github
diff --git a/‎advisories/unreviewed/2022/05/GHSA-63f3-68q8-wr22/GHSA-63f3-68q8-wr22.json‎
Lines changed: 14 additions & 3 deletions b/‎advisories/unreviewed/2022/05/GHSA-63f3-68q8-wr22/GHSA-63f3-68q8-wr22.json‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎advisories/unreviewed/2022/05/GHSA-c9pq-99jp-354g/GHSA-c9pq-99jp-354g.json‎
Lines changed: 14 additions & 3 deletions b/‎advisories/unreviewed/2022/05/GHSA-c9pq-99jp-354g/GHSA-c9pq-99jp-354g.json‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎advisories/unreviewed/2025/07/GHSA-4mqg-q94g-wmfr/GHSA-4mqg-q94g-wmfr.json‎
Lines changed: 11 additions & 4 deletions b/‎advisories/unreviewed/2025/07/GHSA-4mqg-q94g-wmfr/GHSA-4mqg-q94g-wmfr.json‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎advisories/unreviewed/2025/07/GHSA-6787-fm33-h95m/GHSA-6787-fm33-h95m.json‎
Lines changed: 8 additions & 3 deletions b/‎advisories/unreviewed/2025/07/GHSA-6787-fm33-h95m/GHSA-6787-fm33-h95m.json‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎advisories/unreviewed/2025/07/GHSA-7fpf-q83q-74mx/GHSA-7fpf-q83q-74mx.json‎
Lines changed: 11 additions & 4 deletions b/‎advisories/unreviewed/2025/07/GHSA-7fpf-q83q-74mx/GHSA-7fpf-q83q-74mx.json‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎advisories/unreviewed/2025/07/GHSA-8r96-vh27-xgf4/GHSA-8r96-vh27-xgf4.json‎
Lines changed: 11 additions & 4 deletions b/‎advisories/unreviewed/2025/07/GHSA-8r96-vh27-xgf4/GHSA-8r96-vh27-xgf4.json‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎advisories/unreviewed/2025/07/GHSA-979q-6jjc-29jh/GHSA-979q-6jjc-29jh.json‎
Lines changed: 11 additions & 4 deletions b/‎advisories/unreviewed/2025/07/GHSA-979q-6jjc-29jh/GHSA-979q-6jjc-29jh.json‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎advisories/unreviewed/2025/07/GHSA-fr3c-c44p-6638/GHSA-fr3c-c44p-6638.json‎
Lines changed: 8 additions & 3 deletions b/‎advisories/unreviewed/2025/07/GHSA-fr3c-c44p-6638/GHSA-fr3c-c44p-6638.json‎
Lines changed: 8 additions & 3 deletions
@@ -1,19 +1,28 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-63f3-68q8-wr22",
-  "modified": "2022-05-24T17:29:01Z",
+  "modified": "2025-12-22T21:30:27Z",
   "published": "2022-05-24T17:29:01Z",
   "aliases": [
     "CVE-2020-25789"
   ],
   "details": "An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25789"
     },
+    {
+      "type": "WEB",
+      "url": "https://blog.neagaru.com/p/exploiting-tiny-tiny-rss-2020"
+    },
     {
       "type": "WEB",
       "url": "https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799"
@@ -24,7 +33,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-79"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
 
@@ -1,19 +1,28 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c9pq-99jp-354g",
-  "modified": "2022-05-24T17:29:01Z",
+  "modified": "2025-12-22T21:30:27Z",
   "published": "2022-05-24T17:29:01Z",
   "aliases": [
     "CVE-2020-25788"
   ],
   "details": "An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST[\"url\"] in an error message.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25788"
     },
+    {
+      "type": "WEB",
+      "url": "https://blog.neagaru.com/p/exploiting-tiny-tiny-rss-2020"
+    },
     {
       "type": "WEB",
       "url": "https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799"
@@ -24,7 +33,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-829"
+    ],
     "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
 
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4mqg-q94g-wmfr",
-  "modified": "2025-11-03T18:31:31Z",
+  "modified": "2025-12-22T21:30:30Z",
   "published": "2025-07-28T12:30:34Z",
   "aliases": [
     "CVE-2025-38468"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\nping -I lo -c1 -W0.001 127.0.0.1\n\nThe root cause is the following:\n\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\n   the selected leaf qdisc\n2. netem_dequeue calls enqueue on the child qdisc\n3. blackhole_enqueue drops the packet and returns a value that is not\n   just NET_XMIT_SUCCESS\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\n   since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate ->\n   htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase\n5. As this is the only class in the selected hprio rbtree,\n   __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\n   NULL\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\n   which causes htb_dequeue_tree to call htb_lookup_leaf with the same\n   hprio rbtree, and fail the BUG_ON\n\nThe function graph for this scenario is shown here:\n 0)               |  htb_enqueue() {\n 0) + 13.635 us   |    netem_enqueue();\n 0)   4.719 us    |    htb_activate_prios();\n 0) # 2249.199 us |  }\n 0)               |  htb_dequeue() {\n 0)   2.355 us    |    htb_lookup_leaf();\n 0)               |    netem_dequeue() {\n 0) + 11.061 us   |      blackhole_enqueue();\n 0)               |      qdisc_tree_reduce_backlog() {\n 0)               |        qdisc_lookup_rcu() {\n 0)   1.873 us    |          qdisc_match_from_root();\n 0)   6.292 us    |        }\n 0)   1.894 us    |        htb_search();\n 0)               |        htb_qlen_notify() {\n 0)   2.655 us    |          htb_deactivate_prios();\n 0)   6.933 us    |        }\n 0) + 25.227 us   |      }\n 0)   1.983 us    |      blackhole_dequeue();\n 0) + 86.553 us   |    }\n 0) # 2932.761 us |    qdisc_warn_nonwc();\n 0)               |    htb_lookup_leaf() {\n 0)               |      BUG_ON();\n ------------------------------------------\n\nThe full original bug report can be seen here [1].\n\nWe can fix this just by returning NULL instead of the BUG_ON,\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\nNULL.\n\n[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-28T12:15:28Z"
 
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6787-fm33-h95m",
-  "modified": "2025-11-03T18:31:31Z",
+  "modified": "2025-12-22T21:30:31Z",
   "published": "2025-07-28T12:30:34Z",
   "aliases": [
     "CVE-2025-38474"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: net: sierra: check for no status endpoint\n\nThe driver checks for having three endpoints and\nhaving bulk in and out endpoints, but not that\nthe third endpoint is interrupt input.\nRectify the omission.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -57,7 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-28T12:15:29Z"
 
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7fpf-q83q-74mx",
-  "modified": "2025-11-03T18:31:31Z",
+  "modified": "2025-12-22T21:30:31Z",
   "published": "2025-07-28T12:30:35Z",
   "aliases": [
     "CVE-2025-38476"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet's fix it by making oldhdr to a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[   57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n </IRQ>\n <TASK>\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n </TASK>\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n ip6_\n---truncated---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -52,8 +57,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-28T12:15:29Z"
 
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8r96-vh27-xgf4",
-  "modified": "2025-11-03T18:31:31Z",
+  "modified": "2025-12-22T21:30:30Z",
   "published": "2025-07-28T12:30:34Z",
   "aliases": [
     "CVE-2025-38471"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n    BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n    (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n    Read of size 4 at addr ffff888013085750 by task tls/13529\n\n    CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n    Call Trace:\n     kasan_report+0xca/0x100\n     tls_strp_check_rcv+0x898/0x9a0 [tls]\n     tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n     tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n     inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp->stm.full_len\").",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-28T12:15:28Z"
 
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-979q-6jjc-29jh",
-  "modified": "2025-11-03T18:31:31Z",
+  "modified": "2025-12-22T21:30:31Z",
   "published": "2025-07-28T12:30:34Z",
   "aliases": [
     "CVE-2025-38472"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: fix crash due to removal of uninitialised entry\n\nA crash in conntrack was reported while trying to unlink the conntrack\nentry from the hash bucket list:\n    [exception RIP: __nf_ct_delete_from_lists+172]\n    [..]\n #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]\n #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]\n #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]\n    [..]\n\nThe nf_conn struct is marked as allocated from slab but appears to be in\na partially initialised state:\n\n ct hlist pointer is garbage; looks like the ct hash value\n (hence crash).\n ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected\n ct->timeout is 30000 (=30s), which is unexpected.\n\nEverything else looks like normal udp conntrack entry.  If we ignore\nct->status and pretend its 0, the entry matches those that are newly\nallocated but not yet inserted into the hash:\n  - ct hlist pointers are overloaded and store/cache the raw tuple hash\n  - ct->timeout matches the relative time expected for a new udp flow\n    rather than the absolute 'jiffies' value.\n\nIf it were not for the presence of IPS_CONFIRMED,\n__nf_conntrack_find_get() would have skipped the entry.\n\nTheory is that we did hit following race:\n\ncpu x \t\t\tcpu y\t\t\tcpu z\n found entry E\t\tfound entry E\n E is expired\t\t<preemption>\n nf_ct_delete()\n return E to rcu slab\n\t\t\t\t\tinit_conntrack\n\t\t\t\t\tE is re-inited,\n\t\t\t\t\tct->status set to 0\n\t\t\t\t\treply tuplehash hnnode.pprev\n\t\t\t\t\tstores hash value.\n\ncpu y found E right before it was deleted on cpu x.\nE is now re-inited on cpu z.  cpu y was preempted before\nchecking for expiry and/or confirm bit.\n\n\t\t\t\t\t->refcnt set to 1\n\t\t\t\t\tE now owned by skb\n\t\t\t\t\t->timeout set to 30000\n\nIf cpu y were to resume now, it would observe E as\nexpired but would skip E due to missing CONFIRMED bit.\n\n\t\t\t\t\tnf_conntrack_confirm gets called\n\t\t\t\t\tsets: ct->status |= CONFIRMED\n\t\t\t\t\tThis is wrong: E is not yet added\n\t\t\t\t\tto hashtable.\n\ncpu y resumes, it observes E as expired but CONFIRMED:\n\t\t\t<resumes>\n\t\t\tnf_ct_expired()\n\t\t\t -> yes (ct->timeout is 30s)\n\t\t\tconfirmed bit set.\n\ncpu y will try to delete E from the hashtable:\n\t\t\tnf_ct_delete() -> set DYING bit\n\t\t\t__nf_ct_delete_from_lists\n\nEven this scenario doesn't guarantee a crash:\ncpu z still holds the table bucket lock(s) so y blocks:\n\n\t\t\twait for spinlock held by z\n\n\t\t\t\t\tCONFIRMED is set but there is no\n\t\t\t\t\tguarantee ct will be added to hash:\n\t\t\t\t\t\"chaintoolong\" or \"clash resolution\"\n\t\t\t\t\tlogic both skip the insert step.\n\t\t\t\t\treply hnnode.pprev still stores the\n\t\t\t\t\thash value.\n\n\t\t\t\t\tunlocks spinlock\n\t\t\t\t\treturn NF_DROP\n\t\t\t<unblocks, then\n\t\t\t crashes on hlist_nulls_del_rcu pprev>\n\nIn case CPU z does insert the entry into the hashtable, cpu y will unlink\nE again right away but no crash occurs.\n\nWithout 'cpu y' race, 'garbage' hlist is of no consequence:\nct refcnt remains at 1, eventually skb will be free'd and E gets\ndestroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy.\n\nTo resolve this, move the IPS_CONFIRMED assignment after the table\ninsertion but before the unlock.\n\nPablo points out that the confirm-bit-store could be reordered to happen\nbefore hlist add resp. the timeout fixup, so switch to set_bit and\nbefore_atomic memory barrier to prevent this.\n\nIt doesn't matter if other CPUs can observe a newly inserted entry right\nbefore the CONFIRMED bit was set:\n\nSuch event cannot be distinguished from above \"E is the old incarnation\"\ncase: the entry will be skipped.\n\nAlso change nf_ct_should_gc() to first check the confirmed bit.\n\nThe gc sequence is:\n 1. Check if entry has expired, if not skip to next entry\n 2. Obtain a reference to the expired entry.\n 3. Call nf_ct_should_gc() to double-check step 1.\n\nnf_ct_should_gc() is thus called only for entries that already failed an\nexpiry check. After this patch, once the confirmed bit check pas\n---truncated---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-908"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-28T12:15:29Z"
 
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fr3c-c44p-6638",
-  "modified": "2025-11-03T18:31:30Z",
+  "modified": "2025-12-22T21:30:30Z",
   "published": "2025-07-25T18:30:40Z",
   "aliases": [
     "CVE-2025-38466"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Revert to requiring CAP_SYS_ADMIN for uprobes\n\nJann reports that uprobes can be used destructively when used in the\nmiddle of an instruction. The kernel only verifies there is a valid\ninstruction at the requested offset, but due to variable instruction\nlength cannot determine if this is an instruction as seen by the\nintended execution stream.\n\nAdditionally, Mark Rutland notes that on architectures that mix data\nin the text segment (like arm64), a similar things can be done if the\ndata word is 'mistaken' for an instruction.\n\nAs such, require CAP_SYS_ADMIN for uprobes.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -53,7 +58,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-07-25T16:15:32Z"