CWE-617
AllowedReachable Assertion
Abstraction: Base · Status: Draft
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
989 vulnerabilities reference this CWE, most recent first.
GHSA-FW47-MXV2-W4H2
Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2026-05-12 12:31In the Linux kernel, the following vulnerability has been resolved:
udp: do not accept non-tunnel GSO skbs landing in a tunnel
When rx-udp-gro-forwarding is enabled UDP packets might be GROed when being forwarded. If such packets might land in a tunnel this can cause various issues and udp_gro_receive makes sure this isn't the case by looking for a matching socket. This is performed in udp4/6_gro_lookup_skb but only in the current netns. This is an issue with tunneled packets when the endpoint is in another netns. In such cases the packets will be GROed at the UDP level, which leads to various issues later on. The same thing can happen with rx-gro-list.
We saw this with geneve packets being GROed at the UDP level. In such case gso_size is set; later the packet goes through the geneve rx path, the geneve header is pulled, the offset are adjusted and frag_list skbs are not adjusted with regard to geneve. When those skbs hit skb_fragment, it will misbehave. Different outcomes are possible depending on what the GROed skbs look like; from corrupted packets to kernel crashes.
One example is a BUG_ON[1] triggered in skb_segment while processing the frag_list. Because gso_size is wrong (geneve header was pulled) skb_segment thinks there is "geneve header size" of data in frag_list, although it's in fact the next packet. The BUG_ON itself has nothing to do with the issue. This is only one of the potential issues.
Looking up for a matching socket in udp_gro_receive is fragile: the lookup could be extended to all netns (not speaking about performances) but nothing prevents those packets from being modified in between and we could still not find a matching socket. It's OK to keep the current logic there as it should cover most cases but we also need to make sure we handle tunnel packets being GROed too early.
This is done by extending the checks in udp_unexpected_gso: GSO packets lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must be segmented.
[1] kernel BUG at net/core/skbuff.c:4408! RIP: 0010:skb_segment+0xd2a/0xf70 __udp_gso_segment+0xaa/0x560
{
"affected": [],
"aliases": [
"CVE-2024-35884"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T09:15:09Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn\u0027t the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it\u0027s in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up for a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. It\u0027s OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n RIP: 0010:skb_segment+0xd2a/0xf70\n __udp_gso_segment+0xaa/0x560",
"id": "GHSA-fw47-mxv2-w4h2",
"modified": "2026-05-12T12:31:47Z",
"published": "2024-05-19T09:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35884"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FW4J-88V3-6HFW
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-05-12 21:30In the Linux kernel, the following vulnerability has been resolved:
dma-buf/sync_file: Don't leak fences on merge failure
Each add_fence() call does a dma_fence_get() on the relevant fence. In the error path, we weren't calling dma_fence_put() so all those fences got leaked. Also, in the krealloc_array failure case, we weren't freeing the fences array. Instead, ensure that i and fences are always zero-initialized and dma_fence_put() all the fences and kfree(fences) on every error path.
{
"affected": [],
"aliases": [
"CVE-2021-47305"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sync_file: Don\u0027t leak fences on merge failure\n\nEach add_fence() call does a dma_fence_get() on the relevant fence. In\nthe error path, we weren\u0027t calling dma_fence_put() so all those fences\ngot leaked. Also, in the krealloc_array failure case, we weren\u0027t\nfreeing the fences array. Instead, ensure that i and fences are always\nzero-initialized and dma_fence_put() all the fences and kfree(fences) on\nevery error path.",
"id": "GHSA-fw4j-88v3-6hfw",
"modified": "2025-05-12T21:30:55Z",
"published": "2024-05-21T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47305"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d514185ae792d3a1903c8e1a83899aa996705ce"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19edcd97727aae9362444a859a24d99a8730cb27"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19f51c2529339280d2c8c6427cd3e21ddf1ac3f8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41f45e91c92c8480242ea448d54e28c753b13902"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0355a0ad31a1d677b2a4514206de4902bd550e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffe000217c5068c5da07ccb1c0f8cce7ad767435"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FW73-7P7W-P28M
Vulnerability from github – Published: 2025-09-25 15:30 – Updated: 2025-09-25 21:30In PyTorch before 2.7.0, when inductor is used, nn.Fold has an assertion error.
{
"affected": [],
"aliases": [
"CVE-2025-46149"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-25T15:16:12Z",
"severity": "MODERATE"
},
"details": "In PyTorch before 2.7.0, when inductor is used, nn.Fold has an assertion error.",
"id": "GHSA-fw73-7p7w-p28m",
"modified": "2025-09-25T21:30:25Z",
"published": "2025-09-25T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46149"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/pytorch/issues/147848"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/pytorch/pull/147961"
},
{
"type": "WEB",
"url": "https://gist.github.com/shaoyuyoung/4bcefba4004f8271e64b5185c95a248a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FX22-XFH5-4JX4
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24Google Chrome before 6.0.472.59 on Linux does not properly handle cursors, which might allow attackers to cause a denial of service (assertion failure) via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2010-3411"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-09-16T21:00:00Z",
"severity": "MODERATE"
},
"details": "Google Chrome before 6.0.472.59 on Linux does not properly handle cursors, which might allow attackers to cause a denial of service (assertion failure) via unspecified vectors.",
"id": "GHSA-fx22-xfh5-4jx4",
"modified": "2022-05-13T01:24:50Z",
"published": "2022-05-13T01:24:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3411"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14156"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=51709"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FX5C-H9F6-RV7C
Vulnerability from github – Published: 2022-02-09 23:28 – Updated: 2024-11-07 22:30Impact
A malicious user can cause a denial of service by altering a SavedModel such that Grappler optimizer would attempt to build a tensor using a reference dtype. This would result in a crash due to a CHECK-fail in the Tensor constructor as reference types are not allowed.
Patches
We have patched the issue in GitHub commit 6b5adc0877de832b2a7c189532dbbbc64622eeb6. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
}
],
"aliases": [
"CVE-2022-23588"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-04T18:59:59Z",
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nA malicious user can cause a denial of service by altering a `SavedModel` such that [Grappler optimizer would attempt to build a tensor using a reference `dtype`](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/optimizers/constant_folding.cc#L1328-L1402). This would result in a crash due to a `CHECK`-fail [in the `Tensor` constructor](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/tensor.cc#L733-L781) as reference types are not allowed.\n### Patches\nWe have patched the issue in GitHub commit [6b5adc0877de832b2a7c189532dbbbc64622eeb6](https://github.com/tensorflow/tensorflow/commit/6b5adc0877de832b2a7c189532dbbbc64622eeb6).\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
"id": "GHSA-fx5c-h9f6-rv7c",
"modified": "2024-11-07T22:30:23Z",
"published": "2022-02-09T23:28:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fx5c-h9f6-rv7c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23588"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/6b5adc0877de832b2a7c189532dbbbc64622eeb6"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-97.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-152.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/tensor.cc#L733-L781"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/optimizers/constant_folding.cc#L1328-L1402"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "`CHECK`-fails due to attempting to build a reference tensor"
}
GHSA-FXVQ-F6W2-C6GP
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled.
{
"affected": [],
"aliases": [
"CVE-2018-19963"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-08T04:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled.",
"id": "GHSA-fxvq-f6w2-c6gp",
"modified": "2022-05-13T01:50:55Z",
"published": "2022-05-13T01:50:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19963"
},
{
"type": "WEB",
"url": "https://xenbits.xen.org/xsa/advisory-276.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2G3-XC9M-VR7R
Vulnerability from github – Published: 2023-09-05 09:30 – Updated: 2024-04-04 07:26Transient DOS in Modem while processing invalid System Information Block 1.
{
"affected": [],
"aliases": [
"CVE-2023-21646"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-05T07:15:12Z",
"severity": "HIGH"
},
"details": "Transient DOS in Modem while processing invalid System Information Block 1.",
"id": "GHSA-g2g3-xc9m-vr7r",
"modified": "2024-04-04T07:26:52Z",
"published": "2023-09-05T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21646"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/september-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2JG-2QCV-Q3H9
Vulnerability from github – Published: 2023-07-16 00:30 – Updated: 2024-04-04 06:09Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.
{
"affected": [],
"aliases": [
"CVE-2021-31294"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-15T23:15:09Z",
"severity": "MODERATE"
},
"details": "Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.",
"id": "GHSA-g2jg-2qcv-q3h9",
"modified": "2024-04-04T06:09:17Z",
"published": "2023-07-16T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31294"
},
{
"type": "WEB",
"url": "https://github.com/redis/redis/issues/8712"
},
{
"type": "WEB",
"url": "https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48"
},
{
"type": "WEB",
"url": "https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230814-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G395-WPQC-CMPV
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32While handling a particular type of malformed packet BIND erroneously selects a SERVFAIL rcode instead of a FORMERR rcode. If the receiving view has the SERVFAIL cache feature enabled, this can trigger an assertion failure in badcache.c when the request doesn't contain all of the expected information. Affects BIND 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, 9.10.6-S2.
{
"affected": [],
"aliases": [
"CVE-2018-5734"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-16T20:29:00Z",
"severity": "HIGH"
},
"details": "While handling a particular type of malformed packet BIND erroneously selects a SERVFAIL rcode instead of a FORMERR rcode. If the receiving view has the SERVFAIL cache feature enabled, this can trigger an assertion failure in badcache.c when the request doesn\u0027t contain all of the expected information. Affects BIND 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, 9.10.6-S2.",
"id": "GHSA-g395-wpqc-cmpv",
"modified": "2022-05-13T01:32:04Z",
"published": "2022-05-13T01:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5734"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/aa-01562"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180926-0005"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103189"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040438"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G39R-297W-VH94
Vulnerability from github – Published: 2025-07-12 21:30 – Updated: 2025-07-12 21:30A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_recv_handler/s1ap_recv_handler/recv_handler of the component SCTP Partial Message Handler. The manipulation leads to reachable assertion. The attack needs to be approached locally. The patch is named cfa44575020f3fb045fd971358442053c8684d3d. It is recommended to apply a patch to fix this issue.
{
"affected": [],
"aliases": [
"CVE-2025-7485"
],
"database_specific": {
"cwe_ids": [
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-12T19:15:25Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_recv_handler/s1ap_recv_handler/recv_handler of the component SCTP Partial Message Handler. The manipulation leads to reachable assertion. The attack needs to be approached locally. The patch is named cfa44575020f3fb045fd971358442053c8684d3d. It is recommended to apply a patch to fix this issue.",
"id": "GHSA-g39r-297w-vh94",
"modified": "2025-07-12T21:30:20Z",
"published": "2025-07-12T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7485"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/3878"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/3878#issuecomment-2853775136"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/commit/cfa44575020f3fb045fd971358442053c8684d3d"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.316135"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.316135"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.610601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
Mitigation
Strategy: Input Validation
Perform input validation on user data.
No CAPEC attack patterns related to this CWE.