CWE-617
AllowedReachable Assertion
Abstraction: Base · Status: Draft
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
989 vulnerabilities reference this CWE, most recent first.
GHSA-2GR2-CM9Q-VR3V
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.
{
"affected": [],
"aliases": [
"CVE-2025-59029"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T16:17:58Z",
"severity": "MODERATE"
},
"details": "An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.",
"id": "GHSA-2gr2-cm9q-vr3v",
"modified": "2025-12-09T18:30:37Z",
"published": "2025-12-09T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59029"
},
{
"type": "WEB",
"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2H65-8RVG-GMC7
Vulnerability from github – Published: 2023-12-04 06:30 – Updated: 2023-12-07 18:30In 5G Modem, there is a possible system crash due to improper error handling. This could lead to remote denial of service when receiving malformed RRC messages, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01128524; Issue ID: MOLY01128524 (MSV-846).
{
"affected": [],
"aliases": [
"CVE-2023-32841"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-04T04:15:07Z",
"severity": "HIGH"
},
"details": "In 5G Modem, there is a possible system crash due to improper error handling. This could lead to remote denial of service when receiving malformed RRC messages, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01128524; Issue ID: MOLY01128524 (MSV-846).",
"id": "GHSA-2h65-8rvg-gmc7",
"modified": "2023-12-07T18:30:28Z",
"published": "2023-12-04T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32841"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/December-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2JPV-MGVF-9659
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-05-12 21:30In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix races between xattr_{set|get} and listxattr operations
UBIFS may occur some problems with concurrent xattr_{set|get} and listxattr operations, such as assertion failure, memory corruption, stale xattr value[1].
Fix it by importing a new rw-lock in @ubifs_inode to serilize write operations on xattr, concurrent read operations are still effective, just like ext4.
[1] https://lore.kernel.org/linux-mtd/20200630130438.141649-1-houtao1@huawei.com
{
"affected": [],
"aliases": [
"CVE-2021-47351"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:21Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix races between xattr_{set|get} and listxattr operations\n\nUBIFS may occur some problems with concurrent xattr_{set|get} and\nlistxattr operations, such as assertion failure, memory corruption,\nstale xattr value[1].\n\nFix it by importing a new rw-lock in @ubifs_inode to serilize write\noperations on xattr, concurrent read operations are still effective,\njust like ext4.\n\n[1] https://lore.kernel.org/linux-mtd/20200630130438.141649-1-houtao1@huawei.com",
"id": "GHSA-2jpv-mgvf-9659",
"modified": "2025-05-12T21:30:55Z",
"published": "2024-05-21T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47351"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/38dde03eb239605f428f3f1e4baa73d4933a4cc6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7adc05b73d91a5e3d4ca7714fa53ad9b70c53d08"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9558612cb829f2c022b788f55d6b8437d5234a82"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c0756f75c22149d20fcb7d8409827cee905eb386"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f4e3634a3b642225a530c292fdb1e8a4007507f5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2M6W-7QWV-3JCX
Vulnerability from github – Published: 2026-06-01 18:31 – Updated: 2026-06-01 21:30FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.
{
"affected": [],
"aliases": [
"CVE-2026-37227"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T17:16:58Z",
"severity": "HIGH"
},
"details": "FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.",
"id": "GHSA-2m6w-7qwv-3jcx",
"modified": "2026-06-01T21:30:41Z",
"published": "2026-06-01T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37227"
},
{
"type": "WEB",
"url": "https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37227.md"
},
{
"type": "WEB",
"url": "https://gitlab.eurecom.fr/mosaic5g/flexric"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2MMR-2HQ6-5C3V
Vulnerability from github – Published: 2022-05-13 01:39 – Updated: 2022-05-13 01:39The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the relay_send_end_cell_from_edge_ function via a malformed BEGIN cell.
{
"affected": [],
"aliases": [
"CVE-2017-0375"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-09T17:29:00Z",
"severity": "HIGH"
},
"details": "The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the relay_send_end_cell_from_edge_ function via a malformed BEGIN cell.",
"id": "GHSA-2mmr-2hq6-5c3v",
"modified": "2022-05-13T01:39:57Z",
"published": "2022-05-13T01:39:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0375"
},
{
"type": "WEB",
"url": "https://github.com/torproject/tor/commit/79b59a2dfcb68897ee89d98587d09e55f07e68d7"
},
{
"type": "WEB",
"url": "https://lists.torproject.org/pipermail/tor-announce/2017-June/000131.html"
},
{
"type": "WEB",
"url": "https://trac.torproject.org/projects/tor/ticket/22493"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99017"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PG2-FVWW-4XJW
Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2022-09-02 00:01Mikrotik RouterOs through stable v6.48.3 was discovered to contain an assertion failure in the component /advanced-tools/nova/bin/netwatch. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.
{
"affected": [],
"aliases": [
"CVE-2022-36522"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-26T18:15:00Z",
"severity": "MODERATE"
},
"details": "Mikrotik RouterOs through stable v6.48.3 was discovered to contain an assertion failure in the component /advanced-tools/nova/bin/netwatch. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.",
"id": "GHSA-2pg2-fvww-4xjw",
"modified": "2022-09-02T00:01:07Z",
"published": "2022-08-27T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36522"
},
{
"type": "WEB",
"url": "https://github.com/cq674350529/pocs_slides/blob/master/advisory/MikroTik/CVE-2022-36522/README.md"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2021/Jul/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2QCC-GM3C-QCF7
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Remove WARN_ON for device endpoint command timeouts
This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen during fast software-controlled connect/disconnect testcases. The following is one such endpoint command timeout that we observed:
-
Connect ======= ->dwc3_thread_interrupt ->dwc3_ep0_interrupt ->configfs_composite_setup ->composite_setup ->usb_ep_queue ->dwc3_gadget_ep0_queue ->__dwc3_gadget_ep0_queue ->__dwc3_ep0_do_control_data ->dwc3_send_gadget_ep_cmd
-
Disconnect ========== ->dwc3_thread_interrupt ->dwc3_gadget_disconnect_interrupt ->dwc3_ep0_reset_state ->dwc3_ep0_end_control_data ->dwc3_send_gadget_ep_cmd
In the issue scenario, in Exynos platforms, we observed that control transfers for the previous connect have not yet been completed and end transfer command sent as a part of the disconnect sequence and processing of USB_ENDPOINT_HALT feature request from the host timeout. This maybe an expected scenario since the controller is processing EP commands sent as a part of the previous connect. It maybe better to remove WARN_ON in all places where device endpoint commands are sent to avoid unnecessary kernel panic due to warn.
{
"affected": [],
"aliases": [
"CVE-2025-39801"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T13:15:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Remove WARN_ON for device endpoint command timeouts\n\nThis commit addresses a rarely observed endpoint command timeout\nwhich causes kernel panic due to warn when \u0027panic_on_warn\u0027 is enabled\nand unnecessary call trace prints when \u0027panic_on_warn\u0027 is disabled.\nIt is seen during fast software-controlled connect/disconnect testcases.\nThe following is one such endpoint command timeout that we observed:\n\n1. Connect\n =======\n-\u003edwc3_thread_interrupt\n -\u003edwc3_ep0_interrupt\n -\u003econfigfs_composite_setup\n -\u003ecomposite_setup\n -\u003eusb_ep_queue\n -\u003edwc3_gadget_ep0_queue\n -\u003e__dwc3_gadget_ep0_queue\n -\u003e__dwc3_ep0_do_control_data\n -\u003edwc3_send_gadget_ep_cmd\n\n2. Disconnect\n ==========\n-\u003edwc3_thread_interrupt\n -\u003edwc3_gadget_disconnect_interrupt\n -\u003edwc3_ep0_reset_state\n -\u003edwc3_ep0_end_control_data\n -\u003edwc3_send_gadget_ep_cmd\n\nIn the issue scenario, in Exynos platforms, we observed that control\ntransfers for the previous connect have not yet been completed and end\ntransfer command sent as a part of the disconnect sequence and\nprocessing of USB_ENDPOINT_HALT feature request from the host timeout.\nThis maybe an expected scenario since the controller is processing EP\ncommands sent as a part of the previous connect. It maybe better to\nremove WARN_ON in all places where device endpoint commands are sent to\navoid unnecessary kernel panic due to warn.",
"id": "GHSA-2qcc-gm3c-qcf7",
"modified": "2026-05-12T15:31:08Z",
"published": "2025-09-15T15:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39801"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/45eae113dccaf8e502090ecf5b3d9e9b805add6f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a1a847d841505dba2bd85602daf5c218e1d85b8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84c95dbf5bece56086cdb65a64162af35158bdd9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db27482b9db340402e05d4e9b75352bbaca51af2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dfe40159eec6ca63b40133bfa783eee2e3ed829f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f49697dfba2915a9ff36f94604eb76fa61413929"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2RF4-5672-VQWM
Vulnerability from github – Published: 2026-04-13 15:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid overflows in ip6_datagram_send_ctl()
Yiming Qian reported :
I believe I found a locally triggerable kernel bug in the IPv6 sendmsg
ancillary-data path that can panic the kernel via skb_under_panic()
(local DoS).
The core issue is a mismatch between:
- a 16-bit length accumulator (
struct ipv6_txoptions::opt_flen, type__u16) and - a pointer to the last provided destination-options header (
opt->dst1opt)
when multiple IPV6_DSTOPTS control messages (cmsgs) are provided.
include/net/ipv6.h:struct ipv6_txoptions::opt_flenis__u16(wrap possible). (lines 291-307, especially 298)net/ipv6/datagram.c:ip6_datagram_send_ctl():- Accepts repeated
IPV6_DSTOPTSand accumulates intoopt_flenwithout rejecting duplicates. (lines 909-933) net/ipv6/ip6_output.c:__ip6_append_data():- Uses
opt->opt_flen + opt->opt_nflento compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465) net/ipv6/ip6_output.c:__ip6_make_skb():- Calls
ipv6_push_frag_opts()ifopt->opt_flenis non-zero. (lines 1930-1934) net/ipv6/exthdrs.c:ipv6_push_frag_opts()/ipv6_push_exthdr():-
Push size comes from
ipv6_optlen(opt->dst1opt)(based on the pointed-to header). (lines 1179-1185 and 1206-1211) -
opt_flenis a 16-bit accumulator: -
include/net/ipv6.h:298defines__u16 opt_flen; /* after fragment hdr */. -
ip6_datagram_send_ctl()accepts repeatedIPV6_DSTOPTScmsgs and incrementsopt_fleneach time: -
In
net/ipv6/datagram.c:909-933, forIPV6_DSTOPTS: - It computes
len = ((hdr->hdrlen + 1) << 3); - It checks
CAP_NET_RAWusingns_capable(net->user_ns, CAP_NET_RAW). (line 922) - Then it does:
opt->opt_flen += len;(line 927)opt->dst1opt = hdr;(line 928)
There is no duplicate rejection here (unlike the legacy
IPV6_2292DSTOPTS path which rejects duplicates at
net/ipv6/datagram.c:901-904).
If enough large IPV6_DSTOPTS cmsgs are provided, opt_flen wraps
while dst1opt still points to a large (2048-byte)
destination-options header.
In the attached PoC (poc.c):
- 32 cmsgs with
hdrlen=255=>len = (255+1)*8 = 2048 - 1 cmsg with
hdrlen=0=>len = 8 - Total increment:
32*2048 + 8 = 65544, so(__u16)opt_flen == 8 -
The last cmsg is 2048 bytes, so
dst1optpoints to a 2048-byte header. -
The transmit path sizes headers using the wrapped
opt_flen: -
In
net/ipv6/ip6_output.c:1463-1465: headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;
With wrapped opt_flen, headersize/headroom decisions underestimate
what will be pushed later.
-
When building the final skb, the actual push length comes from
dst1optand is not limited by wrappedopt_flen: -
In
net/ipv6/ip6_output.c:1930-1934: if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);- In
net/ipv6/exthdrs.c:1206-1211,ipv6_push_frag_opts()pushesdst1optviaipv6_push_exthdr(). - In
net/ipv6/exthdrs.c:1179-1184,ipv6_push_exthdr()does: skb_push(skb, ipv6_optlen(opt));memcpy(h, opt, ipv6_optlen(opt));
With insufficient headroom, skb_push() underflows and triggers
skb_under_panic() -> BUG():
net/core/skbuff.c:2669-2675(skb_push()callsskb_under_panic())-
net/core/skbuff.c:207-214(skb_panic()ends inBUG()) -
The
IPV6_DSTOPTScmsg path requiresCAP_NET_RAWin the target netns user namespace (ns_capable(net->user_ns, CAP_NET_RAW)). - Root (or any task with
CAP_NET_RAW) can trigger this without user namespaces. -
An unprivileged
uid=1000user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespacedCAP_NET_RAW(the attached PoC does this). -
Local denial of service: kernel BUG/panic (system crash). - ---truncated---
{
"affected": [],
"aliases": [
"CVE-2026-31415"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T14:16:10Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid overflows in ip6_datagram_send_ctl()\n\nYiming Qian reported :\n\u003cquote\u003e\n I believe I found a locally triggerable kernel bug in the IPv6 sendmsg\n ancillary-data path that can panic the kernel via `skb_under_panic()`\n (local DoS).\n\n The core issue is a mismatch between:\n\n - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type\n `__u16`) and\n - a pointer to the *last* provided destination-options header (`opt-\u003edst1opt`)\n\n when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.\n\n - `include/net/ipv6.h`:\n - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).\n (lines 291-307, especially 298)\n - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:\n - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`\n without rejecting duplicates. (lines 909-933)\n - `net/ipv6/ip6_output.c:__ip6_append_data()`:\n - Uses `opt-\u003eopt_flen + opt-\u003eopt_nflen` to compute header\n sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)\n - `net/ipv6/ip6_output.c:__ip6_make_skb()`:\n - Calls `ipv6_push_frag_opts()` if `opt-\u003eopt_flen` is non-zero.\n (lines 1930-1934)\n - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:\n - Push size comes from `ipv6_optlen(opt-\u003edst1opt)` (based on the\n pointed-to header). (lines 1179-1185 and 1206-1211)\n\n 1. `opt_flen` is a 16-bit accumulator:\n\n - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.\n\n 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs\n and increments `opt_flen` each time:\n\n - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:\n - It computes `len = ((hdr-\u003ehdrlen + 1) \u003c\u003c 3);`\n - It checks `CAP_NET_RAW` using `ns_capable(net-\u003euser_ns,\n CAP_NET_RAW)`. (line 922)\n - Then it does:\n - `opt-\u003eopt_flen += len;` (line 927)\n - `opt-\u003edst1opt = hdr;` (line 928)\n\n There is no duplicate rejection here (unlike the legacy\n `IPV6_2292DSTOPTS` path which rejects duplicates at\n `net/ipv6/datagram.c:901-904`).\n\n If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps\n while `dst1opt` still points to a large (2048-byte)\n destination-options header.\n\n In the attached PoC (`poc.c`):\n\n - 32 cmsgs with `hdrlen=255` =\u003e `len = (255+1)*8 = 2048`\n - 1 cmsg with `hdrlen=0` =\u003e `len = 8`\n - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`\n - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.\n\n 3. The transmit path sizes headers using the wrapped `opt_flen`:\n\n- In `net/ipv6/ip6_output.c:1463-1465`:\n - `headersize = sizeof(struct ipv6hdr) + (opt ? opt-\u003eopt_flen +\n opt-\u003eopt_nflen : 0) + ...;`\n\n With wrapped `opt_flen`, `headersize`/headroom decisions underestimate\n what will be pushed later.\n\n 4. When building the final skb, the actual push length comes from\n `dst1opt` and is not limited by wrapped `opt_flen`:\n\n - In `net/ipv6/ip6_output.c:1930-1934`:\n - `if (opt-\u003eopt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`\n - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes\n `dst1opt` via `ipv6_push_exthdr()`.\n - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:\n - `skb_push(skb, ipv6_optlen(opt));`\n - `memcpy(h, opt, ipv6_optlen(opt));`\n\n With insufficient headroom, `skb_push()` underflows and triggers\n `skb_under_panic()` -\u003e `BUG()`:\n\n - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)\n - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)\n\n - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target\n netns user namespace (`ns_capable(net-\u003euser_ns, CAP_NET_RAW)`).\n - Root (or any task with `CAP_NET_RAW`) can trigger this without user\n namespaces.\n - An unprivileged `uid=1000` user can trigger this if unprivileged\n user namespaces are enabled and it can create a userns+netns to obtain\n namespaced `CAP_NET_RAW` (the attached PoC does this).\n\n - Local denial of service: kernel BUG/panic (system crash).\n -\n---truncated---",
"id": "GHSA-2rf4-5672-vqwm",
"modified": "2026-07-14T15:31:51Z",
"published": "2026-04-13T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31415"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2dbfb003bbf3fc0e94f07efefab0ebcf83029a2a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4082f9984a694829153115d28c956a3534f52f29"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e83f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2RFQ-4JX8-3HP9
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Linux kernel before 4.8.11 allows privileged KVM guest OS users to cause a denial of service (assertion failure and host OS crash) by accessing the Performance Monitors Cycle Count Register (PMCCNTR).
{
"affected": [],
"aliases": [
"CVE-2017-12168"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-20T08:29:00Z",
"severity": "MODERATE"
},
"details": "The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Linux kernel before 4.8.11 allows privileged KVM guest OS users to cause a denial of service (assertion failure and host OS crash) by accessing the Performance Monitors Cycle Count Register (PMCCNTR).",
"id": "GHSA-2rfq-4jx8-3hp9",
"modified": "2022-05-13T01:38:13Z",
"published": "2022-05-13T01:38:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12168"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/9e3f7a29694049edd728e2400ab57ad7553e5aa9"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2017:3163"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-12168"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1492984"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9e3f7a29694049edd728e2400ab57ad7553e5aa9"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2RWM-P2MW-2GWH
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
libceph: handle rbtree insertion error in decode_choose_args()
A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). In this function, num_choose_arg_maps is read from the message, and a corresponding number of crush_choose_arg_maps gets decoded afterwards. Each crush_choose_arg_map has a choose_args_index, which serves as the key when inserting it into the choose_args rbtree of the decoded crush_map. If a (potentially corrupted) message contains two crush_choose_arg_maps with the same index, the assertion in insert_choose_arg_map() triggers a kernel BUG when trying to insert the second crush_choose_arg_map.
This patch fixes the issue by switching to the non-asserting rbtree insertion function and rejecting the message if the insertion fails.
[ idryomov: changelog ]
{
"affected": [],
"aliases": [
"CVE-2026-52954"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:05Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: handle rbtree insertion error in decode_choose_args()\n\nA message of type CEPH_MSG_OSD_MAP contains an OSD map that itself\ncontains a CRUSH map. The received CRUSH map may optionally contain\nchoose_args that get decoded in decode_choose_args(). In this function,\nnum_choose_arg_maps is read from the message, and a corresponding number\nof crush_choose_arg_maps gets decoded afterwards. Each\ncrush_choose_arg_map has a choose_args_index, which serves as the key\nwhen inserting it into the choose_args rbtree of the decoded crush_map.\nIf a (potentially corrupted) message contains two crush_choose_arg_maps\nwith the same index, the assertion in insert_choose_arg_map() triggers a\nkernel BUG when trying to insert the second crush_choose_arg_map.\n\nThis patch fixes the issue by switching to the non-asserting rbtree\ninsertion function and rejecting the message if the insertion fails.\n\n[ idryomov: changelog ]",
"id": "GHSA-2rwm-p2mw-2gwh",
"modified": "2026-06-28T09:31:37Z",
"published": "2026-06-24T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52954"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a1265a9ab875f92b6a3ffb497404f46cf9d76a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0b6a3bcb91bc5bfeda39f0df3b71bab62c13e9da"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d2b37abda9536808655830d683dc491d31741a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/534ebc08df97c47d4c7596f336fa31ecbf91519c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/80c73bd1b2b04355d1d0c29be8ccbd25a380905d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c7bf7864e2924fa5508ac270b0e9364bc13d5a6c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d289478cfc0bcf81c7914200d6abdcb78bd04ded"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f47430fc1f815e87406e2d3b4e476eff1bc7fd9b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
Mitigation
Strategy: Input Validation
Perform input validation on user data.
No CAPEC attack patterns related to this CWE.