CWE-252
AllowedUnchecked Return Value
Abstraction: Base · Status: Draft
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
227 vulnerabilities reference this CWE, most recent first.
GHSA-C7XG-CC4Q-797M
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40A denial of service vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-62673844.
{
"affected": [],
"aliases": [
"CVE-2017-0774"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-08T20:29:00Z",
"severity": "HIGH"
},
"details": "A denial of service vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-62673844.",
"id": "GHSA-c7xg-cc4q-797m",
"modified": "2022-05-13T01:40:40Z",
"published": "2022-05-13T01:40:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0774"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-09-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100649"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C9G6-7M2J-RFH8
Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-03 19:00A vulnerability was found in Axiomatic Bento4. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Incomplete Fix CVE-2019-13238. The manipulation leads to resource consumption. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212660.
{
"affected": [],
"aliases": [
"CVE-2022-3807"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-400",
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T20:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Axiomatic Bento4. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Incomplete Fix CVE-2019-13238. The manipulation leads to resource consumption. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212660.",
"id": "GHSA-c9g6-7m2j-rfh8",
"modified": "2022-11-03T19:00:27Z",
"published": "2022-11-02T12:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3807"
},
{
"type": "WEB",
"url": "https://github.com/axiomatic-systems/Bento4/issues/803"
},
{
"type": "WEB",
"url": "https://github.com/axiomatic-systems/Bento4/files/9820612/mp42aac_exhaustive_AP4_RtpAtom50.zip"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.212660"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CFV5-3VM4-4JFP
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-02 00:01A flaw was found in the copying tool nbdcopy of libnbd. When performing multi-threaded copies using asynchronous nbd calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the *error parameter. This could result in the silent creation of a corrupted destination image.
{
"affected": [],
"aliases": [
"CVE-2022-0485"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T15:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in the copying tool `nbdcopy` of libnbd. When performing multi-threaded copies using asynchronous nbd calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the *error parameter. This could result in the silent creation of a corrupted destination image.",
"id": "GHSA-cfv5-3vm4-4jfp",
"modified": "2022-09-02T00:01:03Z",
"published": "2022-08-29T20:06:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0485"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0485"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2046194"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050324"
},
{
"type": "WEB",
"url": "https://gitlab.com/nbdkit/libnbd/-/commit/8d444b41d09a700c7ee6f9182a649f3f2d325abb"
},
{
"type": "WEB",
"url": "https://listman.redhat.com/archives/libguestfs/2022-February/msg00104.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CG3G-C98G-38CG
Vulnerability from github – Published: 2022-05-01 18:17 – Updated: 2024-10-15 18:30Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
{
"affected": [],
"aliases": [
"CVE-2007-3798"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-07-16T22:30:00Z",
"severity": "MODERATE"
},
"details": "Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.",
"id": "GHSA-cg3g-c98g-38cg",
"modified": "2024-10-15T18:30:48Z",
"published": "2022-05-01T18:17:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3798"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9771"
},
{
"type": "WEB",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=184815"
},
{
"type": "WEB",
"url": "http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c?r1=1.91.2.11\u0026r2=1.91.2.12"
},
{
"type": "WEB",
"url": "http://docs.info.apple.com/article.html?artnum=307179"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26135"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26168"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26223"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26231"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26263"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26266"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26286"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26395"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26404"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26521"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27580"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28136"
},
{
"type": "WEB",
"url": "http://security.freebsd.org/advisories/FreeBSD-SA-07:06.tcpdump.asc"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200707-14.xml"
},
{
"type": "WEB",
"url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2007\u0026m=slackware-security.449313"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2007/dsa-1353"
},
{
"type": "WEB",
"url": "http://www.digit-labs.org/files/exploits/private/tcpdump-bgp.c"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:148"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2007_16_sr.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0368.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2007-0387.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/474225/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/24965"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1018434"
},
{
"type": "WEB",
"url": "http://www.trustix.org/errata/2007/0023"
},
{
"type": "WEB",
"url": "http://www.turbolinux.com/security/2007/TLSA-2007-46.txt"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-492-1"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA07-352A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/2578"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/4238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CQ7M-PX5H-48PX
Vulnerability from github – Published: 2025-10-15 18:31 – Updated: 2025-10-15 18:31When a BIG IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2025-61935"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T16:15:35Z",
"severity": "HIGH"
},
"details": "When a BIG IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-cq7m-px5h-48px",
"modified": "2025-10-15T18:31:51Z",
"published": "2025-10-15T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61935"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000154664"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CW7V-45WM-MCF2
Vulnerability from github – Published: 2026-03-27 22:21 – Updated: 2026-04-30 18:33Duplicate Advisory
This advisory has been withdrawn because it is been determined to not be a vulnerability. This link is maintained to preserve external references.
Original Description
Summary
Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a persistent Denial of Service (DoS) via a malformed image upload.
Details
The vulnerability is caused by improper validation of the return value of PHP's getimagesize() function. When a malformed file is uploaded with a valid image extension (e.g., .jpg), the function returns false instead of an expected array.
The application fails to handle this condition properly and proceeds with image processing, resulting in a fatal TypeError. This leads to persistent application crashes when the affected file is accessed.
Impact
- Persistent Denial of Service (DoS)
- Affected pages return HTTP 500 errors
- Requires manual removal of the malformed file to restore functionality
- Exploitable by authenticated users with Editor permissions
Identifiers
- CVE-2026-29905
Resources
- https://github.com/github/advisory-database/pull/7503
- https://github.com/Stalin-143/CVE-2026-29905
- https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1
- https://www.cve.org/CVERecord?id=CVE-2026-29905
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.0-rc.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29905"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-252"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T22:21:26Z",
"nvd_published_at": "2026-03-26T17:16:34Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is been determined to not be a vulnerability. This link is maintained to preserve external references.\n\n### Original Description\n\n## Summary\n\nKirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a persistent Denial of Service (DoS) via a malformed image upload.\n\n## Details\n\nThe vulnerability is caused by improper validation of the return value of PHP\u0027s `getimagesize()` function. When a malformed file is uploaded with a valid image extension (e.g., `.jpg`), the function returns `false` instead of an expected array.\n\nThe application fails to handle this condition properly and proceeds with image processing, resulting in a fatal `TypeError`. This leads to persistent application crashes when the affected file is accessed.\n\n## Impact\n\n- Persistent Denial of Service (DoS)\n- Affected pages return HTTP 500 errors\n- Requires manual removal of the malformed file to restore functionality\n- Exploitable by authenticated users with Editor permissions\n\n\n## Identifiers\n- CVE-2026-29905\n\n## Resources\n\n- https://github.com/github/advisory-database/pull/7503\n- https://github.com/Stalin-143/CVE-2026-29905\n- https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1\n- https://www.cve.org/CVERecord?id=CVE-2026-29905",
"id": "GHSA-cw7v-45wm-mcf2",
"modified": "2026-04-30T18:33:03Z",
"published": "2026-03-27T22:21:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Stalin-143/CVE-2026-29905/security/advisories/GHSA-cw7v-45wm-mcf2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29905"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/7503"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1MwvvSYIwnC8kOIzjycGMQZw4d2K2ef8h/view?usp=sharing"
},
{
"type": "PACKAGE",
"url": "https://github.com/Stalin-143/CVE-2026-29905"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload",
"withdrawn": "2026-04-30T18:33:03Z"
}
GHSA-CXVJ-JX5H-9XF2
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-18 12:00An Unchecked Return Value to NULL Pointer Dereference vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). On SRX Series if Unified Threat Management (UTM) Enhanced Content Filtering (CF) and AntiVirus (AV) are enabled together and the system processes specific valid transit traffic the Packet Forwarding Engine (PFE) will crash and restart. This issue affects Juniper Networks Junos OS 21.4 versions prior to 21.4R1-S2, 21.4R2 on SRX Series. This issue does not affect Juniper Networks Junos OS versions prior to 21.4R1.
{
"affected": [],
"aliases": [
"CVE-2022-22231"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-476",
"CWE-690"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-18T03:15:00Z",
"severity": "HIGH"
},
"details": "An Unchecked Return Value to NULL Pointer Dereference vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). On SRX Series if Unified Threat Management (UTM) Enhanced Content Filtering (CF) and AntiVirus (AV) are enabled together and the system processes specific valid transit traffic the Packet Forwarding Engine (PFE) will crash and restart. This issue affects Juniper Networks Junos OS 21.4 versions prior to 21.4R1-S2, 21.4R2 on SRX Series. This issue does not affect Juniper Networks Junos OS versions prior to 21.4R1.",
"id": "GHSA-cxvj-jx5h-9xf2",
"modified": "2022-10-18T12:00:30Z",
"published": "2022-10-18T12:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22231"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA69885"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F329-HQH6-8QMX
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-21 19:01An Unchecked Return Value to NULL Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a locally authenticated attacker with low privileges to cause a Denial of Service (DoS). In Segment Routing (SR) to Label Distribution Protocol (LDP) interworking scenario, configured with Segment Routing Mapping Server (SRMS) at any node, when an Area Border Router (ABR) leaks the SRMS entries having "S" flag set from IS-IS Level 2 to Level 1, an rpd core might be observed when a specific low privileged CLI command is issued. This issue affects: Juniper Networks Junos OS 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R2. Juniper Networks Junos OS Evolved 21.4-EVO versions prior to 21.4R1-S2-EVO, 21.4R2-S1-EVO, 21.4R3-EVO; 22.1-EVO versions prior to 22.1R2-EVO. This issue does not affect: Juniper Networks Junos OS versions prior to 21.4R1. Juniper Networks Junos OS Evolved versions prior to 21.4R1-EVO.
{
"affected": [],
"aliases": [
"CVE-2022-22233"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-476",
"CWE-690"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-18T03:15:00Z",
"severity": "MODERATE"
},
"details": "An Unchecked Return Value to NULL Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a locally authenticated attacker with low privileges to cause a Denial of Service (DoS). In Segment Routing (SR) to Label Distribution Protocol (LDP) interworking scenario, configured with Segment Routing Mapping Server (SRMS) at any node, when an Area Border Router (ABR) leaks the SRMS entries having \"S\" flag set from IS-IS Level 2 to Level 1, an rpd core might be observed when a specific low privileged CLI command is issued. This issue affects: Juniper Networks Junos OS 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R2. Juniper Networks Junos OS Evolved 21.4-EVO versions prior to 21.4R1-S2-EVO, 21.4R2-S1-EVO, 21.4R3-EVO; 22.1-EVO versions prior to 22.1R2-EVO. This issue does not affect: Juniper Networks Junos OS versions prior to 21.4R1. Juniper Networks Junos OS Evolved versions prior to 21.4R1-EVO.",
"id": "GHSA-f329-hqh6-8qmx",
"modified": "2022-10-21T19:01:13Z",
"published": "2022-10-18T12:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22233"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA69887"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3GJ-M2GW-JF95
Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:31In the Linux kernel, the following vulnerability has been resolved:
ACPI: PPTT: Fix to avoid sleep in the atomic context when PPTT is absent
Commit 0c80f9e165f8 ("ACPI: PPTT: Leave the table mapped for the runtime usage") enabled to map PPTT once on the first invocation of acpi_get_pptt() and never unmapped the same allowing it to be used at runtime with out the hassle of mapping and unmapping the table. This was needed to fetch LLC information from the PPTT in the cpuhotplug path which is executed in the atomic context as the acpi_get_table() might sleep waiting for a mutex.
However it missed to handle the case when there is no PPTT on the system which results in acpi_get_pptt() being called from all the secondary CPUs attempting to fetch the LLC information in the atomic context without knowing the absence of PPTT resulting in the splat like below:
| BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:164 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 1, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 0 | hardirqs last enabled at (0): 0x0 | hardirqs last disabled at (0): copy_process+0x61c/0x1b40 | softirqs last enabled at (0): copy_process+0x61c/0x1b40 | softirqs last disabled at (0): 0x0 | CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.3.0-rc1 #1 | Call trace: | dump_backtrace+0xac/0x138 | show_stack+0x30/0x48 | dump_stack_lvl+0x60/0xb0 | dump_stack+0x18/0x28 | __might_resched+0x160/0x270 | __might_sleep+0x58/0xb0 | down_timeout+0x34/0x98 | acpi_os_wait_semaphore+0x7c/0xc0 | acpi_ut_acquire_mutex+0x58/0x108 | acpi_get_table+0x40/0xe8 | acpi_get_pptt+0x48/0xa0 | acpi_get_cache_info+0x38/0x140 | init_cache_level+0xf4/0x118 | detect_cache_attributes+0x2e4/0x640 | update_siblings_masks+0x3c/0x330 | store_cpu_topology+0x88/0xf0 | secondary_start_kernel+0xd0/0x168 | __secondary_switched+0xb8/0xc0
Update acpi_get_pptt() to consider the fact that PPTT is once checked and is not available on the system and return NULL avoiding any attempts to fetch PPTT and thereby avoiding any possible sleep waiting for a mutex in the atomic context.
{
"affected": [],
"aliases": [
"CVE-2023-53070"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T16:15:26Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: PPTT: Fix to avoid sleep in the atomic context when PPTT is absent\n\nCommit 0c80f9e165f8 (\"ACPI: PPTT: Leave the table mapped for the runtime usage\")\nenabled to map PPTT once on the first invocation of acpi_get_pptt() and\nnever unmapped the same allowing it to be used at runtime with out the\nhassle of mapping and unmapping the table. This was needed to fetch LLC\ninformation from the PPTT in the cpuhotplug path which is executed in\nthe atomic context as the acpi_get_table() might sleep waiting for a\nmutex.\n\nHowever it missed to handle the case when there is no PPTT on the system\nwhich results in acpi_get_pptt() being called from all the secondary\nCPUs attempting to fetch the LLC information in the atomic context\nwithout knowing the absence of PPTT resulting in the splat like below:\n\n | BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:164\n | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1\n | preempt_count: 1, expected: 0\n | RCU nest depth: 0, expected: 0\n | no locks held by swapper/1/0.\n | irq event stamp: 0\n | hardirqs last enabled at (0): 0x0\n | hardirqs last disabled at (0): copy_process+0x61c/0x1b40\n | softirqs last enabled at (0): copy_process+0x61c/0x1b40\n | softirqs last disabled at (0): 0x0\n | CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.3.0-rc1 #1\n | Call trace:\n | dump_backtrace+0xac/0x138\n | show_stack+0x30/0x48\n | dump_stack_lvl+0x60/0xb0\n | dump_stack+0x18/0x28\n | __might_resched+0x160/0x270\n | __might_sleep+0x58/0xb0\n | down_timeout+0x34/0x98\n | acpi_os_wait_semaphore+0x7c/0xc0\n | acpi_ut_acquire_mutex+0x58/0x108\n | acpi_get_table+0x40/0xe8\n | acpi_get_pptt+0x48/0xa0\n | acpi_get_cache_info+0x38/0x140\n | init_cache_level+0xf4/0x118\n | detect_cache_attributes+0x2e4/0x640\n | update_siblings_masks+0x3c/0x330\n | store_cpu_topology+0x88/0xf0\n | secondary_start_kernel+0xd0/0x168\n | __secondary_switched+0xb8/0xc0\n\nUpdate acpi_get_pptt() to consider the fact that PPTT is once checked and\nis not available on the system and return NULL avoiding any attempts to\nfetch PPTT and thereby avoiding any possible sleep waiting for a mutex\nin the atomic context.",
"id": "GHSA-f3gj-m2gw-jf95",
"modified": "2025-11-12T21:31:00Z",
"published": "2025-05-02T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53070"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1318a07706bb2f8c65f88f39a16c2b5260bcdcd4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/91d7b60a65d9f71230ea09b86d2058a884a3c2af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0c1106d51b9abc8eae03c5522b20649b6a55f6e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F5X6-7QGP-JHF3
Vulnerability from github – Published: 2023-07-25 17:46 – Updated: 2024-11-19 16:44Impact
the ecrecover precompile does not fill the output buffer if the signature does not verify, see https://github.com/ethereum/go-ethereum/blob/b058cf454b3bdc7e770e2b3cec83a0bcb48f55ee/core/vm/contracts.go#L188. however, the ecrecover builtin will still return whatever is at memory location 0.
this means that the if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature.
A contract search was performed. Most uses of ecrecover are used for erc2612-style permit implementations, which typically look like:
assert _owner != empty(address)
assert block.timestamp <= _deadline
nonce: uint256 = self.nonces[_owner]
digest: bytes32 = keccak256(
concat(
b"\x19\x01",
self.DOMAIN_SEPARATOR,
keccak256(_abi_encode(PERMIT_TYPEHASH, _owner, _spender, _value, nonce, _deadline))
)
)
assert ecrecover(digest, convert(_v, uint256), convert(_r, uint256), convert(_s, uint256)) == _owner
in this case, the immutable PERMIT_TYPEHASH is loaded into ecrecover's output buffer right before ecrecover(), and so the output of ecrecover() here when the signature is invalid will be the value of PERMIT_TYPEHASH. in this case, since PERMIT_TYPEHASH is not a valid address, it will never compare == to _owner, and so the behaviour is exactly the same as if ecrecover() returned 0 in this case.
in general, a contract could have unexpected behavior (i.e. mistakenly pass this style of signature check) if an immutable representing a real address (ex. OWNER) was read right before the ecrecover operation.
Patches
v0.3.10 (with 019a37ab98ff53f04fecfadf602b6cd5ac748f7f and #3586)
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vyper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37902"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-25T17:46:19Z",
"nvd_published_at": "2023-07-25T21:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\nthe ecrecover precompile does not fill the output buffer if the signature does not verify, see https://github.com/ethereum/go-ethereum/blob/b058cf454b3bdc7e770e2b3cec83a0bcb48f55ee/core/vm/contracts.go#L188. however, the ecrecover builtin will still return whatever is at memory location 0.\n\nthis means that the if the compiler has been convinced to write to the 0 memory location with specially crafted data (generally, this can happen with a hashmap access or immutable read) just before the ecrecover, a signature check might pass on an invalid signature.\n\nA contract search was performed. Most uses of `ecrecover` are used for erc2612-style permit implementations, which typically look like:\n\n```vyper\n assert _owner != empty(address)\n assert block.timestamp \u003c= _deadline\n \n nonce: uint256 = self.nonces[_owner]\n digest: bytes32 = keccak256(\n concat( \n b\"\\x19\\x01\",\n self.DOMAIN_SEPARATOR,\n keccak256(_abi_encode(PERMIT_TYPEHASH, _owner, _spender, _value, nonce, _deadline))\n ) \n ) \n assert ecrecover(digest, convert(_v, uint256), convert(_r, uint256), convert(_s, uint256)) == _owner\n```\n\nin this case, the immutable `PERMIT_TYPEHASH` is loaded into `ecrecover`\u0027s output buffer right before `ecrecover()`, and so the output of `ecrecover()` here when the signature is invalid will be the value of `PERMIT_TYPEHASH`. in this case, since `PERMIT_TYPEHASH` is not a valid address, it will never compare `==` to `_owner`, and so the behaviour is exactly the same as if `ecrecover()` returned 0 in this case.\n\nin general, a contract could have unexpected behavior (i.e. mistakenly pass this style of signature check) if an immutable representing a real address (ex. `OWNER`) was read right before the `ecrecover` operation.\n\n### Patches\nv0.3.10 (with 019a37ab98ff53f04fecfadf602b6cd5ac748f7f and #3586)\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n_Are there any links users can visit to find out more?_\n",
"id": "GHSA-f5x6-7qgp-jhf3",
"modified": "2024-11-19T16:44:35Z",
"published": "2023-07-25T17:46:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-f5x6-7qgp-jhf3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37902"
},
{
"type": "WEB",
"url": "https://github.com/vyperlang/vyper/commit/019a37ab98ff53f04fecfadf602b6cd5ac748f7f"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-133.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vyperlang/vyper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ecrecover can return undefined data if signature does not verify"
}
Mitigation MIT-53
Check the results of all functions that return a value and verify that the value is expected.
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Ensure that you account for all possible return values from the function.
Mitigation
When designing a function, make sure you return a value or throw an exception in case of an error.
No CAPEC attack patterns related to this CWE.