3() functions in sound/usb/stream.c. A local user can perform a denial of service (DoS) attack.
14) Improper neutralization of wildcards or matching symbols (CVE-ID: CVE-2024-47619)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists within the tls_wildcard_match() function when handling host names with wildcards. A remote attacker can bypass expected security restrictions.
15) NULL pointer dereference (CVE-ID: CVE-2025-6395)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when a TLS 1.3 handshake involves a Hello Retry Request and the second Client Hello omits the PSK which was present in the first Client Hello. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
16) Double free (CVE-ID: CVE-2025-32988)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when exporting a certificate with an otherName in the SAN (subject alternative name) extension. A remote attacker can trick the victim into export a specially crafted certificate, trigger a double free error on the ASN.1 structure and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
17) Improper locking (CVE-ID: CVE-2025-38718)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the sctp_rcv() function in net/sctp/input.c. A local user can perform a denial of service (DoS) attack.
18) Use-after-free (CVE-ID: CVE-2025-38527)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the cifs_oplock_break() and cifs_put_tlink() functions in fs/smb/client/file.c. A local user can escalate privileges on the system.
19) Input validation error (CVE-ID: CVE-2025-39730)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the nfs_fh_to_dentry() function in fs/nfs/export.c. A local user can perform a denial of service (DoS) attack.
20) Use-after-free (CVE-ID: CVE-2022-50087)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the scpi_init_versions() and scpi_probe() functions in drivers/firmware/arm_scpi.c. A local user can escalate privileges on the system.
21) Buffer overflow (CVE-ID: CVE-2025-22026)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory corruption within the nfsd_show() function in fs/nfsd/stats.c, within the nfsd_net_init() function in fs/nfsd/nfsctl.c. A local user can perform a denial of service (DoS) attack.
22) Input validation error (CVE-ID: CVE-2025-37797)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the hfsc_change_class() function in net/sched/sch_hfsc.c. A local user can perform a denial of service (DoS) attack.
23) Out-of-bounds read (CVE-ID: CVE-2022-49985)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the record_func_key() function in kernel/bpf/verifier.c. A local user can perform a denial of service (DoS) attack.
24) Improper access control (CVE-ID: CVE-2025-41244)
The vulnerability allows a local user to escalate privileges on the virtual machine.
The vulnerability exists due to improper access restrictions. A local non-privileged user on the virtual machine can execute arbitrary code with superuser privileges on the same virtual machine.
Note, the vulnerability is being exploited in the wild since mid-October 2024.
25) Race condition (CVE-ID: CVE-2025-38352)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition within the run_posix_cpu_timers() function in kernel/time/posix-cpu-timers.c. A local user can escalate privileges on the system.
Note, the vulnerability is being actively exploited in the wild against Android devices.
26) Memory leak (CVE-ID: CVE-2023-53125)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the smsc75xx_rx_fixup() function in drivers/net/usb/smsc75xx.c. A local user can perform a denial of service (DoS) attack.
27) Use-after-free (CVE-ID: CVE-2025-38350)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the qdisc_alloc_handle() and qdisc_tree_reduce_backlog() functions in net/sched/sch_api.c. A local user can escalate privileges on the system.
28) Use-after-free (CVE-ID: CVE-2025-38392)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the idpf_alloc_dma_mem() and idpf_free_dma_mem() functions in drivers/net/ethernet/intel/idpf/idpf_lib.c, within the idpf_ctlq_init_rxq_bufs(), idpf_ctlq_shutdown(), idpf_ctlq_add(), idpf_ctlq_send(), idpf_ctlq_clean_sq(), idpf_ctlq_post_rx_buffs(), wr32() and idpf_ctlq_recv() functions in drivers/net/ethernet/intel/idpf/idpf_controlq.c. A local user can escalate privileges on the system.
29) Improper locking (CVE-ID: CVE-2025-38449)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the drm_gem_fb_destroy() and drm_gem_fb_init_with_funcs() functions in drivers/gpu/drm/drm_gem_framebuffer_helper.c, within the drm_gem_private_object_fini(), drm_gem_object_exported_dma_buf_free(), drm_gem_object_handle_put_unlocked() and drm_gem_handle_create_tail() functions in drivers/gpu/drm/drm_gem.c. A local user can perform a denial of service (DoS) attack.
30) Integer overflow (CVE-ID: CVE-2025-40928)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow when parsing JSON data. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.