Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/02/GHSA-v8m7-99rg-xp5c/GHSA-v8m7-99rg-xp5c.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v8m7-99rg-xp5c",
-  "modified": "2025-02-22T03:30:37Z",
+  "modified": "2025-12-18T21:31:32Z",
   "published": "2025-02-21T15:32:02Z",
   "aliases": [
     "CVE-2025-26794"
@@ -39,6 +39,10 @@
       "type": "WEB",
       "url": "https://exim.org"
     },
+    {
+      "type": "WEB",
+      "url": "https://exim.org/static/doc/security/EXIM-Security-2025-12-09.1/report.txt"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/Exim/exim/wiki/EximSecurity"

advisories/unreviewed/2025/05/GHSA-3g6h-mcpv-p279/GHSA-3g6h-mcpv-p279.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3g6h-mcpv-p279",
-  "modified": "2025-11-03T21:33:55Z",
+  "modified": "2025-12-18T21:31:32Z",
   "published": "2025-05-20T18:30:56Z",
   "aliases": [
     "CVE-2025-37948"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: bpf: Add BHB mitigation to the epilogue for cBPF programs\n\nA malicious BPF program may manipulate the branch history to influence\nwhat the hardware speculates will happen next.\n\nOn exit from a BPF program, emit the BHB mititgation sequence.\n\nThis is only applied for 'classic' cBPF programs that are loaded by\nseccomp.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -53,7 +58,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-20T16:15:32Z"

advisories/unreviewed/2025/06/GHSA-35hv-9h7x-xw9j/GHSA-35hv-9h7x-xw9j.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-35hv-9h7x-xw9j",
-  "modified": "2025-11-03T18:31:19Z",
+  "modified": "2025-12-18T21:31:32Z",
   "published": "2025-06-18T12:30:33Z",
   "aliases": [
     "CVE-2025-38062"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie\n\nThe IOMMU translation for MSI message addresses has been a 2-step process,\nseparated in time:\n\n 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address\n    is stored in the MSI descriptor when an MSI interrupt is allocated.\n\n 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a\n    translated message address.\n\nThis has an inherent lifetime problem for the pointer stored in the cookie\nthat must remain valid between the two steps. However, there is no locking\nat the irq layer that helps protect the lifetime. Today, this works under\nthe assumption that the iommu domain is not changed while MSI interrupts\nbeing programmed. This is true for normal DMA API users within the kernel,\nas the iommu domain is attached before the driver is probed and cannot be\nchanged while a driver is attached.\n\nClassic VFIO type1 also prevented changing the iommu domain while VFIO was\nrunning as it does not support changing the \"container\" after starting up.\n\nHowever, iommufd has improved this so that the iommu domain can be changed\nduring VFIO operation. This potentially allows userspace to directly race\nVFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and\nVFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).\n\nThis potentially causes both the cookie pointer and the unlocked call to\niommu_get_domain_for_dev() on the MSI translation path to become UAFs.\n\nFix the MSI cookie UAF by removing the cookie pointer. The translated IOVA\naddress is already known during iommu_dma_prepare_msi() and cannot change.\nThus, it can simply be stored as an integer in the MSI descriptor.\n\nThe other UAF related to iommu_get_domain_for_dev() will be addressed in\npatch \"iommu: Make iommu_dma_prepare_msi() into a generic operation\" by\nusing the IOMMU group mutex.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -41,7 +46,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-18T10:15:39Z"

advisories/unreviewed/2025/06/GHSA-53c4-pm56-gg9x/GHSA-53c4-pm56-gg9x.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-53c4-pm56-gg9x",
-  "modified": "2025-11-03T21:34:04Z",
+  "modified": "2025-12-18T21:31:32Z",
   "published": "2025-06-18T12:30:31Z",
   "aliases": [
     "CVE-2025-38027"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: max20086: fix invalid memory access\n\nmax20086_parse_regulators_dt() calls of_regulator_match() using an\narray of struct of_regulator_match allocated on the stack for the\nmatches argument.\n\nof_regulator_match() calls devm_of_regulator_put_matches(), which calls\ndevres_alloc() to allocate a struct devm_of_regulator_matches which will\nbe de-allocated using devm_of_regulator_put_matches().\n\nstruct devm_of_regulator_matches is populated with the stack allocated\nmatches array.\n\nIf the device fails to probe, devm_of_regulator_put_matches() will be\ncalled and will try to call of_node_put() on that stack pointer,\ngenerating the following dmesg entries:\n\nmax20086 6-0028: Failed to read DEVICE_ID reg: -121\nkobject: '\\xc0$\\xa5\\x03' (000000002cebcb7a): is not initialized, yet\nkobject_put() is being called.\n\nFollowed by a stack trace matching the call flow described above.\n\nSwitch to allocating the matches array using devm_kcalloc() to\navoid accessing the stack pointer long after it's out of scope.\n\nThis also has the advantage of allowing multiple max20086 to probe\nwithout overriding the data stored inside the global of_regulator_match.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-18T10:15:34Z"

advisories/unreviewed/2025/06/GHSA-5q6f-wm2q-mpgg/GHSA-5q6f-wm2q-mpgg.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5q6f-wm2q-mpgg",
-  "modified": "2025-11-03T18:31:19Z",
+  "modified": "2025-12-18T21:31:32Z",
   "published": "2025-06-28T09:30:23Z",
   "aliases": [
     "CVE-2025-38085"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process.  While I don't see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-28T08:15:24Z"

advisories/unreviewed/2025/06/GHSA-mfp4-4cfm-v388/GHSA-mfp4-4cfm-v388.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mfp4-4cfm-v388",
-  "modified": "2025-11-03T18:31:19Z",
+  "modified": "2025-12-18T21:31:32Z",
   "published": "2025-06-28T09:30:22Z",
   "aliases": [
     "CVE-2025-38084"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: unshare page tables during VMA split, not before\n\nCurrently, __split_vma() triggers hugetlb page table unsharing through\nvm_ops->may_split().  This happens before the VMA lock and rmap locks are\ntaken - which is too early, it allows racing VMA-locked page faults in our\nprocess and racing rmap walks from other processes to cause page tables to\nbe shared again before we actually perform the split.\n\nFix it by explicitly calling into the hugetlb unshare logic from\n__split_vma() in the same place where THP splitting also happens.  At that\npoint, both the VMA and the rmap(s) are write-locked.\n\nAn annoying detail is that we can now call into the helper\nhugetlb_unshare_pmds() from two different locking contexts:\n\n1. from hugetlb_split(), holding:\n    - mmap lock (exclusively)\n    - VMA lock\n    - file rmap lock (exclusively)\n2. hugetlb_unshare_all_pmds(), which I think is designed to be able to\n   call us with only the mmap lock held (in shared mode), but currently\n   only runs while holding mmap lock (exclusively) and VMA lock\n\nBackporting note:\nThis commit fixes a racy protection that was introduced in commit\nb30c14cd6102 (\"hugetlb: unshare some PMDs when splitting VMAs\"); that\ncommit claimed to fix an issue introduced in 5.13, but it should actually\nalso go all the way back.\n\n[[email protected]: v2]",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -57,7 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-28T08:15:23Z"

advisories/unreviewed/2025/07/GHSA-28ww-ch52-w98x/GHSA-28ww-ch52-w98x.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-28ww-ch52-w98x",
-  "modified": "2025-11-03T18:31:21Z",
+  "modified": "2025-12-18T21:31:32Z",
   "published": "2025-07-03T09:30:34Z",
   "aliases": [
     "CVE-2025-38146"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix the dead loop of MPLS parse\n\nThe unexpected MPLS packet may not end with the bottom label stack.\nWhen there are many stacks, The label count value has wrapped around.\nA dead loop occurs, soft lockup/CPU stuck finally.\n\nstack backtrace:\nUBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26\nindex -1 is out of range for type '__be32 [3]'\nCPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G           OE   5.15.0-121-generic #131-Ubuntu\nHardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021\nCall Trace:\n <IRQ>\n show_stack+0x52/0x5c\n dump_stack_lvl+0x4a/0x63\n dump_stack+0x10/0x16\n ubsan_epilogue+0x9/0x36\n __ubsan_handle_out_of_bounds.cold+0x44/0x49\n key_extract_l3l4+0x82a/0x840 [openvswitch]\n ? kfree_skbmem+0x52/0xa0\n key_extract+0x9c/0x2b0 [openvswitch]\n ovs_flow_key_extract+0x124/0x350 [openvswitch]\n ovs_vport_receive+0x61/0xd0 [openvswitch]\n ? kernel_init_free_pages.part.0+0x4a/0x70\n ? get_page_from_freelist+0x353/0x540\n netdev_port_receive+0xc4/0x180 [openvswitch]\n ? netdev_port_receive+0x180/0x180 [openvswitch]\n netdev_frame_hook+0x1f/0x40 [openvswitch]\n __netif_receive_skb_core.constprop.0+0x23a/0xf00\n __netif_receive_skb_list_core+0xfa/0x240\n netif_receive_skb_list_internal+0x18e/0x2a0\n napi_complete_done+0x7a/0x1c0\n bnxt_poll+0x155/0x1c0 [bnxt_en]\n __napi_poll+0x30/0x180\n net_rx_action+0x126/0x280\n ? bnxt_msix+0x67/0x80 [bnxt_en]\n handle_softirqs+0xda/0x2d0\n irq_exit_rcu+0x96/0xc0\n common_interrupt+0x8e/0xa0\n </IRQ>",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -52,8 +57,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-129"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-03T09:15:29Z"

advisories/unreviewed/2025/07/GHSA-2q26-8g6x-6rr4/GHSA-2q26-8g6x-6rr4.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2q26-8g6x-6rr4",
-  "modified": "2025-11-03T18:31:22Z",
+  "modified": "2025-12-18T21:31:34Z",
   "published": "2025-07-04T15:31:10Z",
   "aliases": [
     "CVE-2025-38226"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: Change the siize of the composing\n\nsyzkaller found a bug:\n\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\nWrite of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304\n\nCPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\n tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\n vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]\n vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629\n vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767\n kthread+0x7a9/0x920 kernel/kthread.c:464\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\nThe composition size cannot be larger than the size of fmt_cap_rect.\nSo execute v4l2_rect_map_inside() even if has_compose_cap == 0.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-04T14:15:31Z"

advisories/unreviewed/2025/07/GHSA-2v3f-mxwm-3xrj/GHSA-2v3f-mxwm-3xrj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2v3f-mxwm-3xrj",
-  "modified": "2025-11-03T18:31:21Z",
+  "modified": "2025-12-18T21:31:33Z",
   "published": "2025-07-04T15:31:09Z",
   "aliases": [
     "CVE-2025-38197"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell_rbu: Fix list usage\n\nPass the correct list head to list_for_each_entry*() when looping through\nthe packet list.\n\nWithout this patch, reading the packet data via sysfs will show the data\nincorrectly (because it starts at the wrong packet), and clearing the\npacket list will result in a NULL pointer dereference.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -52,8 +57,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-04T14:15:26Z"

advisories/unreviewed/2025/07/GHSA-2v92-8hh5-248m/GHSA-2v92-8hh5-248m.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2v92-8hh5-248m",
-  "modified": "2025-11-03T18:31:21Z",
+  "modified": "2025-12-18T21:31:33Z",
   "published": "2025-07-04T15:31:09Z",
   "aliases": [
     "CVE-2025-38198"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Make sure modelist not set on unregistered console\n\nIt looks like attempting to write to the \"store_modes\" sysfs node will\nrun afoul of unregistered consoles:\n\nUBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28\nindex -1 is out of range for type 'fb_info *[32]'\n...\n fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122\n fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048\n fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673\n store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113\n dev_attr_store+0x55/0x80 drivers/base/core.c:2439\n\nstatic struct fb_info *fbcon_registered_fb[FB_MAX];\n...\nstatic signed char con2fb_map[MAX_NR_CONSOLES];\n...\nstatic struct fb_info *fbcon_info_from_console(int console)\n...\n        return fbcon_registered_fb[con2fb_map[console]];\n\nIf con2fb_map contains a -1 things go wrong here. Instead, return NULL,\nas callers of fbcon_info_from_console() are trying to compare against\nexisting \"info\" pointers, so error handling should kick in correctly.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-129"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-04T14:15:27Z"