
Commit d6756f1

Advisory Database Sync
1 parent 6d7f498 commit d6756f1

121 files changed

+5053
-0
lines changed

Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2cq7-86qp-4xjx",
4+
"modified": "2025-12-24T12:30:27Z",
5+
"published": "2025-12-24T12:30:27Z",
6+
"aliases": [
7+
"CVE-2023-53995"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix one memleak in __inet_del_ifa()\n\nI got the below warning when do fuzzing test:\nunregister_netdevice: waiting for bond0 to become free. Usage count = 2\n\nIt can be repoduced via:\n\nip link add bond0 type bond\nsysctl -w net.ipv4.conf.bond0.promote_secondaries=1\nip addr add 4.117.174.103/0 scope 0x40 dev bond0\nip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0\nip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0\nip addr del 4.117.174.103/0 scope 0x40 dev bond0\nip link delete bond0 type bond\n\nIn this reproduction test case, an incorrect 'last_prim' is found in\n__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40)\nis lost. The memory of the secondary address is leaked and the reference of\nin_device and net_device is leaked.\n\nFix this problem:\nLook for 'last_prim' starting at location of the deleted IP and inserting\nthe promoted IP into the location of 'last_prim'.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53995"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/2f1e86014d0cc084886c36a2d77bc620e2d42618"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/42652af5360d30b43b06057c193739e7dfb18f42"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/5624f26a3574500ce23929cb2c9976a0dec9920a"
28+
},
29+
{
30+
"type": "WEB",
31+
"url": "https://git.kernel.org/stable/c/7c8ddcdab1b900bed69cad6beef477fff116289e"
32+
},
33+
{
34+
"type": "WEB",
35+
"url": "https://git.kernel.org/stable/c/980f8445479814509a3cd55a8eabaae1c9030a4c"
36+
},
37+
{
38+
"type": "WEB",
39+
"url": "https://git.kernel.org/stable/c/ac28b1ec6135649b5d78b028e47264cb3ebca5ea"
40+
}
41+
],
42+
"database_specific": {
43+
"cwe_ids": [],
44+
"severity": null,
45+
"github_reviewed": false,
46+
"github_reviewed_at": null,
47+
"nvd_published_at": "2025-12-24T11:15:52Z"
48+
}
49+
}
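Review bot: "affected": [] leaves this record with no package or version range, so a consumer that matches on the affected field will never flag a kernel for CVE-2023-53995. The six git.kernel.org/stable/c/ references appear to be the stable-tree fix commits; recording them as type FIX rather than WEB, and deriving fixed events from them, would make the entry actionable.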
Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2j5g-62c3-j9jj",
4+
"modified": "2025-12-24T12:30:28Z",
5+
"published": "2025-12-24T12:30:28Z",
6+
"aliases": [
7+
"CVE-2023-54017"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: fix possible memory leak in ibmebus_bus_init()\n\nIf device_register() returns error in ibmebus_bus_init(), name of kobject\nwhich is allocated in dev_set_name() called in device_add() is leaked.\n\nAs comment of device_add() says, it should call put_device() to drop\nthe reference count that was set in device_initialize() when it fails,\nso the name can be freed in kobject_cleanup().",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54017"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/7ffe14fce7425c32e735bdc44bce425f18976a49"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/96f27ff732208dce6468016e7a7d5032bd1bfc23"
28+
},
29+
{
30+
"type": "WEB",
31+
"url": "https://git.kernel.org/stable/c/9f3b2b666833ebef6d0ce5a40e189f38e70342a1"
32+
},
33+
{
34+
"type": "WEB",
35+
"url": "https://git.kernel.org/stable/c/afda85b963c12947e298ad85d757e333aa40fd74"
36+
},
37+
{
38+
"type": "WEB",
39+
"url": "https://git.kernel.org/stable/c/d35e7ae10eb8917883da2a0b1823c620a1be42d6"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://git.kernel.org/stable/c/e4ff88548defafb1ef84facd9856ec252da7b008"
44+
},
45+
{
46+
"type": "WEB",
47+
"url": "https://git.kernel.org/stable/c/ebd8dc974fcc59e2851a0d89ee7935b55142dc8e"
48+
}
49+
],
50+
"database_specific": {
51+
"cwe_ids": [],
52+
"severity": null,
53+
"github_reviewed": false,
54+
"github_reviewed_at": null,
55+
"nvd_published_at": "2025-12-24T11:15:54Z"
56+
}
57+
}
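Review bot: "cwe_ids": [] is empty although the details describe a leak of the kobject name when device_register() fails in ibmebus_bus_init(). CWE-401 (Missing Release of Memory after Effective Lifetime) fits that description and would let consumers filter this entry by weakness class.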
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2m44-r2x5-4q79",
4+
"modified": "2025-12-24T12:30:29Z",
5+
"published": "2025-12-24T12:30:29Z",
6+
"aliases": [
7+
"CVE-2025-68358"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix racy bitfield write in btrfs_clear_space_info_full()\n\nFrom the memory-barriers.txt document regarding memory barrier ordering\nguarantees:\n\n (*) These guarantees do not apply to bitfields, because compilers often\n generate code to modify these using non-atomic read-modify-write\n sequences. Do not attempt to use bitfields to synchronize parallel\n algorithms.\n\n (*) Even in cases where bitfields are protected by locks, all fields\n in a given bitfield must be protected by one lock. If two fields\n in a given bitfield are protected by different locks, the compiler's\n non-atomic read-modify-write sequences can cause an update to one\n field to corrupt the value of an adjacent field.\n\nbtrfs_space_info has a bitfield sharing an underlying word consisting of\nthe fields full, chunk_alloc, and flush:\n\nstruct btrfs_space_info {\n struct btrfs_fs_info * fs_info; /* 0 8 */\n struct btrfs_space_info * parent; /* 8 8 */\n ...\n int clamp; /* 172 4 */\n unsigned int full:1; /* 176: 0 4 */\n unsigned int chunk_alloc:1; /* 176: 1 4 */\n unsigned int flush:1; /* 176: 2 4 */\n ...\n\nTherefore, to be safe from parallel read-modify-writes losing a write to\none of the bitfield members protected by a lock, all writes to all the\nbitfields must use the lock. 
They almost universally do, except for\nbtrfs_clear_space_info_full() which iterates over the space_infos and\nwrites out found->full = 0 without a lock.\n\nImagine that we have one thread completing a transaction in which we\nfinished deleting a block_group and are thus calling\nbtrfs_clear_space_info_full() while simultaneously the data reclaim\nticket infrastructure is running do_async_reclaim_data_space():\n\n T1 T2\nbtrfs_commit_transaction\n btrfs_clear_space_info_full\n data_sinfo->full = 0\n READ: full:0, chunk_alloc:0, flush:1\n do_async_reclaim_data_space(data_sinfo)\n spin_lock(&space_info->lock);\n if(list_empty(tickets))\n space_info->flush = 0;\n READ: full: 0, chunk_alloc:0, flush:1\n MOD/WRITE: full: 0, chunk_alloc:0, flush:0\n spin_unlock(&space_info->lock);\n return;\n MOD/WRITE: full:0, chunk_alloc:0, flush:1\n\nand now data_sinfo->flush is 1 but the reclaim worker has exited. This\nbreaks the invariant that flush is 0 iff there is no work queued or\nrunning. Once this invariant is violated, future allocations that go\ninto __reserve_bytes() will add tickets to space_info->tickets but will\nsee space_info->flush is set to 1 and not queue the work. After this,\nthey will block forever on the resulting ticket, as it is now impossible\nto kick the worker again.\n\nI also confirmed by looking at the assembly of the affected kernel that\nit is doing RMW operations. For example, to set the flush (3rd) bit to 0,\nthe assembly is:\n andb $0xfb,0x60(%rbx)\nand similarly for setting the full (1st) bit to 0:\n andb $0xfe,-0x20(%rax)\n\nSo I think this is really a bug on practical systems. I have observed\na number of systems in this exact state, but am currently unable to\nreproduce it.\n\nRather than leaving this footgun lying around for the future, take\nadvantage of the fact that there is room in the struct anyway, and that\nit is already quite large and simply change the three bitfield members to\nbools. 
This avoids writes to space_info->full having any effect on\n---truncated---",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68358"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/38e818718c5e04961eea0fa8feff3f100ce40408"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/6f442808a86eef847ee10afa9e6459494ed85bb3"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/742b90eaf394f0018352c0e10dc89763b2dd5267"
28+
}
29+
],
30+
"database_specific": {
31+
"cwe_ids": [],
32+
"severity": null,
33+
"github_reviewed": false,
34+
"github_reviewed_at": null,
35+
"nvd_published_at": "2025-12-24T11:15:59Z"
36+
}
37+
}
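Review bot: the details string ends in "---truncated---" partway through the sentence describing the fix ("This avoids writes to space_info->full having any effect on"), so the record never states what the change to bools protects. Either carry the full commit message or cut the text at a sentence boundary and point to the references for the rest. The race described (the unlocked found->full = 0 overwriting flush) also corresponds to CWE-362, while cwe_ids is empty.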
Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2rxh-4vr2-w87x",
4+
"modified": "2025-12-24T12:30:25Z",
5+
"published": "2025-12-24T12:30:25Z",
6+
"aliases": [
7+
"CVE-2022-50698"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: da7219: Fix an error handling path in da7219_register_dai_clks()\n\nIf clk_hw_register() fails, the corresponding clk should not be\nunregistered.\n\nTo handle errors from loops, clean up partial iterations before doing the\ngoto. So add a clk_hw_unregister().\nThen use a while (--i >= 0) loop in the unwind section.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50698"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/4993c1511d66326f1037bc5156b024a6a96d23ef"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/abb4e4349afe7eecdb0499582f1c777031e3a7c8"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/cefce8bee0e988f9a005fe40705b98a25cfb7f9d"
28+
},
29+
{
30+
"type": "WEB",
31+
"url": "https://git.kernel.org/stable/c/ec692f0b51006de1138cd1f82cae625f0d2888d1"
32+
},
33+
{
34+
"type": "WEB",
35+
"url": "https://git.kernel.org/stable/c/f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176"
36+
}
37+
],
38+
"database_specific": {
39+
"cwe_ids": [],
40+
"severity": null,
41+
"github_reviewed": false,
42+
"github_reviewed_at": null,
43+
"nvd_published_at": "2025-12-24T11:15:49Z"
44+
}
45+
}
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2vmp-q8v6-7qc9",
4+
"modified": "2025-12-24T12:30:27Z",
5+
"published": "2025-12-24T12:30:27Z",
6+
"aliases": [
7+
"CVE-2023-54012"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix stack overflow when LRO is disabled for virtual interfaces\n\nWhen the virtual interface's feature is updated, it synchronizes the\nupdated feature for its own lower interface.\nThis propagation logic should be worked as the iteration, not recursively.\nBut it works recursively due to the netdev notification unexpectedly.\nThis problem occurs when it disables LRO only for the team and bonding\ninterface type.\n\n team0\n |\n +------+------+-----+-----+\n | | | | |\nteam1 team2 team3 ... team200\n\nIf team0's LRO feature is updated, it generates the NETDEV_FEAT_CHANGE\nevent to its own lower interfaces(team1 ~ team200).\nIt is worked by netdev_sync_lower_features().\nSo, the NETDEV_FEAT_CHANGE notification logic of each lower interface\nwork iteratively.\nBut generated NETDEV_FEAT_CHANGE event is also sent to the upper\ninterface too.\nupper interface(team0) generates the NETDEV_FEAT_CHANGE event for its own\nlower interfaces again.\nlower and upper interfaces receive this event and generate this\nevent again and again.\nSo, the stack overflow occurs.\n\nBut it is not the infinite loop issue.\nBecause the netdev_sync_lower_features() updates features before\ngenerating the NETDEV_FEAT_CHANGE event.\nAlready synchronized lower interfaces skip notification logic.\nSo, it is just the problem that iteration logic is changed to the\nrecursive unexpectedly due to the notification mechanism.\n\nReproducer:\n\nip link add team0 type team\nethtool -K team0 lro on\nfor i in {1..200}\ndo\n ip link add team$i master team0 type team\n ethtool -K team$i lro on\ndone\n\nethtool -K team0 lro off\n\nIn order to fix it, the notifier_ctx member of bonding/team is introduced.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54012"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/4bb955c4d2830a58c08e2a48ab75d75368e3ff36"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/6bf00bb3dc7e5b9fb05488e11616e65d64e975fa"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/9ea0c5f90a27b5b884d880e146e0f65f3052e401"
28+
},
29+
{
30+
"type": "WEB",
31+
"url": "https://git.kernel.org/stable/c/ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6"
32+
},
33+
{
34+
"type": "WEB",
35+
"url": "https://git.kernel.org/stable/c/cf3b5cd7127cc10c5b12400c545f263f0e5e715c"
36+
},
37+
{
38+
"type": "WEB",
39+
"url": "https://git.kernel.org/stable/c/ed66e6327a69fec95034cda2ac5b6a57b8b3b622"
40+
}
41+
],
42+
"database_specific": {
43+
"cwe_ids": [],
44+
"severity": null,
45+
"github_reviewed": false,
46+
"github_reviewed_at": null,
47+
"nvd_published_at": "2025-12-24T11:15:54Z"
48+
}
49+
}
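Review bot: the details include a local reproducer (the ip link / ethtool -K sequence) that ends in a kernel stack overflow, yet "severity": [] and "cwe_ids": [] are both empty. The text attributes the overflow to NETDEV_FEAT_CHANGE handling that recurses between upper and lower interfaces, which is CWE-674 (Uncontrolled Recursion); recording it would help triage until a CVSS vector is available.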
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-35gj-2h6h-27p5",
4+
"modified": "2025-12-24T12:30:27Z",
5+
"published": "2025-12-24T12:30:27Z",
6+
"aliases": [
7+
"CVE-2023-54016"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix memory leak in rx_desc and tx_desc\n\nCurrently when ath12k_dp_cc_desc_init() is called we allocate\nmemory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during\ndescriptor cleanup rx_descs and tx_descs memory is not freed.\n\nThis is cause of memory leak. These allocated memory should be\nfreed in ath12k_dp_cc_cleanup.\n\nIn ath12k_dp_cc_desc_init(), we can save base address of rx_descs\nand tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and\ntx_descs memory using their base address.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54016"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/afb522b36e76acaa9f8fc06d0a9742d841c47c16"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/e16be2d34883eecfe7fd888fcdb76c7a5db5d187"
24+
}
25+
],
26+
"database_specific": {
27+
"cwe_ids": [],
28+
"severity": null,
29+
"github_reviewed": false,
30+
"github_reviewed_at": null,
31+
"nvd_published_at": "2025-12-24T11:15:54Z"
32+
}
33+
}
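Review bot: the details field ends with the commit's "Tested-on:" trailer, which is commit metadata rather than a description of the flaw. Trimming trailers on import would keep the field to the leak in ath12k_dp_cc_cleanup() and its fix.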
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3crq-qf2v-x94m",
4+
"modified": "2025-12-24T12:30:29Z",
5+
"published": "2025-12-24T12:30:29Z",
6+
"aliases": [
7+
"CVE-2025-68370"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc: add the handle of the event to the path\n\nThe handle is essential for retrieving the AUX_EVENT of each CPU and is\nrequired in perf mode. It has been added to the coresight_path so that\ndependent devices can access it from the path when needed.\n\nThe existing bug can be reproduced with:\nperf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null\n\nShowing an oops as follows:\nUnable to handle kernel paging request at virtual address 000f6e84934ed19e\n\nCall trace:\n tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P)\n catu_enable_hw+0xbc/0x3d0 [coresight_catu]\n catu_enable+0x70/0xe0 [coresight_catu]\n coresight_enable_path+0xb0/0x258 [coresight]",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68370"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/aaa5abcc9d44d2c8484f779ab46d242d774cabcb"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/d0c9effd82f2c19b92acd07d357fac5f392d549a"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/faa8f38f7ccb344ace2c1f364efc70e3a12d32f3"
28+
}
29+
],
30+
"database_specific": {
31+
"cwe_ids": [],
32+
"severity": null,
33+
"github_reviewed": false,
34+
"github_reviewed_at": null,
35+
"nvd_published_at": "2025-12-24T11:16:00Z"
36+
}
37+
}
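Review bot: the summary line in details, "coresight: tmc: add the handle of the event to the path", reads as a feature change and does not name the fault; the impact only appears further down as the oops "Unable to handle kernel paging request" in tmc_etr_get_buffer. A one-line statement of the invalid access ahead of the commit text would make the entry easier to search and triage.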
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3cw8-5h35-w527",
4+
"modified": "2025-12-24T12:30:29Z",
5+
"published": "2025-12-24T12:30:29Z",
6+
"aliases": [
7+
"CVE-2025-68352"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: ch341: fix out-of-bounds memory access in ch341_transfer_one\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nThe 'len' variable is calculated as 'min(32, trans->len + 1)',\nwhich includes the 1-byte command header.\n\nWhen copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len'\nas the length is incorrect because:\n\n1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size\n 'trans->len', i.e., 'len - 1' in this context).\n2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is\n CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1\n overflows the buffer.\n\nFix this by copying 'len - 1' bytes.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68352"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/545d1287e40a55242f6ab68bcc1ba3b74088b1bc"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/81841da1f30f66a850cc8796d99ba330aad9d696"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974"
28+
},
29+
{
30+
"type": "WEB",
31+
"url": "https://git.kernel.org/stable/c/ea1e43966cd03098fcd5f0d72e6c2901d45fa08d"
32+
}
33+
],
34+
"database_specific": {
35+
"cwe_ids": [],
36+
"severity": null,
37+
"github_reviewed": false,
38+
"github_reviewed_at": null,
39+
"nvd_published_at": "2025-12-24T11:15:58Z"
40+
}
41+
}
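Review bot: item 2 in details describes an out-of-bounds write to ch341->tx_buf when len is CH341_PACKET_LENGTH (32), and item 1 an out-of-bounds read from trans->tx_buf, but "cwe_ids": [] and "severity": [] carry neither. CWE-787 and CWE-125 match the two cases as written and should be recorded so the kernel memory write is not triaged as an unclassified entry.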
