Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-856v-8qm2-9wjv",
-  "modified": "2025-12-17T18:31:32Z",
+  "modified": "2025-12-17T21:30:32Z",
   "published": "2025-08-07T21:31:08Z",
   "aliases": [
     "CVE-2025-7195"
@@ -56,6 +56,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23542"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23529"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:23528"

advisories/unreviewed/2024/05/GHSA-2q67-rw6p-rcj4/GHSA-2q67-rw6p-rcj4.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2q67-rw6p-rcj4",
-  "modified": "2024-06-27T15:30:39Z",
+  "modified": "2025-12-17T21:30:28Z",
   "published": "2024-05-17T15:31:10Z",
   "aliases": [
     "CVE-2024-35822"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible trigger below warning message from mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\n\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -61,7 +66,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T14:15:17Z"

advisories/unreviewed/2024/05/GHSA-9vv7-jc87-x8x5/GHSA-9vv7-jc87-x8x5.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9vv7-jc87-x8x5",
-  "modified": "2024-06-27T15:30:39Z",
+  "modified": "2025-12-17T21:30:27Z",
   "published": "2024-05-17T12:31:00Z",
   "aliases": [
     "CVE-2024-27410"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject iftype change with mesh ID change\n\nIt's currently possible to change the mesh ID when the\ninterface isn't yet in mesh mode, at the same time as\nchanging it into mesh mode. This leads to an overwrite\nof data in the wdev->u union for the interface type it\ncurrently has, causing cfg80211_change_iface() to do\nwrong things when switching.\n\nWe could probably allow setting an interface to mesh\nwhile setting the mesh ID at the same time by doing a\ndifferent order of operations here, but realistically\nthere's no userspace that's going to do this, so just\ndisallow changes in iftype when setting mesh ID.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -57,7 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T12:15:11Z"

advisories/unreviewed/2024/05/GHSA-cv2p-mqwj-vfxc/GHSA-cv2p-mqwj-vfxc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cv2p-mqwj-vfxc",
-  "modified": "2024-06-27T15:30:39Z",
+  "modified": "2025-12-17T21:30:28Z",
   "published": "2024-05-17T12:31:00Z",
   "aliases": [
     "CVE-2024-27413"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/capsule-loader: fix incorrect allocation size\n\ngcc-14 notices that the allocation with sizeof(void) on 32-bit architectures\nis not enough for a 64-bit phys_addr_t:\n\ndrivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':\ndrivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]\n  295 |         cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);\n      |                        ^\n\nUse the correct type instead here.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -57,7 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T12:15:12Z"

advisories/unreviewed/2024/05/GHSA-fr98-f486-jr22/GHSA-fr98-f486-jr22.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fr98-f486-jr22",
-  "modified": "2024-06-27T12:30:46Z",
+  "modified": "2025-12-17T21:30:28Z",
   "published": "2024-05-17T15:31:10Z",
   "aliases": [
     "CVE-2024-35830"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tc358743: register v4l2 async device only after successful setup\n\nEnsure the device has been setup correctly before registering the v4l2\nasync device, thus allowing userspace to access.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -61,7 +66,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T14:15:19Z"

advisories/unreviewed/2024/05/GHSA-h5gp-hg4c-hvvx/GHSA-h5gp-hg4c-hvvx.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h5gp-hg4c-hvvx",
-  "modified": "2024-06-27T15:30:39Z",
+  "modified": "2025-12-17T21:30:28Z",
   "published": "2024-05-17T15:31:09Z",
   "aliases": [
     "CVE-2024-35807"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n  dev=/dev/<some_dev> # should be >= 16 GiB\n  mkdir -p /corruption\n  /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n  mount -t ext4 $dev /corruption\n\n  dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n  sha1sum /corruption/test\n  # 79d2658b39dcfd77274e435b0934028adafaab11  /corruption/test\n\n  /sbin/resize2fs $dev $((2*2**21))\n  # drop page cache to force reload the block from disk\n  echo 1 > /proc/sys/vm/drop_caches\n\n  sha1sum /corruption/test\n  # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3  /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -61,7 +66,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T14:15:14Z"

advisories/unreviewed/2024/05/GHSA-h9q8-5vjp-c6cg/GHSA-h9q8-5vjp-c6cg.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h9q8-5vjp-c6cg",
-  "modified": "2024-06-26T00:31:41Z",
+  "modified": "2025-12-17T21:30:28Z",
   "published": "2024-05-17T12:31:00Z",
   "aliases": [
     "CVE-2024-27414"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back\n\nIn the commit d73ef2d69c0d (\"rtnetlink: let rtnl_bridge_setlink checks\nIFLA_BRIDGE_MODE length\"), an adjustment was made to the old loop logic\nin the function `rtnl_bridge_setlink` to enable the loop to also check\nthe length of the IFLA_BRIDGE_MODE attribute. However, this adjustment\nremoved the `break` statement and led to an error logic of the flags\nwriting back at the end of this function.\n\nif (have_flags)\n    memcpy(nla_data(attr), &flags, sizeof(flags));\n    // attr should point to IFLA_BRIDGE_FLAGS NLA !!!\n\nBefore the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.\nHowever, this is not necessarily true fow now as the updated loop will let\nthe attr point to the last NLA, even an invalid NLA which could cause\noverflow writes.\n\nThis patch introduces a new variable `br_flag` to save the NLA pointer\nthat points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned\nerror logic.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -49,7 +54,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T12:15:12Z"

advisories/unreviewed/2024/05/GHSA-jg5m-33hj-57xc/GHSA-jg5m-33hj-57xc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jg5m-33hj-57xc",
-  "modified": "2024-06-26T00:31:43Z",
+  "modified": "2025-12-17T21:30:29Z",
   "published": "2024-05-17T15:31:10Z",
   "aliases": [
     "CVE-2024-35837"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: clear BM pool before initialization\n\nRegister value persist after booting the kernel using\nkexec which results in kernel panic. Thus clear the\nBM pool registers before initialisation to fix the issue.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -45,7 +50,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T14:15:20Z"

advisories/unreviewed/2024/05/GHSA-pcfp-3pw8-73vr/GHSA-pcfp-3pw8-73vr.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pcfp-3pw8-73vr",
-  "modified": "2024-11-05T12:30:59Z",
+  "modified": "2025-12-17T21:30:28Z",
   "published": "2024-05-17T15:31:10Z",
   "aliases": [
     "CVE-2024-35825"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying if the leftover bytes to be processed is zero\nor not. If the block length reads zero, we would process the same\nNTB infintely because the leftover bytes is never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -57,7 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T14:15:18Z"

advisories/unreviewed/2024/05/GHSA-pjwx-p5wv-785h/GHSA-pjwx-p5wv-785h.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pjwx-p5wv-785h",
-  "modified": "2024-06-27T15:30:39Z",
+  "modified": "2025-12-17T21:30:28Z",
   "published": "2024-05-17T15:31:10Z",
   "aliases": [
     "CVE-2024-35819"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -61,7 +66,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-17T14:15:16Z"