Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/09/GHSA-qc8j-wvjf-7jfj/GHSA-qc8j-wvjf-7jfj.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qc8j-wvjf-7jfj",
-  "modified": "2025-10-28T03:30:14Z",
+  "modified": "2025-10-28T12:30:14Z",
   "published": "2025-09-23T18:30:24Z",
   "aliases": [
     "CVE-2025-9900"
@@ -47,6 +47,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:19113"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19156"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-9900"

advisories/unreviewed/2025/10/GHSA-24rq-hg3c-whf7/GHSA-24rq-hg3c-whf7.json

@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-24rq-hg3c-whf7",
+  "modified": "2025-10-28T12:30:17Z",
+  "published": "2025-10-28T12:30:17Z",
+  "aliases": [
+    "CVE-2025-40070"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: fix warning in pps_register_cdev when register device fail\n\nSimilar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error\nhandling in __video_register_device()\"), the release hook should be set\nbefore device_register(). Otherwise, when device_register() return error\nand put_device() try to callback the release function, the below warning\nmay happen.\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE\n  RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567\n  Call Trace:\n   <TASK>\n   kobject_cleanup+0x136/0x410 lib/kobject.c:689\n   kobject_release lib/kobject.c:720 [inline]\n   kref_put include/linux/kref.h:65 [inline]\n   kobject_put+0xe9/0x130 lib/kobject.c:737\n   put_device+0x24/0x30 drivers/base/core.c:3797\n   pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402\n   pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108\n   pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57\n   tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432\n   tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563\n   tiocsetd drivers/tty/tty_io.c:2429 [inline]\n   tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:598 [inline]\n   __se_sys_ioctl fs/ioctl.c:584 [inline]\n   __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nBefore commit c79a39dc8d06 (\"pps: Fix a use-after-free\"),\npps_register_cdev() call device_create() to create pps->dev, which will\ninit dev->release to device_create_release(). Now the comment is outdated,\njust remove it.\n\nThanks for the reminder from Calvin Owens, 'kfree_pps' should be removed\nin pps_register_source() to avoid a double free in the failure case.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40070"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/0f97564a1fb62f34b3b498e2f12caffbe99c004a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/125527db41805693208ee1aacd7f3ffe6a3a489c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/b0531cdba5029f897da5156815e3bdafe1e9b88d"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-28T12:15:41Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-258w-3pq9-4jh3/GHSA-258w-3pq9-4jh3.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-258w-3pq9-4jh3",
+  "modified": "2025-10-28T12:30:16Z",
+  "published": "2025-10-28T12:30:16Z",
+  "aliases": [
+    "CVE-2025-40039"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix race condition in RPC handle list access\n\nThe 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd\nsession. Access to this list is intended to be protected by\n'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was\nflawed, leading to potential race conditions.\n\nIn ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock\nbefore calling xa_store() and xa_erase(). Since these operations modify\nthe XArray structure, a write lock is required to ensure exclusive access\nand prevent data corruption from concurrent modifications.\n\nFurthermore, ksmbd_session_rpc_method() accessed the list using xa_load()\nwithout holding any lock at all. This could lead to reading inconsistent\ndata or a potential use-after-free if an entry is concurrently removed and\nthe pointer is dereferenced.\n\nFix these issues by:\n1. Using down_write() and up_write() in ksmbd_session_rpc_open()\n   to ensure exclusive access during XArray modification, and ensuring\n   the lock is correctly released on error paths.\n2. Adding down_read() and up_read() in ksmbd_session_rpc_method()\n   to safely protect the lookup.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40039"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/305853cce379407090a73b38c5de5ba748893aee"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/5cc679ba0f4505936124cd4179ba66bb0a4bd9f3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-28T12:15:37Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-29fx-85hc-pfpw/GHSA-29fx-85hc-pfpw.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-29fx-85hc-pfpw",
+  "modified": "2025-10-28T12:30:17Z",
+  "published": "2025-10-28T12:30:17Z",
+  "aliases": [
+    "CVE-2025-40057"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: Add a upper bound on max_vclocks\n\nsyzbot reported WARNING in max_vclocks_store.\n\nThis occurs when the argument max is too large for kcalloc to handle.\n\nExtend the guard to guard against values that are too large for\nkcalloc",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40057"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/35ce5f163889dbce88eda1df661b357a09bbed87"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/8dd446056336faa2283d62cefc2f576536845edc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/e9f35294e18da82162004a2f35976e7031aaf7f9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-28T12:15:40Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-2r8v-pxwr-9h89/GHSA-2r8v-pxwr-9h89.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2r8v-pxwr-9h89",
+  "modified": "2025-10-28T12:30:16Z",
+  "published": "2025-10-28T12:30:16Z",
+  "aliases": [
+    "CVE-2025-40047"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/waitid: always prune wait queue entry in io_waitid_wait()\n\nFor a successful return, always remove our entry from the wait queue\nentry list. Previously this was skipped if a cancelation was in\nprogress, but this can race with another invocation of the wait queue\nentry callback.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40047"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/2f8229d53d984c6a05b71ac9e9583d4354e3b91f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/3e2205db2f0608898d535da1964e1b376aacfdaa"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/696ba6032081e617564a8113a001b8d7943cb928"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-28T12:15:38Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-2v3w-2h39-x8cq/GHSA-2v3w-2h39-x8cq.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2v3w-2h39-x8cq",
+  "modified": "2025-10-28T12:30:16Z",
+  "published": "2025-10-28T12:30:16Z",
+  "aliases": [
+    "CVE-2025-40041"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Sign-extend struct ops return values properly\n\nThe ns_bpf_qdisc selftest triggers a kernel panic:\n\n  Oops[#1]:\n  CPU 0 Unable to handle kernel paging request at virtual address 0000000000741d58, era == 90000000851b5ac0, ra == 90000000851b5aa4\n  CPU: 0 UID: 0 PID: 449 Comm: test_progs Tainted: G           OE       6.16.0+ #3 PREEMPT(full)\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n  pc 90000000851b5ac0 ra 90000000851b5aa4 tp 90000001076b8000 sp 90000001076bb600\n  a0 0000000000741ce8 a1 0000000000000001 a2 90000001076bb5c0 a3 0000000000000008\n  a4 90000001004c4620 a5 9000000100741ce8 a6 0000000000000000 a7 0100000000000000\n  t0 0000000000000010 t1 0000000000000000 t2 9000000104d24d30 t3 0000000000000001\n  t4 4f2317da8a7e08c4 t5 fffffefffc002f00 t6 90000001004c4620 t7 ffffffffc61c5b3d\n  t8 0000000000000000 u0 0000000000000001 s9 0000000000000050 s0 90000001075bc800\n  s1 0000000000000040 s2 900000010597c400 s3 0000000000000008 s4 90000001075bc880\n  s5 90000001075bc8f0 s6 0000000000000000 s7 0000000000741ce8 s8 0000000000000000\n     ra: 90000000851b5aa4 __qdisc_run+0xac/0x8d8\n    ERA: 90000000851b5ac0 __qdisc_run+0xc8/0x8d8\n   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n   PRMD: 00000004 (PPLV0 +PIE -PWE)\n   EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n  ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n   BADV: 0000000000741d58\n   PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n  Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE)]\n  Process test_progs (pid: 449, threadinfo=000000009af02b3a, task=00000000e9ba4956)\n  Stack : 0000000000000000 90000001075bc8ac 90000000869524a8 9000000100741ce8\n          90000001075bc800 9000000100415300 90000001075bc8ac 0000000000000000\n          900000010597c400 900000008694a000 0000000000000000 9000000105b59000\n          90000001075bc800 9000000100741ce8 0000000000000050 900000008513000c\n          9000000086936000 0000000100094d4c fffffff400676208 0000000000000000\n          9000000105b59000 900000008694a000 9000000086bf0dc0 9000000105b59000\n          9000000086bf0d68 9000000085147010 90000001075be788 0000000000000000\n          9000000086bf0f98 0000000000000001 0000000000000010 9000000006015840\n          0000000000000000 9000000086be6c40 0000000000000000 0000000000000000\n          0000000000000000 4f2317da8a7e08c4 0000000000000101 4f2317da8a7e08c4\n          ...\n  Call Trace:\n  [<90000000851b5ac0>] __qdisc_run+0xc8/0x8d8\n  [<9000000085130008>] __dev_queue_xmit+0x578/0x10f0\n  [<90000000853701c0>] ip6_finish_output2+0x2f0/0x950\n  [<9000000085374bc8>] ip6_finish_output+0x2b8/0x448\n  [<9000000085370b24>] ip6_xmit+0x304/0x858\n  [<90000000853c4438>] inet6_csk_xmit+0x100/0x170\n  [<90000000852b32f0>] __tcp_transmit_skb+0x490/0xdd0\n  [<90000000852b47fc>] tcp_connect+0xbcc/0x1168\n  [<90000000853b9088>] tcp_v6_connect+0x580/0x8a0\n  [<90000000852e7738>] __inet_stream_connect+0x170/0x480\n  [<90000000852e7a98>] inet_stream_connect+0x50/0x88\n  [<90000000850f2814>] __sys_connect+0xe4/0x110\n  [<90000000850f2858>] sys_connect+0x18/0x28\n  [<9000000085520c94>] do_syscall+0x94/0x1a0\n  [<9000000083df1fb8>] handle_syscall+0xb8/0x158\n\n  Code: 4001ad80  2400873f  2400832d <240073cc> 001137ff  001133ff  6407b41f  001503cc  0280041d\n\n  ---[ end trace 0000000000000000 ]---\n\nThe bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer\nis treated as a 32bit value and sign extend to 64bit in epilogue. This\nbehavior is right for most bpf prog types but wrong for struct ops which\nrequires LoongArch ABI.\n\nSo let's sign extend struct ops return values according to the LoongArch\nABI ([1]) and return value spec in function model.\n\n[1]: https://loongson.github.io/LoongArch-Documentation/LoongArch-ELF-ABI-EN.html",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40041"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/8b51b11b3d81c1ed48a52f87da9256d737b723a0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/9f3169bb3c2967166b4f4433cf152a84f3eb95d0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-28T12:15:38Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-2w39-4r85-2c9m/GHSA-2w39-4r85-2c9m.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2w39-4r85-2c9m",
+  "modified": "2025-10-28T12:30:17Z",
+  "published": "2025-10-28T12:30:17Z",
+  "aliases": [
+    "CVE-2025-40069"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix obj leak in VM_BIND error path\n\nIf we fail a handle-lookup part way thru, we need to drop the already\nobtained obj references.\n\nPatchwork: https://patchwork.freedesktop.org/patch/669784/",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40069"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/278f8904434aa96055e793936b5977c010549e28"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/2b512909a291a964cfcf6b58de13256ab3e848c4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-28T12:15:41Z"
+  }
+}

advisories/unreviewed/2025/10/GHSA-2xf6-75gh-3848/GHSA-2xf6-75gh-3848.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2xf6-75gh-3848",
+  "modified": "2025-10-28T12:30:17Z",
+  "published": "2025-10-28T12:30:16Z",
+  "aliases": [
+    "CVE-2025-40054"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix UAF issue in f2fs_merge_page_bio()\n\nAs JY reported in bugzilla [1],\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\npc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98\nlr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4\nCPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P    B   W  OE      6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5\nTainted: [P]=PROPRIETARY_MODULE, [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nWorkqueue: writeback wb_workfn (flush-254:49)\nCall trace:\n f2fs_is_cp_guaranteed+0x70/0x98\n f2fs_inplace_write_data+0x174/0x2f4\n f2fs_do_write_data_page+0x214/0x81c\n f2fs_write_single_data_page+0x28c/0x764\n f2fs_write_data_pages+0x78c/0xce4\n do_writepages+0xe8/0x2fc\n __writeback_single_inode+0x4c/0x4b4\n writeback_sb_inodes+0x314/0x540\n __writeback_inodes_wb+0xa4/0xf4\n wb_writeback+0x160/0x448\n wb_workfn+0x2f0/0x5dc\n process_scheduled_works+0x1c8/0x458\n worker_thread+0x334/0x3f0\n kthread+0x118/0x1ac\n ret_from_fork+0x10/0x20\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=220575\n\nThe panic was caused by UAF issue w/ below race condition:\n\nkworker\n- writepages\n - f2fs_write_cache_pages\n  - f2fs_write_single_data_page\n   - f2fs_do_write_data_page\n    - f2fs_inplace_write_data\n     - f2fs_merge_page_bio\n      - add_inu_page\n      : cache page #1 into bio & cache bio in\n        io->bio_list\n  - f2fs_write_single_data_page\n   - f2fs_do_write_data_page\n    - f2fs_inplace_write_data\n     - f2fs_merge_page_bio\n      - add_inu_page\n      : cache page #2 into bio which is linked\n        in io->bio_list\n\t\t\t\t\t\twrite\n\t\t\t\t\t\t- f2fs_write_begin\n\t\t\t\t\t\t: write page #1\n\t\t\t\t\t\t - f2fs_folio_wait_writeback\n\t\t\t\t\t\t  - f2fs_submit_merged_ipu_write\n\t\t\t\t\t\t   - f2fs_submit_write_bio\n\t\t\t\t\t\t   : submit bio which inclues page #1 and #2\n\n\t\t\t\t\t\tsoftware IRQ\n\t\t\t\t\t\t- f2fs_write_end_io\n\t\t\t\t\t\t - fscrypt_free_bounce_page\n\t\t\t\t\t\t : freed bounced page which belongs to page #2\n      - inc_page_count( , WB_DATA_TYPE(data_folio), false)\n      : data_folio points to fio->encrypted_page\n        the bounced page can be freed before\n        accessing it in f2fs_is_cp_guarantee()\n\nIt can reproduce w/ below testcase:\nRun below script in shell #1:\nfor ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \\\n-c \"pwrite 0 32k\" -c \"fdatasync\"\n\nRun below script in shell #2:\nfor ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \\\n-c \"pwrite 0 32k\" -c \"fdatasync\"\n\nSo, in f2fs_merge_page_bio(), let's avoid using fio->encrypted_page after\ncommit page into internal ipu cache.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40054"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/01118321e0c8a5f3ece57d0d377bfc92d83cd210"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/edf7e9040fc52c922db947f9c6c36f07377c52ea"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-28T12:15:39Z"
+  }
+}