Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-336v-j3x2-qmh8/GHSA-336v-j3x2-qmh8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-336v-j3x2-qmh8",
-  "modified": "2025-11-12T12:30:26Z",
+  "modified": "2026-03-13T21:31:39Z",
   "published": "2025-11-12T12:30:26Z",
   "aliases": [
     "CVE-2025-40119"
@@ -18,6 +18,10 @@
       "type": "WEB",
       "url": "https://git.kernel.org/stable/c/00110f3cfc9b34b2dfee2a6c9e55a0ae6df125ae"
     },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/08d9175578d6a8e9b81921898fbf01aa669cd2be"
+    },
     {
       "type": "WEB",
       "url": "https://git.kernel.org/stable/c/3c3fac6bc0a9c00dbe65d8dc0d3a282afe4d3188"

advisories/unreviewed/2026/01/GHSA-6v4g-392h-r9mh/GHSA-6v4g-392h-r9mh.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6v4g-392h-r9mh",
-  "modified": "2026-03-12T21:34:39Z",
+  "modified": "2026-03-13T21:31:39Z",
   "published": "2026-01-14T18:31:36Z",
   "aliases": [
     "CVE-2025-14242"
@@ -51,6 +51,14 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:4525"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:4543"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:4550"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-14242"

advisories/unreviewed/2026/02/GHSA-2r6w-8qqx-7jq3/GHSA-2r6w-8qqx-7jq3.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2r6w-8qqx-7jq3",
-  "modified": "2026-02-06T18:30:30Z",
+  "modified": "2026-03-13T21:31:40Z",
   "published": "2026-02-04T18:30:43Z",
   "aliases": [
     "CVE-2026-23068"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-sprd-adi: Fix double free in probe error path\n\nThe driver currently uses spi_alloc_host() to allocate the controller\nbut registers it using devm_spi_register_controller().\n\nIf devm_register_restart_handler() fails, the code jumps to the\nput_ctlr label and calls spi_controller_put(). However, since the\ncontroller was registered via a devm function, the device core will\nautomatically call spi_controller_put() again when the probe fails.\nThis results in a double-free of the spi_controller structure.\n\nFix this by switching to devm_spi_alloc_host() and removing the\nmanual spi_controller_put() call.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -36,8 +41,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-415"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-02-04T17:16:17Z"

advisories/unreviewed/2026/02/GHSA-34wc-9m9j-23pc/GHSA-34wc-9m9j-23pc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-34wc-9m9j-23pc",
-  "modified": "2026-02-06T18:30:30Z",
+  "modified": "2026-03-13T21:31:40Z",
   "published": "2026-02-04T18:30:43Z",
   "aliases": [
     "CVE-2026-23060"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec\n\nauthencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than\nthe minimum expected length, crypto_authenc_esn_decrypt() can advance past\nthe end of the destination scatterlist and trigger a NULL pointer dereference\nin scatterwalk_map_and_copy(), leading to a kernel panic (DoS).\n\nAdd a minimum AAD length check to fail fast on invalid inputs.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -44,8 +49,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-02-04T17:16:16Z"

advisories/unreviewed/2026/02/GHSA-4v3j-3fr4-cjrj/GHSA-4v3j-3fr4-cjrj.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4v3j-3fr4-cjrj",
-  "modified": "2026-02-04T18:30:43Z",
+  "modified": "2026-03-13T21:31:40Z",
   "published": "2026-02-04T18:30:43Z",
   "aliases": [
     "CVE-2026-23065"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: Fix memory leak in wbrf_record()\n\nThe tmp buffer is allocated using kcalloc() but is not freed if\nacpi_evaluate_dsm() fails. This causes a memory leak in the error path.\n\nFix this by explicitly freeing the tmp buffer in the error handling\npath of acpi_evaluate_dsm().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-02-04T17:16:17Z"

advisories/unreviewed/2026/02/GHSA-58j5-qr69-3544/GHSA-58j5-qr69-3544.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-58j5-qr69-3544",
-  "modified": "2026-02-24T15:30:33Z",
+  "modified": "2026-03-13T21:31:40Z",
   "published": "2026-02-24T15:30:33Z",
   "aliases": [
     "CVE-2025-10010"
@@ -22,6 +22,10 @@
     {
       "type": "WEB",
       "url": "https://r.sec-consult.com/cpsd"
+    },
+    {
+      "type": "WEB",
+      "url": "http://seclists.org/fulldisclosure/2026/Mar/0"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/02/GHSA-5jgq-pv8m-5cx7/GHSA-5jgq-pv8m-5cx7.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5jgq-pv8m-5cx7",
-  "modified": "2026-03-02T21:31:20Z",
+  "modified": "2026-03-13T21:31:40Z",
   "published": "2026-02-18T18:30:40Z",
   "aliases": [
     "CVE-2026-23226"
@@ -23,6 +23,10 @@
       "type": "WEB",
       "url": "https://git.kernel.org/stable/c/36ef605c0395b94b826a8c8d6f2697071173de6e"
     },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/4c2ca31608521895dd742a43beca4b4d29762345"
+    },
     {
       "type": "WEB",
       "url": "https://git.kernel.org/stable/c/4f3a06cc57976cafa8c6f716646be6c79a99e485"

advisories/unreviewed/2026/02/GHSA-5vj7-8hh8-cpcc/GHSA-5vj7-8hh8-cpcc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5vj7-8hh8-cpcc",
-  "modified": "2026-02-04T18:30:43Z",
+  "modified": "2026-03-13T21:31:40Z",
   "published": "2026-02-04T18:30:43Z",
   "aliases": [
     "CVE-2026-23062"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro\n\nThe GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs\nattributes:\n\n1. Off-by-one error: The loop condition used '<=' instead of '<',\n   causing access beyond array bounds. Since array indices are 0-based\n   and go from 0 to instances_count-1, the loop should use '<'.\n\n2. Missing NULL check: The code dereferenced attr_name_kobj->name\n   without checking if attr_name_kobj was NULL, causing a null pointer\n   dereference in min_length_show() and other attribute show functions.\n\nThe panic occurred when fwupd tried to read BIOS configuration attributes:\n\n  Oops: general protection fault [#1] SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg]\n\nAdd a NULL check for attr_name_kobj before dereferencing and corrects\nthe loop boundary to match the pattern used elsewhere in the driver.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-02-04T17:16:16Z"

advisories/unreviewed/2026/02/GHSA-84c2-7hw8-q83c/GHSA-84c2-7hw8-q83c.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-84c2-7hw8-q83c",
-  "modified": "2026-02-06T18:30:30Z",
+  "modified": "2026-03-13T21:31:40Z",
   "published": "2026-02-04T18:30:43Z",
   "aliases": [
     "CVE-2026-23061"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the\nURBs for USB-in transfers are allocated, added to the dev->rx_submitted\nanchor and submitted. In the complete callback\nkvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nkvaser_usb_remove_interfaces() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nkvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -44,8 +49,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-02-04T17:16:16Z"

advisories/unreviewed/2026/02/GHSA-949x-gvhg-pggc/GHSA-949x-gvhg-pggc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-949x-gvhg-pggc",
-  "modified": "2026-02-06T18:30:30Z",
+  "modified": "2026-03-13T21:31:40Z",
   "published": "2026-02-04T18:30:43Z",
   "aliases": [
     "CVE-2026-23064"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: avoid possible NULL deref\n\ntcf_ife_encode() must make sure ife_encode() does not return NULL.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166\nCPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)\nCall Trace:\n <TASK>\n  ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101\n  tcf_ife_encode net/sched/act_ife.c:841 [inline]\n  tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877\n  tc_act include/net/tc_wrapper.h:130 [inline]\n  tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152\n  tcf_exts_exec include/net/pkt_cls.h:349 [inline]\n  mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42\n  tc_classify include/net/tc_wrapper.h:197 [inline]\n  __tcf_classify net/sched/cls_api.c:1764 [inline]\n  tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860\n  multiq_classify net/sched/sch_multiq.c:39 [inline]\n  multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66\n  dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147\n  __dev_xmit_skb net/core/dev.c:4262 [inline]\n  __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -44,8 +49,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-02-04T17:16:17Z"