CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-39Q5-4VQC-9P73
Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2026-01-09 15:30In the Linux kernel, the following vulnerability has been resolved:
pptp: ensure minimal skb length in pptp_xmit()
Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data on ppp_sync_txmung") fixed ppp_sync_txmunge()
We need a similar fix in pptp_xmit(), otherwise we might read uninit data as reported by syzbot.
BUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline] ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314 pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 _syssendmsg+0x893/0xd80 net/socket.c:2566 _sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709
{
"affected": [],
"aliases": [
"CVE-2025-38574"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T17:15:34Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npptp: ensure minimal skb length in pptp_xmit()\n\nCommit aabc6596ffb3 (\"net: ppp: Add bound checking for skb data\non ppp_sync_txmung\") fixed ppp_sync_txmunge()\n\nWe need a similar fix in pptp_xmit(), otherwise we might\nread uninit data as reported by syzbot.\n\nBUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193\n pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193\n ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline]\n ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314\n pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379\n sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n __release_sock+0x1d3/0x330 net/core/sock.c:3213\n release_sock+0x6b/0x270 net/core/sock.c:3767\n pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x893/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709",
"id": "GHSA-39q5-4vqc-9p73",
"modified": "2026-01-09T15:30:22Z",
"published": "2025-08-19T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38574"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a04db0fd75cb6034fc27a56b67b3b8b9022a98c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26672f1679b143aa34fca0b6046b7fd0c184770d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5005d24377378a20e5c0e53052fc4ebdcdcbc611"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/504cc4ab91073d2ac7404ad146139f86ecee7193"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5de7513f38f3c19c0610294ee478242bea356f8c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97b8c5d322c5c0038cac4bc56fdbe237d0be426f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7dcda76fd0615c0599c89f36873a6cd48e02dbb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de9c4861fb42f0cd72da844c3c34f692d5895b7b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea99b88b1999ebcb24d5d3a6b7910030f40d3bba"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3CCP-5V4P-6XPQ
Vulnerability from github – Published: 2025-12-12 09:30 – Updated: 2025-12-12 09:30A vulnerability has been identified in Simcenter Femap (All versions < V2512). The affected applications contains an uninitialized memory vulnerability while parsing specially crafted SLDPRT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27146)
{
"affected": [],
"aliases": [
"CVE-2025-40829"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-12T09:15:49Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Simcenter Femap (All versions \u003c V2512). The affected applications contains an uninitialized memory vulnerability while parsing specially crafted SLDPRT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27146)",
"id": "GHSA-3ccp-5v4p-6xpq",
"modified": "2025-12-12T09:30:20Z",
"published": "2025-12-12T09:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40829"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-512988.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3FFP-FFXG-JV46
Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic.
? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? skb_dequeue+0x5f/0x80
{
"affected": [],
"aliases": [
"CVE-2024-46784"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T08:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix error handling in mana_create_txq/rxq\u0027s NAPI cleanup\n\nCurrently napi_disable() gets called during rxq and txq cleanup,\neven before napi is enabled and hrtimer is initialized. It causes\nkernel panic.\n\n? page_fault_oops+0x136/0x2b0\n ? page_counter_cancel+0x2e/0x80\n ? do_user_addr_fault+0x2f2/0x640\n ? refill_obj_stock+0xc4/0x110\n ? exc_page_fault+0x71/0x160\n ? asm_exc_page_fault+0x27/0x30\n ? __mmdrop+0x10/0x180\n ? __mmdrop+0xec/0x180\n ? hrtimer_active+0xd/0x50\n hrtimer_try_to_cancel+0x2c/0xf0\n hrtimer_cancel+0x15/0x30\n napi_disable+0x65/0x90\n mana_destroy_rxq+0x4c/0x2f0\n mana_create_rxq.isra.0+0x56c/0x6d0\n ? mana_uncfg_vport+0x50/0x50\n mana_alloc_queues+0x21b/0x320\n ? skb_dequeue+0x5f/0x80",
"id": "GHSA-3ffp-ffxg-jv46",
"modified": "2025-11-04T00:31:29Z",
"published": "2024-09-18T09:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46784"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/386617efacab10bf5bb40bde403467c57cc00470"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4982a47154f0b50de81ee0a0b169a3fc74120a65"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9178eb8ebcd887ab75e54ac40d538e54bb9c7788"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9e0bff4900b5d412a9bafe4baeaa6facd34f671c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b6ecc662037694488bfff7c9fd21c405df8411f2"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3FH4-4HV7-69QH
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-01-23 21:30In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Clean up si_domain in the init_dmars() error path
A splat from kmem_cache_destroy() was seen with a kernel prior to commit ee2653bbe89d ("iommu/vt-d: Remove domain and devinfo mempool") when there was a failure in init_dmars(), because the iommu_domain cache still had objects. While the mempool code is now gone, there still is a leak of the si_domain memory if init_dmars() fails. So clean up si_domain in the init_dmars() error path.
{
"affected": [],
"aliases": [
"CVE-2022-50482"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:44Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Clean up si_domain in the init_dmars() error path\n\nA splat from kmem_cache_destroy() was seen with a kernel prior to\ncommit ee2653bbe89d (\"iommu/vt-d: Remove domain and devinfo mempool\")\nwhen there was a failure in init_dmars(), because the iommu_domain\ncache still had objects. While the mempool code is now gone, there\nstill is a leak of the si_domain memory if init_dmars() fails. So\nclean up si_domain in the init_dmars() error path.",
"id": "GHSA-3fh4-4hv7-69qh",
"modified": "2026-01-23T21:30:37Z",
"published": "2025-10-04T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50482"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0365d6af75f9f2696e94a0fef24a2c8464c037c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5cecfe151874b835331efe086bbdcaeaf64f6b90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/620bf9f981365c18cc2766c53d92bf8131c63f32"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/724483b585a1b1e063d42ac5aa835707ff2ec165"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/749bea542b67513e99240dc58bbfc099e842d508"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c4ad3ae4c6be9d8b0701761c839771116bca6ea3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d74196bb278b8f8af88e16bd595997dfa3d6fdb0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3FJH-2RCV-9CFC
Vulnerability from github – Published: 2025-07-04 15:31 – Updated: 2025-12-18 21:31In the Linux kernel, the following vulnerability has been resolved:
media: imx-jpeg: Cleanup after an allocation error
When allocation failures are not cleaned up by the driver, further allocation errors will be false-positives, which will cause buffers to remain uninitialized and cause NULL pointer dereferences. Ensure proper cleanup of failed allocations to prevent these issues.
{
"affected": [],
"aliases": [
"CVE-2025-38225"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T14:15:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Cleanup after an allocation error\n\nWhen allocation failures are not cleaned up by the driver, further\nallocation errors will be false-positives, which will cause buffers to\nremain uninitialized and cause NULL pointer dereferences.\nEnsure proper cleanup of failed allocations to prevent these issues.",
"id": "GHSA-3fjh-2rcv-9cfc",
"modified": "2025-12-18T21:31:34Z",
"published": "2025-07-04T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38225"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0ee9469f818a0b4de3c0e7aecd733c103820d181"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d0efe7d35c75394f32ff9d0650a007642d23857"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7500bb9cf164edbb2c8117d57620227b1a4a8369"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b89ff9cf37ff59399f850d5f7781ef78fc37679f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec26be7d6355a05552a0d0c1e73031f83aa4dc7f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GX2-PFP9-4W2V
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "Style Object Memory Corruption Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2011-1964"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-08-10T21:55:00Z",
"severity": "HIGH"
},
"details": "Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka \"Style Object Memory Corruption Vulnerability.\"",
"id": "GHSA-3gx2-pfp9-4w2v",
"modified": "2022-05-13T01:03:27Z",
"published": "2022-05-13T01:03:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1964"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-057"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12617"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA11-221A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3J78-PF43-6MVQ
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-02 21:32In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT is set, the eval paths write only 1 byte (nft_reg_store8) or 4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4, registers beyond the first are never written, retaining uninitialized stack data from nft_regs.
Bail out if userspace requests too much data when F_PRESENT is set.
{
"affected": [],
"aliases": [
"CVE-2026-53218"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:39Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_exthdr: fix register tracking for F_PRESENT flag\n\nnft_exthdr_init() passes user-controlled priv-\u003elen to\nnft_parse_register_store(), which marks that many bytes in the\nregister bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT\nis set, the eval paths write only 1 byte (nft_reg_store8) or\n4 bytes (*dest = 0 on TCP/DCCP error path). When len \u003e 4,\nregisters beyond the first are never written, retaining\nuninitialized stack data from nft_regs.\n\nBail out if userspace requests too much data when F_PRESENT is set.",
"id": "GHSA-3j78-pf43-6mvq",
"modified": "2026-07-02T21:32:05Z",
"published": "2026-06-25T09:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53218"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19748967d59c31d24d21d40b728570788310b237"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/46fc15a044e9938e7ea77786fb37edd2cd74f031"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67b27434c43b68a97becda98c9f0c8cf6cba2134"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/772cecf198da732faebb5dcfc46d66a505be8495"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78069a6d8bc86c9e036eb82c2af4a19cc1871a53"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8738b1b6d0e639ca1fc0f61516afd3557ac4ecc6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd513e43b4b2bd1de39e2367bc4261c699a8652f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f08fb3d42fd3aad0b7a263da3ac3ebaf0845e265"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3J7X-GH3J-GHQJ
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
{
"affected": [],
"aliases": [
"CVE-2017-9098"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-19T19:29:00Z",
"severity": "HIGH"
},
"details": "ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.",
"id": "GHSA-3j7x-gh3j-ghqj",
"modified": "2022-05-13T01:10:29Z",
"published": "2022-05-13T01:10:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9098"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html"
},
{
"type": "WEB",
"url": "https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html"
},
{
"type": "WEB",
"url": "http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3863"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98593"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3JGJ-55Q7-3RWV
Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 15:30In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Check scheduler work queue before calling timeout handling
During an IGT GPU reset test we see again oops despite of commit 0c8c901aaaebc9 (drm/sched: Check scheduler ready before calling timeout handling).
It uses ready condition whether to call drm_sched_fault which unwind the TDR leads to GPU reset. However it looks the ready condition is overloaded with other meanings, for example, for the following stack is related GPU reset :
0 gfx_v9_0_cp_gfx_start 1 gfx_v9_0_cp_gfx_resume 2 gfx_v9_0_cp_resume 3 gfx_v9_0_hw_init 4 gfx_v9_0_resume 5 amdgpu_device_ip_resume_phase2
does the following: / start the ring / gfx_v9_0_cp_gfx_start(adev); ring->sched.ready = true;
The same approach is for other ASICs as well : gfx_v8_0_cp_gfx_resume gfx_v10_0_kiq_resume, etc...
As a result, our GPU reset test causes GPU fault which calls unconditionally gfx_v9_0_fault and then drm_sched_fault. However now it depends on whether the interrupt service routine drm_sched_fault is executed after gfx_v9_0_cp_gfx_start is completed which sets the ready field of the scheduler to true even for uninitialized schedulers and causes oops vs no fault or when ISR drm_sched_fault is completed prior gfx_v9_0_cp_gfx_start and NULL pointer dereference does not occur.
Use the field timeout_wq to prevent oops for uninitialized schedulers. The field could be initialized by the work queue of resetting the domain.
v1: Corrections to commit message (Luben)
{
"affected": [],
"aliases": [
"CVE-2023-53351"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T15:15:39Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Check scheduler work queue before calling timeout handling\n\nDuring an IGT GPU reset test we see again oops despite of\ncommit 0c8c901aaaebc9 (drm/sched: Check scheduler ready before calling\ntimeout handling).\n\nIt uses ready condition whether to call drm_sched_fault which unwind\nthe TDR leads to GPU reset.\nHowever it looks the ready condition is overloaded with other meanings,\nfor example, for the following stack is related GPU reset :\n\n0 gfx_v9_0_cp_gfx_start\n1 gfx_v9_0_cp_gfx_resume\n2 gfx_v9_0_cp_resume\n3 gfx_v9_0_hw_init\n4 gfx_v9_0_resume\n5 amdgpu_device_ip_resume_phase2\n\ndoes the following:\n\t/* start the ring */\n\tgfx_v9_0_cp_gfx_start(adev);\n\tring-\u003esched.ready = true;\n\nThe same approach is for other ASICs as well :\ngfx_v8_0_cp_gfx_resume\ngfx_v10_0_kiq_resume, etc...\n\nAs a result, our GPU reset test causes GPU fault which calls unconditionally gfx_v9_0_fault\nand then drm_sched_fault. However now it depends on whether the interrupt service routine\ndrm_sched_fault is executed after gfx_v9_0_cp_gfx_start is completed which sets the ready\nfield of the scheduler to true even for uninitialized schedulers and causes oops vs\nno fault or when ISR drm_sched_fault is completed prior gfx_v9_0_cp_gfx_start and\nNULL pointer dereference does not occur.\n\nUse the field timeout_wq to prevent oops for uninitialized schedulers.\nThe field could be initialized by the work queue of resetting the domain.\n\nv1: Corrections to commit message (Luben)",
"id": "GHSA-3jgj-55q7-3rwv",
"modified": "2025-12-11T15:30:30Z",
"published": "2025-09-17T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53351"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2da5bffe9eaa5819a868e8eaaa11b3fd0f16a691"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c43a96fc00b662cef1ef0eb22d40441ce2abae8f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3MF3-2GV9-H39J
Vulnerability from github – Published: 2021-08-25 20:53 – Updated: 2023-06-13 18:44Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. (Record::read()). Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior. This flaw was fixed in commit 6299af0 by zero-initializing the newly allocated memory (via data.resize(len, 0)) instead of exposing uninitialized memory (unsafe { data.set_len(len) }).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "marc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-26308"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T17:52:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. (Record::read()). Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior. This flaw was fixed in commit 6299af0 by zero-initializing the newly allocated memory (via data.resize(len, 0)) instead of exposing uninitialized memory (unsafe { data.set_len(len) }).",
"id": "GHSA-3mf3-2gv9-h39j",
"modified": "2023-06-13T18:44:34Z",
"published": "2021-08-25T20:53:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26308"
},
{
"type": "WEB",
"url": "https://github.com/blackbeam/rust-marc/issues/7"
},
{
"type": "WEB",
"url": "https://github.com/blackbeam/rust-marc/commit/6299af0"
},
{
"type": "PACKAGE",
"url": "https://github.com/blackbeam/rust-marc"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0014.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Uninitialized buffer use in marc"
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.