Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-r6gx-fcg6-8hhj/GHSA-r6gx-fcg6-8hhj.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r6gx-fcg6-8hhj",
-  "modified": "2025-11-25T09:31:24Z",
+  "modified": "2025-12-08T03:31:00Z",
   "published": "2025-11-25T09:31:24Z",
   "aliases": [
     "CVE-2025-13502"
@@ -19,6 +19,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13502"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22790"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-13502"

advisories/unreviewed/2025/12/GHSA-23g6-rffg-7f3p/GHSA-23g6-rffg-7f3p.json

@@ -0,0 +1,45 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-23g6-rffg-7f3p",
+  "modified": "2025-12-08T03:31:00Z",
+  "published": "2025-12-08T03:31:00Z",
+  "aliases": [
+    "CVE-2025-40294"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()\n\nIn the parse_adv_monitor_pattern() function, the value of\nthe 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).\nThe size of the 'value' array in the mgmt_adv_pattern structure is 31.\nIf the value of 'pattern[i].length' is set in the user space\nand exceeds 31, the 'patterns[i].value' array can be accessed\nout of bound when copied.\n\nIncreasing the size of the 'value' array in\nthe 'mgmt_adv_pattern' structure will break the userspace.\nConsidering this, and to avoid OOB access revert the limits for 'offset'\nand 'length' back to the value of HCI_MAX_AD_LENGTH.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40294"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T01:16:01Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-286m-g766-wcgx/GHSA-286m-g766-wcgx.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-286m-g766-wcgx",
+  "modified": "2025-12-08T03:31:03Z",
+  "published": "2025-12-08T03:31:03Z",
+  "aliases": [
+    "CVE-2023-53747"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF\n\nAfter a call to console_unlock() in vcs_write() the vc_data struct can be\nfreed by vc_port_destruct(). Because of that, the struct vc_data pointer\nmust be reloaded in the while loop in vcs_write() after console_lock() to\navoid a UAF when vcs_size() is called.\n\nSyzkaller reported a UAF in vcs_size().\n\nBUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)\nRead of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119\n\nCall Trace:\n <TASK>\n__asan_report_load4_noabort (mm/kasan/report_generic.c:380)\nvcs_size (drivers/tty/vt/vc_screen.c:215)\nvcs_write (drivers/tty/vt/vc_screen.c:664)\nvfs_write (fs/read_write.c:582 fs/read_write.c:564)\n...\n <TASK>\n\nAllocated by task 1213:\nkmalloc_trace (mm/slab_common.c:1064)\nvc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680\n    drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)\ncon_install (drivers/tty/vt/vt.c:3334)\ntty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415\n    drivers/tty/tty_io.c:1392)\ntty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)\nchrdev_open (fs/char_dev.c:415)\ndo_dentry_open (fs/open.c:921)\nvfs_open (fs/open.c:1052)\n...\n\nFreed by task 4116:\nkfree (mm/slab_common.c:1016)\nvc_port_destruct (drivers/tty/vt/vt.c:1044)\ntty_port_destructor (drivers/tty/tty_port.c:296)\ntty_port_put (drivers/tty/tty_port.c:312)\nvt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))\nvt_ioctl (drivers/tty/vt/vt_ioctl.c:903)\ntty_ioctl (drivers/tty/tty_io.c:2778)\n...\n\nThe buggy address belongs to the object at ffff8880beab8800\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 424 bytes inside of\n freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)\n\nThe buggy address belongs to the physical page:\npage:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000\n    index:0x0 pfn:0xbeab8\nhead:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0\n    pincount:0\nflags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: 0xffffffff()\nraw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                  ^\n ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nDisabling lock debugging due to kernel taint",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53747"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/0deff678157333d775af190f84696336cdcccd6d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/11dddfbb7a4e62489b01074d6c04d9d1b42e4047"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/1de42e7653d6714a7507ba6696151a1fa028c69f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/3338d0b9acde770ee588eead5cac32c25e7048fc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/934de9a9b659785fed3e820bc0c813a460c71fea"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/a4e3c4c65ae8510e01352c9a4347e05c035b2ce2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T02:15:50Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-2989-gqx8-wgwx/GHSA-2989-gqx8-wgwx.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2989-gqx8-wgwx",
+  "modified": "2025-12-08T03:31:04Z",
+  "published": "2025-12-08T03:31:03Z",
+  "aliases": [
+    "CVE-2023-53766"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS: JFS: Check for read-only mounted filesystem in txBegin\n\n This patch adds a check for read-only mounted filesystem\n in txBegin before starting a transaction potentially saving\n from NULL pointer deref.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53766"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/2a8807f9f511c64de0c7cc9900a1683e3d72a3e5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/2febd5f81e4bfba61d9f374dcca628aff374cc56"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/5c094ca994824e038b6a97835ded4e5d1d808504"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/95e2b352c03b0a86c5717ba1d24ea20969abcacc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/a88efca805bea93cea9187dfd00835aa7093bf1b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/b0ed8ed0428ee96092da6fefa5cfacbe4abed701"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T02:15:52Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-2c7r-cgw2-h422/GHSA-2c7r-cgw2-h422.json

@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2c7r-cgw2-h422",
+  "modified": "2025-12-08T03:31:01Z",
+  "published": "2025-12-08T03:31:01Z",
+  "aliases": [
+    "CVE-2025-40313"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: pretend $Extend records as regular files\n\nSince commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\")\nrequires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/\nS_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40313"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/17249b2a65274f73ed68bcd1604e08a60fd8a278"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/4e8011ffec79717e5fdac43a7e79faf811a384b7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/57534db1bbc4ca772393bb7d92e69d5e7b9051cf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/63eb6730ce0604d3eacf036c2f68ea70b068317c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/78d46f5276ed3589aaaa435580068c5b62efc921"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T01:16:03Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-2g6j-xgp9-7mhx/GHSA-2g6j-xgp9-7mhx.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2g6j-xgp9-7mhx",
+  "modified": "2025-12-08T03:31:01Z",
+  "published": "2025-12-08T03:31:01Z",
+  "aliases": [
+    "CVE-2025-40296"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: int3472: Fix double free of GPIO device during unregister\n\nregulator_unregister() already frees the associated GPIO device. On\nThinkPad X9 (Lunar Lake), this causes a double free issue that leads to\nrandom failures when other drivers (typically Intel THC) attempt to\nallocate interrupts. The root cause is that the reference count of the\npinctrl_intel_platform module unexpectedly drops to zero when this\ndriver defers its probe.\n\nThis behavior can also be reproduced by unloading the module directly.\n\nFix the issue by removing the redundant release of the GPIO device\nduring regulator unregistration.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40296"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/b8113bb56c45bd17bac5144b55591f9cdbd6aabe"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/f0f7a3f542c1698edb69075f25a3f846207facba"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T01:16:01Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-2vg8-pj5q-762f/GHSA-2vg8-pj5q-762f.json

@@ -0,0 +1,41 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2vg8-pj5q-762f",
+  "modified": "2025-12-08T03:31:01Z",
+  "published": "2025-12-08T03:31:01Z",
+  "aliases": [
+    "CVE-2025-40320"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential cfid UAF in smb2_query_info_compound\n\nWhen smb2_query_info_compound() retries, a previously allocated cfid may\nhave been freed in the first attempt.\nBecause cfid wasn't reset on replay, later cleanup could act on a stale\npointer, leading to a potential use-after-free.\n\nReinitialize cfid to NULL under the replay label.\n\nExample trace (trimmed):\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110\n[...]\nRIP: 0010:refcount_warn_saturate+0x9c/0x110\n[...]\nCall Trace:\n <TASK>\n smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? step_into+0x10d/0x690\n ? __legitimize_path+0x28/0x60\n smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? kmem_cache_alloc+0x18a/0x340\n ? getname_flags+0x46/0x1e0\n cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n statfs_by_dentry+0x67/0x90\n vfs_statfs+0x16/0xd0\n user_statfs+0x54/0xa0\n __do_sys_statfs+0x20/0x50\n do_syscall_64+0x58/0x80",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40320"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/327f89c21601ebb7889f8c97754b76f08ce95a0c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/5c76f9961c170552c1d07c830b5e145475151600"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/939c4e33005e2a56ea8fcedddf0da92df864bd3b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/b556c278d43f4707a9073ca74d55581b4f279806"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T01:16:04Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-383p-pcrh-7q28/GHSA-383p-pcrh-7q28.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-383p-pcrh-7q28",
+  "modified": "2025-12-08T03:31:03Z",
+  "published": "2025-12-08T03:31:03Z",
+  "aliases": [
+    "CVE-2023-53750"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: freescale: Fix a memory out of bounds when num_configs is 1\n\nThe config passed in by pad wakeup is 1, when num_configs is 1,\nConfiguration [1] should not be fetched, which will be detected\nby KASAN as a memory out of bounds condition. Modify to get\nconfigs[1] when num_configs is 2.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53750"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/27d9a7585b594bb2f9bb1f65e0003814fcc69c75"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/9063777ca1e2e895c5fdd493ee0c3f18fa710ed4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/f85d3cb10f4df5ae3bdb9a9357315c28d781651f"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T02:15:50Z"
+  }
+}

advisories/unreviewed/2025/12/GHSA-3c64-vv99-p2qr/GHSA-3c64-vv99-p2qr.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3c64-vv99-p2qr",
+  "modified": "2025-12-08T03:31:02Z",
+  "published": "2025-12-08T03:31:02Z",
+  "aliases": [
+    "CVE-2025-40326"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Define actions for the new time_deleg FATTR4 attributes\n\nNFSv4 clients won't send legitimate GETATTR requests for these new\nattributes because they are intended to be used only with CB_GETATTR\nand SETATTR. But NFSD has to do something besides crashing if it\never sees a GETATTR request that queries these attributes.\n\nRFC 8881 Section 18.7.3 states:\n\n> The server MUST return a value for each attribute that the client\n> requests if the attribute is supported by the server for the\n> target file system. If the server does not support a particular\n> attribute on the target file system, then it MUST NOT return the\n> attribute value and MUST NOT set the attribute bit in the result\n> bitmap. The server MUST return an error if it supports an\n> attribute on the target but cannot obtain its value. In that case,\n> no attribute values will be returned.\n\nFurther, RFC 9754 Section 5 states:\n\n> These new attributes are invalid to be used with GETATTR, VERIFY,\n> and NVERIFY, and they can only be used with CB_GETATTR and SETATTR\n> by a client holding an appropriate delegation.\n\nThus there does not appear to be a specific server response mandated\nby specification. Taking the guidance that querying these attributes\nvia GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the\nrequest entirely.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40326"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/4f76435fd517981f01608678c06ad9718a86ee98"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/d8f3f94dc950e7c62c96af432c26745885b0a18a"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-12-08T01:16:05Z"
+  }
+}