好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。用户的要求很明确,不需要特定的开头,直接写描述。 首先,我看看文章内容。文章主要讲美国CISA机构将Google Chromium和Sierra Wireless AirLink ALEOS的漏洞加入到已知被利用的漏洞目录中。这两个漏洞分别是CVE-2025-14174和CVE-2018-4063。 接下来,我需要提取关键信息:CISA、Google Chromium、Sierra Wireless、漏洞、加入目录、修复截止日期(2026年1月2日)。同时,文章提到这些漏洞已经被用于实际攻击,所以修复很重要。 现在我要把这些信息浓缩到100字以内。确保涵盖CISA的动作、涉及的公司和漏洞名称、以及修复的时间要求。 可能的结构是:CISA将两个高危漏洞加入目录,并要求联邦机构在特定日期前修复。这样既简洁又全面。 检查一下是否符合用户的要求,没有使用“文章总结”之类的开头,直接描述内容。字数也要控制好,不超过限制。 最后,确保语言通顺,信息准确无误。 </think> 美国网络安全与基础设施安全局(CISA)将Google Chromium和Sierra Wireless AirLink ALEOS的两个高危漏洞加入已知被利用的漏洞目录,并要求联邦机构在2026年1月2日前修复这些漏洞以应对潜在攻击。 2025-12-13 10:48:52 Author: securityaffairs.com(查看原文) 阅读量:17 收藏
U.S. CISA adds Google Chromium and Sierra Wireless AirLink ALEOS flaws to its Known Exploited Vulnerabilities catalog
Pierluigi Paganini
December 13, 2025
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium and Sierra Wireless AirLink ALEOS flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1, 2] Microsoft Windows and WinRAR flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
- CVE-2025-14174 Google Chromium Out-of-Bounds Memory Access Vulnerability;
- CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability;
CVE-2025-14174 is an out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110. A remote attacker can exploit the flaw to perform out of bounds memory access via a crafted HTML page.
This week Google released security updates to fix three vulnerabilities in the Chrome browser, including this high-severity flaw that threat actors are already exploiting in real-world attacks.
“Google is aware that an exploit for 466192044 exists in the wild,” reads the advisory published by Google.
Google tracked the high-severity vulnerability as Chromium issue 466192044, but the IT giant did not share technical details about the bug. A related GitHub commit, however, reveals the bug lies in the ANGLE graphics library, specifically its Metal renderer, where buffer sizes were incorrectly calculated using pixelsDepthPitch, derived from GL_UNPACK_IMAGE_HEIGHT. Because this value may be smaller than the actual image height, it can cause buffer overflows, leading to memory corruption, crashes, or potentially arbitrary code execution.
CVE-2018-4063 is a remote code execution flaw in Sierra Wireless AirLink ES450 FW 4.9.3 that affects the upload.cgi component. An authenticated attacker can send a crafted HTTP request to upload and execute malicious code on the device’s web server.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by January 2nd, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft Patch Tuesday)
如有侵权请联系:admin#unsafe.sh