Commit 86f2a7f

Advisory Database Sync
1 parent 31d993d commit 86f2a7f

63 files changed

Lines changed: 618 additions & 177 deletions

advisories/unreviewed/2026/05/GHSA-2xr2-hxv5-9jxf/GHSA-2xr2-hxv5-9jxf.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2xr2-hxv5-9jxf",
4-
"modified": "2026-05-08T15:31:29Z",
4+
"modified": "2026-05-11T09:30:31Z",
55
"published": "2026-05-08T15:31:29Z",
66
"aliases": [
77
"CVE-2026-43462"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: spacemit: Fix error handling in emac_tx_mem_map()\n\nThe DMA mappings were leaked on mapping error. Free them with the\nexisting emac_free_tx_buf() function.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
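Review bot: "affected" is still [] on the context line right after the new "severity" block, so the advisory now carries an AV:N/PR:N, A:H vector with no package or version range to match it against. The details only describe DMA mappings leaked on a mapping error in emac_tx_mem_map(); record why a network-reachable, unauthenticated vector applies, or populate the affected range alongside the score.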
@@ -29,7 +34,7 @@
2934
],
3035
"database_specific": {
3136
"cwe_ids": [],
32-
"severity": null,
37+
"severity": "HIGH",
3338
"github_reviewed": false,
3439
"github_reviewed_at": null,
3540
"nvd_published_at": "2026-05-08T15:16:59Z"

advisories/unreviewed/2026/05/GHSA-3ggx-x2j4-gfqr/GHSA-3ggx-x2j4-gfqr.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-3ggx-x2j4-gfqr",
4-
"modified": "2026-05-08T15:31:24Z",
4+
"modified": "2026-05-11T09:30:30Z",
55
"published": "2026-05-08T15:31:24Z",
66
"aliases": [
77
"CVE-2026-43334"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SMP: force responder MITM requirements before building the pairing response\n\nsmp_cmd_pairing_req() currently builds the pairing response from the\ninitiator auth_req before enforcing the local BT_SECURITY_HIGH\nrequirement. If the initiator omits SMP_AUTH_MITM, the response can\nalso omit it even though the local side still requires MITM.\n\ntk_request() then sees an auth value without SMP_AUTH_MITM and may\nselect JUST_CFM, making method selection inconsistent with the pairing\npolicy the responder already enforces.\n\nWhen the local side requires HIGH security, first verify that MITM can\nbe achieved from the IO capabilities and then force SMP_AUTH_MITM in the\nresponse in both rsp.auth_req and auth. This keeps the responder auth bits\nand later method selection aligned.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
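Review bot: The added "score" line sets A:H, but the details describe only an authentication downgrade (a pairing response built without SMP_AUTH_MITM, after which tk_request() may select JUST_CFM) and say nothing about availability. Check C:H/I:H/A:H against the upstream record before relying on it, and note that "affected" remains [] so the rating cannot be tied to kernel versions.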
@@ -49,7 +54,7 @@
4954
],
5055
"database_specific": {
5156
"cwe_ids": [],
52-
"severity": null,
57+
"severity": "HIGH",
5358
"github_reviewed": false,
5459
"github_reviewed_at": null,
5560
"nvd_published_at": "2026-05-08T14:16:43Z"

advisories/unreviewed/2026/05/GHSA-3jfw-v6mf-ccwx/GHSA-3jfw-v6mf-ccwx.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-3jfw-v6mf-ccwx",
4-
"modified": "2026-05-08T15:31:29Z",
4+
"modified": "2026-05-11T09:30:31Z",
55
"published": "2026-05-08T15:31:29Z",
66
"aliases": [
77
"CVE-2026-43452"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: guard option walkers against 1-byte tail reads\n\nWhen the last byte of options is a non-single-byte option kind, walkers\nthat advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end\nof the option area.\n\nAdd an explicit i == optlen - 1 check before dereferencing op[i + 1]\nin xt_tcpudp and xt_dccp option walkers.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -49,7 +54,7 @@
4954
],
5055
"database_specific": {
5156
"cwe_ids": [],
52-
"severity": null,
57+
"severity": "HIGH",
5358
"github_reviewed": false,
5459
"github_reviewed_at": null,
5560
"nvd_published_at": "2026-05-08T15:16:57Z"
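Review bot: "cwe_ids" is left as [] in the hunk that sets "severity": "HIGH". The details describe option walkers reading op[i + 1] past the end of the option area, which is CWE-125 (Out-of-bounds Read); adding it would make the C:L/A:H split in the vector easier to audit.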

advisories/unreviewed/2026/05/GHSA-3mqh-w39c-q3pj/GHSA-3mqh-w39c-q3pj.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-3mqh-w39c-q3pj",
4-
"modified": "2026-05-08T15:31:26Z",
4+
"modified": "2026-05-11T09:30:30Z",
55
"published": "2026-05-08T15:31:25Z",
66
"aliases": [
77
"CVE-2026-43362"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix in-place encryption corruption in SMB2_write()\n\nSMB2_write() places write payload in iov[1..n] as part of rq_iov.\nsmb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()\nencrypts iov[1] in-place, replacing the original plaintext with\nciphertext. On a replayable error, the retry sends the same iov[1]\nwhich now contains ciphertext instead of the original data,\nresulting in corruption.\n\nThe corruption is most likely to be observed when connections are\nunstable, as reconnects trigger write retries that re-send the\nalready-encrypted data.\n\nThis affects SFU mknod, MF symlinks, etc. On kernels before\n6.10 (prior to the netfs conversion), sync writes also used\nthis path and were similarly affected. The async write path\nwasn't unaffected as it uses rq_iter which gets deep-copied.\n\nFix by moving the write payload into rq_iter via iov_iter_kvec(),\nso smb3_init_transform_rq() deep-copies it before encryption.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
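Review bot: UI:R on the added "score" line is not explained by the details, which attribute the corruption to write retries after a replayable error on unstable connections rather than to any user action. The text describes data corruption (an integrity effect) and does not mention loss of availability, so the UI:R and A:H choices should be checked against the upstream record.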
@@ -37,7 +42,7 @@
3742
],
3843
"database_specific": {
3944
"cwe_ids": [],
40-
"severity": null,
45+
"severity": "HIGH",
4146
"github_reviewed": false,
4247
"github_reviewed_at": null,
4348
"nvd_published_at": "2026-05-08T15:16:47Z"

advisories/unreviewed/2026/05/GHSA-3v8x-c22j-hv4q/GHSA-3v8x-c22j-hv4q.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-3v8x-c22j-hv4q",
4-
"modified": "2026-05-08T15:31:26Z",
4+
"modified": "2026-05-11T09:30:30Z",
55
"published": "2026-05-08T15:31:26Z",
66
"aliases": [
77
"CVE-2026-43376"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free by using call_rcu() for oplock_info\n\nksmbd currently frees oplock_info immediately using kfree(), even\nthough it is accessed under RCU read-side critical sections in places\nlike opinfo_get() and proc_show_files().\n\nSince there is no RCU grace period delay between nullifying the pointer\nand freeing the memory, a reader can still access oplock_info\nstructure after it has been freed. This can leads to a use-after-free\nespecially in opinfo_get() where atomic_inc_not_zero() is called on\nalready freed memory.\n\nFix this by switching to deferred freeing using call_rcu().",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -37,7 +42,7 @@
3742
],
3843
"database_specific": {
3944
"cwe_ids": [],
40-
"severity": null,
45+
"severity": "CRITICAL",
4146
"github_reviewed": false,
4247
"github_reviewed_at": null,
4348
"nvd_published_at": "2026-05-08T15:16:48Z"
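Review bot: "cwe_ids" stays [] while "severity" moves from null to "CRITICAL". The details name the defect directly (oplock_info freed with kfree() while still reachable from RCU readers such as opinfo_get()), so CWE-416 (Use After Free) can be recorded here without waiting for review.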

advisories/unreviewed/2026/05/GHSA-3xxf-f9pw-rwm5/GHSA-3xxf-f9pw-rwm5.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-3xxf-f9pw-rwm5",
4-
"modified": "2026-05-08T15:31:26Z",
4+
"modified": "2026-05-11T09:30:31Z",
55
"published": "2026-05-08T15:31:26Z",
66
"aliases": [
77
"CVE-2026-43384"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tcp-ao: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant\ntime. Use the appropriate helper function for this.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
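Review bot: The vector on the added "score" line rates a non-constant-time MAC comparison as AC:L with C:H/I:H/A:H, which the details do not support; they state only that MACs must be compared in constant time to prevent timing attacks. A timing side channel would usually be scored AC:H with no direct availability impact, so confirm the vector before it drives the rating in the second hunk.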
@@ -33,7 +38,7 @@
3338
],
3439
"database_specific": {
3540
"cwe_ids": [],
36-
"severity": null,
41+
"severity": "CRITICAL",
3742
"github_reviewed": false,
3843
"github_reviewed_at": null,
3944
"nvd_published_at": "2026-05-08T15:16:49Z"
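Review bot: "cwe_ids" is still [] in the hunk that sets "severity": "CRITICAL". CWE-208 (Observable Timing Discrepancy) matches the MAC comparison issue in the details, and recording it lets consumers see that the CRITICAL label is attached to a side channel rather than to memory corruption.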

advisories/unreviewed/2026/05/GHSA-45q4-4828-537r/GHSA-45q4-4828-537r.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-45q4-4828-537r",
4-
"modified": "2026-05-08T15:31:23Z",
4+
"modified": "2026-05-11T09:30:29Z",
55
"published": "2026-05-08T15:31:23Z",
66
"aliases": [
77
"CVE-2026-43329"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: strictly check for maximum number of actions\n\nThe maximum number of flowtable hardware offload actions in IPv6 is:\n\n* ethernet mangling (4 payload actions, 2 for each ethernet address)\n* SNAT (4 payload actions)\n* DNAT (4 payload actions)\n* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)\n for QinQ.\n* Redirect (1 action)\n\nWhich makes 17, while the maximum is 16. But act_ct supports for tunnels\nactions too. Note that payload action operates at 32-bit word level, so\nmangling an IPv6 address takes 4 payload actions.\n\nUpdate flow_action_entry_next() calls to check for the maximum number of\nsupported actions.\n\nWhile at it, rise the maximum number of actions per flow from 16 to 24\nso this works fine with IPv6 setups.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -45,7 +50,7 @@
4550
],
4651
"database_specific": {
4752
"cwe_ids": [],
48-
"severity": null,
53+
"severity": "HIGH",
4954
"github_reviewed": false,
5055
"github_reviewed_at": null,
5156
"nvd_published_at": "2026-05-08T14:16:42Z"
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-462c-h7qr-cxm6",
4+
"modified": "2026-05-11T09:30:32Z",
5+
"published": "2026-05-11T09:30:32Z",
6+
"aliases": [
7+
"CVE-2026-5084"
8+
],
9+
"details": "WebDyne::Session versions through 2.075 for Perl generates the session id insecurely.\n\nThe session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest.\n\nThe rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes.\n\nPredictable session ids could allow an attacker to gain access to systems.\n\nNote that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5084"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://metacpan.org/release/ASPEER/WebDyne-2.075/source/lib/WebDyne/Session.pm#L120"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://webdyne.org"
28+
}
29+
],
30+
"database_specific": {
31+
"cwe_ids": [
32+
"CWE-338"
33+
],
34+
"severity": null,
35+
"github_reviewed": false,
36+
"github_reviewed_at": null,
37+
"nvd_published_at": "2026-05-11T08:16:16Z"
38+
}
39+
}
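Review bot: The "affected": [] line in this new file is empty even though the details give a concrete range ("WebDyne::Session versions through 2.075"), so scanners cannot match the advisory to an installed version. "severity" is [] and "database_specific.severity" is null as well; if no vector has been published yet that is acceptable, but the version range from the details can be recorded now, and the note that versions 1.042 and earlier ship in a separate distribution should be reflected in how the range is expressed.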

advisories/unreviewed/2026/05/GHSA-473v-h78r-2j73/GHSA-473v-h78r-2j73.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-473v-h78r-2j73",
4-
"modified": "2026-05-08T15:31:25Z",
4+
"modified": "2026-05-11T09:30:30Z",
55
"published": "2026-05-08T15:31:25Z",
66
"aliases": [
77
"CVE-2026-43353"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix race in DMA ring dequeue\n\nThe HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for\nmultiple transfers that timeout around the same time. However, the\nfunction is not serialized and can race with itself.\n\nWhen a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes\nincomplete transfers, and then restarts the ring. If another timeout\ntriggers a parallel call into the same function, the two instances may\ninterfere with each other - stopping or restarting the ring at unexpected\ntimes.\n\nAdd a mutex so that hci_dma_dequeue_xfer() is serialized with respect to\nitself.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -29,7 +34,7 @@
2934
],
3035
"database_specific": {
3136
"cwe_ids": [],
32-
"severity": null,
37+
"severity": "HIGH",
3338
"github_reviewed": false,
3439
"github_reviewed_at": null,
3540
"nvd_published_at": "2026-05-08T15:16:46Z"
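Review bot: "cwe_ids" is left as [] where "severity" becomes "HIGH". The details describe hci_dma_dequeue_xfer() racing with itself when several transfers time out together, which is CWE-362 (Race Condition); adding it gives the C:H/I:H/A:H vector some stated basis, since the text itself only mentions the ring being stopped or restarted at unexpected times.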

advisories/unreviewed/2026/05/GHSA-4f56-4jhm-5934/GHSA-4f56-4jhm-5934.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-4f56-4jhm-5934",
4-
"modified": "2026-05-08T15:31:23Z",
4+
"modified": "2026-05-11T09:30:29Z",
55
"published": "2026-05-08T15:31:23Z",
66
"aliases": [
77
"CVE-2026-43324"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: dummy-hcd: Fix interrupt synchronization error\n\nThis fixes an error in synchronization in the dummy-hcd driver. The\nerror has a somewhat involved history. The synchronization mechanism\nwas introduced by commit 7dbd8f4cabd9 (\"USB: dummy-hcd: Fix erroneous\nsynchronization change\"), which added an emulated \"interrupts enabled\"\nflag together with code emulating synchronize_irq() (it waits until\nall current handler callbacks have returned).\n\nBut the emulated interrupt-disable occurred too late, after the driver\ncontaining the handler callback routines had been told that it was\nunbound and no more callbacks would occur. Commit 4a5d797a9f9c (\"usb:\ngadget: dummy_hcd: fix gpf in gadget_setup\") tried to fix this by\nmoving the synchronize_irq() emulation code from dummy_stop() to\ndummy_pullup(), which runs before the unbind callback.\n\nThere still were races, though, because the emulated interrupt-disable\nstill occurred too late. It couldn't be moved to dummy_pullup(),\nbecause that routine can be called for reasons other than an impending\nunbind. Therefore commits 7dc0c55e9f30 (\"USB: UDC core: Add\nudc_async_callbacks gadget op\") and 04145a03db9d (\"USB: UDC: Implement\nudc_async_callbacks in dummy-hcd\") added an API allowing the UDC core\nto tell dummy-hcd exactly when emulated interrupts and their callbacks\nshould be disabled.\n\nThat brings us to the current state of things, which is still wrong\nbecause the emulated synchronize_irq() occurs before the emulated\ninterrupt-disable! 
That's no good, beause it means that more emulated\ninterrupts can occur after the synchronize_irq() emulation has run,\nleading to the possibility that a callback handler may be running when\nthe gadget driver is unbound.\n\nTo fix this, we have to move the synchronize_irq() emulation code yet\nagain, to the dummy_udc_async_callbacks() routine, which takes care of\nenabling and disabling emulated interrupt requests. The\nsynchronization will now run immediately after emulated interrupts are\ndisabled, which is where it belongs.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -45,7 +50,7 @@
4550
],
4651
"database_specific": {
4752
"cwe_ids": [],
48-
"severity": null,
53+
"severity": "HIGH",
4954
"github_reviewed": false,
5055
"github_reviewed_at": null,
5156
"nvd_published_at": "2026-05-08T14:16:41Z"
