Common Weakness Enumeration

CWE-617

Allowed

Reachable Assertion

Abstraction: Base · Status: Draft

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

989 vulnerabilities reference this CWE, most recent first.

GHSA-4XVW-5JFQ-R7FH

Vulnerability from github – Published: 2023-12-04 06:30 – Updated: 2023-12-07 18:30
VLAI
Details

In 5G Modem, there is a possible system crash due to improper error handling. This could lead to remote denial of service when receiving malformed RRC messages, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01128524; Issue ID: MOLY01130183 (MSV-850).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T04:15:07Z",
    "severity": "HIGH"
  },
  "details": "In 5G Modem, there is a possible system crash due to improper error handling. This could lead to remote denial of service when receiving malformed RRC messages, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01128524; Issue ID: MOLY01130183 (MSV-850).",
  "id": "GHSA-4xvw-5jfq-r7fh",
  "modified": "2023-12-07T18:30:29Z",
  "published": "2023-12-04T06:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32844"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/December-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-527M-PCCF-WF58

Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2025-11-03 21:30
VLAI
Details

A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-22T19:16:23Z",
    "severity": "MODERATE"
  },
  "details": "A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.",
  "id": "GHSA-527m-pccf-wf58",
  "modified": "2025-11-03T21:30:53Z",
  "published": "2023-08-22T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37052"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/poppler/poppler/-/commit/8677500399fc2548fa816b619580c2c07915a98c"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/poppler/poppler/-/issues/1278"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00037.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5353-GRP4-P243

Vulnerability from github – Published: 2023-05-02 06:30 – Updated: 2024-04-04 03:45
VLAI
Details

Transient DOS due to reachable assertion in Modem while processing config related to cross carrier scheduling, which is not supported.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-02T06:15:10Z",
    "severity": "HIGH"
  },
  "details": "Transient DOS due to reachable assertion in Modem while processing config related to cross carrier scheduling, which is not supported.",
  "id": "GHSA-5353-grp4-p243",
  "modified": "2024-04-04T03:45:39Z",
  "published": "2023-05-02T06:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40508"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/may-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-53GP-F34C-FMFJ

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

An issue was discovered in Bento4 v1.5.1-627. There is an assertion failure in AP4_AtomListWriter::Action in Core/Ap4Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42hls.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-10T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Bento4 v1.5.1-627. There is an assertion failure in AP4_AtomListWriter::Action in Core/Ap4Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42hls.",
  "id": "GHSA-53gp-f34c-fmfj",
  "modified": "2022-05-13T01:22:52Z",
  "published": "2022-05-13T01:22:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/351"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-54J7-PX5Q-9WRR

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-07 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64/mm: fix incorrect file_map_count for non-leaf pmd/pud

The page table check trigger BUG_ON() unexpectedly when collapse hugepage:

------------[ cut here ]------------ kernel BUG at mm/page_table_check.c:82! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 6 PID: 68 Comm: khugepaged Not tainted 6.1.0-rc3+ #750 Hardware name: linux,dummy-virt (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : page_table_check_clear.isra.0+0x258/0x3f0 lr : page_table_check_clear.isra.0+0x240/0x3f0 [...] Call trace: page_table_check_clear.isra.0+0x258/0x3f0 __page_table_check_pmd_clear+0xbc/0x108 pmdp_collapse_flush+0xb0/0x160 collapse_huge_page+0xa08/0x1080 hpage_collapse_scan_pmd+0xf30/0x1590 khugepaged_scan_mm_slot.constprop.0+0x52c/0xac8 khugepaged+0x338/0x518 kthread+0x278/0x2f8 ret_from_fork+0x10/0x20 [...]

Since pmd_user_accessible_page() doesn't check if a pmd is leaf, it decrease file_map_count for a non-leaf pmd comes from collapse_huge_page(). and so trigger BUG_ON() unexpectedly.

Fix this problem by using pmd_leaf() insteal of pmd_present() in pmd_user_accessible_page(). Moreover, use pud_leaf() for pud_user_accessible_page() too.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/mm: fix incorrect file_map_count for non-leaf pmd/pud\n\nThe page table check trigger BUG_ON() unexpectedly when collapse hugepage:\n\n ------------[ cut here ]------------\n kernel BUG at mm/page_table_check.c:82!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n Dumping ftrace buffer:\n    (ftrace buffer empty)\n Modules linked in:\n CPU: 6 PID: 68 Comm: khugepaged Not tainted 6.1.0-rc3+ #750\n Hardware name: linux,dummy-virt (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : page_table_check_clear.isra.0+0x258/0x3f0\n lr : page_table_check_clear.isra.0+0x240/0x3f0\n[...]\n Call trace:\n  page_table_check_clear.isra.0+0x258/0x3f0\n  __page_table_check_pmd_clear+0xbc/0x108\n  pmdp_collapse_flush+0xb0/0x160\n  collapse_huge_page+0xa08/0x1080\n  hpage_collapse_scan_pmd+0xf30/0x1590\n  khugepaged_scan_mm_slot.constprop.0+0x52c/0xac8\n  khugepaged+0x338/0x518\n  kthread+0x278/0x2f8\n  ret_from_fork+0x10/0x20\n[...]\n\nSince pmd_user_accessible_page() doesn\u0027t check if a pmd is leaf, it\ndecrease file_map_count for a non-leaf pmd comes from collapse_huge_page().\nand so trigger BUG_ON() unexpectedly.\n\nFix this problem by using pmd_leaf() insteal of pmd_present() in\npmd_user_accessible_page(). Moreover, use pud_leaf() for\npud_user_accessible_page() too.",
  "id": "GHSA-54j7-px5q-9wrr",
  "modified": "2025-11-07T21:31:16Z",
  "published": "2025-05-01T15:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49778"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d458046df634088611d44fd77f45465e833ef78"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b47348fc0b18a78c96f8474cc90b7525ad1bbfe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-555F-PJPV-4MJM

Vulnerability from github – Published: 2026-02-02 09:30 – Updated: 2026-02-04 15:30
VLAI
Details

In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738310; Issue ID: MSV-5933.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617",
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-02T09:15:54Z",
    "severity": "HIGH"
  },
  "details": "In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738310; Issue ID: MSV-5933.",
  "id": "GHSA-555f-pjpv-4mjm",
  "modified": "2026-02-04T15:30:28Z",
  "published": "2026-02-02T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20401"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/February-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5694-Q557-W4RG

Vulnerability from github – Published: 2025-07-11 15:31 – Updated: 2025-07-11 15:31
VLAI
Details

A Reachable Assertion vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).On all Junos OS and Junos OS Evolved devices, when route validation is enabled, a rare condition during BGP initial session establishment can lead to an rpd crash and restart. This occurs specifically when the connection request fails during error-handling scenario.

Continued session establishment failures leads to a sustained DoS condition. 

This issue affects Junos OS:

  • All versions before 22.2R3-S6,
  • from 22.4 before 22.4R3-S6,
  • from 23.2 before 23.2R2-S3,
  • from 23.4 before 23.4R2-S4,
  • from 24.2 before 24.2R2;

Junos OS Evolved: * All versions before 22.2R3-S6-EVO, * from 22.4 before 22.4R3-S6-EVO, * from 23.2 before 23.2R2-S3-EVO, * from 23.4 before 23.4R2-S4-EVO, * from 24.2 before 24.2R2-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T15:15:26Z",
    "severity": "MODERATE"
  },
  "details": "A Reachable Assertion vulnerability in the routing protocol daemon (rpd) of Juniper\u00a0Networks Junos OS and Junos OS Evolved allows an adjacent,\u00a0unauthenticated\u00a0attacker to cause a Denial of Service (DoS).On all Junos OS and Junos OS Evolved devices, when route validation is enabled, a rare condition during BGP initial session establishment can lead to an rpd crash and restart. This occurs specifically when the connection request fails during error-handling scenario.\n\nContinued session establishment failures leads to a sustained DoS condition.\u00a0\n\nThis issue affects Junos OS:\n\n  *  All versions before 22.2R3-S6, \n  *  from 22.4 before 22.4R3-S6, \n  *  from 23.2 before 23.2R2-S3, \n  *  from 23.4 before 23.4R2-S4, \n  *  from 24.2 before 24.2R2; \n\n\n\nJunos OS Evolved: \n  *  All versions before 22.2R3-S6-EVO, \n  *  from 22.4 before\u00a022.4R3-S6-EVO,\n  *  from 23.2 before\u00a023.2R2-S3-EVO,\n  *  from 23.4 before 23.4R2-S4-EVO, \n  *  from 24.2 before 24.2R2-EVO.",
  "id": "GHSA-5694-q557-w4rg",
  "modified": "2025-07-11T15:31:39Z",
  "published": "2025-07-11T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52958"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA100066"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-56VF-QHHQ-RRC2

Vulnerability from github – Published: 2022-05-26 00:01 – Updated: 2025-06-27 21:30
VLAI
Details

In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-25T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.",
  "id": "GHSA-56vf-qhhq-rrc2",
  "modified": "2025-06-27T21:30:26Z",
  "published": "2022-05-26T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31651"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/sox/bugs/360"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5356"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/02/03/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56W8-48FP-6MGV

Vulnerability from github – Published: 2025-11-14 00:30 – Updated: 2026-06-19 14:34
VLAI
Summary
golang.org/x/crypto/ssh/agent has a potential denial of service
Details

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "golang.org/x/crypto/ssh/agent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.43.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T14:34:03Z",
    "nvd_published_at": "2025-11-13T22:15:51Z",
    "severity": "HIGH"
  },
  "details": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
  "id": "GHSA-56w8-48fp-6mgv",
  "modified": "2026-06-19T14:34:03Z",
  "published": "2025-11-14T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47913"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/golang/crypto"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/700295"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/75178"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4116"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "golang.org/x/crypto/ssh/agent has a potential denial of service"
}

GHSA-576Q-7774-8VCQ

Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: Reset queue_priority_hint on parking

Originally, with strict in order execution, we could complete execution only when the queue was empty. Preempt-to-busy allows replacement of an active request that may complete before the preemption is processed by HW. If that happens, the request is retired from the queue, but the queue_priority_hint remains set, preventing direct submission until after the next CS interrupt is processed.

This preempt-to-busy race can be triggered by the heartbeat, which will also act as the power-management barrier and upon completion allow us to idle the HW. We may process the completion of the heartbeat, and begin parking the engine before the CS event that restores the queue_priority_hint, causing us to fail the assertion that it is MIN.

<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 166.210781] Dumping ftrace buffer: <0>[ 166.210795] --------------------------------- ... <0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 } <0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646 <0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0 <0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659 <0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40 <0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 } <0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2 <0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin <0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2 <0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin <0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660 <0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns } <0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked <0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040 <0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns } <0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns } <0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1)) <0>[ 167.303811] --------------------------------- <4>[ 167.304722] ------------[ cut here ]------------ <2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283! <4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1 <4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022 <4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915] <4>[ 16 ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T06:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n\u003c3\u003e[  166.210729] __engine_park:283 GEM_BUG_ON(engine-\u003esched_engine-\u003equeue_priority_hint != (-((int)(~0U \u003e\u003e 1)) - 1))\n\u003c0\u003e[  166.210781] Dumping ftrace buffer:\n\u003c0\u003e[  166.210795] ---------------------------------\n...\n\u003c0\u003e[  167.302811] drm_fdin-1097      2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n\u003c0\u003e[  167.302861] drm_fdin-1097      2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n\u003c0\u003e[  167.302928] drm_fdin-1097      2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n\u003c0\u003e[  167.302992] drm_fdin-1097      2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n\u003c0\u003e[  167.303044] drm_fdin-1097      2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n\u003c0\u003e[  167.303095] drm_fdin-1097      2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n\u003c0\u003e[  167.303159] kworker/-89       11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n\u003c0\u003e[  167.303208] kworker/-89       11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n\u003c0\u003e[  167.303272] kworker/-89       11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n\u003c0\u003e[  167.303321] kworker/-89       11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n\u003c0\u003e[  167.303384] kworker/-89       11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n\u003c0\u003e[  167.303434] kworker/-89       11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n\u003c0\u003e[  167.303484] kworker/-89       11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n\u003c0\u003e[  167.303534]   \u003cidle\u003e-0         5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n\u003c0\u003e[  167.303583] kworker/-89       11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n\u003c0\u003e[  167.303756] kworker/-89       11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n\u003c0\u003e[  167.303806] kworker/-89       11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine-\u003esched_engine-\u003equeue_priority_hint != (-((int)(~0U \u003e\u003e 1)) - 1))\n\u003c0\u003e[  167.303811] ---------------------------------\n\u003c4\u003e[  167.304722] ------------[ cut here ]------------\n\u003c2\u003e[  167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n\u003c4\u003e[  167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n\u003c4\u003e[  167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G        W          6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n\u003c4\u003e[  167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n\u003c4\u003e[  167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n\u003c4\u003e[  16\n---truncated---",
  "id": "GHSA-576q-7774-8vcq",
  "modified": "2026-05-12T12:31:42Z",
  "published": "2024-05-01T06:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26937"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)

Mitigation
Implementation

Strategy: Input Validation

Perform input validation on user data.

No CAPEC attack patterns related to this CWE.