Publish Advisories

GHSA-36x9-553r-v339
GHSA-4rpm-cvm4-wfmq
GHSA-5569-859r-969g
GHSA-f7pq-5grc-hr54
GHSA-r27j-q6q8-cmj7
GHSA-r3wq-5xjj-hj39
GHSA-vh65-g82c-qqrx
GHSA-w497-wqwx-v847
GHSA-2cpf-j432-984q
GHSA-2v4g-65gf-w58f
GHSA-39m5-rg2v-54h9
GHSA-3cq3-cj5m-hm72
GHSA-43w2-q5cj-hwmq
GHSA-4w6g-g6r5-3mgp
GHSA-75hx-6r6j-hw56
GHSA-c3cp-7jp9-c872
GHSA-gfvq-wmqw-q9j2
GHSA-gq25-78jf-v78c
GHSA-m8p9-q9xx-54j2
GHSA-mh75-3225-9wcj
GHSA-px6j-wc84-gwhf
GHSA-qh8p-52f2-hj2c
GHSA-rmf9-x9hc-v3pr
GHSA-rxc6-c5mm-j9vx

Author: advisory-database[bot]

advisories/unreviewed/2025/08/GHSA-36x9-553r-v339/GHSA-36x9-553r-v339.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-36x9-553r-v339",
-  "modified": "2025-08-19T18:31:32Z",
+  "modified": "2025-11-26T21:31:25Z",
   "published": "2025-08-19T18:31:32Z",
   "aliases": [
     "CVE-2025-38567"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: avoid ref leak in nfsd_open_local_fh()\n\nIf two calls to nfsd_open_local_fh() race and both successfully call\nnfsd_file_acquire_local(), they will both get an extra reference to the\nnet to accompany the file reference stored in *pnf.\n\nOne of them will fail to store (using xchg()) the file reference in\n*pnf and will drop that reference but WON'T drop the accompanying\nreference to the net.  This leak means that when the nfs server is shut\ndown it will hang in nfsd_shutdown_net() waiting for\n&nn->nfsd_net_free_done.\n\nThis patch adds the missing nfsd_net_put().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:33Z"

advisories/unreviewed/2025/08/GHSA-4rpm-cvm4-wfmq/GHSA-4rpm-cvm4-wfmq.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4rpm-cvm4-wfmq",
-  "modified": "2025-08-19T18:31:33Z",
+  "modified": "2025-11-26T21:31:25Z",
   "published": "2025-08-19T18:31:32Z",
   "aliases": [
     "CVE-2025-38568"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: mqprio: fix stack out-of-bounds write in tc entry parsing\n\nTCA_MQPRIO_TC_ENTRY_INDEX is validated using\nNLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value\nTC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack\nwrite in the fp[] array, which only has room for 16 elements (0–15).\n\nFix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -36,8 +41,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:33Z"

advisories/unreviewed/2025/08/GHSA-5569-859r-969g/GHSA-5569-859r-969g.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5569-859r-969g",
-  "modified": "2025-08-19T18:31:33Z",
+  "modified": "2025-11-26T21:31:25Z",
   "published": "2025-08-19T18:31:33Z",
   "aliases": [
     "CVE-2025-38582"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix double destruction of rsv_qp\n\nrsv_qp may be double destroyed in error flow, first in free_mr_init(),\nand then in hns_roce_exit(). Fix it by moving the free_mr_init() call\ninto hns_roce_v2_init().\n\nlist_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100)\nWARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240\n...\nCall trace:\n __list_del_entry_valid+0x148/0x240\n hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2]\n hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2]\n hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2]\n free_mr_exit+0x6c/0x120 [hns_roce_hw_v2]\n hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2]\n hns_roce_exit+0x118/0x350 [hns_roce_hw_v2]\n __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2]\n hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2]\n hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2]\n hclge_notify_roce_client+0x6c/0x160 [hclge]\n hclge_reset_rebuild+0x150/0x5c0 [hclge]\n hclge_reset+0x10c/0x140 [hclge]\n hclge_reset_subtask+0x80/0x104 [hclge]\n hclge_reset_service_task+0x168/0x3ac [hclge]\n hclge_service_task+0x50/0x100 [hclge]\n process_one_work+0x250/0x9a0\n worker_thread+0x324/0x990\n kthread+0x190/0x210\n ret_from_fork+0x10/0x18",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-415"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:35Z"

advisories/unreviewed/2025/08/GHSA-f7pq-5grc-hr54/GHSA-f7pq-5grc-hr54.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f7pq-5grc-hr54",
-  "modified": "2025-08-19T18:31:33Z",
+  "modified": "2025-11-26T21:31:25Z",
   "published": "2025-08-19T18:31:33Z",
   "aliases": [
     "CVE-2025-38580"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix inode use after free in ext4_end_io_rsv_work()\n\nIn ext4_io_end_defer_completion(), check if io_end->list_vec is empty to\navoid adding an io_end that requires no conversion to the\ni_rsv_conversion_list, which in turn prevents starting an unnecessary\nworker. An ext4_emergency_state() check is also added to avoid attempting\nto abort the journal in an emergency state.\n\nAdditionally, ext4_put_io_end_defer() is refactored to call\next4_io_end_defer_completion() directly instead of being open-coded.\nThis also prevents starting an unnecessary worker when EXT4_IO_END_FAILED\nis set but data_err=abort is not enabled.\n\nThis ensures that the check in ext4_put_io_end_defer() is consistent with\nthe check in ext4_end_bio(). Otherwise, we might add an io_end to the\ni_rsv_conversion_list and then call ext4_finish_bio(), after which the\ninode could be freed before ext4_end_io_rsv_work() is called, triggering\na use-after-free issue.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:35Z"

advisories/unreviewed/2025/08/GHSA-r27j-q6q8-cmj7/GHSA-r27j-q6q8-cmj7.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r27j-q6q8-cmj7",
-  "modified": "2025-08-19T18:31:33Z",
+  "modified": "2025-11-26T21:31:25Z",
   "published": "2025-08-19T18:31:33Z",
   "aliases": [
     "CVE-2025-38573"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cs42l43: Property entry should be a null-terminated array\n\nThe software node does not specify a count of property entries, so the\narray must be null-terminated.\n\nWhen unterminated, this can lead to a fault in the downstream cs35l56\namplifier driver, because the node parse walks off the end of the\narray into unknown memory.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -33,7 +38,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:34Z"

advisories/unreviewed/2025/08/GHSA-r3wq-5xjj-hj39/GHSA-r3wq-5xjj-hj39.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r3wq-5xjj-hj39",
-  "modified": "2025-08-19T18:31:33Z",
+  "modified": "2025-11-26T21:31:25Z",
   "published": "2025-08-19T18:31:33Z",
   "aliases": [
     "CVE-2025-38571"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix client side handling of tls alerts\n\nA security exploit was discovered in NFS over TLS in tls_alert_recv\ndue to its assumption that there is valid data in the msghdr's\niterator's kvec.\n\nInstead, this patch proposes the rework how control messages are\nsetup and used by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a kvec\nbacked control buffer and read in the control message such as a TLS\nalert. Scott found that a msg iterator can advance the kvec pointer\nas a part of the copy process thus we need to revert the iterator\nbefore calling into the tls_alert_recv.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -37,7 +42,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:33Z"

advisories/unreviewed/2025/08/GHSA-vh65-g82c-qqrx/GHSA-vh65-g82c-qqrx.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vh65-g82c-qqrx",
-  "modified": "2025-08-19T18:31:33Z",
+  "modified": "2025-11-26T21:31:25Z",
   "published": "2025-08-19T18:31:33Z",
   "aliases": [
     "CVE-2025-38570"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: fbnic: unlink NAPIs from queues on error to open\n\nCI hit a UaF in fbnic in the AF_XDP portion of the queues.py test.\nThe UaF is in the __sk_mark_napi_id_once() call in xsk_bind(),\nNAPI has been freed. Looks like the device failed to open earlier,\nand we lack clearing the NAPI pointer from the queue.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-08-19T17:15:33Z"

advisories/unreviewed/2025/10/GHSA-w497-wqwx-v847/GHSA-w497-wqwx-v847.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w497-wqwx-v847",
-  "modified": "2025-11-05T00:31:29Z",
+  "modified": "2025-11-26T21:31:25Z",
   "published": "2025-10-15T15:30:27Z",
   "aliases": [
     "CVE-2025-9640"
@@ -27,6 +27,10 @@
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391698"
     },
+    {
+      "type": "WEB",
+      "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00027.html"
+    },
     {
       "type": "WEB",
       "url": "https://www.samba.org/samba/history/security.html"

advisories/unreviewed/2025/11/GHSA-2cpf-j432-984q/GHSA-2cpf-j432-984q.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2cpf-j432-984q",
+  "modified": "2025-11-26T21:31:26Z",
+  "published": "2025-11-26T21:31:26Z",
+  "aliases": [
+    "CVE-2025-6195"
+  ],
+  "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6195"
+    },
+    {
+      "type": "WEB",
+      "url": "https://hackerone.com/reports/3155693"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/549937"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-425"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-26T20:15:50Z"
+  }
+}

advisories/unreviewed/2025/11/GHSA-2v4g-65gf-w58f/GHSA-2v4g-65gf-w58f.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2v4g-65gf-w58f",
+  "modified": "2025-11-26T21:31:26Z",
+  "published": "2025-11-26T21:31:26Z",
+  "aliases": [
+    "CVE-2025-12653"
+  ],
+  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12653"
+    },
+    {
+      "type": "WEB",
+      "url": "https://hackerone.com/reports/3370245"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/579372"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-290"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-26T20:15:49Z"
+  }
+}