Publish Advisories

GHSA-2qcc-gm3c-qcf7
GHSA-65ww-5pr7-752v
GHSA-9q78-c4fv-64q9
GHSA-m4vj-r234-c4jf
GHSA-qjjr-vrx2-c9cp
GHSA-2237-jrrh-3624
GHSA-46q9-g5hq-xpgm
GHSA-5whm-xp9m-869g
GHSA-64fr-fj38-r253
GHSA-76q6-633x-65vj
GHSA-877f-88x9-cx9x
GHSA-8xg4-jw8q-mm7v
GHSA-f7fj-8w72-h36h
GHSA-hvxw-2j3f-v3hp
GHSA-hx6j-r6x5-73w3
GHSA-q74c-c6q2-f852
GHSA-w4g3-pp54-phhq
GHSA-wxmx-9x37-q992
GHSA-x72c-72g3-7ffp
GHSA-xj77-m3jq-h2r8
GHSA-2cwp-h6w6-7hmq

Author: advisory-database[bot]

advisories/unreviewed/2025/09/GHSA-2qcc-gm3c-qcf7/GHSA-2qcc-gm3c-qcf7.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2qcc-gm3c-qcf7",
-  "modified": "2025-11-03T18:31:40Z",
+  "modified": "2026-01-23T03:30:28Z",
   "published": "2025-09-15T15:31:21Z",
   "aliases": [
     "CVE-2025-39801"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Remove WARN_ON for device endpoint command timeouts\n\nThis commit addresses a rarely observed endpoint command timeout\nwhich causes kernel panic due to warn when 'panic_on_warn' is enabled\nand unnecessary call trace prints when 'panic_on_warn' is disabled.\nIt is seen during fast software-controlled connect/disconnect testcases.\nThe following is one such endpoint command timeout that we observed:\n\n1. Connect\n   =======\n->dwc3_thread_interrupt\n ->dwc3_ep0_interrupt\n  ->configfs_composite_setup\n   ->composite_setup\n    ->usb_ep_queue\n     ->dwc3_gadget_ep0_queue\n      ->__dwc3_gadget_ep0_queue\n       ->__dwc3_ep0_do_control_data\n        ->dwc3_send_gadget_ep_cmd\n\n2. Disconnect\n   ==========\n->dwc3_thread_interrupt\n ->dwc3_gadget_disconnect_interrupt\n  ->dwc3_ep0_reset_state\n   ->dwc3_ep0_end_control_data\n    ->dwc3_send_gadget_ep_cmd\n\nIn the issue scenario, in Exynos platforms, we observed that control\ntransfers for the previous connect have not yet been completed and end\ntransfer command sent as a part of the disconnect sequence and\nprocessing of USB_ENDPOINT_HALT feature request from the host timeout.\nThis maybe an expected scenario since the controller is processing EP\ncommands sent as a part of the previous connect. It maybe better to\nremove WARN_ON in all places where device endpoint commands are sent to\navoid unnecessary kernel panic due to warn.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -44,8 +49,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-617"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-15T13:15:35Z"

advisories/unreviewed/2025/09/GHSA-65ww-5pr7-752v/GHSA-65ww-5pr7-752v.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-65ww-5pr7-752v",
-  "modified": "2025-12-07T00:30:56Z",
+  "modified": "2026-01-23T03:30:28Z",
   "published": "2025-09-22T21:30:18Z",
   "aliases": [
     "CVE-2025-39866"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nAn use-after-free issue occurred when __mark_inode_dirty() get the\nbdi_writeback that was in the progress of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : __mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed                         kworker\n----------------------------------------------------------------------\n___mark_inode_dirty                     inode_switch_wbs_work_fn\n\n  spin_lock(&inode->i_lock);\n  inode_attach_wb\n  locked_inode_to_wb_and_lock_list\n     get inode->i_wb\n     spin_unlock(&inode->i_lock);\n     spin_lock(&wb->list_lock)\n  spin_lock(&inode->i_lock)\n  inode_io_list_move_locked\n  spin_unlock(&wb->list_lock)\n  spin_unlock(&inode->i_lock)\n                                    spin_lock(&old_wb->list_lock)\n                                      inode_do_switch_wbs\n                                        spin_lock(&inode->i_lock)\n                                        inode->i_wb = new_wb\n                                        spin_unlock(&inode->i_lock)\n                                    spin_unlock(&old_wb->list_lock)\n                                    wb_put_many(old_wb, nr_switched)\n                                      cgwb_release\n                                      old wb released\n  wb_wakeup_delayed() accesses wb,\n  then trigger the use-after-free\n  issue\n\nFix this race condition by holding inode spinlock until\nwb_wakeup_delayed() finished.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -48,8 +53,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-19T16:15:45Z"

advisories/unreviewed/2025/09/GHSA-9q78-c4fv-64q9/GHSA-9q78-c4fv-64q9.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9q78-c4fv-64q9",
-  "modified": "2025-11-03T18:31:41Z",
+  "modified": "2026-01-23T03:30:28Z",
   "published": "2025-09-22T21:30:17Z",
   "aliases": [
     "CVE-2025-39838"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent NULL pointer dereference in UTF16 conversion\n\nThere can be a NULL pointer dereference bug here. NULL is passed to\n__cifs_sfu_make_node without checks, which passes it unchecked to\ncifs_strndup_to_utf16, which in turn passes it to\ncifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.\n\nThis patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and\nreturns NULL early to prevent dereferencing NULL pointer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-19T16:15:42Z"

advisories/unreviewed/2025/09/GHSA-m4vj-r234-c4jf/GHSA-m4vj-r234-c4jf.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m4vj-r234-c4jf",
-  "modified": "2025-11-03T18:31:40Z",
+  "modified": "2026-01-23T03:30:28Z",
   "published": "2025-09-12T18:31:10Z",
   "aliases": [
     "CVE-2025-39794"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: tegra: Use I/O memcpy to write to IRAM\n\nKasan crashes the kernel trying to check boundaries when using the\nnormal memcpy.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -61,7 +66,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-12T16:15:33Z"

advisories/unreviewed/2025/09/GHSA-qjjr-vrx2-c9cp/GHSA-qjjr-vrx2-c9cp.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qjjr-vrx2-c9cp",
-  "modified": "2025-11-03T18:31:40Z",
+  "modified": "2026-01-23T03:30:28Z",
   "published": "2025-09-11T18:35:52Z",
   "aliases": [
     "CVE-2025-39760"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: core: config: Prevent OOB read in SS endpoint companion parsing\n\nusb_parse_ss_endpoint_companion() checks descriptor type before length,\nenabling a potentially odd read outside of the buffer size.\n\nFix this up by checking the size first before looking at any of the\nfields in the descriptor.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -56,8 +61,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-09-11T17:15:39Z"

advisories/unreviewed/2025/10/GHSA-2237-jrrh-3624/GHSA-2237-jrrh-3624.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2237-jrrh-3624",
-  "modified": "2025-11-03T18:31:43Z",
+  "modified": "2026-01-23T03:30:29Z",
   "published": "2025-10-01T09:30:24Z",
   "aliases": [
     "CVE-2025-39891"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Initialize the chan_stats array to zero\n\nThe adapter->chan_stats[] array is initialized in\nmwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out\nmemory.  The array is filled in mwifiex_update_chan_statistics()\nand then the user can query the data in mwifiex_cfg80211_dump_survey().\n\nThere are two potential issues here.  What if the user calls\nmwifiex_cfg80211_dump_survey() before the data has been filled in.\nAlso the mwifiex_update_chan_statistics() function doesn't necessarily\ninitialize the whole array.  Since the array was not initialized at\nthe start that could result in an information leak.\n\nAlso this array is pretty small.  It's a maximum of 900 bytes so it's\nmore appropriate to use kcalloc() instead vmalloc().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -57,7 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-01T08:15:31Z"

advisories/unreviewed/2025/10/GHSA-46q9-g5hq-xpgm/GHSA-46q9-g5hq-xpgm.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-46q9-g5hq-xpgm",
-  "modified": "2025-10-01T12:30:28Z",
+  "modified": "2026-01-23T03:30:29Z",
   "published": "2025-10-01T12:30:28Z",
   "aliases": [
     "CVE-2022-50434"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix possible memleak when register 'hctx' failed\n\nThere's issue as follows when do fault injection test:\nunreferenced object 0xffff888132a9f400 (size 512):\n  comm \"insmod\", pid 308021, jiffies 4324277909 (age 509.733s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff  ...........2....\n    08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00  ...2............\n  backtrace:\n    [<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0\n    [<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0\n    [<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230\n    [<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910\n    [<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0\n    [<00000000a2a34657>] 0xffffffffa2ad310f\n    [<00000000b173f718>] 0xffffffffa2af824a\n    [<0000000095a1dabb>] do_one_initcall+0x87/0x2a0\n    [<00000000f32fdf93>] do_init_module+0xdf/0x320\n    [<00000000cbe8541e>] load_module+0x3006/0x3390\n    [<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0\n    [<00000000a1a29ae8>] do_syscall_64+0x35/0x80\n    [<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFault injection context as follows:\n kobject_add\n blk_mq_register_hctx\n blk_mq_sysfs_register\n blk_register_queue\n device_add_disk\n null_add_dev.part.0 [null_blk]\n\nAs 'blk_mq_register_hctx' may already add some objects when failed halfway,\nbut there isn't do fallback, caller don't know which objects add failed.\nTo solve above issue just do fallback when add objects failed halfway in\n'blk_mq_register_hctx'.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -52,8 +57,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-01T12:15:35Z"

advisories/unreviewed/2025/10/GHSA-5whm-xp9m-869g/GHSA-5whm-xp9m-869g.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5whm-xp9m-869g",
-  "modified": "2025-10-01T12:30:30Z",
+  "modified": "2026-01-23T03:30:29Z",
   "published": "2025-10-01T12:30:30Z",
   "aliases": [
     "CVE-2023-53505"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: tegra124-emc: Fix potential memory leak\n\nThe tegra and tegra needs to be freed in the error handling path, otherwise\nit will be leaked.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -44,8 +49,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-01T12:15:54Z"

advisories/unreviewed/2025/10/GHSA-64fr-fj38-r253/GHSA-64fr-fj38-r253.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-64fr-fj38-r253",
-  "modified": "2025-10-01T12:30:30Z",
+  "modified": "2026-01-23T03:30:29Z",
   "published": "2025-10-01T12:30:30Z",
   "aliases": [
     "CVE-2023-53483"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()\n\ndevm_kzalloc() may fail, clk_data->name might be NULL and will\ncause a NULL pointer dereference later.\n\n[ rjw: Subject and changelog edits ]",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-01T12:15:51Z"

advisories/unreviewed/2025/10/GHSA-76q6-633x-65vj/GHSA-76q6-633x-65vj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-76q6-633x-65vj",
-  "modified": "2025-10-01T12:30:30Z",
+  "modified": "2026-01-23T03:30:29Z",
   "published": "2025-10-01T12:30:30Z",
   "aliases": [
     "CVE-2023-53501"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind\n\nWhen unbinding pasid - a race condition exists vs outstanding page faults.\n\nTo prevent this, the pasid_state object contains a refcount.\n    * set to 1 on pasid bind\n    * incremented on each ppr notification start\n    * decremented on each ppr notification done\n    * decremented on pasid unbind\n\nSince refcount_dec assumes that refcount will never reach 0:\n  the current implementation causes the following to be invoked on\n  pasid unbind:\n        REFCOUNT_WARN(\"decrement hit 0; leaking memory\")\n\nFix this issue by changing refcount_dec to refcount_dec_and_test\nto explicitly handle refcount=1.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -37,7 +42,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-01T12:15:53Z"