Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2025/11/GHSA-cgrx-mc8f-2prm/GHSA-cgrx-mc8f-2prm.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cgrx-mc8f-2prm",
-  "modified": "2025-11-05T18:40:40Z",
+  "modified": "2025-11-06T21:31:52Z",
   "published": "2025-11-05T18:40:40Z",
   "aliases": [
     "CVE-2025-52881"
@@ -102,6 +102,10 @@
     }
   ],
   "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw"
@@ -110,6 +114,14 @@
       "type": "WEB",
       "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52881"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/opencontainers/selinux/pull/237"
@@ -178,6 +190,10 @@
       "type": "WEB",
       "url": "https://github.com/opencontainers/runc/commit/3f925525b44d247e390e529e772a0dc0c0bc3557"
     },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+    },
     {
       "type": "WEB",
       "url": "https://youtu.be/tGseJW_uBB8"
@@ -188,11 +204,19 @@
     },
     {
       "type": "WEB",
-      "url": "https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+      "url": "https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/opencontainers/runc"
+    },
+    {
+      "type": "WEB",
+      "url": "http://github.com/opencontainers/runc/commit/a41366e74080fa9f26a2cd3544e2801449697322"
+    },
+    {
+      "type": "WEB",
+      "url": "http://github.com/opencontainers/runc/commit/fdcc9d3cad2f85954a241ccb910a61aaa1ef47f3"
     }
   ],
   "database_specific": {
@@ -203,6 +227,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2025-11-05T18:40:40Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-11-06T21:15:42Z"
   }
 }

advisories/unreviewed/2025/03/GHSA-73c4-6c6c-c5p3/GHSA-73c4-6c6c-c5p3.json

@@ -42,7 +42,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-284"
+      "CWE-284",
+      "CWE-434"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/03/GHSA-jr7q-wv4c-3c65/GHSA-jr7q-wv4c-3c65.json

@@ -38,7 +38,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-326"
+      "CWE-326",
+      "CWE-916"
     ],
     "severity": "LOW",
     "github_reviewed": false,

advisories/unreviewed/2025/05/GHSA-7pwg-2v7p-j53q/GHSA-7pwg-2v7p-j53q.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7pwg-2v7p-j53q",
-  "modified": "2025-05-01T15:31:44Z",
+  "modified": "2025-11-06T21:31:17Z",
   "published": "2025-05-01T15:31:44Z",
   "aliases": [
     "CVE-2025-37779"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/iov_iter: fix to increase non slab folio refcount\n\nWhen testing EROFS file-backed mount over v9fs on qemu, I encountered a\nfolio UAF issue.  The page sanity check reports the following call trace. \nThe root cause is that pages in bvec are coalesced across a folio bounary.\nThe refcount of all non-slab folios should be increased to ensure\np9_releas_pages can put them correctly.\n\nBUG: Bad page state in process md5sum  pfn:18300\npage: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300\nhead: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\naops:z_erofs_aops ino:30b0f dentry name(?):\"GoogleExtServicesCn.apk\"\nflags: 0x100000000000041(locked|head|node=0|zone=1)\nraw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0\nraw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000\nhead: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0\nhead: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000\nhead: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000\nhead: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\nCall Trace:\n dump_stack_lvl+0x53/0x70\n bad_page+0xd4/0x220\n __free_pages_ok+0x76d/0xf30\n __folio_put+0x230/0x320\n p9_release_pages+0x179/0x1f0\n p9_virtio_zc_request+0xa2a/0x1230\n p9_client_zc_rpc.constprop.0+0x247/0x700\n p9_client_read_once+0x34d/0x810\n p9_client_read+0xf3/0x150\n v9fs_issue_read+0x111/0x360\n netfs_unbuffered_read_iter_locked+0x927/0x1390\n netfs_unbuffered_read_iter+0xa2/0xe0\n vfs_iocb_iter_read+0x2c7/0x460\n erofs_fileio_rq_submit+0x46b/0x5b0\n z_erofs_runqueue+0x1203/0x21e0\n z_erofs_readahead+0x579/0x8b0\n read_pages+0x19f/0xa70\n page_cache_ra_order+0x4ad/0xb80\n filemap_readahead.isra.0+0xe7/0x150\n filemap_get_pages+0x7aa/0x1890\n filemap_read+0x320/0xc80\n vfs_read+0x6c6/0xa30\n ksys_read+0xf9/0x1c0\n do_syscall_64+0x9e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x71/0x79",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-415"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T14:15:41Z"

advisories/unreviewed/2025/05/GHSA-c68q-vr86-8r23/GHSA-c68q-vr86-8r23.json

@@ -42,7 +42,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-89"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2025/05/GHSA-hvr4-ppmm-c7fp/GHSA-hvr4-ppmm-c7fp.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hvr4-ppmm-c7fp",
-  "modified": "2025-11-03T21:33:47Z",
+  "modified": "2025-11-06T21:31:17Z",
   "published": "2025-05-02T15:31:48Z",
   "aliases": [
     "CVE-2025-37797"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class handling\n\nThis patch fixes a Use-After-Free vulnerability in the HFSC qdisc class\nhandling. The issue occurs due to a time-of-check/time-of-use condition\nin hfsc_change_class() when working with certain child qdiscs like netem\nor codel.\n\nThe vulnerability works as follows:\n1. hfsc_change_class() checks if a class has packets (q.qlen != 0)\n2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,\n   codel, netem) might drop packets and empty the queue\n3. The code continues assuming the queue is still non-empty, adding\n   the class to vttree\n4. This breaks HFSC scheduler assumptions that only non-empty classes\n   are in vttree\n5. Later, when the class is destroyed, this can lead to a Use-After-Free\n\nThe fix adds a second queue length check after qdisc_peek_len() to verify\nthe queue wasn't emptied.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-02T15:15:48Z"

advisories/unreviewed/2025/05/GHSA-jfrj-r763-gv36/GHSA-jfrj-r763-gv36.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jfrj-r763-gv36",
-  "modified": "2025-05-01T15:31:43Z",
+  "modified": "2025-11-06T21:31:17Z",
   "published": "2025-05-01T15:31:42Z",
   "aliases": [
     "CVE-2025-37755"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: handle page_pool_dev_alloc_pages error\n\npage_pool_dev_alloc_pages could return NULL. There was a WARN_ON(!page)\nbut it would still proceed to use the NULL pointer and then crash.\n\nThis is similar to commit 001ba0902046\n(\"net: fec: handle page_pool_dev_alloc_pages error\").\n\nThis is found by our static analysis tool KNighter.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -36,8 +41,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T13:15:54Z"

advisories/unreviewed/2025/05/GHSA-mmr7-75gg-rpc3/GHSA-mmr7-75gg-rpc3.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mmr7-75gg-rpc3",
-  "modified": "2025-05-01T15:31:42Z",
+  "modified": "2025-11-06T21:31:17Z",
   "published": "2025-05-01T15:31:42Z",
   "aliases": [
     "CVE-2025-37754"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/huc: Fix fence not released on early probe errors\n\nHuC delayed loading fence, introduced with commit 27536e03271da\n(\"drm/i915/huc: track delayed HuC load with a fence\"), is registered with\nobject tracker early on driver probe but unregistered only from driver\nremove, which is not called on early probe errors.  Since its memory is\nallocated under devres, then released anyway, it may happen to be\nallocated again to the fence and reused on future driver probes, resulting\nin kernel warnings that taint the kernel:\n\n<4> [309.731371] ------------[ cut here ]------------\n<3> [309.731373] ODEBUG: init destroyed (active state 0) object: ffff88813d7dd2e0 object type: i915_sw_fence hint: sw_fence_dummy_notify+0x0/0x20 [i915]\n<4> [309.731575] WARNING: CPU: 2 PID: 3161 at lib/debugobjects.c:612 debug_print_object+0x93/0xf0\n...\n<4> [309.731693] CPU: 2 UID: 0 PID: 3161 Comm: i915_module_loa Tainted: G     U             6.14.0-CI_DRM_16362-gf0fd77956987+ #1\n...\n<4> [309.731700] RIP: 0010:debug_print_object+0x93/0xf0\n...\n<4> [309.731728] Call Trace:\n<4> [309.731730]  <TASK>\n...\n<4> [309.731949]  __debug_object_init+0x17b/0x1c0\n<4> [309.731957]  debug_object_init+0x34/0x50\n<4> [309.732126]  __i915_sw_fence_init+0x34/0x60 [i915]\n<4> [309.732256]  intel_huc_init_early+0x4b/0x1d0 [i915]\n<4> [309.732468]  intel_uc_init_early+0x61/0x680 [i915]\n<4> [309.732667]  intel_gt_common_init_early+0x105/0x130 [i915]\n<4> [309.732804]  intel_root_gt_init_early+0x63/0x80 [i915]\n<4> [309.732938]  i915_driver_probe+0x1fa/0xeb0 [i915]\n<4> [309.733075]  i915_pci_probe+0xe6/0x220 [i915]\n<4> [309.733198]  local_pci_probe+0x44/0xb0\n<4> [309.733203]  pci_device_probe+0xf4/0x270\n<4> [309.733209]  really_probe+0xee/0x3c0\n<4> [309.733215]  __driver_probe_device+0x8c/0x180\n<4> [309.733219]  driver_probe_device+0x24/0xd0\n<4> [309.733223]  __driver_attach+0x10f/0x220\n<4> [309.733230]  bus_for_each_dev+0x7d/0xe0\n<4> [309.733236]  driver_attach+0x1e/0x30\n<4> [309.733239]  bus_add_driver+0x151/0x290\n<4> [309.733244]  driver_register+0x5e/0x130\n<4> [309.733247]  __pci_register_driver+0x7d/0x90\n<4> [309.733251]  i915_pci_register_driver+0x23/0x30 [i915]\n<4> [309.733413]  i915_init+0x34/0x120 [i915]\n<4> [309.733655]  do_one_initcall+0x62/0x3f0\n<4> [309.733667]  do_init_module+0x97/0x2a0\n<4> [309.733671]  load_module+0x25ff/0x2890\n<4> [309.733688]  init_module_from_file+0x97/0xe0\n<4> [309.733701]  idempotent_init_module+0x118/0x330\n<4> [309.733711]  __x64_sys_finit_module+0x77/0x100\n<4> [309.733715]  x64_sys_call+0x1f37/0x2650\n<4> [309.733719]  do_syscall_64+0x91/0x180\n<4> [309.733763]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n<4> [309.733792]  </TASK>\n...\n<4> [309.733806] ---[ end trace 0000000000000000 ]---\n\nThat scenario is most easily reproducible with\nigt@i915_module_load@reload-with-fault-injection.\n\nFix the issue by moving the cleanup step to driver release path.\n\n(cherry picked from commit 795dbde92fe5c6996a02a5b579481de73035e7bf)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -37,7 +42,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T13:15:54Z"

advisories/unreviewed/2025/05/GHSA-qfpx-fgcv-pjx6/GHSA-qfpx-fgcv-pjx6.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qfpx-fgcv-pjx6",
-  "modified": "2025-11-03T21:33:47Z",
+  "modified": "2025-11-06T21:31:17Z",
   "published": "2025-05-02T15:31:48Z",
   "aliases": [
     "CVE-2025-37798"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncodel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()\n\nAfter making all ->qlen_notify() callbacks idempotent, now it is safe to\nremove the check of qlen!=0 from both fq_codel_dequeue() and\ncodel_qdisc_dequeue().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -61,7 +66,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-02T15:15:48Z"

advisories/unreviewed/2025/05/GHSA-w595-4hr6-r5fv/GHSA-w595-4hr6-r5fv.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w595-4hr6-r5fv",
-  "modified": "2025-11-03T21:33:46Z",
+  "modified": "2025-11-06T21:31:17Z",
   "published": "2025-05-01T15:31:44Z",
   "aliases": [
     "CVE-2025-37780"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: Prevent the use of too small fid\n\nsyzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]\n\nThe handle_bytes value passed in by the reproducing program is equal to 12.\nIn handle_to_path(), only 12 bytes of memory are allocated for the structure\nfile_handle->f_handle member, which causes an out-of-bounds access when\naccessing the member parent_block of the structure isofs_fid in isofs,\nbecause accessing parent_block requires at least 16 bytes of f_handle.\nHere, fh_len is used to indirectly confirm that the value of handle_bytes\nis greater than 3 before accessing parent_block.\n\n[1]\nBUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183\nRead of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466\nCPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0x198/0x550 mm/kasan/report.c:521\n kasan_report+0xd8/0x138 mm/kasan/report.c:634\n __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380\n isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183\n exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523\n do_handle_to_path+0xa0/0x198 fs/fhandle.c:257\n handle_to_path fs/fhandle.c:385 [inline]\n do_handle_open+0x8cc/0xb8c fs/fhandle.c:403\n __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]\n __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]\n __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nAllocated by task 6466:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4294 [inline]\n __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306\n kmalloc_noprof include/linux/slab.h:905 [inline]\n handle_to_path fs/fhandle.c:357 [inline]\n do_handle_open+0x5a4/0xb8c fs/fhandle.c:403\n __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]\n __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]\n __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-05-01T14:15:41Z"