Common Weakness Enumeration

CWE-617

Allowed

Reachable Assertion

Abstraction: Base · Status: Draft

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

989 vulnerabilities reference this CWE, most recent first.

GHSA-VFWV-M6QG-W443

Vulnerability from github – Published: 2023-07-14 18:31 – Updated: 2024-04-04 06:08
VLAI
Details

A Reachable Assertion vulnerability in Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows a locally-based, low-privileged attacker to cause a Denial of Service (DoS).

On all Junos OS and Junos OS Evolved, when a specific L2VPN command is run, RPD will crash and restart. Continued execution of this specific command will create a sustained Denial of Service (DoS) condition.

This issue affects: Juniper Networks Junos OS All versions prior to 19.3R3-S10; 20.1 versions prior to 20.1R3-S4; 20.2 versions prior to 20.2R3-S6; 20.3 versions prior to 20.3R3-S6; 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S3; 21.3 versions prior to 21.3R3-S2; 21.4 versions prior to 21.4R3; 22.1 versions prior to 22.1R3; 22.2 versions prior to 22.2R2; 22.3 versions prior to 22.3R2;

Juniper Networks Junos OS Evolved All versions prior to 20.4R3-S7-EVO; 21.1 versions prior to 21.1R3-S3-EVO; 21.2 versions prior to 21.2R3-S5-EVO; 21.3 versions prior to 21.3R3-S4-EVO; 21.4 versions prior to 21.4R3-EVO; 22.1 versions prior to 22.1R3-EVO; 22.2 versions prior to 22.2R2-EVO; 22.3 versions prior to 22.3R2-EVO;

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-14T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A Reachable Assertion vulnerability in Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows a locally-based, low-privileged attacker to cause a Denial of Service (DoS).\n\nOn all Junos OS and Junos OS Evolved, when a specific L2VPN command is run, RPD will crash and restart. Continued execution of this specific command will create a sustained Denial of Service (DoS) condition.\n\nThis issue affects:\nJuniper Networks Junos OS\nAll versions prior to 19.3R3-S10;\n20.1 versions prior to 20.1R3-S4;\n20.2 versions prior to 20.2R3-S6;\n20.3 versions prior to 20.3R3-S6;\n20.4 versions prior to 20.4R3-S5;\n21.1 versions prior to 21.1R3-S4;\n21.2 versions prior to 21.2R3-S3;\n21.3 versions prior to 21.3R3-S2;\n21.4 versions prior to 21.4R3;\n22.1 versions prior to 22.1R3;\n22.2 versions prior to 22.2R2;\n22.3 versions prior to 22.3R2;\n\nJuniper Networks Junos OS Evolved\nAll versions prior to 20.4R3-S7-EVO;\n21.1 versions prior to 21.1R3-S3-EVO;\n21.2 versions prior to 21.2R3-S5-EVO;\n21.3 versions prior to 21.3R3-S4-EVO;\n21.4 versions prior to 21.4R3-EVO;\n22.1 versions prior to 22.1R3-EVO;\n22.2 versions prior to 22.2R2-EVO;\n22.3 versions prior to 22.3R2-EVO;\n",
  "id": "GHSA-vfwv-m6qg-w443",
  "modified": "2024-04-04T06:08:46Z",
  "published": "2023-07-14T18:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36840"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA71647"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGHX-352F-93JM

Vulnerability from github – Published: 2026-05-21 19:46 – Updated: 2026-06-10 13:41
VLAI
Summary
nimiq-blockchain: Genesis batch set request
Details

Impact

A remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls get_epoch_chunks which iterates backwards through macro blocks using Policy::macro_block_before. When it reaches the genesis block number, macro_block_before panics with "No macro blocks before genesis block".

Patches

The patch for this vulnerability is formally released as part of v1.5.0.

Workarounds

No Workaround, although requesting the genesis batch set is not used during normal operation.

Resources

See PR.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "nimiq-blockchain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T19:46:15Z",
    "nvd_published_at": "2026-06-10T00:16:54Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block\u0027s hash. The handler calls `get_epoch_chunks` which iterates backwards through macro blocks using `Policy::macro_block_before`. When it reaches the genesis block number, `macro_block_before` panics with \"No macro blocks before genesis block\".\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3745) is formally released as part of [v1.5.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0).\n\n### Workarounds\nNo Workaround, although requesting the genesis batch set is not used during normal operation.\n\n### Resources\nSee [PR](https://github.com/nimiq/core-rs-albatross/pull/3745).",
  "id": "GHSA-vghx-352f-93jm",
  "modified": "2026-06-10T13:41:37Z",
  "published": "2026-05-21T19:46:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vghx-352f-93jm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46543"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/pull/3745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/commit/8e8b0abdb1b66f5e9b25b3833879f05c173a5596"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nimiq/core-rs-albatross"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nimiq-blockchain: Genesis batch set request"
}

GHSA-VGQ7-9R5R-J9V3

Vulnerability from github – Published: 2025-11-24 18:31 – Updated: 2025-11-25 21:01
VLAI
Summary
Free5GC is vulnerable to DoS through its Npcf_BDTPolicyControl POST API
Details

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/pcf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-60632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T21:01:13Z",
    "nvd_published_at": "2025-11-24T16:15:49Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API.",
  "id": "GHSA-vgq7-9r5r-j9v3",
  "modified": "2025-11-25T21:01:13Z",
  "published": "2025-11-24T18:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60632"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/pcf/pull/53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/pcf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Free5GC is vulnerable to DoS through its Npcf_BDTPolicyControl POST API"
}

GHSA-VGV4-555V-W6X3

Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31
VLAI
Details

When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T23:17:03Z",
    "severity": "HIGH"
  },
  "details": "When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.",
  "id": "GHSA-vgv4-555v-w6x3",
  "modified": "2026-06-10T00:31:50Z",
  "published": "2026-06-10T00:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9746"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-124190"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VH8H-JG54-V92W

Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2024-08-01 15:31
VLAI
Details

** DISPUTED ** The validateInputImageSize function in modules/imgcodecs/src/loadsave.cpp in OpenCV 3.4.1 allows remote attackers to cause a denial of service (assertion failure) because (size.height <= (1<<20)) may be false. Note: “OpenCV CV_Assert is not an assertion (C-like assert()), it is regular C++ exception which can raised in case of invalid or non-supported parameters.”

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-05T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "** DISPUTED ** The validateInputImageSize function in modules/imgcodecs/src/loadsave.cpp in OpenCV 3.4.1 allows remote attackers to cause a denial of service (assertion failure) because (size.height \u003c= (1\u003c\u003c20)) may be false. Note: \u201cOpenCV CV_Assert is not an assertion (C-like assert()), it is regular C++ exception which can raised in case of invalid or non-supported parameters.\u201d",
  "id": "GHSA-vh8h-jg54-v92w",
  "modified": "2024-08-01T15:31:13Z",
  "published": "2022-05-13T01:28:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencv/opencv/issues/10998"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xiaoqx/pocs/tree/master/opencv/dos-by-assert"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ4F-PW6H-MXV3

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

There is an Assertion 'context_p->token.type == LEXER_RIGHT_BRACE || context_p->token.type == LEXER_ASSIGN || context_p->token.type == LEXER_COMMA' failed at js-parser-expr.c:3230 in parser_parse_object_initializer in JerryScript 2.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-10T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an Assertion \u0027context_p-\u003etoken.type == LEXER_RIGHT_BRACE || context_p-\u003etoken.type == LEXER_ASSIGN || context_p-\u003etoken.type == LEXER_COMMA\u0027 failed at js-parser-expr.c:3230 in parser_parse_object_initializer in JerryScript 2.2.0.",
  "id": "GHSA-vj4f-pw6h-mxv3",
  "modified": "2022-05-24T19:05:14Z",
  "published": "2022-05-24T19:05:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23311"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jerryscript-project/jerryscript/issues/3822"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VJJP-V767-CX96

Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-03-13 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/io-pgtable-arm: fix size_t signedness bug in unmap path

__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems).

This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova

This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment.

Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-04T17:16:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/io-pgtable-arm: fix size_t signedness bug in unmap path\n\n__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative\nerror code) when encountering an unmapped PTE. Since size_t is unsigned,\n-ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE\non 64-bit systems).\n\nThis corrupted value propagates through the call chain:\n  __arm_lpae_unmap() returns -ENOENT as size_t\n  -\u003e arm_lpae_unmap_pages() returns it\n  -\u003e __iommu_unmap() adds it to iova address\n  -\u003e iommu_pgsize() triggers BUG_ON due to corrupted iova\n\nThis can cause IOVA address overflow in __iommu_unmap() loop and\ntrigger BUG_ON in iommu_pgsize() from invalid address alignment.\n\nFix by returning 0 instead of -ENOENT. The WARN_ON already signals\nthe error condition, and returning 0 (meaning \"nothing unmapped\")\nis the correct semantic for size_t return type. This matches the\nbehavior of other io-pgtable implementations (io-pgtable-arm-v7s,\nio-pgtable-dart) which return 0 on error conditions.",
  "id": "GHSA-vjjp-v767-cx96",
  "modified": "2026-03-13T21:31:40Z",
  "published": "2026-02-04T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23067"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41ec6988547819756fb65e94fc24f3e0dddf84ac"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VM7X-4QHJ-RRCQ

Vulnerability from github – Published: 2022-09-16 22:15 – Updated: 2022-09-19 19:55
VLAI
Summary
TensorFlow vulnerable to `CHECK` fail in `TensorListScatter` and `TensorListScatterV2`
Details

Impact

When TensorListScatter and TensorListScatterV2 receive an element_shape of a rank greater than one, they give a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16, maxval=None)
arg_1=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)
arg_2=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)
arg_3=''
tf.raw_ops.TensorListScatter(tensor=arg_0, indices=arg_1, 
element_shape=arg_2, name=arg_3)

Patches

We have patched the issue in GitHub commit bb03fdf4aae944ab2e4b35c7daa051068a8b7f61.

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-35991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T22:15:05Z",
    "nvd_published_at": "2022-09-16T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen `TensorListScatter` and `TensorListScatterV2` receive an `element_shape` of a rank greater than one, they give a `CHECK` fail that can trigger a denial of service attack.\n```python\nimport tensorflow as tf\narg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16, maxval=None)\narg_1=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)\narg_2=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)\narg_3=\u0027\u0027\ntf.raw_ops.TensorListScatter(tensor=arg_0, indices=arg_1, \nelement_shape=arg_2, name=arg_3)\n```\n\n### Patches\nWe have patched the issue in GitHub commit [bb03fdf4aae944ab2e4b35c7daa051068a8b7f61](https://github.com/tensorflow/tensorflow/commit/bb03fdf4aae944ab2e4b35c7daa051068a8b7f61).\n\nThe fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by \u5218\u529b\u6e90, Information System \u0026 Security and Countermeasures Experiments Center, Beijing Institute of Technology.\n",
  "id": "GHSA-vm7x-4qhj-rrcq",
  "modified": "2022-09-19T19:55:20Z",
  "published": "2022-09-16T22:15:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-vm7x-4qhj-rrcq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/bb03fdf4aae944ab2e4b35c7daa051068a8b7f61"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TensorFlow vulnerable to `CHECK` fail in `TensorListScatter` and `TensorListScatterV2`"
}

GHSA-VPVV-3968-XXMC

Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-19 18:31
VLAI
Details

An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in lib/pfcp/context.c (ogs_pfcp_object_teid_hash_set) if the CreatePDR?PDI?F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T19:16:33Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR?PDI?F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service.",
  "id": "GHSA-vpvv-3968-xxmc",
  "modified": "2025-12-19T18:31:12Z",
  "published": "2025-12-18T21:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65559"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open5gs/open5gs/issues/4135"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VV4J-XQG9-J5G3

Vulnerability from github – Published: 2022-01-11 00:01 – Updated: 2022-01-14 00:02
VLAI
Details

A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::Tuple::validate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-10T14:11:00Z",
    "severity": "MODERATE"
  },
  "details": "A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::Tuple::validate.",
  "id": "GHSA-vv4j-xqg9-j5g3",
  "modified": "2022-01-14T00:02:39Z",
  "published": "2022-01-11T00:01:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46052"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WebAssembly/binaryen/issues/4411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)

Mitigation
Implementation

Strategy: Input Validation

Perform input validation on user data.

No CAPEC attack patterns related to this CWE.