Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2024/07/GHSA-36gh-mcf5-3vpm/GHSA-36gh-mcf5-3vpm.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-36gh-mcf5-3vpm",
-  "modified": "2024-07-29T15:30:45Z",
+  "modified": "2025-10-09T18:30:25Z",
   "published": "2024-07-29T15:30:44Z",
   "aliases": [
     "CVE-2024-41067"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: handle RST lookup error correctly\n\n[BUG]\nWhen running btrfs/060 with forced RST feature, it would crash the\nfollowing ASSERT() inside scrub_read_endio():\n\n\tASSERT(sector_nr < stripe->nr_sectors);\n\nBefore that, we would have tree dump from\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\nthe range.\n\n[CAUSE]\nInside scrub_submit_extent_sector_read() every time we allocated a new\nbbio we immediately called btrfs_map_block() to make sure there was some\nRST range covering the scrub target.\n\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\nwhile the bbio is newly allocated, it's completely empty.\n\nThen inside scrub_read_endio(), we go through the bvecs to find\nthe sector number (as bi_sector is no longer reliable if the bio is\nsubmitted to lower layers).\n\nAnd since the bio is empty, such bvecs iteration would not find any\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\ntriggering the ASSERT().\n\n[FIX]\nInstead of calling btrfs_map_block() after allocating a new bbio, call\nbtrfs_map_block() first.\n\nSince our only objective of calling btrfs_map_block() is only to update\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\n\nThis new timing would avoid the problem of handling empty bbio\ncompletely, and in fact fixes a possible race window for the old code,\nwhere if the submission thread is the only owner of the pending_io, the\nscrub would never finish (since we didn't decrease the pending_io\ncounter).\n\nAlthough the root cause of RST lookup failure still needs to be\naddressed.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -25,7 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:14Z"

advisories/unreviewed/2024/07/GHSA-3g2p-rjfc-78cj/GHSA-3g2p-rjfc-78cj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3g2p-rjfc-78cj",
-  "modified": "2024-07-29T15:30:46Z",
+  "modified": "2025-10-09T18:30:25Z",
   "published": "2024-07-29T15:30:46Z",
   "aliases": [
     "CVE-2024-41072"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\n\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -49,7 +54,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:14Z"

advisories/unreviewed/2024/07/GHSA-5mx3-q822-9r57/GHSA-5mx3-q822-9r57.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5mx3-q822-9r57",
-  "modified": "2024-07-29T15:30:48Z",
+  "modified": "2025-10-09T18:30:25Z",
   "published": "2024-07-29T15:30:48Z",
   "aliases": [
     "CVE-2024-41082"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: use reserved tag for reg read/write command\n\nIn some scenarios, if too many commands are issued by nvme command in\nthe same time by user tasks, this may exhaust all tags of admin_q. If\na reset (nvme reset or IO timeout) occurs before these commands finish,\nreconnect routine may fail to update nvme regs due to insufficient tags,\nwhich will cause kernel hang forever. In order to workaround this issue,\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\ntags. This maybe safe for nvmf:\n\n1. For the disable ctrl path,  we will not issue connect command\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\n   are called serially.\n\nSo the reserved tags may still be enough while reg_xx() use reserved tags.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -25,7 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:15Z"

advisories/unreviewed/2024/07/GHSA-5p8g-h9f2-v3vj/GHSA-5p8g-h9f2-v3vj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5p8g-h9f2-v3vj",
-  "modified": "2024-07-29T15:30:47Z",
+  "modified": "2025-10-09T18:30:25Z",
   "published": "2024-07-29T15:30:47Z",
   "aliases": [
     "CVE-2024-41075"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: add consistency check for copen/cread\n\nThis prevents malicious processes from completing random copen/cread\nrequests and crashing the system. Added checks are listed below:\n\n  * Generic, copen can only complete open requests, and cread can only\n    complete read requests.\n  * For copen, ondemand_id must not be 0, because this indicates that the\n    request has not been read by the daemon.\n  * For cread, the object corresponding to fd and req should be the same.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -33,7 +38,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:15Z"

advisories/unreviewed/2024/07/GHSA-966p-c3x9-6gp2/GHSA-966p-c3x9-6gp2.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-966p-c3x9-6gp2",
-  "modified": "2024-07-29T18:30:38Z",
+  "modified": "2025-10-09T18:30:25Z",
   "published": "2024-07-29T18:30:38Z",
   "aliases": [
     "CVE-2024-41086"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Fix sb_field_downgrade validation\n\n- bch2_sb_downgrade_validate() wasn't checking for a downgrade entry\n  extending past the end of the superblock section\n\n- for_each_downgrade_entry() is used in to_text() and needs to work on\n  malformed input; it also was missing a check for a field extending\n  past the end of the section",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -25,7 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T16:15:04Z"

advisories/unreviewed/2024/07/GHSA-9w68-2pr9-7g2r/GHSA-9w68-2pr9-7g2r.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9w68-2pr9-7g2r",
-  "modified": "2024-07-29T15:30:45Z",
+  "modified": "2025-10-09T18:30:24Z",
   "published": "2024-07-29T15:30:44Z",
   "aliases": [
     "CVE-2024-41065"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\n\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\nshown below.\n\n    kernel BUG at mm/usercopy.c:102!\n    Oops: Exception in kernel mode, sig: 5 [#1]\n    LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n    Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\n    scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\n    CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\n    Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\n    NIP:  c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\n    REGS: c000000120c078c0 TRAP: 0700   Not tainted  (6.10.0-rc3)\n    MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 2828220f  XER: 0000000e\n    CFAR: c0000000001fdc80 IRQMASK: 0\n    [ ... GPRs omitted ... ]\n    NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\n    LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\n    Call Trace:\n     usercopy_abort+0x74/0xb0 (unreliable)\n     __check_heap_object+0xf8/0x120\n     check_heap_object+0x218/0x240\n     __check_object_size+0x84/0x1a4\n     dtl_file_read+0x17c/0x2c4\n     full_proxy_read+0x8c/0x110\n     vfs_read+0xdc/0x3a0\n     ksys_read+0x84/0x144\n     system_call_exception+0x124/0x330\n     system_call_vectored_common+0x15c/0x2ec\n    --- interrupt: 3000 at 0x7fff81f3ab34\n\nCommit 6d07d1cd300f (\"usercopy: Restrict non-usercopy caches to size 0\")\nrequires that only whitelisted areas in slab/slub objects can be copied to\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\nDtl contains hypervisor dispatch events which are expected to be read by\nprivileged users. Hence mark this safe for user access.\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\nentire object.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -45,7 +50,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:14Z"

advisories/unreviewed/2024/07/GHSA-f6q4-wr98-4jf5/GHSA-f6q4-wr98-4jf5.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f6q4-wr98-4jf5",
-  "modified": "2024-07-29T15:30:44Z",
+  "modified": "2025-10-09T18:30:24Z",
   "published": "2024-07-29T15:30:44Z",
   "aliases": [
     "CVE-2024-41062"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/l2cap: sync sock recv cb and release\n\nThe problem occurs between the system call to close the sock and hci_rx_work,\nwhere the former releases the sock and the latter accesses it without lock protection.\n\n           CPU0                       CPU1\n           ----                       ----\n           sock_close                 hci_rx_work\n\t   l2cap_sock_release         hci_acldata_packet\n\t   l2cap_sock_kill            l2cap_recv_frame\n\t   sk_free                    l2cap_conless_channel\n\t                              l2cap_sock_recv_cb\n\nIf hci_rx_work processes the data that needs to be received before the sock is\nclosed, then everything is normal; Otherwise, the work thread may access the\nreleased sock when receiving data.\n\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\nthe sock release and recv cb.\n\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -33,7 +38,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:14Z"

advisories/unreviewed/2024/07/GHSA-f8pw-vxv3-v5xv/GHSA-f8pw-vxv3-v5xv.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f8pw-vxv3-v5xv",
-  "modified": "2024-07-29T15:30:42Z",
+  "modified": "2025-10-09T18:30:24Z",
   "published": "2024-07-29T15:30:42Z",
   "aliases": [
     "CVE-2024-41044"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: reject claimed-as-LCP but actually malformed packets\n\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\nLCP packet has an actual body beyond PPP_LCP header bytes, and\nreject claimed-as-LCP but actually malformed data otherwise.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -49,7 +54,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:12Z"

advisories/unreviewed/2024/07/GHSA-j624-93rx-49pr/GHSA-j624-93rx-49pr.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j624-93rx-49pr",
-  "modified": "2024-07-29T15:30:42Z",
+  "modified": "2025-10-09T18:30:24Z",
   "published": "2024-07-29T15:30:42Z",
   "aliases": [
     "CVE-2024-41047"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix XDP program unloading while removing the driver\n\nThe commit 6533e558c650 (\"i40e: Fix reset path while removing\nthe driver\") introduced a new PF state \"__I40E_IN_REMOVE\" to block\nmodifying the XDP program while the driver is being removed.\nUnfortunately, such a change is useful only if the \".ndo_bpf()\"\ncallback was called out of the rmmod context because unloading the\nexisting XDP program is also a part of driver removing procedure.\nIn other words, from the rmmod context the driver is expected to\nunload the XDP program without reporting any errors. Otherwise,\nthe kernel warning with callstack is printed out to dmesg.\n\nExample failing scenario:\n 1. Load the i40e driver.\n 2. Load the XDP program.\n 3. Unload the i40e driver (using \"rmmod\" command).\n\nThe example kernel warning log:\n\n[  +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[  +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[  +0.002726] Call Trace:\n[  +0.002457]  <TASK>\n[  +0.002119]  ? __warn+0x80/0x120\n[  +0.003245]  ? unregister_netdevice_many_notify+0x7a9/0x870\n[  +0.005586]  ? report_bug+0x164/0x190\n[  +0.003678]  ? handle_bug+0x3c/0x80\n[  +0.003503]  ? exc_invalid_op+0x17/0x70\n[  +0.003846]  ? asm_exc_invalid_op+0x1a/0x20\n[  +0.004200]  ? unregister_netdevice_many_notify+0x7a9/0x870\n[  +0.005579]  ? unregister_netdevice_many_notify+0x3cc/0x870\n[  +0.005586]  unregister_netdevice_queue+0xf7/0x140\n[  +0.004806]  unregister_netdev+0x1c/0x30\n[  +0.003933]  i40e_vsi_release+0x87/0x2f0 [i40e]\n[  +0.004604]  i40e_remove+0x1a1/0x420 [i40e]\n[  +0.004220]  pci_device_remove+0x3f/0xb0\n[  +0.003943]  device_release_driver_internal+0x19f/0x200\n[  +0.005243]  driver_detach+0x48/0x90\n[  +0.003586]  bus_remove_driver+0x6d/0xf0\n[  +0.003939]  pci_unregister_driver+0x2e/0xb0\n[  +0.004278]  i40e_exit_module+0x10/0x5f0 [i40e]\n[  +0.004570]  __do_sys_delete_module.isra.0+0x197/0x310\n[  +0.005153]  do_syscall_64+0x85/0x170\n[  +0.003684]  ? syscall_exit_to_user_mode+0x69/0x220\n[  +0.004886]  ? do_syscall_64+0x95/0x170\n[  +0.003851]  ? exc_page_fault+0x7e/0x180\n[  +0.003932]  entry_SYSCALL_64_after_hwframe+0x71/0x79\n[  +0.005064] RIP: 0033:0x7f59dc9347cb\n[  +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\n[  +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n[  +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\n[  +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\n[  +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\n[  +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\n[  +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\n[  +0.007151]  </TASK>\n[  +0.002204] ---[ end trace 0000000000000000 ]---\n\nFix this by checking if the XDP program is being loaded or unloaded.\nThen, block only loading a new program while \"__I40E_IN_REMOVE\" is set.\nAlso, move testing \"__I40E_IN_REMOVE\" flag to the beginning of XDP_SETUP\ncallback to avoid unnecessary operations and checks.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -37,7 +42,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:13Z"

advisories/unreviewed/2024/07/GHSA-q7ch-p7wx-7pf8/GHSA-q7ch-p7wx-7pf8.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q7ch-p7wx-7pf8",
-  "modified": "2024-07-29T15:30:48Z",
+  "modified": "2025-10-09T18:30:25Z",
   "published": "2024-07-29T15:30:48Z",
   "aliases": [
     "CVE-2024-41081"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: block BH in ila_output()\n\nAs explained in commit 1378817486d6 (\"tipc: block BH\nbefore using dst_cache\"), net/core/dst_cache.c\nhelpers need to be called with BH disabled.\n\nila_output() is called from lwtunnel_output()\npossibly from process context, and under rcu_read_lock().\n\nWe might be interrupted by a softirq, re-enter ila_output()\nand corrupt dst_cache data structures.\n\nFix the race by using local_bh_disable().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -49,7 +54,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-07-29T15:15:15Z"