Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/09/GHSA-3m82-8cm9-hcf4/GHSA-3m82-8cm9-hcf4.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3m82-8cm9-hcf4",
-  "modified": "2025-09-17T15:30:39Z",
+  "modified": "2025-12-11T21:31:25Z",
   "published": "2025-09-17T15:30:39Z",
   "aliases": [
     "CVE-2023-53364"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9063: better fix null deref with partial DT\n\nTwo versions of the original patch were sent but V1 was merged instead\nof V2 due to a mistake.\n\nSo update to V2.\n\nThe advantage of V2 is that it completely avoids dereferencing the pointer,\neven just to take the address, which may fix problems with some compilers.\nBoth versions work on my gcc 9.4 but use the safer one.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-17T15:15:40Z"

advisories/unreviewed/2025/09/GHSA-4v4w-685q-cqmx/GHSA-4v4w-685q-cqmx.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4v4w-685q-cqmx",
-  "modified": "2025-09-17T15:30:39Z",
+  "modified": "2025-12-11T21:31:25Z",
   "published": "2025-09-17T15:30:38Z",
   "aliases": [
     "CVE-2023-53360"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: Rework scratch handling for READ_PLUS (again)\n\nI found that the read code might send multiple requests using the same\nnfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is\nhow we ended up occasionally double-freeing the scratch buffer, but also\nmeans we set a NULL pointer but non-zero length to the xdr scratch\nbuffer. This results in an oops the first time decoding needs to copy\nsomething to scratch, which frequently happens when decoding READ_PLUS\nhole segments.\n\nI fix this by moving scratch handling into the pageio read code. I\nprovide a function to allocate scratch space for decoding read replies,\nand free the scratch buffer when the nfs_pgio_header is freed.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-415"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-17T15:15:40Z"

advisories/unreviewed/2025/09/GHSA-589j-8g5m-4cxh/GHSA-589j-8g5m-4cxh.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-589j-8g5m-4cxh",
-  "modified": "2025-09-17T15:30:38Z",
+  "modified": "2025-12-11T21:31:25Z",
   "published": "2025-09-17T15:30:38Z",
   "aliases": [
     "CVE-2022-50370"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: Fix handling of real but unexpected device interrupts\n\nCommit c7b79a752871 (\"mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI\nIDs\") caused a regression on certain Gigabyte motherboards for Intel\nAlder Lake-S where system crashes to NULL pointer dereference in\ni2c_dw_xfer_msg() when system resumes from S3 sleep state (\"deep\").\n\nI was able to debug the issue on Gigabyte Z690 AORUS ELITE and made\nfollowing notes:\n\n- Issue happens when resuming from S3 but not when resuming from\n  \"s2idle\"\n- PCI device 00:15.0 == i2c_designware.0 is already in D0 state when\n  system enters into pci_pm_resume_noirq() while all other i2c_designware\n  PCI devices are in D3. Devices were runtime suspended and in D3 prior\n  entering into suspend\n- Interrupt comes after pci_pm_resume_noirq() when device interrupts are\n  re-enabled\n- According to register dump the interrupt really comes from the\n  i2c_designware.0. Controller is enabled, I2C target address register\n  points to a one detectable I2C device address 0x60 and the\n  DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and\n  TX_EMPTY bits are set indicating completed I2C transaction.\n\nMy guess is that the firmware uses this controller to communicate with\nan on-board I2C device during resume but does not disable the controller\nbefore giving control to an operating system.\n\nI was told the UEFI update fixes this but never the less it revealed the\ndriver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device\nis supposed to be idle and state variables are not set (especially the\ndev->msgs pointer which may point to NULL or stale old data).\n\nIntroduce a new software status flag STATUS_ACTIVE indicating when the\ncontroller is active in driver point of view. Now treat all interrupts\nthat occur when is not set as unexpected and mask all interrupts from\nthe controller.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-17T15:15:35Z"

advisories/unreviewed/2025/09/GHSA-5m54-qph5-4wvp/GHSA-5m54-qph5-4wvp.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5m54-qph5-4wvp",
-  "modified": "2025-09-22T21:30:18Z",
+  "modified": "2025-12-11T21:31:26Z",
   "published": "2025-09-22T21:30:18Z",
   "aliases": [
     "CVE-2025-39856"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev\n\nIn the TX completion packet stage of TI SoCs with CPSW2G instance, which\nhas single external ethernet port, ndev is accessed without being\ninitialized if no TX packets have been processed. It results into null\npointer dereference, causing kernel to crash. Fix this by having a check\non the number of TX packets which have been processed.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-19T16:15:44Z"

advisories/unreviewed/2025/09/GHSA-67c3-x939-573c/GHSA-67c3-x939-573c.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-67c3-x939-573c",
-  "modified": "2025-09-18T15:30:34Z",
+  "modified": "2025-12-11T21:31:26Z",
   "published": "2025-09-18T15:30:34Z",
   "aliases": [
     "CVE-2023-53401"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()\n\nKCSAN found an issue in obj_stock_flush_required():\nstock->cached_objcg can be reset between the check and dereference:\n\n==================================================================\nBUG: KCSAN: data-race in drain_all_stock / drain_obj_stock\n\nwrite to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:\n drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306\n refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340\n obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408\n memcg_slab_free_hook mm/slab.h:587 [inline]\n __cache_free mm/slab.c:3373 [inline]\n __do_kmem_cache_free mm/slab.c:3577 [inline]\n kmem_cache_free+0x105/0x280 mm/slab.c:3602\n __d_free fs/dcache.c:298 [inline]\n dentry_free fs/dcache.c:375 [inline]\n __dentry_kill+0x422/0x4a0 fs/dcache.c:621\n dentry_kill+0x8d/0x1e0\n dput+0x118/0x1f0 fs/dcache.c:913\n __fput+0x3bf/0x570 fs/file_table.c:329\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x123/0x160 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296\n do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:\n obj_stock_flush_required mm/memcontrol.c:3319 [inline]\n drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361\n try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703\n try_charge mm/memcontrol.c:2837 [inline]\n mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290\n sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025\n sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525\n udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692\n udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817\n sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668\n __sys_setsockopt+0x1c3/0x230 net/socket.c:2271\n __do_sys_setsockopt net/socket.c:2282 [inline]\n __se_sys_setsockopt net/socket.c:2279 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0xffff8881382d52c0 -> 0xffff888138893740\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023\n\nFix it by using READ_ONCE()/WRITE_ONCE() for all accesses to\nstock->cached_objcg.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-18T14:15:43Z"

advisories/unreviewed/2025/09/GHSA-8gwc-c833-gwmc/GHSA-8gwc-c833-gwmc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8gwc-c833-gwmc",
-  "modified": "2025-09-29T12:30:26Z",
+  "modified": "2025-12-11T21:31:26Z",
   "published": "2025-09-18T15:30:33Z",
   "aliases": [
     "CVE-2022-50396"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix memory leak in tcindex_set_parms\n\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810c287f00 (size 256):\n  comm \"syz-executor105\", pid 3600, jiffies 4294943292 (age 12.990s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046\n    [<ffffffff839c9e07>] kmalloc include/linux/slab.h:576 [inline]\n    [<ffffffff839c9e07>] kmalloc_array include/linux/slab.h:627 [inline]\n    [<ffffffff839c9e07>] kcalloc include/linux/slab.h:659 [inline]\n    [<ffffffff839c9e07>] tcf_exts_init include/net/pkt_cls.h:250 [inline]\n    [<ffffffff839c9e07>] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342\n    [<ffffffff839caa1f>] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553\n    [<ffffffff8394db62>] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147\n    [<ffffffff8389e91c>] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082\n    [<ffffffff839eba67>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540\n    [<ffffffff839eab87>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n    [<ffffffff839eab87>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n    [<ffffffff839eb046>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n    [<ffffffff8383e796>] sock_sendmsg_nosec net/socket.c:714 [inline]\n    [<ffffffff8383e796>] sock_sendmsg+0x56/0x80 net/socket.c:734\n    [<ffffffff8383eb08>] ____sys_sendmsg+0x178/0x410 net/socket.c:2482\n    [<ffffffff83843678>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536\n    [<ffffffff838439c5>] __sys_sendmmsg+0x105/0x330 net/socket.c:2622\n    [<ffffffff83843c14>] __do_sys_sendmmsg net/socket.c:2651 [inline]\n    [<ffffffff83843c14>] __se_sys_sendmmsg net/socket.c:2648 [inline]\n    [<ffffffff83843c14>] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648\n    [<ffffffff84605fd5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [<ffffffff84605fd5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\n\nKernel uses tcindex_change() to change an existing\nfilter properties.\n\nYet the problem is that, during the process of changing,\nif `old_r` is retrieved from `p->perfect`, then\nkernel uses tcindex_alloc_perfect_hash() to newly\nallocate filter results, uses tcindex_filter_result_init()\nto clear the old filter result, without destroying\nits tcf_exts structure, which triggers the above memory leak.\n\nTo be more specific, there are only two source for the `old_r`,\naccording to the tcindex_lookup(). `old_r` is retrieved from\n`p->perfect`, or `old_r` is retrieved from `p->h`.\n\n  * If `old_r` is retrieved from `p->perfect`, kernel uses\ntcindex_alloc_perfect_hash() to newly allocate the\nfilter results. Then `r` is assigned with `cp->perfect + handle`,\nwhich is newly allocated. So condition `old_r && old_r != r` is\ntrue in this situation, and kernel uses tcindex_filter_result_init()\nto clear the old filter result, without destroying\nits tcf_exts structure\n\n  * If `old_r` is retrieved from `p->h`, then `p->perfect` is NULL\naccording to the tcindex_lookup(). Considering that `cp->h`\nis directly copied from `p->h` and `p->perfect` is NULL,\n`r` is assigned with `tcindex_lookup(cp, handle)`, whose value\nshould be the same as `old_r`, so condition `old_r && old_r != r`\nis false in this situation, kernel ignores using\ntcindex_filter_result_init() to clear the old filter result.\n\nSo only when `old_r` is retrieved from `p->perfect` does kernel use\ntcindex_filter_result_init() to clear the old filter result, which\ntriggers the above memory leak.\n\nConsidering that there already exists a tc_filter_wq workqueue\nto destroy the old tcindex_d\n---truncated---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -68,8 +73,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-18T14:15:38Z"

advisories/unreviewed/2025/09/GHSA-9x65-r873-476c/GHSA-9x65-r873-476c.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9x65-r873-476c",
-  "modified": "2025-09-17T15:30:39Z",
+  "modified": "2025-12-11T21:31:25Z",
   "published": "2025-09-17T15:30:38Z",
   "aliases": [
     "CVE-2023-53359"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic at\nonce.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-17T15:15:40Z"

advisories/unreviewed/2025/09/GHSA-c3cm-22v6-7j92/GHSA-c3cm-22v6-7j92.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c3cm-22v6-7j92",
-  "modified": "2025-09-18T15:30:33Z",
+  "modified": "2025-12-11T21:31:26Z",
   "published": "2025-09-18T15:30:33Z",
   "aliases": [
     "CVE-2022-50387"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hinic: fix the issue of CMDQ memory leaks\n\nWhen hinic_set_cmdq_depth() fails in hinic_init_cmdqs(), the cmdq memory is\nnot released correctly. Fix it.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-18T14:15:37Z"

advisories/unreviewed/2025/09/GHSA-gmpx-hjjv-xj6f/GHSA-gmpx-hjjv-xj6f.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gmpx-hjjv-xj6f",
-  "modified": "2025-09-18T15:30:33Z",
+  "modified": "2025-12-11T21:31:26Z",
   "published": "2025-09-18T15:30:33Z",
   "aliases": [
     "CVE-2022-50389"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak\n\nIn crb_acpi_add(), we get the TPM2 table to retrieve information\nlike start method, and then assign them to the priv data, so the\nTPM2 table is not used after the init, should be freed, call\nacpi_put_table() to fix the memory leak.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -48,8 +53,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-18T14:15:37Z"

advisories/unreviewed/2025/09/GHSA-h2wv-j9q6-hqmc/GHSA-h2wv-j9q6-hqmc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h2wv-j9q6-hqmc",
-  "modified": "2025-09-23T06:30:27Z",
+  "modified": "2025-12-11T21:31:26Z",
   "published": "2025-09-23T06:30:27Z",
   "aliases": [
     "CVE-2025-39875"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix NULL pointer dereference in ethtool loopback test\n\nThe igb driver currently causes a NULL pointer dereference when executing\nthe ethtool loopback test. This occurs because there is no associated\nq_vector for the test ring when it is set up, as interrupts are typically\nnot added to the test rings.\n\nSince commit 5ef44b3cb43b removed the napi_id assignment in\n__xdp_rxq_info_reg(), there is no longer a need to pass a napi_id to it.\nTherefore, simply use 0 as the last parameter.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-23T06:15:46Z"