Common Weakness Enumeration

CWE-911

Allowed

Improper Update of Reference Count

Abstraction: Base · Status: Incomplete

The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.

25 vulnerabilities reference this CWE, most recent first.

CVE-2020-11935 (GCVE-0-2020-11935)

Vulnerability from cvelistv5 – Published: 2023-04-07 00:00 – Updated: 2024-08-04 11:42
VLAI
Title
aufs: improperly managed inode reference counts in the vfsub_dentry_open() method
Summary
It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.
CWE
  • CWE-911 - Improper Update of Reference Count
Assigner
References
Impacted products
Vendor Product Version
Ubuntu Linux kernel (aufs filesystem module) Unaffected: 4.4.0-186.216 , < 4.4* (custom)
Unaffected: 4.15.0-112.113 , < 4.15* (custom)
Unaffected: 5.4.0-42.46 , < 5.4* (custom)
Create a notification for this product.
Credits
Mauricio Faria de Oliveira discovered that the aufs implementation in the Linux kernel improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:42:00.593Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Ubuntu Security CVE-2020-11935",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/CVE-2020-11935"
          },
          {
            "name": "Launchpad Bug 1873074",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/bugs/1873074"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Linux kernel (aufs filesystem module)",
          "vendor": "Ubuntu",
          "versions": [
            {
              "lessThan": "4.4*",
              "status": "unaffected",
              "version": "4.4.0-186.216",
              "versionType": "custom"
            },
            {
              "lessThan": "4.15*",
              "status": "unaffected",
              "version": "4.15.0-112.113",
              "versionType": "custom"
            },
            {
              "lessThan": "5.4*",
              "status": "unaffected",
              "version": "5.4.0-42.46",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mauricio Faria de Oliveira discovered that the aufs implementation in the Linux kernel improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-911",
              "description": "CWE-911 Improper Update of Reference Count",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-07T00:00:00.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "name": "Ubuntu Security CVE-2020-11935",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://ubuntu.com/security/CVE-2020-11935"
        },
        {
          "name": "Launchpad Bug 1873074",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://bugs.launchpad.net/bugs/1873074"
        }
      ],
      "source": {
        "defect": [
          "LP#1873074"
        ],
        "discovery": "USER"
      },
      "title": "aufs: improperly managed inode reference counts in the vfsub_dentry_open() method",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2020-11935",
    "datePublished": "2023-04-07T00:00:00.000Z",
    "dateReserved": "2020-04-20T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:42:00.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-3HMC-JXR7-RW7J

Vulnerability from github – Published: 2023-10-24 00:31 – Updated: 2024-07-24 18:31
VLAI
Details

The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-23T22:15:09Z",
    "severity": "HIGH"
  },
  "details": "The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.",
  "id": "GHSA-3hmc-jxr7-rw7j",
  "modified": "2024-07-24T18:31:15Z",
  "published": "2023-10-24T00:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5633"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0113"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0134"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0461"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1404"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:4823"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:4831"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-5633"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245663"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4WXW-3VRC-3HMH

Vulnerability from github – Published: 2025-02-18 21:32 – Updated: 2025-05-13 21:30
VLAI
Details

A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn't properly set an ERRNO value. This issue may lead to a NULL pointer access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-18T20:15:19Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn\u0027t properly set an ERRNO value. This issue may lead to a NULL pointer access.",
  "id": "GHSA-4wxw-3vrc-3hmh",
  "modified": "2025-05-13T21:30:28Z",
  "published": "2025-02-18T21:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45783"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:6990"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-45783"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XP2-X7QR-WJRX

Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2023-04-06 15:30
VLAI
Details

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation OPC UA C++ Demo Server 1.7.6-537. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpcUa_SecureListener_ProcessSessionCallRequest method. A crafted OPC UA message can force the server to incorrectly update a reference count. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-16927.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-29T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation OPC UA C++ Demo Server 1.7.6-537. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpcUa_SecureListener_ProcessSessionCallRequest method. A crafted OPC UA message can force the server to incorrectly update a reference count. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-16927.",
  "id": "GHSA-5xp2-x7qr-wjrx",
  "modified": "2023-04-06T15:30:18Z",
  "published": "2023-03-29T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37012"
    },
    {
      "type": "WEB",
      "url": "https://documentation.unified-automation.com/uasdkcpp/1.7.7/CHANGELOG.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1030"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8W7W-2RV7-QQW7

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-07-03 18:42
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: Fix arm_smmu_device refcount leak when arm_smmu_rpm_get fails

arm_smmu_rpm_get() invokes pm_runtime_get_sync(), which increases the refcount of the "smmu" even though the return value is less than 0.

The reference counting issue happens in some error handling paths of arm_smmu_rpm_get() in its caller functions. When arm_smmu_rpm_get() fails, the caller functions forget to decrease the refcount of "smmu" increased by arm_smmu_rpm_get(), causing a refcount leak.

Fix this issue by calling pm_runtime_resume_and_get() instead of pm_runtime_get_sync() in arm_smmu_rpm_get(), which can keep the refcount balanced in case of failure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:19Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Fix arm_smmu_device refcount leak when arm_smmu_rpm_get fails\n\narm_smmu_rpm_get() invokes pm_runtime_get_sync(), which increases the\nrefcount of the \"smmu\" even though the return value is less than 0.\n\nThe reference counting issue happens in some error handling paths of\narm_smmu_rpm_get() in its caller functions. When arm_smmu_rpm_get()\nfails, the caller functions forget to decrease the refcount of \"smmu\"\nincreased by arm_smmu_rpm_get(), causing a refcount leak.\n\nFix this issue by calling pm_runtime_resume_and_get() instead of\npm_runtime_get_sync() in arm_smmu_rpm_get(), which can keep the refcount\nbalanced in case of failure.",
  "id": "GHSA-8w7w-2rv7-qqw7",
  "modified": "2024-07-03T18:42:48Z",
  "published": "2024-05-21T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47327"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1adf30f198c26539a62d761e45af72cde570413d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3761ae0d0e549f2acdaf11f49df4ed06d256b20f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4007596fbdabc29f858dc2e1990858a146b60b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fbf4daa6f4105e01fbd3868006f65c163365c1e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe92c058199067ae90cf2a901ddf3c271893557a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9VMW-8F7F-QHCH

Vulnerability from github – Published: 2023-04-24 21:30 – Updated: 2024-04-04 03:40
VLAI
Details

A flaw was found in the Linux kernel's netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-24T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Linux kernel\u0027s netdevsim device driver, within the scheduling of events. This issue results from the improper management of a reference count. This may allow an attacker to create a denial of service condition on the system.",
  "id": "GHSA-9vmw-8f7f-qhch",
  "modified": "2024-04-04T03:40:14Z",
  "published": "2023-04-24T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/180a6a3ee60a"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2189137"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-17811"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9X88-7C3C-R34G

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-30 03:36
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence:

ksoftirqd/X higher-prio task (same CPU X) ----------- -------------------------------- seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1]

                                rt_genid_bump_ipv6()
                                  -> bumps fib6_sernum
                                     [fib6_sernum from W to Z]
                                ip6_route_output()
                                  -> ip6_pol_route()
                                    -> FIB lookup resolves fib6_nh
                                       [nhid=N]
                                    -> rt6_get_pcpu_route()
                                         pcpu_rt->sernum != fib6_sernum
                                         [W <> Z, stale]
                                      -> prev = xchg(rt6i_pcpu, NULL)
                                      -> dst_release(prev)
                                         [prev is pcpu_rt,
                                          refcount 1->0, dead]

dst = skb_dst(skb)
[dst is the dead pcpu_rt]
dst_cache_set_ip6(dst)
  -> dst_hold() on dead dst
  -> WARN / use-after-free

For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry.

Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46099"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:31Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels\n\nseg6_input_core() and rpl_input() call ip6_route_input() which sets a\nNOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking\ndst_hold() unconditionally.\nOn PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can\nrelease the underlying pcpu_rt between the lookup and the caching\nthrough a concurrent FIB lookup on a shared nexthop.\nSimplified race sequence:\n\n  ksoftirqd/X                       higher-prio task (same CPU X)\n  -----------                       --------------------------------\n  seg6_input_core(,skb)/rpl_input(skb)\n    dst_cache_get()\n      -\u003e miss\n    ip6_route_input(skb)\n      -\u003e ip6_pol_route(,skb,flags)\n         [RT6_LOOKUP_F_DST_NOREF in flags]\n        -\u003e FIB lookup resolves fib6_nh\n           [nhid=N route]\n        -\u003e rt6_make_pcpu_route()\n           [creates pcpu_rt, refcount=1]\n             pcpu_rt-\u003esernum = fib6_sernum\n             [fib6_sernum=W]\n           -\u003e cmpxchg(fib6_nh.rt6i_pcpu,\n                      NULL, pcpu_rt)\n              [slot was empty, store succeeds]\n      -\u003e skb_dst_set_noref(skb, dst)\n         [dst is pcpu_rt, refcount still 1]\n\n                                    rt_genid_bump_ipv6()\n                                      -\u003e bumps fib6_sernum\n                                         [fib6_sernum from W to Z]\n                                    ip6_route_output()\n                                      -\u003e ip6_pol_route()\n                                        -\u003e FIB lookup resolves fib6_nh\n                                           [nhid=N]\n                                        -\u003e rt6_get_pcpu_route()\n                                             pcpu_rt-\u003esernum != fib6_sernum\n                                             [W \u003c\u003e Z, stale]\n                                          -\u003e prev = xchg(rt6i_pcpu, NULL)\n                                          -\u003e dst_release(prev)\n                                             [prev is pcpu_rt,\n                                              refcount 1-\u003e0, dead]\n\n    dst = skb_dst(skb)\n    [dst is the dead pcpu_rt]\n    dst_cache_set_ip6(dst)\n      -\u003e dst_hold() on dead dst\n      -\u003e WARN / use-after-free\n\nFor the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without\nPREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release\nthe pcpu_rt. Shared nexthop objects provide such a path, as two routes\npointing to the same nhid share the same fib6_nh and its rt6i_pcpu\nentry.\n\nFix seg6_input_core() and rpl_input() by calling skb_dst_force() after\nip6_route_input() to force the NOREF dst into a refcounted one before\ncaching.\nThe output path is not affected as ip6_route_output() already returns a\nrefcounted dst.",
  "id": "GHSA-9x88-7c3c-r34g",
  "modified": "2026-06-30T03:36:51Z",
  "published": "2026-05-27T15:33:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46099"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-46099"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481972"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51fef5a7c4d160839199e941929456ba21ddf73c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52f9db67f8f35f436366cf4980b4f0a2583d0ef0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bd17925bd6866027a6555db17905b9fc073d38d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9dd5481f960e337b81d7dfe429529495c1c481c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b258b849a580285a1692e782ebc902b44c884a71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b778b6d095421619c331fd2d7751143cd5387103"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9c52a6ba9780bd27e0bf4c044fd91c13c778b6e"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46099.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5W9-M9R4-63PR

Vulnerability from github – Published: 2024-12-28 06:30 – Updated: 2025-01-09 18:32
VLAI
Details

Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-28T05:15:08Z",
    "severity": "HIGH"
  },
  "details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.",
  "id": "GHSA-g5w9-m9r4-63pr",
  "modified": "2025-01-09T18:32:13Z",
  "published": "2024-12-28T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46972"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR5C-F7V3-7G8C

Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-05-27 00:01
VLAI
Details

Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-17T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.",
  "id": "GHSA-jr5c-f7v3-7g8c",
  "modified": "2022-05-27T00:01:44Z",
  "published": "2022-05-18T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29581"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3db09e762dc79584a69c10d74a6b98f89a9979f8"
    },
    {
      "type": "WEB",
      "url": "https://kernel.dance/#3db09e762dc79584a69c10d74a6b98f89a9979f8"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220629-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5173"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167386/Kernel-Live-Patch-Security-Notice-LSN-0086-1.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/168191/Kernel-Live-Patch-Security-Notice-LSN-0089-1.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/18/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M5WQ-R6HH-XQF5

Vulnerability from github – Published: 2023-04-07 03:30 – Updated: 2023-04-13 21:30
VLAI
Details

It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-07T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.",
  "id": "GHSA-m5wq-r6hh-xqf5",
  "modified": "2023-04-13T21:30:27Z",
  "published": "2023-04-07T03:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11935"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/bugs/1873074"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2020-11935"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.