Common Weakness Enumeration

CWE-617

Allowed

Reachable Assertion

Abstraction: Base · Status: Draft

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

986 vulnerabilities reference this CWE, most recent first.

GHSA-7C47-VXFH-P7Q4

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size

The generic/642 test-case can reproduce the kernel crash:

[40243.605254] ------------[ cut here ]------------ [40243.605956] kernel BUG at fs/ceph/xattr.c:918! [40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI [40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full) [40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [40243.611820] Workqueue: ceph-msgr ceph_con_workfn [40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0 [40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc [40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287 [40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000 [40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000 [40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000 [40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000 [40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd [40243.624054] FS: 0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000 [40243.625331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0 [40243.627408] Call Trace: [40243.627839] [40243.628188] __prep_cap+0x3fd/0x4a0 [40243.628789] ? do_raw_spin_unlock+0x4e/0xe0 [40243.629474] ceph_check_caps+0x46a/0xc80 [40243.630094] ? __lock_acquire+0x4a2/0x2650 [40243.630773] ? find_held_lock+0x31/0x90 [40243.631347] ? handle_cap_grant+0x79f/0x1060 [40243.632068] ? lock_release+0xd9/0x300 [40243.632696] ? __mutex_unlock_slowpath+0x3e/0x340 [40243.633429] ? lock_release+0xd9/0x300 [40243.634052] handle_cap_grant+0xcf6/0x1060 [40243.634745] ceph_handle_caps+0x122b/0x2110 [40243.635415] mds_dispatch+0x5bd/0x2160 [40243.636034] ? ceph_con_process_message+0x65/0x190 [40243.636828] ? lock_release+0xd9/0x300 [40243.637431] ceph_con_process_message+0x7a/0x190 [40243.638184] ? kfree+0x311/0x4f0 [40243.638749] ? kfree+0x311/0x4f0 [40243.639268] process_message+0x16/0x1a0 [40243.639915] ? sg_free_table+0x39/0x90 [40243.640572] ceph_con_v2_try_read+0xf58/0x2120 [40243.641255] ? lock_acquire+0xc8/0x300 [40243.641863] ceph_con_workfn+0x151/0x820 [40243.642493] process_one_work+0x22f/0x630 [40243.643093] ? process_one_work+0x254/0x630 [40243.643770] worker_thread+0x1e2/0x400 [40243.644332] ? __pfx_worker_thread+0x10/0x10 [40243.645020] kthread+0x109/0x140 [40243.645560] ? __pfx_kthread+0x10/0x10 [40243.646125] ret_from_fork+0x3f8/0x480 [40243.646752] ? __pfx_kthread+0x10/0x10 [40243.647316] ? __pfx_kthread+0x10/0x10 [40243.647919] ret_from_fork_asm+0x1a/0x30 [40243.648556] [40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore [40243.654766] ---[ end trace 0000000000000000 ]---

Commit d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size") moved the required_blob_size computation to before the __build_xattrs() call, introducing a race.

__build_xattrs() releases and reacquires i_ceph_lock during execution. In that window, handle_cap_grant() may update i_xattrs.blob with a newer MDS-provided blob and bump i_xattrs.version. When __bui ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size\n\nThe generic/642 test-case can reproduce the kernel crash:\n\n[40243.605254] ------------[ cut here ]------------\n[40243.605956] kernel BUG at fs/ceph/xattr.c:918!\n[40243.607142] Oops: invalid opcode: 0000 [#1] SMP PTI\n[40243.608067] CPU: 7 UID: 0 PID: 498762 Comm: kworker/7:1 Not tainted 7.0.0-rc7+ #3 PREEMPT(full)\n[40243.609700] Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[40243.611820] Workqueue: ceph-msgr ceph_con_workfn\n[40243.612715] RIP: 0010:__ceph_build_xattrs_blob+0x1b8/0x1e0\n[40243.613731] Code: 0f 84 82 fe ff ff e9 cf 8e 56 ff 48 8d 65 e8 31 c0 5b 41 5c 41 5d 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc \u003c0f\u003e 0b 4c 8b 62 08 41 8b 85 24 07 00 00 49 83 c4 04 41 89 44 24 fc\n[40243.616888] RSP: 0018:ffffcc80c4d4b688 EFLAGS: 00010287\n[40243.617773] RAX: 0000000000010026 RBX: 0000000000000001 RCX: 0000000000000000\n[40243.618928] RDX: ffff8a773798dee0 RSI: 0000000000000000 RDI: 0000000000000000\n[40243.620158] RBP: ffffcc80c4d4b6a0 R08: 0000000000000000 R09: 0000000000000000\n[40243.621573] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a75f3b58000\n[40243.622907] R13: ffff8a75f3b58000 R14: 0000000000000080 R15: 000000000000bffd\n[40243.624054] FS:  0000000000000000(0000) GS:ffff8a787d1b4000(0000) knlGS:0000000000000000\n[40243.625331] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[40243.626269] CR2: 000072f390b623c0 CR3: 000000011c02a003 CR4: 0000000000372ef0\n[40243.627408] Call Trace:\n[40243.627839]  \u003cTASK\u003e\n[40243.628188]  __prep_cap+0x3fd/0x4a0\n[40243.628789]  ? do_raw_spin_unlock+0x4e/0xe0\n[40243.629474]  ceph_check_caps+0x46a/0xc80\n[40243.630094]  ? __lock_acquire+0x4a2/0x2650\n[40243.630773]  ? find_held_lock+0x31/0x90\n[40243.631347]  ? handle_cap_grant+0x79f/0x1060\n[40243.632068]  ? lock_release+0xd9/0x300\n[40243.632696]  ? __mutex_unlock_slowpath+0x3e/0x340\n[40243.633429]  ? lock_release+0xd9/0x300\n[40243.634052]  handle_cap_grant+0xcf6/0x1060\n[40243.634745]  ceph_handle_caps+0x122b/0x2110\n[40243.635415]  mds_dispatch+0x5bd/0x2160\n[40243.636034]  ? ceph_con_process_message+0x65/0x190\n[40243.636828]  ? lock_release+0xd9/0x300\n[40243.637431]  ceph_con_process_message+0x7a/0x190\n[40243.638184]  ? kfree+0x311/0x4f0\n[40243.638749]  ? kfree+0x311/0x4f0\n[40243.639268]  process_message+0x16/0x1a0\n[40243.639915]  ? sg_free_table+0x39/0x90\n[40243.640572]  ceph_con_v2_try_read+0xf58/0x2120\n[40243.641255]  ? lock_acquire+0xc8/0x300\n[40243.641863]  ceph_con_workfn+0x151/0x820\n[40243.642493]  process_one_work+0x22f/0x630\n[40243.643093]  ? process_one_work+0x254/0x630\n[40243.643770]  worker_thread+0x1e2/0x400\n[40243.644332]  ? __pfx_worker_thread+0x10/0x10\n[40243.645020]  kthread+0x109/0x140\n[40243.645560]  ? __pfx_kthread+0x10/0x10\n[40243.646125]  ret_from_fork+0x3f8/0x480\n[40243.646752]  ? __pfx_kthread+0x10/0x10\n[40243.647316]  ? __pfx_kthread+0x10/0x10\n[40243.647919]  ret_from_fork_asm+0x1a/0x30\n[40243.648556]  \u003c/TASK\u003e\n[40243.648902] Modules linked in: overlay hctr2 libpolyval chacha libchacha adiantum libnh libpoly1305 essiv intel_rapl_msr intel_rapl_common intel_uncore_frequency_common skx_edac_common nfit kvm_intel kvm irqbypass joydev ghash_clmulni_intel aesni_intel rapl input_leds mac_hid psmouse vga16fb serio_raw vgastate floppy i2c_piix4 pata_acpi bochs qemu_fw_cfg i2c_smbus sch_fq_codel rbd dm_crypt msr parport_pc ppdev lp parport efi_pstore\n[40243.654766] ---[ end trace 0000000000000000 ]---\n\nCommit d93231a6bc8a (\"ceph: prevent a client from exceeding the MDS\nmaximum xattr size\") moved the required_blob_size computation to before\nthe __build_xattrs() call, introducing a race.\n\n__build_xattrs() releases and reacquires i_ceph_lock during execution.\nIn that window, handle_cap_grant() may update i_xattrs.blob with a\nnewer MDS-provided blob and bump i_xattrs.version.  When\n__bui\n---truncated---",
  "id": "GHSA-7c47-vxfh-p7q4",
  "modified": "2026-07-14T18:31:48Z",
  "published": "2026-06-24T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52961"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c22d9511cbde746622f8e4c11aaa63fe76d45f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/368d21ae9081c93497b1c8163bed3eddcb2443ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7eb72425c4e3234926502eb262f9d6193ccd572c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5bd8b4e39cfa8b087448adcd48088065cd629d5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7F2C-G8WP-6P7V

Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32
VLAI
Details

NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API where an attacker could trigger a reachable assertion in the sampler thread. A successful exploit of this vulnerability might lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T21:16:56Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA TensorRT-LLM contains a vulnerability in the OpenAI-compatible inference API where an attacker could trigger a reachable assertion in the sampler thread. A successful exploit of this vulnerability might lead to denial of service.",
  "id": "GHSA-7f2c-g8wp-6p7v",
  "modified": "2026-07-14T21:32:21Z",
  "published": "2026-07-14T21:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47475"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-47475"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7F2R-WRJW-8JR4

Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix WARN() in get_bpf_raw_tp_regs

syzkaller reported an issue:

WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 Modules linked in: CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: _bpfget_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline] bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931 bpf_prog_ec3b2eefa702d8d3+0x43/0x47 bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] bpf_prog_run include/linux/filter.h:718 [inline] bpf_prog_run include/linux/filter.h:725 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline] bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405 __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47 __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47 __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:204 [inline] stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157 __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483 _bpfget_stack kernel/bpf/stackmap.c:499 [inline] bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496 __bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931 bpf_prog_ec3b2eefa702d8d3+0x43/0x47

Tracepoint like trace_mmap_lock_acquire_returned may cause nested call as the corner case show above, which will be resolved with more general method in the future. As a result, WARN_ON_ONCE will be triggered. As Alexei suggested, remove the WARN_ON_ONCE first.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T08:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix WARN() in get_bpf_raw_tp_regs\n\nsyzkaller reported an issue:\n\nWARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861\nModules linked in:\nCPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861\nRSP: 0018:ffffc90003636fa8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c\nRDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005\nRBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003\nR10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004\nR13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900\nFS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]\n bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931\n bpf_prog_ec3b2eefa702d8d3+0x43/0x47\n bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]\n __bpf_prog_run include/linux/filter.h:718 [inline]\n bpf_prog_run include/linux/filter.h:725 [inline]\n __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]\n bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405\n __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47\n __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47\n __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]\n trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]\n __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35\n __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]\n mmap_read_trylock include/linux/mmap_lock.h:204 [inline]\n stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157\n __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483\n ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]\n bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496\n ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]\n bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931\n bpf_prog_ec3b2eefa702d8d3+0x43/0x47\n\nTracepoint like trace_mmap_lock_acquire_returned may cause nested call\nas the corner case show above, which will be resolved with more general\nmethod in the future. As a result, WARN_ON_ONCE will be triggered. As\nAlexei suggested, remove the WARN_ON_ONCE first.",
  "id": "GHSA-7f2r-wrjw-8jr4",
  "modified": "2026-05-12T15:30:55Z",
  "published": "2025-07-10T09:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38285"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/147ea936fc6fa8fe0c93f0df918803a5375ca535"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18e8cbbae79cb35bdce8a01c889827b9799c762e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3880cdbed1c4607e378f58fa924c5d6df900d1d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44ebe361abb322d2afd77930fa767a99f271c4d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d8f39875a10a194051c3eaefebc7ac06a34aaf3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c98cdf6795a36bca163ebb40411fef1687b9eb13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e167414beabb1e941fe563a96becc98627d5bdf6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee90be48edb3dac612e0b7f5332482a9e8be2696"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7FVH-RQHX-CR7P

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

tinyexr 0.9.5 has an assertion failure in ComputeChannelLayout in tinyexr.h.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-16T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "tinyexr 0.9.5 has an assertion failure in ComputeChannelLayout in tinyexr.h.",
  "id": "GHSA-7fvh-rqhx-cr7p",
  "modified": "2022-05-13T01:49:36Z",
  "published": "2022-05-13T01:49:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12504"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syoyo/tinyexr/issues/82"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChijinZ/security_advisories/tree/master/tinyexr_b53a457"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GF7-JV65-WJMH

Vulnerability from github – Published: 2023-06-05 06:30 – Updated: 2025-01-08 19:00
VLAI
Summary
xml-rs vulnerable to denial of service via invalid token in XML document
Details

The xml-rs crate >= 0.8.9 and < 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "xml-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.9"
            },
            {
              "fixed": "0.8.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T02:06:58Z",
    "nvd_published_at": "2023-06-05T04:15:11Z",
    "severity": "HIGH"
  },
  "details": "The xml-rs crate \u003e= 0.8.9 and \u003c 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid \u003c! token (such as \u003c!DOCTYPEs/%\u003c!A nesting) in an XML document.",
  "id": "GHSA-7gf7-jv65-wjmh",
  "modified": "2025-01-08T19:00:56Z",
  "published": "2023-06-05T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34411"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netvl/xml-rs/pull/226"
    },
    {
      "type": "WEB",
      "url": "https://github.com/00xc/xml-rs/commit/0f084d45aa53e4a27476961785f59f2bd7d59a9f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netvl/xml-rs/commit/014d808be900c85a0afc5ccdfe668be040d175aa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netvl/xml-rs/commit/c09549a187e62d39d40467f129e64abf32efc35c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netvl/xml-rs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netvl/xml-rs/compare/0.8.13...0.8.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "xml-rs vulnerable to denial of service via invalid token in XML document"
}

GHSA-7GMH-9H47-R2X3

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix BUG_ON condition in btrfs_cancel_balance

Pausing and canceling balance can race to interrupt balance lead to BUG_ON panic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance does not take this race scenario into account.

However, the race condition has no other side effects. We can fix that.

Reproducing it with panic trace like this:

kernel BUG at fs/btrfs/volumes.c:4618! RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0 Call Trace: ? do_nanosleep+0x60/0x120 ? hrtimer_nanosleep+0xb7/0x1a0 ? sched_core_clone_cookie+0x70/0x70 btrfs_ioctl_balance_ctl+0x55/0x70 btrfs_ioctl+0xa46/0xd20 __x64_sys_ioctl+0x7d/0xa0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Race scenario as follows:

mutex_unlock(&fs_info->balance_mutex);

.......issue pause and cancel req in another thread

ret = __btrfs_balance(fs_info);

mutex_lock(&fs_info->balance_mutex); if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { btrfs_info(fs_info, "balance: paused"); btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); }

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:37Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix BUG_ON condition in btrfs_cancel_balance\n\nPausing and canceling balance can race to interrupt balance lead to BUG_ON\npanic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance\ndoes not take this race scenario into account.\n\nHowever, the race condition has no other side effects. We can fix that.\n\nReproducing it with panic trace like this:\n\n  kernel BUG at fs/btrfs/volumes.c:4618!\n  RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0\n  Call Trace:\n   \u003cTASK\u003e\n   ? do_nanosleep+0x60/0x120\n   ? hrtimer_nanosleep+0xb7/0x1a0\n   ? sched_core_clone_cookie+0x70/0x70\n   btrfs_ioctl_balance_ctl+0x55/0x70\n   btrfs_ioctl+0xa46/0xd20\n   __x64_sys_ioctl+0x7d/0xa0\n   do_syscall_64+0x38/0x80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n  Race scenario as follows:\n  \u003e mutex_unlock(\u0026fs_info-\u003ebalance_mutex);\n  \u003e --------------------\n  \u003e .......issue pause and cancel req in another thread\n  \u003e --------------------\n  \u003e ret = __btrfs_balance(fs_info);\n  \u003e\n  \u003e mutex_lock(\u0026fs_info-\u003ebalance_mutex);\n  \u003e if (ret == -ECANCELED \u0026\u0026 atomic_read(\u0026fs_info-\u003ebalance_pause_req)) {\n  \u003e         btrfs_info(fs_info, \"balance: paused\");\n  \u003e         btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED);\n  \u003e }",
  "id": "GHSA-7gmh-9h47-r2x3",
  "modified": "2025-12-11T18:30:32Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53339"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29eefa6d0d07e185f7bfe9576f91e6dba98189c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c93b89cd46636b5e74c12fa21dd86167bc6ea8d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0a462a0f20926918d6009f0b4b25673e883fc98"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae81329f7de3aa6f34ecdfa5412e72161a30e9ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b966e9e1e250dfdb41a7f41775faea4a37af923c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd7bef82ce0e929ef4cf63a34990545aaca28077"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ceb9ba8e30833a4823e2dc73f80ebcdf2498d01a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7J6P-G885-85V2

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44
VLAI
Details

User process can perform the kernel DOS in ashmem when doing cache maintenance operation in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18169"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-15T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "User process can perform the kernel DOS in ashmem when doing cache maintenance operation in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel.",
  "id": "GHSA-7j6p-g885-85v2",
  "modified": "2022-05-13T01:44:35Z",
  "published": "2022-05-13T01:44:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18169"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2018/06/04/june-2018-code-aurora-security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JF7-RX7V-XWQQ

Vulnerability from github – Published: 2023-05-10 00:30 – Updated: 2024-02-03 03:30
VLAI
Details

A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-09T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.",
  "id": "GHSA-7jf7-rx7v-xwqq",
  "modified": "2024-02-03T03:30:27Z",
  "published": "2023-05-10T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2156"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196292"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230622-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5448"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5453"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-547"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/05/17/8"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/05/17/9"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/05/18/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/05/19/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JJH-W2VP-QM6G

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-27T03:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.",
  "id": "GHSA-7jjh-w2vp-qm6g",
  "modified": "2022-05-13T01:23:17Z",
  "published": "2022-05-13T01:23:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/802"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3681-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JV7-XXC6-MF32

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

There is an Assertion 'context_p->stack_depth == context_p->context_stack_depth' failed at js-parser-statm.c:2756 in parser_parse_statements in JerryScript 2.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-10T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an Assertion \u0027context_p-\u003estack_depth == context_p-\u003econtext_stack_depth\u0027 failed at js-parser-statm.c:2756 in parser_parse_statements in JerryScript 2.2.0.",
  "id": "GHSA-7jv7-xxc6-mf32",
  "modified": "2022-05-24T19:05:14Z",
  "published": "2022-05-24T19:05:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jerryscript-project/jerryscript/issues/3820"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)

Mitigation
Implementation

Strategy: Input Validation

Perform input validation on user data.

No CAPEC attack patterns related to this CWE.