Publish Advisories

GHSA-2c4x-c2pm-jgmw
GHSA-gjjr-vrfh-q64m
GHSA-gwcc-2364-w9p4
GHSA-h728-7p3p-f89q
GHSA-hfqv-q55m-258p
GHSA-mfv9-f458-cw96
GHSA-x485-rhg3-cqr4
GHSA-53xm-w39p-m328
GHSA-hvjq-6cc4-mmg6
GHSA-p4ww-hfqg-jmvc
GHSA-v49x-f2vh-6pj7
GHSA-vf58-ggx8-pwp7
GHSA-wc22-wv2f-7f64
GHSA-49pm-cgmh-hw25
GHSA-892r-x96w-jh76
GHSA-h4r4-6hvf-34r8
GHSA-4xh6-3w83-666c
GHSA-c39c-9w23-7vmg
GHSA-fxpm-h77m-v8vc
GHSA-g6mh-6454-qm24
GHSA-pvxc-5v6m-8cm2
GHSA-xmfq-xm97-g58p

Author: advisory-database[bot]

advisories/unreviewed/2025/06/GHSA-2c4x-c2pm-jgmw/GHSA-2c4x-c2pm-jgmw.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2c4x-c2pm-jgmw",
-  "modified": "2025-06-18T12:30:52Z",
+  "modified": "2025-11-25T15:31:32Z",
   "published": "2025-06-18T12:30:51Z",
   "aliases": [
     "CVE-2022-50158"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: partitions: Fix refcount leak in parse_redboot_of\n\nof_get_child_by_name() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -41,7 +46,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-18T11:15:45Z"

advisories/unreviewed/2025/06/GHSA-gjjr-vrfh-q64m/GHSA-gjjr-vrfh-q64m.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gjjr-vrfh-q64m",
-  "modified": "2025-06-18T12:30:51Z",
+  "modified": "2025-11-25T15:31:32Z",
   "published": "2025-06-18T12:30:51Z",
   "aliases": [
     "CVE-2022-50159"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: check previous kernel's ima-kexec-buffer against memory bounds\n\nPresently ima_get_kexec_buffer() doesn't check if the previous kernel's\nima-kexec-buffer lies outside the addressable memory range. This can result\nin a kernel panic if the new kernel is booted with 'mem=X' arg and the\nima-kexec-buffer was allocated beyond that range by the previous kernel.\nThe panic is usually of the form below:\n\n$ sudo kexec --initrd initrd vmlinux --append='mem=16G'\n\n<snip>\n BUG: Unable to handle kernel data access on read at 0xc000c01fff7f0000\n Faulting instruction address: 0xc000000000837974\n Oops: Kernel access of bad area, sig: 11 [#1]\n<snip>\n NIP [c000000000837974] ima_restore_measurement_list+0x94/0x6c0\n LR [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160\n Call Trace:\n [c00000000371fa80] [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160\n [c00000000371fb00] [c0000000020512c4] ima_init+0x80/0x108\n [c00000000371fb70] [c0000000020514dc] init_ima+0x4c/0x120\n [c00000000371fbf0] [c000000000012240] do_one_initcall+0x60/0x2c0\n [c00000000371fcc0] [c000000002004ad0] kernel_init_freeable+0x344/0x3ec\n [c00000000371fda0] [c0000000000128a4] kernel_init+0x34/0x1b0\n [c00000000371fe10] [c00000000000ce64] ret_from_kernel_thread+0x5c/0x64\n Instruction dump:\n f92100b8 f92100c0 90e10090 910100a0 4182050c 282a0017 3bc00000 40810330\n 7c0802a6 fb610198 7c9b2378 f80101d0 <a1240000> 2c090001 40820614 e9240010\n ---[ end trace 0000000000000000 ]---\n\nFix this issue by checking returned PFN range of previous kernel's\nima-kexec-buffer with page_is_ram() to ensure correct memory bounds.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -33,7 +38,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-18T11:15:46Z"

advisories/unreviewed/2025/06/GHSA-gwcc-2364-w9p4/GHSA-gwcc-2364-w9p4.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gwcc-2364-w9p4",
-  "modified": "2025-06-18T12:30:52Z",
+  "modified": "2025-11-25T15:31:32Z",
   "published": "2025-06-18T12:30:51Z",
   "aliases": [
     "CVE-2022-50156"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: cp2112: prevent a buffer overflow in cp2112_xfer()\n\nSmatch warnings:\ndrivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy()\n'data->block[1]' too small (33 vs 255)\ndrivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too\nsmall (64 vs 255)\n\nThe 'read_length' variable is provided by 'data->block[0]' which comes\nfrom user and it(read_length) can take a value between 0-255. Add an\nupper bound to 'read_length' variable to prevent a buffer overflow in\nmemcpy().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -44,8 +49,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-18T11:15:45Z"

advisories/unreviewed/2025/06/GHSA-h728-7p3p-f89q/GHSA-h728-7p3p-f89q.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h728-7p3p-f89q",
-  "modified": "2025-06-18T12:30:51Z",
+  "modified": "2025-11-25T15:31:32Z",
   "published": "2025-06-18T12:30:51Z",
   "aliases": [
     "CVE-2022-50154"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: mediatek-gen3: Fix refcount leak in mtk_pcie_init_irq_domains()\n\nof_get_child_by_name() returns a node pointer with refcount incremented, so\nwe should use of_node_put() on it when we don't need it anymore.\n\nAdd missing of_node_put() to avoid refcount leak.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -33,7 +38,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-18T11:15:45Z"

advisories/unreviewed/2025/06/GHSA-hfqv-q55m-258p/GHSA-hfqv-q55m-258p.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hfqv-q55m-258p",
-  "modified": "2025-06-18T12:30:51Z",
+  "modified": "2025-11-25T15:31:32Z",
   "published": "2025-06-18T12:30:51Z",
   "aliases": [
     "CVE-2022-50153"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: Fix refcount leak in ehci_hcd_ppc_of_probe\n\nof_find_compatible_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when done.\nAdd missing of_node_put() to avoid refcount leak.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -49,7 +54,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-18T11:15:45Z"

advisories/unreviewed/2025/06/GHSA-mfv9-f458-cw96/GHSA-mfv9-f458-cw96.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mfv9-f458-cw96",
-  "modified": "2025-06-18T12:30:51Z",
+  "modified": "2025-11-25T15:31:32Z",
   "published": "2025-06-18T12:30:51Z",
   "aliases": [
     "CVE-2022-50157"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: microchip: Fix refcount leak in mc_pcie_init_irq_domains()\n\nof_get_next_child() returns a node pointer with refcount incremented, so we\nshould use of_node_put() on it when we don't need it anymore.\n\nmc_pcie_init_irq_domains() only calls of_node_put() in the normal path,\nmissing it in some error paths.  Add missing of_node_put() to avoid\nrefcount leak.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -33,7 +38,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-06-18T11:15:45Z"

advisories/unreviewed/2025/08/GHSA-x485-rhg3-cqr4/GHSA-x485-rhg3-cqr4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x485-rhg3-cqr4",
-  "modified": "2025-09-24T00:30:41Z",
+  "modified": "2025-11-25T15:31:33Z",
   "published": "2025-08-20T18:30:21Z",
   "aliases": [
     "CVE-2011-10026"

advisories/unreviewed/2025/09/GHSA-53xm-w39p-m328/GHSA-53xm-w39p-m328.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-53xm-w39p-m328",
-  "modified": "2025-09-12T18:31:09Z",
+  "modified": "2025-11-25T15:31:33Z",
   "published": "2025-09-12T18:31:09Z",
   "aliases": [
     "CVE-2025-39793"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/memmap: cast nr_pages to size_t before shifting\n\nIf the allocated size exceeds UINT_MAX, then it's necessary to cast\nthe mr->nr_pages value to size_t to prevent it from overflowing. In\npractice this isn't much of a concern as the required memory size will\nhave been validated upfront, and accounted to the user. And > 4GB sizes\nwill be necessary to make the lack of a cast a problem, which greatly\nexceeds normal user locked_vm settings that are generally in the kb to\nmb range. However, if root is used, then accounting isn't done, and\nthen it's possible to hit this issue.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -29,7 +34,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-12T16:15:33Z"

advisories/unreviewed/2025/09/GHSA-hvjq-6cc4-mmg6/GHSA-hvjq-6cc4-mmg6.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hvjq-6cc4-mmg6",
-  "modified": "2025-09-15T15:31:22Z",
+  "modified": "2025-11-25T15:31:33Z",
   "published": "2025-09-15T15:31:22Z",
   "aliases": [
     "CVE-2022-50249"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: of: Fix refcount leak bug in of_get_ddr_timings()\n\nWe should add the of_node_put() when breaking out of\nfor_each_child_of_node() as it will automatically increase\nand decrease the refcount.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -53,7 +58,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-15T14:15:35Z"

advisories/unreviewed/2025/09/GHSA-p4ww-hfqg-jmvc/GHSA-p4ww-hfqg-jmvc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p4ww-hfqg-jmvc",
-  "modified": "2025-09-15T15:31:22Z",
+  "modified": "2025-11-25T15:31:33Z",
   "published": "2025-09-15T15:31:22Z",
   "aliases": [
     "CVE-2022-50248"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: fix double free on tx path.\n\nWe see kernel crashes and lockups and KASAN errors related to ax210\nfirmware crashes.  One of the KASAN dumps pointed at the tx path,\nand it appears there is indeed a way to double-free an skb.\n\nIf iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the\nmethod will be freed.  But, in case where we build TSO skb buffer,\nthe skb may also be freed in error case.  So, return 0 in that particular\nerror case and do cleanup manually.\n\nBUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90\niwlwifi 0000:06:00.0: 0x00000000 | tsf hi\nRead of size 8 at addr ffff88813cfa4ba0 by task btserver/9650\n\nCPU: 4 PID: 9650 Comm: btserver Tainted: G        W         5.19.8+ #5\niwlwifi 0000:06:00.0: 0x00000000 | time gp1\nHardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019\nCall Trace:\n <TASK>\n dump_stack_lvl+0x55/0x6d\n print_report.cold.12+0xf2/0x684\niwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2\n ? __list_del_entry_valid+0x12/0x90\n kasan_report+0x8b/0x180\niwlwifi 0000:06:00.0: 0x00000001 | uCode revision type\n ? __list_del_entry_valid+0x12/0x90\n __list_del_entry_valid+0x12/0x90\niwlwifi 0000:06:00.0: 0x00000048 | uCode version major\n tcp_update_skb_after_send+0x5d/0x170\n __tcp_transmit_skb+0xb61/0x15c0\niwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor\n ? __tcp_select_window+0x490/0x490\niwlwifi 0000:06:00.0: 0x00000420 | hw version\n ? trace_kmalloc_node+0x29/0xd0\n ? __kmalloc_node_track_caller+0x12a/0x260\n ? memset+0x1f/0x40\n ? __build_skb_around+0x125/0x150\n ? __alloc_skb+0x1d4/0x220\n ? skb_zerocopy_clone+0x55/0x230\niwlwifi 0000:06:00.0: 0x00489002 | board version\n ? kmalloc_reserve+0x80/0x80\n ? rcu_read_lock_bh_held+0x60/0xb0\n tcp_write_xmit+0x3f1/0x24d0\niwlwifi 0000:06:00.0: 0x034E001C | hcmd\n ? __check_object_size+0x180/0x350\niwlwifi 0000:06:00.0: 0x24020000 | isr0\n tcp_sendmsg_locked+0x8a9/0x1520\niwlwifi 0000:06:00.0: 0x01400000 | isr1\n ? tcp_sendpage+0x50/0x50\niwlwifi 0000:06:00.0: 0x48F0000A | isr2\n ? lock_release+0xb9/0x400\n ? tcp_sendmsg+0x14/0x40\niwlwifi 0000:06:00.0: 0x00C3080C | isr3\n ? lock_downgrade+0x390/0x390\n ? do_raw_spin_lock+0x114/0x1d0\niwlwifi 0000:06:00.0: 0x00200000 | isr4\n ? rwlock_bug.part.2+0x50/0x50\niwlwifi 0000:06:00.0: 0x034A001C | last cmd Id\n ? rwlock_bug.part.2+0x50/0x50\n ? lockdep_hardirqs_on_prepare+0xe/0x200\niwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event\n ? __local_bh_enable_ip+0x87/0xe0\n ? inet_send_prepare+0x220/0x220\niwlwifi 0000:06:00.0: 0x000000C4 | l2p_control\n tcp_sendmsg+0x22/0x40\n sock_sendmsg+0x5f/0x70\niwlwifi 0000:06:00.0: 0x00010034 | l2p_duration\n __sys_sendto+0x19d/0x250\niwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid\n ? __ia32_sys_getpeername+0x40/0x40\niwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match\n ? rcu_read_lock_held_common+0x12/0x50\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? lock_release+0xb9/0x400\n ? lock_downgrade+0x390/0x390\n ? ktime_get+0x64/0x130\n ? ktime_get+0x8d/0x130\n ? rcu_read_lock_held_common+0x12/0x50\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? rcu_read_lock_held_common+0x12/0x50\n ? rcu_read_lock_sched_held+0x5a/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n __x64_sys_sendto+0x6f/0x80\n do_syscall_64+0x34/0xb0\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f1d126e4531\nCode: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89\nRSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531\nRDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014\nRBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R\n---truncated---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-415"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-15T14:15:35Z"