Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/08/GHSA-24xm-58mr-jc27/GHSA-24xm-58mr-jc27.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-24xm-58mr-jc27",
-  "modified": "2025-08-22T18:31:22Z",
+  "modified": "2025-11-26T18:31:01Z",
   "published": "2025-08-22T18:31:22Z",
   "aliases": [
     "CVE-2025-38655"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: canaan: k230: add NULL check in DT parse\n\nAdd a NULL check for the return value of of_get_property() when\nretrieving the \"pinmux\" property in the group parser. This avoids\na potential NULL pointer dereference if the property is missing\nfrom the device tree node.\n\nAlso fix a typo (\"sintenel\") in the device ID match table comment,\ncorrecting it to \"sentinel\".",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-22T16:15:40Z"

advisories/unreviewed/2025/08/GHSA-255m-8v4r-mcgr/GHSA-255m-8v4r-mcgr.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-255m-8v4r-mcgr",
-  "modified": "2025-08-22T15:33:05Z",
+  "modified": "2025-11-26T18:30:58Z",
   "published": "2025-08-22T15:33:05Z",
   "aliases": [
     "CVE-2024-58239"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: stop recv() if initial process_rx_list gave us non-DATA\n\nIf we have a non-DATA record on the rx_list and another record of the\nsame type still on the queue, we will end up merging them:\n - process_rx_list copies the non-DATA record\n - we start the loop and process the first available record since it's\n   of the same type\n - we break out of the loop since the record was not DATA\n\nJust check the record type and jump to the end in case process_rx_list\ndid some work.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -45,7 +50,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-22T14:15:45Z"

advisories/unreviewed/2025/08/GHSA-2hfg-pw5c-5cwc/GHSA-2hfg-pw5c-5cwc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2hfg-pw5c-5cwc",
-  "modified": "2025-08-19T18:31:33Z",
+  "modified": "2025-11-26T18:30:58Z",
   "published": "2025-08-19T18:31:33Z",
   "aliases": [
     "CVE-2025-38606"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss\n\nDuring beacon miss handling, ath12k driver iterates over active virtual\ninterfaces (vifs) and attempts to access the radio object (ar) via\narvif->deflink->ar.\n\nHowever, after commit aa80f12f3bed (\"wifi: ath12k: defer vdev creation for\nMLO\"), arvif is linked to a radio only after vdev creation, typically when\na channel is assigned or a scan is requested.\nFor P2P capable devices, a default P2P interface is created by\nwpa_supplicant along with regular station interfaces, these serve as dummy\ninterfaces for P2P-capable stations, lack an associated netdev and initiate\nfrequent scans to discover neighbor p2p devices. When a scan is initiated\non such P2P vifs, driver selects destination radio (ar) based on scan\nfrequency, creates a scan vdev, and attaches arvif to the radio. Once the\nscan completes or is aborted, the scan vdev is deleted, detaching arvif\nfrom the radio and leaving arvif->ar uninitialized.\n\nWhile handling beacon miss for station interfaces, P2P interface is also\nencountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter()\ntries to dereference the uninitialized arvif->deflink->ar.\n\nFix this by verifying that vdev is created for the arvif before accessing\nits ar during beacon miss handling and similar vif iterator callbacks.\n\n==========================================================================\n wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n\n CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)\n RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]\n Call Trace:\n  __iterate_interfaces+0x11a/0x410 [mac80211]\n  ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]\n  ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]\n  ath12k_roam_event+0x393/0x560 [ath12k]\n  ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]\n  ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]\n  ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]\n  ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]\n  ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]\n  ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]\n  process_one_work+0xe3a/0x1430\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:38Z"

advisories/unreviewed/2025/08/GHSA-2pph-66px-9x3w/GHSA-2pph-66px-9x3w.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2pph-66px-9x3w",
-  "modified": "2025-08-22T18:31:21Z",
+  "modified": "2025-11-26T18:30:59Z",
   "published": "2025-08-22T18:31:21Z",
   "aliases": [
     "CVE-2025-38619"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti: j721e-csi2rx: fix list_del corruption\n\nIf ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is\nmarked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue.\nThis causes the same buffer to be retried in the next iteration, resulting\nin a double list_del() and eventual list corruption.\n\nFix this by removing the buffer from the queue before calling\nvb2_buffer_done() on error.\n\nThis resolves a crash due to list_del corruption:\n[   37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA\n[   37.832187]  slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048\n[   37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428)\n[   37.850799] ------------[ cut here ]------------\n[   37.855424] kernel BUG at lib/list_debug.c:65!\n[   37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[   37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul\n[   37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY\n[   37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT)\n[   37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114\n[   37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114\n[   37.914059] sp : ffff800080003db0\n[   37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000\n[   37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122\n[   37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0\n[   37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a\n[   37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720\n[   37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea\n[   37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568\n[   37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff\n[   37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000\n[   37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d\n[   37.988832] Call trace:\n[   37.991281]  __list_del_entry_valid_or_report+0xdc/0x114 (P)\n[   37.996959]  ti_csi2rx_dma_callback+0x84/0x1c4\n[   38.001419]  udma_vchan_complete+0x1e0/0x344\n[   38.005705]  tasklet_action_common+0x118/0x310\n[   38.010163]  tasklet_action+0x30/0x3c\n[   38.013832]  handle_softirqs+0x10c/0x2e0\n[   38.017761]  __do_softirq+0x14/0x20\n[   38.021256]  ____do_softirq+0x10/0x20\n[   38.024931]  call_on_irq_stack+0x24/0x60\n[   38.028873]  do_softirq_own_stack+0x1c/0x40\n[   38.033064]  __irq_exit_rcu+0x130/0x15c\n[   38.036909]  irq_exit_rcu+0x10/0x20\n[   38.040403]  el1_interrupt+0x38/0x60\n[   38.043987]  el1h_64_irq_handler+0x18/0x24\n[   38.048091]  el1h_64_irq+0x6c/0x70\n[   38.051501]  default_idle_call+0x34/0xe0 (P)\n[   38.055783]  do_idle+0x1f8/0x250\n[   38.059021]  cpu_startup_entry+0x34/0x3c\n[   38.062951]  rest_init+0xb4/0xc0\n[   38.066186]  console_on_rootfs+0x0/0x6c\n[   38.070031]  __primary_switched+0x88/0x90\n[   38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000)\n[   38.080168] ---[ end trace 0000000000000000 ]---\n[   38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt\n[   38.092197] SMP: stopping secondary CPUs\n[   38.096139] Kernel Offset: disabled\n[   38.099631] CPU features: 0x0000,00002000,02000801,0400420b\n[   38.105202] Memory Limit: none\n[   38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-22T16:15:35Z"

advisories/unreviewed/2025/08/GHSA-2qfm-24x8-gwfp/GHSA-2qfm-24x8-gwfp.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2qfm-24x8-gwfp",
-  "modified": "2025-08-22T18:31:22Z",
+  "modified": "2025-11-26T18:30:59Z",
   "published": "2025-08-22T18:31:22Z",
   "aliases": [
     "CVE-2025-38628"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/mlx5: Fix release of uninitialized resources on error path\n\nThe commit in the fixes tag made sure that mlx5_vdpa_free()\nis the single entrypoint for removing the vdpa device resources\nadded in mlx5_vdpa_dev_add(), even in the cleanup path of\nmlx5_vdpa_dev_add().\n\nThis means that all functions from mlx5_vdpa_free() should be able to\nhandle uninitialized resources. This was not the case though:\nmlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx()\nwere not able to do so. This caused the splat below when adding\na vdpa device without a MAC address.\n\nThis patch fixes these remaining issues:\n\n- Makes mlx5_vdpa_destroy_mr_resources() return early if called on\n  uninitialized resources.\n\n- Moves mlx5_cmd_init_async_ctx() early on during device addition\n  because it can't fail. This means that mlx5_cmd_cleanup_async_ctx()\n  also can't fail. To mirror this, move the call site of\n  mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free().\n\nAn additional comment was added in mlx5_vdpa_free() to document\nthe expectations of functions called from this context.\n\nSplat:\n\n  mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned?\n  ------------[ cut here ]------------\n  WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0\n  [...]\n  Call Trace:\n   <TASK>\n   ? __try_to_del_timer_sync+0x61/0x90\n   ? __timer_delete_sync+0x2b/0x40\n   mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa]\n   mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa]\n   vdpa_release_dev+0x1e/0x50 [vdpa]\n   device_release+0x31/0x90\n   kobject_cleanup+0x37/0x130\n   mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa]\n   vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa]\n   genl_family_rcv_msg_doit+0xd8/0x130\n   genl_family_rcv_msg+0x14b/0x220\n   ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]\n   genl_rcv_msg+0x47/0xa0\n   ? __pfx_genl_rcv_msg+0x10/0x10\n   netlink_rcv_skb+0x53/0x100\n   genl_rcv+0x24/0x40\n   netlink_unicast+0x27b/0x3b0\n   netlink_sendmsg+0x1f7/0x430\n   __sys_sendto+0x1fa/0x210\n   ? ___pte_offset_map+0x17/0x160\n   ? next_uptodate_folio+0x85/0x2b0\n   ? percpu_counter_add_batch+0x51/0x90\n   ? filemap_map_pages+0x515/0x660\n   __x64_sys_sendto+0x20/0x30\n   do_syscall_64+0x7b/0x2c0\n   ? do_read_fault+0x108/0x220\n   ? do_pte_missing+0x14a/0x3e0\n   ? __handle_mm_fault+0x321/0x730\n   ? count_memcg_events+0x13f/0x180\n   ? handle_mm_fault+0x1fb/0x2d0\n   ? do_user_addr_fault+0x20c/0x700\n   ? syscall_exit_work+0x104/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f0c25b0feca\n  [...]\n  ---[ end trace 0000000000000000 ]---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-908"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-22T16:15:36Z"

advisories/unreviewed/2025/08/GHSA-377f-vp77-9jq4/GHSA-377f-vp77-9jq4.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-377f-vp77-9jq4",
-  "modified": "2025-08-19T18:31:34Z",
+  "modified": "2025-11-26T18:30:58Z",
   "published": "2025-08-19T18:31:34Z",
   "aliases": [
     "CVE-2025-38613"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: gpib: fix unset padding field copy back to userspace\n\nThe introduction of a padding field in the gpib_board_info_ioctl is\nshowing up as initialized data on the stack frame being copyied back\nto userspace in function board_info_ioctl. The simplest fix is to\ninitialize the entire struct to zero to ensure all unassigned padding\nfields are zero'd before being copied back to userspace.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-908"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:39Z"

advisories/unreviewed/2025/08/GHSA-3p7j-wq4m-3p8j/GHSA-3p7j-wq4m-3p8j.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3p7j-wq4m-3p8j",
-  "modified": "2025-08-19T18:31:33Z",
+  "modified": "2025-11-26T18:30:57Z",
   "published": "2025-08-19T18:31:33Z",
   "aliases": [
     "CVE-2025-38594"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix UAF on sva unbind with pending IOPFs\n\nCommit 17fce9d2336d (\"iommu/vt-d: Put iopf enablement in domain attach\npath\") disables IOPF on device by removing the device from its IOMMU's\nIOPF queue when the last IOPF-capable domain is detached from the device.\nUnfortunately, it did this in a wrong place where there are still pending\nIOPFs. As a result, a use-after-free error is potentially triggered and\neventually a kernel panic with a kernel trace similar to the following:\n\n refcount_t: underflow; use-after-free.\n WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0\n Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf\n Call Trace:\n   <TASK>\n   iopf_free_group+0xe/0x20\n   process_one_work+0x197/0x3d0\n   worker_thread+0x23a/0x350\n   ? rescuer_thread+0x4a0/0x4a0\n   kthread+0xf8/0x230\n   ? finish_task_switch.isra.0+0x81/0x260\n   ? kthreads_online_cpu+0x110/0x110\n   ? kthreads_online_cpu+0x110/0x110\n   ret_from_fork+0x13b/0x170\n   ? kthreads_online_cpu+0x110/0x110\n   ret_from_fork_asm+0x11/0x20\n   </TASK>\n  ---[ end trace 0000000000000000 ]---\n\nThe intel_pasid_tear_down_entry() function is responsible for blocking\nhardware from generating new page faults and flushing all in-flight\nones. Therefore, moving iopf_for_domain_remove() after this function\nshould resolve this.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:37Z"