Common Weakness Enumeration

CWE-908

Allowed

Use of Uninitialized Resource

Abstraction: Base · Status: Incomplete

The product uses or accesses a resource that has not been initialized.

822 vulnerabilities reference this CWE, most recent first.

GHSA-W46C-WW47-4HF8

Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-02-03 15:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR

Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism.

Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing contents of FPMR will be retained.

Before this patch:

| # ./fpmr-test | Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Attempting to write NT_ARM_FPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0xffff800083963d50

After this patch:

| # ./fpmr-test | Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Attempting to write NT_ARM_FPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR\n\nCurrently fpmr_set() doesn\u0027t initialize the temporary \u0027fpmr\u0027 variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget-\u003ethread.uw.fpmr, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of FPMR will be retained.\n\nBefore this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50\n\nAfter this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d",
  "id": "GHSA-w46c-ww47-4hf8",
  "modified": "2025-02-03T15:32:01Z",
  "published": "2025-01-11T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57878"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ab73c34e3c5b580721696665eabd799346bc50b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f5d71291841aecfe5d8435da2dfa7f58ccd18bc8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W497-WQWX-V847

Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-11-26 21:31
VLAI
Details

A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T13:16:01Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability.",
  "id": "GHSA-w497-wqwx-v847",
  "modified": "2025-11-26T21:31:25Z",
  "published": "2025-10-15T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9640"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-9640"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391698"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://www.samba.org/samba/history/security.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/15/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/16/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5CR-FRPH-HW7F

Vulnerability from github – Published: 2021-08-25 21:01 – Updated: 2021-05-25 20:52
VLAI
Summary
Use of uninitialized buffer in rkyv
Details

An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rkyv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-31919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772",
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-25T20:52:53Z",
    "nvd_published_at": "2021-04-30T03:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct.",
  "id": "GHSA-w5cr-frph-hw7f",
  "modified": "2021-05-25T20:52:53Z",
  "published": "2021-08-25T21:01:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31919"
    },
    {
      "type": "WEB",
      "url": "https://github.com/djkoloski/rkyv/issues/113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/djkoloski/rkyv/commit/9c65ae9c2c67dd949b5c3aba9b8eba6da802ab7e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/djkoloski/rkyv/commit/f141b560523a20557db6540576d153010bd18712"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0054.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of uninitialized buffer in rkyv"
}

GHSA-W5F5-72QQ-HGJ6

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

Adobe Prelude version 10.0 (and earlier) are affected by an uninitialized variable vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-20T19:15:00Z",
    "severity": "LOW"
  },
  "details": "Adobe Prelude version 10.0 (and earlier) are affected by an uninitialized variable vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-w5f5-72qq-hgj6",
  "modified": "2022-05-24T19:11:43Z",
  "published": "2022-05-24T19:11:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36007"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/prelude/apsb21-58.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W5JH-VR73-453V

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2026-02-23 18:31
VLAI
Details

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16929, CVE-2020-16930, CVE-2020-16932.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-16T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka \u0027Microsoft Excel Remote Code Execution Vulnerability\u0027. This CVE ID is unique from CVE-2020-16929, CVE-2020-16930, CVE-2020-16932.",
  "id": "GHSA-w5jh-vr73-453v",
  "modified": "2026-02-23T18:31:49Z",
  "published": "2022-05-24T17:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16931"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16931"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1255"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6P3-73R2-4574

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-28 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Initialize free_qp completion before using it

In irdma_create_qp, if ib_copy_to_udata fails, it will call irdma_destroy_qp to clean up which will attempt to wait on the free_qp completion, which is not initialized yet. Fix this by initializing the completion before the ib_copy_to_udata call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:16:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Initialize free_qp completion before using it\n\nIn irdma_create_qp, if ib_copy_to_udata fails, it will call\nirdma_destroy_qp to clean up which will attempt to wait on\nthe free_qp completion, which is not initialized yet. Fix this\nby initializing the completion before the ib_copy_to_udata call.",
  "id": "GHSA-w6p3-73r2-4574",
  "modified": "2026-04-28T15:30:47Z",
  "published": "2026-04-22T15:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31492"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/11a95521fb93c91e2d4ef9d53dc80ef0a755549b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cb88c12461b71c7d9c604aa2e6a9a477ecfa147"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac1da7bd224d406b6f1b84414f0f652ab43b6bd8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af310407f79d5816fc0ab3638e1588b6193316dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd1534c8f4984432382c240f6784408497f5bb0a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f72996834f7bdefc2b95e3eec30447ee195df44e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6XP-GC2W-28HX

Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2025-11-04 00:30
VLAI
Details

IBM Security Verify Access Appliance 10.0.0 through 10.0.7 uses uninitialized variables when deploying that could allow a local user to cause a denial of service. IBM X-Force ID: 287318.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-10T16:15:15Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Verify Access Appliance 10.0.0 through 10.0.7 uses uninitialized variables when deploying that could allow a local user to cause a denial of service.   IBM X-Force ID:  287318.",
  "id": "GHSA-w6xp-gc2w-28hx",
  "modified": "2025-11-04T00:30:48Z",
  "published": "2024-04-10T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31874"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/287318"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7147932"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Nov/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W77R-V3RV-5RCP

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix bpf_xdp_store_bytes proto for read-only arg

While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error:

; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0); 635: (79) r1 = (u64 )(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx() 636: (b4) w2 = 26 ; R2=26 637: (b4) w4 = 4 ; R4=4 638: (b4) w5 = 0 ; R5=0 639: (85) call bpf_xdp_store_bytes#190 write into map forbidden, value_size=6 off=0 size=4

nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails.

Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory.

This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:02Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix bpf_xdp_store_bytes proto for read-only arg\n\nWhile making some maps in Cilium read-only from the BPF side, we noticed\nthat the bpf_xdp_store_bytes proto is incorrect. In particular, the\nverifier was throwing the following error:\n\n  ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr),\n                          \u0026nat-\u003eaddress, 4, 0);\n  635: (79) r1 = *(u64 *)(r10 -144)     ; R1=ctx() R10=fp0 fp-144=ctx()\n  636: (b4) w2 = 26                     ; R2=26\n  637: (b4) w4 = 4                      ; R4=4\n  638: (b4) w5 = 0                      ; R5=0\n  639: (85) call bpf_xdp_store_bytes#190\n  write into map forbidden, value_size=6 off=0 size=4\n\nnat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE.\nThe verifier checks the helper\u0027s memory access to R3 in\ncheck_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third\nargument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the\nMEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3.\nGiven R3 points to a read-only map, the check fails.\n\nConversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading\nfrom uninitialized memory.\n\nThis patch simply fixes the expected argument type to match that of\nbpf_skb_store_bytes.",
  "id": "GHSA-w77r-v3rv-5rcp",
  "modified": "2026-06-25T21:31:20Z",
  "published": "2026-05-27T15:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45886"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0db169a91381a473b7974021d1c02f8da72c5775"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6557f1565d779851c4db9c488c49c05a47a6e72f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7b87adeb0eb539b9b824b101bb14fb01e41240b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddc34a1b85505c919026ddc82fafdada9a160b15"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7CV-FRW4-84FJ

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak

When building netlink messages, tc_chain_fill_node() never initializes the tcm_info field of struct tcmsg. Since the allocation is not zeroed, kernel heap memory is leaked to userspace through this 4-byte field.

The fix simply zeroes tcm_info alongside the other fields that are already initialized.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T15:16:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak\n\nWhen building netlink messages, tc_chain_fill_node() never initializes\nthe tcm_info field of struct tcmsg. Since the allocation is not zeroed,\nkernel heap memory is leaked to userspace through this 4-byte field.\n\nThe fix simply zeroes tcm_info alongside the other fields that are\nalready initialized.",
  "id": "GHSA-w7cv-frw4-84fj",
  "modified": "2026-07-14T15:31:57Z",
  "published": "2026-05-01T15:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43035"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1091b3c174441a52fdbb92e2fe00338f9371a91c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ae5d23f51fb91d7d1140c6f1ba77ab0756054c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/71a3eda7e850ae844cb8993065f4e410c11a46ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/903c3405cfcc7700260e456ab66a5867586c9e69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/906997ea3766c24fbbf9cc4bf17c047315bbd138"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6db08484c6cb3d4ad696246f9d288eceba2a078"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e35f5195cd44ff4053fbc5d71ea97681728a0099"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6e3eb5ee89ac4c163d46429391c889a1bb5e404"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9QV-V668-Q8RF

Vulnerability from github – Published: 2026-06-03 18:33 – Updated: 2026-06-09 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

clocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock.

On SP804, the delay timer shares the same clkevt instance with sched_clock. On some platforms, when sp804_clocksource_and_sched_clock_init is called with use_sched_clock not set to 1, sched_clkevt is not properly initialized. However, sp804_register_delay_timer is invoked unconditionally, and read_current_timer() subsequently calls sp804_read on an uninitialized sched_clkevt, leading to a kernel Oops when accessing sched_clkevt->value.

Declare a dedicated clkevt instance exclusively for delay timer, instead of sharing the same clkevt with sched_clock. This ensures that read_current_timer continues to work correctly regardless of whether SP804 is selected as the sched_clock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-03T18:16:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock.\n\nOn SP804, the delay timer shares the same clkevt instance with\nsched_clock. On some platforms, when\nsp804_clocksource_and_sched_clock_init is called with use_sched_clock\nnot set to 1, sched_clkevt is not properly initialized. However,\nsp804_register_delay_timer is invoked unconditionally, and\nread_current_timer() subsequently calls sp804_read on an uninitialized\nsched_clkevt, leading to a kernel Oops when accessing\nsched_clkevt-\u003evalue.\n\nDeclare a dedicated clkevt instance exclusively for delay timer,\ninstead of sharing the same clkevt with sched_clock.  This ensures\nthat read_current_timer continues to work correctly regardless of\nwhether SP804 is selected as the sched_clock.",
  "id": "GHSA-w9qv-v668-q8rf",
  "modified": "2026-06-09T21:32:21Z",
  "published": "2026-06-03T18:33:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46257"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/693b0b594b0f278bafa784984129c0c0f988e352"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/694921a93f3e3621e067afc545cedf6fe3b234a9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile the product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.