Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2025/11/GHSA-93vm-mqpw-8wh3/GHSA-93vm-mqpw-8wh3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-93vm-mqpw-8wh3",
-  "modified": "2025-12-19T21:27:08Z",
+  "modified": "2025-12-23T21:30:23Z",
   "published": "2025-11-25T18:32:22Z",
   "withdrawn": "2025-12-19T21:27:08Z",
   "aliases": [],
@@ -51,6 +51,18 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:22088"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22089"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22090"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22091"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-13467"

advisories/unreviewed/2024/02/GHSA-384m-rpvv-4rw6/GHSA-384m-rpvv-4rw6.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-384m-rpvv-4rw6",
-  "modified": "2024-08-27T12:30:44Z",
+  "modified": "2025-12-23T21:30:15Z",
   "published": "2024-02-23T09:30:38Z",
   "aliases": [
     "CVE-2024-0563"

advisories/unreviewed/2024/04/GHSA-77mf-44mv-3m36/GHSA-77mf-44mv-3m36.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-77mf-44mv-3m36",
-  "modified": "2024-06-25T21:31:12Z",
+  "modified": "2025-12-23T21:30:16Z",
   "published": "2024-04-25T06:30:35Z",
   "aliases": [
     "CVE-2024-26925"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-667"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-04-25T06:15:57Z"

advisories/unreviewed/2024/04/GHSA-8f6m-26fj-7fm5/GHSA-8f6m-26fj-7fm5.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8f6m-26fj-7fm5",
-  "modified": "2024-06-27T12:30:45Z",
+  "modified": "2025-12-23T21:30:16Z",
   "published": "2024-04-25T06:30:35Z",
   "aliases": [
     "CVE-2024-26923"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs == inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-04-25T06:15:57Z"

advisories/unreviewed/2024/04/GHSA-96gr-7mgw-2637/GHSA-96gr-7mgw-2637.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-96gr-7mgw-2637",
-  "modified": "2024-06-26T00:31:37Z",
+  "modified": "2025-12-23T21:30:16Z",
   "published": "2024-04-17T12:32:05Z",
   "aliases": [
     "CVE-2024-26897"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\n\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\n\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\n\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let's just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init()).",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -48,8 +53,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-04-17T11:15:10Z"

advisories/unreviewed/2024/04/GHSA-g993-hcw2-pmmf/GHSA-g993-hcw2-pmmf.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g993-hcw2-pmmf",
-  "modified": "2024-06-26T00:31:38Z",
+  "modified": "2025-12-23T21:30:16Z",
   "published": "2024-04-25T06:30:35Z",
   "aliases": [
     "CVE-2024-26926"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -49,7 +54,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-04-25T06:15:57Z"

advisories/unreviewed/2024/04/GHSA-hpjm-r5wj-2jq3/GHSA-hpjm-r5wj-2jq3.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hpjm-r5wj-2jq3",
-  "modified": "2024-06-27T12:30:45Z",
+  "modified": "2025-12-23T21:30:16Z",
   "published": "2024-04-23T15:30:34Z",
   "aliases": [
     "CVE-2024-26922"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -69,7 +74,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-04-23T13:15:46Z"

advisories/unreviewed/2024/04/GHSA-j68j-2qh2-c4cq/GHSA-j68j-2qh2-c4cq.json

@@ -65,7 +65,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-476"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2024/04/GHSA-rhmf-jxfm-48px/GHSA-rhmf-jxfm-48px.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rhmf-jxfm-48px",
-  "modified": "2024-06-26T00:31:37Z",
+  "modified": "2025-12-23T21:30:16Z",
   "published": "2024-04-17T12:32:04Z",
   "aliases": [
     "CVE-2024-26877"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: xilinx - call finalize with bh disabled\n\nWhen calling crypto_finalize_request, BH should be disabled to avoid\ntriggering the following calltrace:\n\n    ------------[ cut here ]------------\n    WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118\n    Modules linked in: cryptodev(O)\n    CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G           O       6.8.0-rc1-yocto-standard #323\n    Hardware name: ZynqMP ZCU102 Rev1.0 (DT)\n    pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : crypto_finalize_request+0xa0/0x118\n    lr : crypto_finalize_request+0x104/0x118\n    sp : ffffffc085353ce0\n    x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688\n    x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00\n    x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000\n    x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450\n    x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n    x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0\n    x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8\n    x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001\n    x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000\n    x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000\n    Call trace:\n     crypto_finalize_request+0xa0/0x118\n     crypto_finalize_aead_request+0x18/0x30\n     zynqmp_handle_aes_req+0xcc/0x388\n     crypto_pump_work+0x168/0x2d8\n     kthread_worker_fn+0xfc/0x3a0\n     kthread+0x118/0x138\n     ret_from_fork+0x10/0x20\n    irq event stamp: 40\n    hardirqs last  enabled at (39): [<ffffffc0812416f8>] _raw_spin_unlock_irqrestore+0x70/0xb0\n    hardirqs last disabled at (40): [<ffffffc08122d208>] el1_dbg+0x28/0x90\n    softirqs last  enabled at (36): [<ffffffc080017dec>] kernel_neon_begin+0x8c/0xf0\n    softirqs last disabled at (34): [<ffffffc080017dc0>] kernel_neon_begin+0x60/0xf0\n    ---[ end trace 0000000000000000 ]---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -49,7 +54,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-04-17T11:15:09Z"

advisories/unreviewed/2024/05/GHSA-3cw9-m9j6-m7jf/GHSA-3cw9-m9j6-m7jf.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3cw9-m9j6-m7jf",
-  "modified": "2025-03-29T00:31:32Z",
+  "modified": "2025-12-23T21:30:19Z",
   "published": "2024-05-20T12:30:27Z",
   "aliases": [
     "CVE-2024-35949"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\nextended leaf checks don't get run which we rely on to validate all of\nthe item pointers to make sure we don't access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking.  This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n  [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n  [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n  [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n  [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n  [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n  [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n  [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n  [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n  [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n  [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n  [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n  [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n  [2.621] FS:  00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n  [2.621] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n  [2.621] Call Trace:\n  [2.621]  <TASK>\n  [2.621]  ? show_regs+0x74/0x80\n  [2.621]  ? die_addr+0x46/0xc0\n  [2.621]  ? exc_general_protection+0x161/0x2a0\n  [2.621]  ? asm_exc_general_protection+0x26/0x30\n  [2.621]  ? btrfs_get_16+0x33a/0x6d0\n  [2.621]  ? btrfs_get_16+0x34b/0x6d0\n  [2.621]  ? btrfs_get_16+0x33a/0x6d0\n  [2.621]  ? __pfx_btrfs_get_16+0x10/0x10\n  [2.621]  ? __pfx_mutex_unlock+0x10/0x10\n  [2.621]  btrfs_match_dir_item_name+0x101/0x1a0\n  [2.621]  btrfs_lookup_dir_item+0x1f3/0x280\n  [2.621]  ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n  [2.621]  btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-05-20T10:15:10Z"