Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-41918 (GCVE-0-2026-41918)
Vulnerability from cvelistv5 – Published: 2026-06-02 12:06 – Updated: 2026-06-02 14:13
VLAI
EPSS
Summary
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-525 - Use of Web Browser Cache Containing Sensitive Information
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | RUGGEDCOM RST2428P |
Affected:
0 , < V4.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T14:13:46.231135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:13:54.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions \u003c V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-525",
"description": "CWE-525: Use of Web Browser Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T12:06:50.291Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2026-41918",
"datePublished": "2026-06-02T12:06:50.291Z",
"dateReserved": "2026-04-22T15:48:53.605Z",
"dateUpdated": "2026-06-02T14:13:54.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-41918\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2026-06-02T14:16:53.200\",\"lastModified\":\"2026-06-02T14:50:37.260\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions \u003c V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-525\"}]}],\"references\":[{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-253495.html\",\"source\":\"productcert@siemens.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41918\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-02T14:13:46.231135Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-02T14:13:49.943Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.7, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\"}}, {\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\"}}], \"affected\": [{\"vendor\": \"Siemens\", \"product\": \"RUGGEDCOM RST2428P\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V4.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-253495.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions \u003c V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-525\", \"description\": \"CWE-525: Use of Web Browser Cache Containing Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"cec7a2ec-15b4-4faf-bd53-b40f371f3a77\", \"shortName\": \"siemens\", \"dateUpdated\": \"2026-06-02T12:06:50.291Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-41918\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-02T14:13:54.567Z\", \"dateReserved\": \"2026-04-22T15:48:53.605Z\", \"assignerOrgId\": \"cec7a2ec-15b4-4faf-bd53-b40f371f3a77\", \"datePublished\": \"2026-06-02T12:06:50.291Z\", \"assignerShortName\": \"siemens\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-41918
Vulnerability from fkie_nvd - Published: 2026-06-02 14:16 - Updated: 2026-06-02 14:50
Severity
Summary
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions \u003c V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser."
}
],
"id": "CVE-2026-41918",
"lastModified": "2026-06-02T14:50:37.260",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "productcert@siemens.com",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "productcert@siemens.com",
"type": "Secondary"
}
]
},
"published": "2026-06-02T14:16:53.200",
"references": [
{
"source": "productcert@siemens.com",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-525"
}
],
"source": "productcert@siemens.com",
"type": "Primary"
}
]
}
GHSA-XPJ8-V2G3-X4R2
Vulnerability from github – Published: 2026-06-02 15:32 – Updated: 2026-06-02 15:32
VLAI
Details
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.
Severity
5.7 (Medium)
{
"affected": [],
"aliases": [
"CVE-2026-41918"
],
"database_specific": {
"cwe_ids": [
"CWE-525"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-02T14:16:53Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions \u003c V4.0). The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.",
"id": "GHSA-xpj8-v2g3-x4r2",
"modified": "2026-06-02T15:32:12Z",
"published": "2026-06-02T15:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41918"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
SSA-253495
Vulnerability from csaf_siemens - Published: 2026-06-02 00:00 - Updated: 2026-06-02 00:00Summary
SSA-253495: Multiple Vulnerabilities in SINEC OS before V4.0
Notes
Summary: SINEC OS before V4.0 contains multiple vulnerabilities.
Siemens has released a new version for RUGGEDCOM RST2428P and recommends to update to the latest version.
General Recommendations: As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
5.0 (Medium)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RUGGEDCOM RST2428P (6GK6242-6PA00)
Siemens / RUGGEDCOM RST2428P (6GK6242-6PA00)
|
6GK6242-6PA00
|
vers:intdot/<4.0 |
Vendor Fix
fix
|
7.2 (High)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RUGGEDCOM RST2428P (6GK6242-6PA00)
Siemens / RUGGEDCOM RST2428P (6GK6242-6PA00)
|
6GK6242-6PA00
|
vers:intdot/<4.0 |
Vendor Fix
fix
|
7.8 (High)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RUGGEDCOM RST2428P (6GK6242-6PA00)
Siemens / RUGGEDCOM RST2428P (6GK6242-6PA00)
|
6GK6242-6PA00
|
vers:intdot/<4.0 |
Vendor Fix
fix
|
8.0 (High)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RUGGEDCOM RST2428P (6GK6242-6PA00)
Siemens / RUGGEDCOM RST2428P (6GK6242-6PA00)
|
6GK6242-6PA00
|
vers:intdot/<4.0 |
Vendor Fix
fix
|
8.0 (High)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
RUGGEDCOM RST2428P (6GK6242-6PA00)
Siemens / RUGGEDCOM RST2428P (6GK6242-6PA00)
|
6GK6242-6PA00
|
vers:intdot/<4.0 |
Vendor Fix
fix
|
References
2 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "SINEC OS before V4.0 contains multiple vulnerabilities.\n\nSiemens has released a new version for RUGGEDCOM RST2428P and recommends to update to the latest version.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-253495: Multiple Vulnerabilities in SINEC OS before V4.0 - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
},
{
"category": "self",
"summary": "SSA-253495: Multiple Vulnerabilities in SINEC OS before V4.0 - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-253495.json"
}
],
"title": "SSA-253495: Multiple Vulnerabilities in SINEC OS before V4.0",
"tracking": {
"current_release_date": "2026-06-02T00:00:00.000Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-253495",
"initial_release_date": "2026-06-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-06-02T00:00:00.000Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "interim",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c4.0",
"product": {
"name": "RUGGEDCOM RST2428P (6GK6242-6PA00)",
"product_id": "1",
"product_identification_helper": {
"model_numbers": [
"6GK6242-6PA00"
]
}
}
}
],
"category": "product_name",
"name": "RUGGEDCOM RST2428P (6GK6242-6PA00)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1352",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "summary",
"text": "A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-1352"
},
{
"cve": "CVE-2025-1376",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "summary",
"text": "A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-1376"
},
{
"cve": "CVE-2025-6052",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "summary",
"text": "A flaw was found in how GLib\u2019s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn\u2019t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-6052"
},
{
"cve": "CVE-2025-6141",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "summary",
"text": "A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-6141"
},
{
"cve": "CVE-2025-6170",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "summary",
"text": "A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-6170"
},
{
"cve": "CVE-2025-7039",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-7039"
},
{
"cve": "CVE-2025-8732",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "summary",
"text": "A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that \"[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all.\"",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-8732"
},
{
"cve": "CVE-2025-9086",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "1. A cookie is set using the `secure` keyword for `https://target` \n 2. curl is redirected to or otherwise made to speak with `http://target` (same \n hostname, but using clear text HTTP) using the same cookie set \n 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-9086"
},
{
"cve": "CVE-2025-9230",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "Issue summary: An application trying to decrypt CMS messages encrypted using\npassword based encryption can trigger an out-of-bounds read and write.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application. The out-of-bounds write can cause\na memory corruption which can have various consequences including\na Denial of Service or Execution of attacker-supplied code.\n\nAlthough the consequences of a successful exploit of this vulnerability\ncould be severe, the probability that the attacker would be able to\nperform it is low. Besides, password based (PWRI) encryption support in CMS\nmessages is very rarely used. For that reason the issue was assessed as\nModerate severity according to our Security Policy.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-9230"
},
{
"cve": "CVE-2025-9231",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"notes": [
{
"category": "summary",
"text": "Issue summary: A timing side-channel which could potentially allow remote\nrecovery of the private key exists in the SM2 algorithm implementation on 64 bit\nARM platforms.\n\nImpact summary: A timing side-channel in SM2 signature computations on 64 bit\nARM platforms could allow recovering the private key by an attacker..\n\nWhile remote key recovery over a network was not attempted by the reporter,\ntiming measurements revealed a timing signal which may allow such an attack.\n\nOpenSSL does not directly support certificates with SM2 keys in TLS, and so\nthis CVE is not relevant in most TLS contexts. However, given that it is\npossible to add support for such certificates via a custom provider, coupled\nwith the fact that in such a custom provider context the private key may be\nrecoverable via remote timing measurements, we consider this to be a Moderate\nseverity issue.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as SM2 is not an approved algorithm.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-9231"
},
{
"cve": "CVE-2025-9232",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the \u0027no_proxy\u0027 environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na \u0027no_proxy\u0027 environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-9232"
},
{
"cve": "CVE-2025-10966",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "curl\u0027s code for managing SSH connections when SFTP was done using the wolfSSH\npowered backend was flawed and missed host verification mechanisms.\n\nThis prevents curl from detecting MITM attackers and more.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-10966"
},
{
"cve": "CVE-2025-13465",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\r\n\r\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\r\n\r\nThis issue is patched on 4.17.23",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-13465"
},
{
"cve": "CVE-2025-13601",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "summary",
"text": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-13601"
},
{
"cve": "CVE-2025-39913",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork.\n\nsyzbot reported the splat below. [0]\n\nThe repro does the following:\n\n 1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)\n 2. Attach the prog to a SOCKMAP\n 3. Add a socket to the SOCKMAP\n 4. Activate fault injection\n 5. Send data less than cork_bytes\n\nAt 5., the data is carried over to the next sendmsg() as it is\nsmaller than the cork_bytes specified by bpf_msg_cork_bytes().\n\nThen, tcp_bpf_send_verdict() tries to allocate psock-\u003ecork to hold\nthe data, but this fails silently due to fault injection + __GFP_NOWARN.\n\nIf the allocation fails, we need to revert the sk-\u003esk_forward_alloc\nchange done by sk_msg_alloc().\n\nLet\u0027s call sk_msg_free() when tcp_bpf_send_verdict fails to allocate\npsock-\u003ecork.\n\nThe \"*copied\" also needs to be updated such that a proper error can\nbe returned to the caller, sendmsg. It fails to allocate psock-\u003ecork.\nNothing has been corked so far, so this patch simply sets \"*copied\"\nto 0.\n\n[0]:\nWARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983\nModules linked in:\nCPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156\nCode: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 \u003c0f\u003e 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc\nRSP: 0018:ffffc90000a08b48 EFLAGS: 00010246\nRAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80\nRDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000\nRBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4\nR10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380\nR13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872\nFS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0\nCall Trace:\n \u003cIRQ\u003e\n __sk_destruct+0x86/0x660 net/core/sock.c:2339\n rcu_do_batch kernel/rcu/tree.c:2605 [inline]\n rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861\n handle_softirqs+0x286/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052\n \u003c/IRQ\u003e",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-39913"
},
{
"cve": "CVE-2025-40214",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Initialise scc_index in unix_add_edge().\r\n\r\nQuang Le reported that the AF_UNIX GC could garbage-collect a\r\nreceive queue of an alive in-flight socket, with a nice repro.\r\n\r\nThe repro consists of three stages.\r\n\r\n 1)\r\n 1-a. Create a single cyclic reference with many sockets\r\n 1-b. close() all sockets\r\n 1-c. Trigger GC\r\n\r\n 2)\r\n 2-a. Pass sk-A to an embryo sk-B\r\n 2-b. Pass sk-X to sk-X\r\n 2-c. Trigger GC\r\n\r\n 3)\r\n 3-a. accept() the embryo sk-B\r\n 3-b. Pass sk-B to sk-C\r\n 3-c. close() the in-flight sk-A\r\n 3-d. Trigger GC\r\n\r\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\r\nand unix_walk_scc() groups them into two different SCCs:\r\n\r\n unix_sk(sk-A)-\u003evertex-\u003escc_index = 2 (UNIX_VERTEX_INDEX_START)\r\n unix_sk(sk-X)-\u003evertex-\u003escc_index = 3\r\n\r\nOnce GC completes, unix_graph_grouped is set to true.\r\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X\u0027s\r\ncyclic self-reference, which makes close() trigger GC.\r\n\r\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)-\u003evertex and\r\nlinks it to unix_unvisited_vertices.\r\n\r\nunix_update_graph() is called at 3-a. and 3-b., but neither\r\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\r\nbecause both sk-B\u0027s listener and sk-C are not in-flight.\r\n\r\n3-c decrements sk-A\u0027s file refcnt to 1.\r\n\r\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\r\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\r\n\r\n sk-A -\u003e sk-B (-\u003e sk-C)\r\n sk-X -\u003e sk-X\r\n\r\nThis is totally fine. All of them are not yet close()d and\r\nshould be grouped into different SCCs.\r\n\r\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\r\nin the same SCC and sk-A is dead.\r\n\r\n unix_sk(sk-A)-\u003escc_index == unix_sk(sk-B)-\u003escc_index \u003c-- Wrong!\r\n \u0026\u0026\r\n sk-A\u0027s file refcnt == unix_sk(sk-A)-\u003evertex-\u003eout_degree\r\n ^-- 1 in-flight count for sk-B\r\n -\u003e sk-A is dead !?\r\n\r\nThe problem is that unix_add_edge() does not initialise scc_index.\r\n\r\nStage 1) is used for heap spraying, making a newly allocated\r\nvertex have vertex-\u003escc_index == 2 (UNIX_VERTEX_INDEX_START)\r\nset by unix_walk_scc() at 1-c.\r\n\r\nLet\u0027s track the max SCC index from the previous unix_walk_scc()\r\ncall and assign the max + 1 to a new vertex\u0027s scc_index.\r\n\r\nThis way, we can continue to avoid Tarjan\u0027s algorithm while\r\npreventing misjudgments.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40214"
},
{
"cve": "CVE-2025-40248",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvsock: Ignore signal/timeout on connect() if already established\r\n\r\nDuring connect(), acting on a signal/timeout by disconnecting an already\r\nestablished socket leads to several issues:\r\n\r\n1. connect() invoking vsock_transport_cancel_pkt() -\u003e\r\n virtio_transport_purge_skbs() may race with sendmsg() invoking\r\n virtio_transport_get_credit(). This results in a permanently elevated\r\n `vvs-\u003ebytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.\r\n\r\n2. connect() resetting a connected socket\u0027s state may race with socket\r\n being placed in a sockmap. A disconnected socket remaining in a sockmap\r\n breaks sockmap\u0027s assumptions. And gives rise to WARNs.\r\n\r\n3. connect() transitioning SS_CONNECTED -\u003e SS_UNCONNECTED allows for a\r\n transport change/drop after TCP_ESTABLISHED. Which poses a problem for\r\n any simultaneous sendmsg() or connect() and may result in a\r\n use-after-free/null-ptr-deref.\r\n\r\nDo not disconnect socket on signal/timeout. Keep the logic for unconnected\r\nsockets: they don\u0027t linger, can\u0027t be placed in a sockmap, are rejected by\r\nsendmsg().",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40248"
},
{
"cve": "CVE-2025-40250",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Clean up only new IRQ glue on request_irq() failure\r\n\r\nThe mlx5_irq_alloc() function can inadvertently free the entire rmap\r\nand end up in a crash[1] when the other threads tries to access this,\r\nwhen request_irq() fails due to exhausted IRQ vectors. This commit\r\nmodifies the cleanup to remove only the specific IRQ mapping that was\r\njust added.\r\n\r\nThis prevents removal of other valid mappings and ensures precise\r\ncleanup of the failed IRQ allocation\u0027s associated glue object.\r\n\r\nNote: This error is observed when both fwctl and rds configs are enabled.\r\n\r\n[1]\r\nmlx5_core 0000:05:00.0: Successfully registered panic handler for port 1\r\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\r\nrequest irq. err = -28\r\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\r\ntrying to test write-combining support\r\nmlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1\r\nmlx5_core 0000:06:00.0: Successfully registered panic handler for port 1\r\nmlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\r\nrequest irq. err = -28\r\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\r\ntrying to test write-combining support\r\nmlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1\r\nmlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\r\nrequest irq. err = -28\r\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\r\nrequest irq. err = -28\r\ngeneral protection fault, probably for non-canonical address\r\n0xe277a58fde16f291: 0000 [#1] SMP NOPTI\r\n\r\nRIP: 0010:free_irq_cpu_rmap+0x23/0x7d\r\nCall Trace:\r\n \u003cTASK\u003e\r\n ? show_trace_log_lvl+0x1d6/0x2f9\r\n ? show_trace_log_lvl+0x1d6/0x2f9\r\n ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\r\n ? __die_body.cold+0x8/0xa\r\n ? die_addr+0x39/0x53\r\n ? exc_general_protection+0x1c4/0x3e9\r\n ? dev_vprintk_emit+0x5f/0x90\r\n ? asm_exc_general_protection+0x22/0x27\r\n ? free_irq_cpu_rmap+0x23/0x7d\r\n mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\r\n irq_pool_request_vector+0x7d/0x90 [mlx5_core]\r\n mlx5_irq_request+0x2e/0xe0 [mlx5_core]\r\n mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]\r\n comp_irq_request_pci+0x64/0xf0 [mlx5_core]\r\n create_comp_eq+0x71/0x385 [mlx5_core]\r\n ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]\r\n mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]\r\n ? xas_load+0x8/0x91\r\n mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]\r\n mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]\r\n mlx5e_open_channels+0xad/0x250 [mlx5_core]\r\n mlx5e_open_locked+0x3e/0x110 [mlx5_core]\r\n mlx5e_open+0x23/0x70 [mlx5_core]\r\n __dev_open+0xf1/0x1a5\r\n __dev_change_flags+0x1e1/0x249\r\n dev_change_flags+0x21/0x5c\r\n do_setlink+0x28b/0xcc4\r\n ? __nla_parse+0x22/0x3d\r\n ? inet6_validate_link_af+0x6b/0x108\r\n ? cpumask_next+0x1f/0x35\r\n ? __snmp6_fill_stats64.constprop.0+0x66/0x107\r\n ? __nla_validate_parse+0x48/0x1e6\r\n __rtnl_newlink+0x5ff/0xa57\r\n ? kmem_cache_alloc_trace+0x164/0x2ce\r\n rtnl_newlink+0x44/0x6e\r\n rtnetlink_rcv_msg+0x2bb/0x362\r\n ? __netlink_sendskb+0x4c/0x6c\r\n ? netlink_unicast+0x28f/0x2ce\r\n ? rtnl_calcit.isra.0+0x150/0x146\r\n netlink_rcv_skb+0x5f/0x112\r\n netlink_unicast+0x213/0x2ce\r\n netlink_sendmsg+0x24f/0x4d9\r\n __sock_sendmsg+0x65/0x6a\r\n ____sys_sendmsg+0x28f/0x2c9\r\n ? import_iovec+0x17/0x2b\r\n ___sys_sendmsg+0x97/0xe0\r\n __sys_sendmsg+0x81/0xd8\r\n do_syscall_64+0x35/0x87\r\n entry_SYSCALL_64_after_hwframe+0x6e/0x0\r\nRIP: 0033:0x7fc328603727\r\nCode: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed\r\nff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00\r\nf0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48\r\nRSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\r\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727\r\nRDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d\r\nRBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000\r\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\r\nR13: 00000000000\r\n---truncated---",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40250"
},
{
"cve": "CVE-2025-40251",
"cwe": {
"id": "CWE-911",
"name": "Improper Update of Reference Count"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndevlink: rate: Unset parent pointer in devl_rate_nodes_destroy\r\n\r\nThe function devl_rate_nodes_destroy is documented to \"Unset parent for\r\nall rate objects\". However, it was only calling the driver-specific\r\n`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing\r\nthe parent\u0027s refcount, without actually setting the\r\n`devlink_rate-\u003eparent` pointer to NULL.\r\n\r\nThis leaves a dangling pointer in the `devlink_rate` struct, which cause\r\nrefcount error in netdevsim[1] and mlx5[2]. In addition, this is\r\ninconsistent with the behavior of `devlink_nl_rate_parent_node_set`,\r\nwhere the parent pointer is correctly cleared.\r\n\r\nThis patch fixes the issue by explicitly setting `devlink_rate-\u003eparent`\r\nto NULL after notifying the driver, thus fulfilling the function\u0027s\r\ndocumented behavior for all rate objects.\r\n\r\n[1]\r\nrepro steps:\r\necho 1 \u003e /sys/bus/netdevsim/new_device\r\ndevlink dev eswitch set netdevsim/netdevsim1 mode switchdev\r\necho 1 \u003e /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs\r\ndevlink port function rate add netdevsim/netdevsim1/test_node\r\ndevlink port function rate set netdevsim/netdevsim1/128 parent test_node\r\necho 1 \u003e /sys/bus/netdevsim/del_device\r\n\r\ndmesg:\r\nrefcount_t: decrement hit 0; leaking memory.\r\nWARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\r\nCPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE\r\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\r\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\r\nCall Trace:\r\n \u003cTASK\u003e\r\n devl_rate_leaf_destroy+0x8d/0x90\r\n __nsim_dev_port_del+0x6c/0x70 [netdevsim]\r\n nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]\r\n nsim_drv_remove+0x2b/0xb0 [netdevsim]\r\n device_release_driver_internal+0x194/0x1f0\r\n bus_remove_device+0xc6/0x130\r\n device_del+0x159/0x3c0\r\n device_unregister+0x1a/0x60\r\n del_device_store+0x111/0x170 [netdevsim]\r\n kernfs_fop_write_iter+0x12e/0x1e0\r\n vfs_write+0x215/0x3d0\r\n ksys_write+0x5f/0xd0\r\n do_syscall_64+0x55/0x10f0\r\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\r\n\r\n[2]\r\ndevlink dev eswitch set pci/0000:08:00.0 mode switchdev\r\ndevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000\r\ndevlink port function rate add pci/0000:08:00.0/group1\r\ndevlink port function rate set pci/0000:08:00.0/32768 parent group1\r\nmodprobe -r mlx5_ib mlx5_fwctl mlx5_core\r\n\r\ndmesg:\r\nrefcount_t: decrement hit 0; leaking memory.\r\nWARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\r\nCPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE\r\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\r\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\r\nCall Trace:\r\n \u003cTASK\u003e\r\n devl_rate_leaf_destroy+0x8d/0x90\r\n mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]\r\n mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]\r\n mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]\r\n mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]\r\n notifier_call_chain+0x33/0xa0\r\n blocking_notifier_call_chain+0x3b/0x50\r\n mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]\r\n mlx5_eswitch_disable+0x63/0x90 [mlx5_core]\r\n mlx5_unload+0x1d/0x170 [mlx5_core]\r\n mlx5_uninit_one+0xa2/0x130 [mlx5_core]\r\n remove_one+0x78/0xd0 [mlx5_core]\r\n pci_device_remove+0x39/0xa0\r\n device_release_driver_internal+0x194/0x1f0\r\n unbind_store+0x99/0xa0\r\n kernfs_fop_write_iter+0x12e/0x1e0\r\n vfs_write+0x215/0x3d0\r\n ksys_write+0x5f/0xd0\r\n do_syscall_64+0x53/0x1f0\r\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40251"
},
{
"cve": "CVE-2025-40252",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()\r\n\r\nThe loops in \u0027qede_tpa_cont()\u0027 and \u0027qede_tpa_end()\u0027, iterate\r\nover \u0027cqe-\u003elen_list[]\u0027 using only a zero-length terminator as\r\nthe stopping condition. If the terminator was missing or\r\nmalformed, the loop could run past the end of the fixed-size array.\r\n\r\nAdd an explicit bound check using ARRAY_SIZE() in both loops to prevent\r\na potential out-of-bounds access.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40252"
},
{
"cve": "CVE-2025-40254",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: remove never-working support for setting nsh fields\r\n\r\nThe validation of the set(nsh(...)) action is completely wrong.\r\nIt runs through the nsh_key_put_from_nlattr() function that is the\r\nsame function that validates NSH keys for the flow match and the\r\npush_nsh() action. However, the set(nsh(...)) has a very different\r\nmemory layout. Nested attributes in there are doubled in size in\r\ncase of the masked set(). That makes proper validation impossible.\r\n\r\nThere is also confusion in the code between the \u0027masked\u0027 flag, that\r\nsays that the nested attributes are doubled in size containing both\r\nthe value and the mask, and the \u0027is_mask\u0027 that says that the value\r\nwe\u0027re parsing is the mask. This is causing kernel crash on trying to\r\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\r\nvalidation, while validate_nsh() doesn\u0027t allocate any memory for it:\r\n\r\n BUG: kernel NULL pointer dereference, address: 0000000000000018\r\n #PF: supervisor read access in kernel mode\r\n #PF: error_code(0x0000) - not-present page\r\n PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\r\n Oops: Oops: 0000 [#1] SMP NOPTI\r\n CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\r\n RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\r\n Call Trace:\r\n \u003cTASK\u003e\r\n validate_nsh+0x60/0x90 [openvswitch]\r\n validate_set.constprop.0+0x270/0x3c0 [openvswitch]\r\n __ovs_nla_copy_actions+0x477/0x860 [openvswitch]\r\n ovs_nla_copy_actions+0x8d/0x100 [openvswitch]\r\n ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\r\n genl_family_rcv_msg_doit+0xdb/0x130\r\n genl_family_rcv_msg+0x14b/0x220\r\n genl_rcv_msg+0x47/0xa0\r\n netlink_rcv_skb+0x53/0x100\r\n genl_rcv+0x24/0x40\r\n netlink_unicast+0x280/0x3b0\r\n netlink_sendmsg+0x1f7/0x430\r\n ____sys_sendmsg+0x36b/0x3a0\r\n ___sys_sendmsg+0x87/0xd0\r\n __sys_sendmsg+0x6d/0xd0\r\n do_syscall_64+0x7b/0x2c0\r\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\r\n\r\nThe third issue with this process is that while trying to convert\r\nthe non-masked set into masked one, validate_set() copies and doubles\r\nthe size of the OVS_KEY_ATTR_NSH as if it didn\u0027t have any nested\r\nattributes. It should be copying each nested attribute and doubling\r\nthem in size independently. And the process must be properly reversed\r\nduring the conversion back from masked to a non-masked variant during\r\nthe flow dump.\r\n\r\nIn the end, the only two outcomes of trying to use this action are\r\neither validation failure or a kernel crash. And if somehow someone\r\nmanages to install a flow with such an action, it will most definitely\r\nnot do what it is supposed to, since all the keys and the masks are\r\nmixed up.\r\n\r\nFixing all the issues is a complex task as it requires re-writing\r\nmost of the validation code.\r\n\r\nGiven that and the fact that this functionality never worked since\r\nintroduction, let\u0027s just remove it altogether. It\u0027s better to\r\nre-introduce it later with a proper implementation instead of trying\r\nto fix it in stable releases.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40254"
},
{
"cve": "CVE-2025-40257",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: fix a race in mptcp_pm_del_add_timer()\r\n\r\nmptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, \u0026entry-\u003eadd_timer)\r\nwhile another might have free entry already, as reported by syzbot.\r\n\r\nAdd RCU protection to fix this issue.\r\n\r\nAlso change confusing add_timer variable with stop_timer boolean.\r\n\r\nsyzbot report:\r\n\r\nBUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\r\nRead of size 4 at addr ffff8880311e4150 by task kworker/1:1/44\r\n\r\nCPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\r\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\r\nWorkqueue: events mptcp_worker\r\nCall Trace:\r\n \u003cTASK\u003e\r\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\r\n print_address_description mm/kasan/report.c:378 [inline]\r\n print_report+0xca/0x240 mm/kasan/report.c:482\r\n kasan_report+0x118/0x150 mm/kasan/report.c:595\r\n __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\r\n sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631\r\n mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362\r\n mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174\r\n tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361\r\n tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441\r\n tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931\r\n tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374\r\n ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205\r\n ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239\r\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\r\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\r\n __netif_receive_skb_one_core net/core/dev.c:6079 [inline]\r\n __netif_receive_skb+0x143/0x380 net/core/dev.c:6192\r\n process_backlog+0x31e/0x900 net/core/dev.c:6544\r\n __napi_poll+0xb6/0x540 net/core/dev.c:7594\r\n napi_poll net/core/dev.c:7657 [inline]\r\n net_rx_action+0x5f7/0xda0 net/core/dev.c:7784\r\n handle_softirqs+0x22f/0x710 kernel/softirq.c:622\r\n __do_softirq kernel/softirq.c:656 [inline]\r\n __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302\r\n mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]\r\n mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1\r\n mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002\r\n mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\r\n process_one_work kernel/workqueue.c:3263 [inline]\r\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\r\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\r\n kthread+0x711/0x8a0 kernel/kthread.c:463\r\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\r\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\r\n \u003c/TASK\u003e\r\n\r\nAllocated by task 44:\r\n kasan_save_stack mm/kasan/common.c:56 [inline]\r\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\r\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\r\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417\r\n kasan_kmalloc include/linux/kasan.h:262 [inline]\r\n __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748\r\n kmalloc_noprof include/linux/slab.h:957 [inline]\r\n mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385\r\n mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355\r\n mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]\r\n __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529\r\n mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008\r\n mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\r\n process_one_work kernel/workqueue.c:3263 [inline]\r\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\r\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\r\n kthread+0x711/0x8a0 kernel/kthread.c:463\r\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\r\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\r\n\r\nFreed by task 6630:\r\n kasan_save_stack mm/kasan/common.c:56 [inline]\r\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\r\n __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587\r\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\r\n poison_slab_object m\r\n---truncated---",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40257"
},
{
"cve": "CVE-2025-40258",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: fix race condition in mptcp_schedule_work()\r\n\r\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\r\n\r\nIssue here is that mptcp_schedule_work() schedules a work,\r\nthen gets a refcount on sk-\u003esk_refcnt if the work was scheduled.\r\nThis refcount will be released by mptcp_worker().\r\n\r\n[A] if (schedule_work(...)) {\r\n[B] sock_hold(sk);\r\n return true;\r\n }\r\n\r\nProblem is that mptcp_worker() can run immediately and complete before [B]\r\n\r\nWe need instead :\r\n\r\n sock_hold(sk);\r\n if (schedule_work(...))\r\n return true;\r\n sock_put(sk);\r\n\r\n[1]\r\nrefcount_t: addition on 0; use-after-free.\r\n WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\r\nCall Trace:\r\n \u003cTASK\u003e\r\n __refcount_add include/linux/refcount.h:-1 [inline]\r\n __refcount_inc include/linux/refcount.h:366 [inline]\r\n refcount_inc include/linux/refcount.h:383 [inline]\r\n sock_hold include/net/sock.h:816 [inline]\r\n mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\r\n mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\r\n call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\r\n expire_timers kernel/time/timer.c:1798 [inline]\r\n __run_timers kernel/time/timer.c:2372 [inline]\r\n __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\r\n run_timer_base kernel/time/timer.c:2393 [inline]\r\n run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\r\n handle_softirqs+0x22f/0x710 kernel/softirq.c:622\r\n __do_softirq kernel/softirq.c:656 [inline]\r\n run_ktimerd+0xcf/0x190 kernel/softirq.c:1138\r\n smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\r\n kthread+0x711/0x8a0 kernel/kthread.c:463\r\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\r\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40258"
},
{
"cve": "CVE-2025-40261",
"cwe": {
"id": "CWE-1341",
"name": "Multiple Releases of Same Resource or Handle"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()\r\n\r\nnvme_fc_delete_assocation() waits for pending I/O to complete before\r\nreturning, and an error can cause -\u003eioerr_work to be queued after\r\ncancel_work_sync() had been called. Move the call to cancel_work_sync() to\r\nbe after nvme_fc_delete_association() to ensure -\u003eioerr_work is not running\r\nwhen the nvme_fc_ctrl object is freed. Otherwise the following can occur:\r\n\r\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8-\u003enext is NULL\r\n[ 1135.917705] ------------[ cut here ]------------\r\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\r\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\r\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\r\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\r\n[ 1135.950969] Workqueue: 0x0 (nvme-wq)\r\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff \u003c0f\u003e 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\r\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\r\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\r\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\r\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\r\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\r\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\r\n[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\r\n[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0\r\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\r\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\r\n[ 1136.055910] PKRU: 55555554\r\n[ 1136.058623] Call Trace:\r\n[ 1136.061074] \u003cTASK\u003e\r\n[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0\r\n[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0\r\n[ 1136.071898] ? move_linked_works+0x4a/0xa0\r\n[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1136.081744] ? __die_body.cold+0x8/0x12\r\n[ 1136.085584] ? die+0x2e/0x50\r\n[ 1136.088469] ? do_trap+0xca/0x110\r\n[ 1136.091789] ? do_error_trap+0x65/0x80\r\n[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1136.101289] ? exc_invalid_op+0x50/0x70\r\n[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20\r\n[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1136.120806] move_linked_works+0x4a/0xa0\r\n[ 1136.124733] worker_thread+0x216/0x3a0\r\n[ 1136.128485] ? __pfx_worker_thread+0x10/0x10\r\n[ 1136.132758] kthread+0xfa/0x240\r\n[ 1136.135904] ? __pfx_kthread+0x10/0x10\r\n[ 1136.139657] ret_from_fork+0x31/0x50\r\n[ 1136.143236] ? __pfx_kthread+0x10/0x10\r\n[ 1136.146988] ret_from_fork_asm+0x1a/0x30\r\n[ 1136.150915] \u003c/TASK\u003e",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40261"
},
{
"cve": "CVE-2025-40262",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: imx_sc_key - fix memory corruption on unload\r\n\r\nThis is supposed to be \"priv\" but we accidentally pass \"\u0026priv\" which is\r\nan address in the stack and so it will lead to memory corruption when\r\nthe imx_sc_key_action() function is called. Remove the \u0026.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40262"
},
{
"cve": "CVE-2025-40263",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: cros_ec_keyb - fix an invalid memory access\r\n\r\nIf cros_ec_keyb_register_matrix() isn\u0027t called (due to\r\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev-\u003eidev` remains\r\nNULL. An invalid memory access is observed in cros_ec_keyb_process()\r\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\r\nin such case.\r\n\r\n Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\r\n ...\r\n x3 : 0000000000000000 x2 : 0000000000000000\r\n x1 : 0000000000000000 x0 : 0000000000000000\r\n Call trace:\r\n input_event\r\n cros_ec_keyb_work\r\n blocking_notifier_call_chain\r\n ec_irq_thread\r\n\r\nIt\u0027s still unknown about why the kernel receives such malformed event,\r\nin any cases, the kernel shouldn\u0027t access `ckdev-\u003eidev` and friends if\r\nthe driver doesn\u0027t intend to initialize them.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40263"
},
{
"cve": "CVE-2025-40264",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbe2net: pass wrb_params in case of OS2BMC\r\n\r\nbe_insert_vlan_in_pkt() is called with the wrb_params argument being NULL\r\nat be_send_pkt_to_bmc() call site.\u00a0 This may lead to dereferencing a NULL\r\npointer when processing a workaround for specific packet, as commit\r\nbc0c3405abbb (\"be2net: fix a Tx stall bug caused by a specific ipv6\r\npacket\") states.\r\n\r\nThe correct way would be to pass the wrb_params from be_xmit().",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40264"
},
{
"cve": "CVE-2025-40271",
"cwe": {
"id": "CWE-625",
"name": "Permissive Regular Expression"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time. The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n them from rbtree. erase tun3 first, and then erase tun2. the\n pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n pde(tun2) which is released, it will case uaf access.\n\nCPU 0 | CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun-\u003edev) //tun3 tun2\nsys_getdents64() |\n iterate_dir() |\n proc_readdir() |\n proc_readdir_de() | snmp6_unregister_dev()\n pde_get(de); | proc_remove()\n read_unlock(\u0026proc_subdir_lock); | remove_proc_subtree()\n | write_lock(\u0026proc_subdir_lock);\n [time window] | rb_erase(\u0026root-\u003esubdir_node, \u0026parent-\u003esubdir);\n | write_unlock(\u0026proc_subdir_lock);\n read_lock(\u0026proc_subdir_lock); |\n next = pde_subdir_next(de); |\n pde_put(de); |\n de = next; //UAF |\n\nrbtree of dev_snmp6\n |\n pde(tun3)\n / \\\n NULL pde(tun2)",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40271"
},
{
"cve": "CVE-2025-40278",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak\n\nFix a KMSAN kernel-infoleak detected by the syzbot .\n\n[net?] KMSAN: kernel-infoleak in __skb_datagram_iter\n\nIn tcf_ife_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied.\n\nThis change silences the KMSAN report and prevents potential information\nleaks from the kernel memory.\n\nThis fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures no infoleak.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40278"
},
{
"cve": "CVE-2025-40280",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_mon_reinit_self().\n\nsyzbot reported use-after-free of tipc_net(net)-\u003emonitors[]\nin tipc_mon_reinit_self(). [0]\n\nThe array is protected by RTNL, but tipc_mon_reinit_self()\niterates over it without RTNL.\n\ntipc_mon_reinit_self() is called from tipc_net_finalize(),\nwhich is always under RTNL except for tipc_net_finalize_work().\n\nLet\u0027s hold RTNL in tipc_net_finalize_work().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\nRead of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989\n\nCPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568\n kasan_check_byte include/linux/kasan.h:399 [inline]\n lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\n rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]\n rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]\n rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244\n rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243\n write_lock_bh include/linux/rwlock_rt.h:99 [inline]\n tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718\n tipc_net_finalize+0x115/0x190 net/tipc/net.c:140\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 6089:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657\n tipc_enable_bearer net/tipc/bearer.c:357 [inline]\n __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047\n __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]\n tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393\n tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]\n tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321\n genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:729\n ____sys_sendmsg+0x508/0x820 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/\n---truncated---",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40280"
},
{
"cve": "CVE-2025-40281",
"cwe": {
"id": "CWE-1335",
"name": "Incorrect Bitwise Shift of Integer"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto\n\nsyzbot reported a possible shift-out-of-bounds [1]\n\nBlamed commit added rto_alpha_max and rto_beta_max set to 1000.\n\nIt is unclear if some sctp users are setting very large rto_alpha\nand/or rto_beta.\n\nIn order to prevent user regression, perform the test at run time.\n\nAlso add READ_ONCE() annotations as sysctl values can change under us.\n\n[1]\n\nUBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41\nshift exponent 64 is too large for 32-bit type \u0027unsigned int\u0027\nCPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:233 [inline]\n __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494\n sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509\n sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502\n sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338\n sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]\n sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40281"
},
{
"cve": "CVE-2025-40345",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: storage: sddr55: Reject out-of-bound new_pba\r\n\r\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\r\n\r\nnew_pba comes from the status packet returned after each write.\r\nA bogus device could report values beyond the block count derived\r\nfrom info-\u003ecapacity, letting the driver walk off the end of\r\npba_to_lba[] and corrupt heap memory.\r\n\r\nReject PBAs that exceed the computed block count and fail the\r\ntransfer so we avoid touching out-of-range mapping entries.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-40345"
},
{
"cve": "CVE-2025-46394",
"cwe": {
"id": "CWE-451",
"name": "User Interface (UI) Misrepresentation of Critical Information"
},
"notes": [
{
"category": "summary",
"text": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-46394"
},
{
"cve": "CVE-2025-49794",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the \u003csch:name path=\"...\"/\u003e schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program\u0027s crash using libxml or other possible undefined behaviors.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-49794"
},
{
"cve": "CVE-2025-49795",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "summary",
"text": "A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-49795"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-49796"
},
{
"cve": "CVE-2025-60876",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "summary",
"text": "BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-60876"
},
{
"cve": "CVE-2025-66035",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"notes": [
{
"category": "summary",
"text": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular\u0027s HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-66035"
},
{
"cve": "CVE-2025-66382",
"cwe": {
"id": "CWE-407",
"name": "Inefficient Algorithmic Complexity"
},
"notes": [
{
"category": "summary",
"text": "In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-66382"
},
{
"cve": "CVE-2025-66412",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler\u0027s internal security schema is incomplete, allowing attackers to bypass Angular\u0027s built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-66412"
},
{
"cve": "CVE-2025-69720",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "summary",
"text": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-69720"
},
{
"cve": "CVE-2025-71185",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: ti: dma-crossbar: fix device leak on am335x route allocation\r\n\r\nMake sure to drop the reference taken when looking up the crossbar\r\nplatform device during am335x route allocation.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-71185"
},
{
"cve": "CVE-2025-71186",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: stm32: dmamux: fix device leak on route allocation\r\n\r\nMake sure to drop the reference taken when looking up the DMA mux\r\nplatform device during route allocation.\r\n\r\nNote that holding a reference to a device does not prevent its driver\r\ndata from going away so there is no point in keeping the reference.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-71186"
},
{
"cve": "CVE-2025-71188",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: lpc18xx-dmamux: fix device leak on route allocation\r\n\r\nMake sure to drop the reference taken when looking up the DMA mux\r\nplatform device during route allocation.\r\n\r\nNote that holding a reference to a device does not prevent its driver\r\ndata from going away so there is no point in keeping the reference.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-71188"
},
{
"cve": "CVE-2025-71189",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: dw: dmamux: fix OF node leak on route allocation failure\r\n\r\nMake sure to drop the reference taken to the DMA master OF node also on\r\nlate route allocation failures.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-71189"
},
{
"cve": "CVE-2025-71190",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: bcm-sba-raid: fix device leak on probe\r\n\r\nMake sure to drop the reference taken when looking up the mailbox device\r\nduring probe on probe failures and on driver unbind.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-71190"
},
{
"cve": "CVE-2025-71191",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: at_hdmac: fix device leak on of_dma_xlate()\r\n\r\nMake sure to drop the reference taken when looking up the DMA platform\r\ndevice during of_dma_xlate() when releasing channel resources.\r\n\r\nNote that commit 3832b78b3ec2 (\"dmaengine: at_hdmac: add missing\r\nput_device() call in at_dma_xlate()\") fixed the leak in a couple of\r\nerror paths but the reference is still leaking on successful allocation.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2025-71191"
},
{
"cve": "CVE-2026-1484",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-1484"
},
{
"cve": "CVE-2026-1489",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-1489"
},
{
"cve": "CVE-2026-3784",
"cwe": {
"id": "CWE-305",
"name": "Authentication Bypass by Primary Weakness"
},
"notes": [
{
"category": "summary",
"text": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate connection.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-3784"
},
{
"cve": "CVE-2026-22610",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular\u2019s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG \u003cscript\u003e elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-22610"
},
{
"cve": "CVE-2026-22976",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset\r\n\r\n`qfq_class-\u003eleaf_qdisc-\u003eq.qlen \u003e 0` does not imply that the class\r\nitself is active.\r\n\r\nTwo qfq_class objects may point to the same leaf_qdisc. This happens\r\nwhen:\r\n\r\n1. one QFQ qdisc is attached to the dev as the root qdisc, and\r\n\r\n2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()\r\n/ qdisc_put()) and is pending to be destroyed, as in function\r\ntc_new_tfilter.\r\n\r\nWhen packets are enqueued through the root QFQ qdisc, the shared\r\nleaf_qdisc-\u003eq.qlen increases. At the same time, the second QFQ\r\nqdisc triggers qdisc_put and qdisc_destroy: the qdisc enters\r\nqfq_reset() with its own q-\u003eq.qlen == 0, but its class\u0027s leaf\r\nqdisc-\u003eq.qlen \u003e 0. Therefore, the qfq_reset would wrongly deactivate\r\nan inactive aggregate and trigger a null-deref in qfq_deactivate_agg:\r\n\r\n[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000\r\n[ 0.903571] #PF: supervisor write access in kernel mode\r\n[ 0.903860] #PF: error_code(0x0002) - not-present page\r\n[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0\r\n[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI\r\n[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE\r\n[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\r\n[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))\r\n[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0\r\n\r\nCode starting with the faulting instruction\r\n===========================================\r\n 0:\t0f 84 4d 01 00 00 \tje 0x153\r\n 6:\t48 89 70 18 \tmov %rsi,0x18(%rax)\r\n a:\t8b 4b 10 \tmov 0x10(%rbx),%ecx\r\n d:\t48 c7 c2 ff ff ff ff \tmov $0xffffffffffffffff,%rdx\r\n 14:\t48 8b 78 08 \tmov 0x8(%rax),%rdi\r\n 18:\t48 d3 e2 \tshl %cl,%rdx\r\n 1b:\t48 21 f2 \tand %rsi,%rdx\r\n 1e:\t48 2b 13 \tsub (%rbx),%rdx\r\n 21:\t48 8b 30 \tmov (%rax),%rsi\r\n 24:\t48 d3 ea \tshr %cl,%rdx\r\n 27:\t8b 4b 18 \tmov 0x18(%rbx),%ecx\r\n\t...\r\n[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246\r\n[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000\r\n[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\r\n[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000\r\n[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000\r\n[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880\r\n[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000\r\n[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0\r\n[ 0.910247] PKRU: 55555554\r\n[ 0.910391] Call Trace:\r\n[ 0.910527] \u003cTASK\u003e\r\n[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)\r\n[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)\r\n[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)\r\n[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)\r\n[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\r\n[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)\r\n[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)\r\n[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\r\n[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)\r\n[ 0.912484] netlink_sendmsg (net/netlink/af\r\n---truncated---",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-22976"
},
{
"cve": "CVE-2026-22977",
"cwe": {
"id": "CWE-489",
"name": "Active Debug Code"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: sock: fix hardened usercopy panic in sock_recv_errqueue\r\n\r\nskbuff_fclone_cache was created without defining a usercopy region,\r\n[1] unlike skbuff_head_cache which properly whitelists the cb[] field.\r\n[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is\r\nenabled and the kernel attempts to copy sk_buff.cb data to userspace\r\nvia sock_recv_errqueue() -\u003e put_cmsg().\r\n\r\nThe crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()\r\n (from skbuff_fclone_cache) [1]\r\n2. The skb is cloned via skb_clone() using the pre-allocated fclone\r\n[3] 3. The cloned skb is queued to sk_error_queue for timestamp\r\nreporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)\r\n5. sock_recv_errqueue() calls put_cmsg() to copy serr-\u003eee from skb-\u003ecb\r\n[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no\r\n usercopy whitelist [5]\r\n\r\nWhen cloned skbs allocated from skbuff_fclone_cache are used in the\r\nsocket error queue, accessing the sock_exterr_skb structure in skb-\u003ecb\r\nvia put_cmsg() triggers a usercopy hardening violation:\r\n\r\n[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object \u0027skbuff_fclone_cache\u0027 (offset 296, size 16)!\r\n[ 5.382796] kernel BUG at mm/usercopy.c:102!\r\n[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\r\n[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7\r\n[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\r\n[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80\r\n[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff \u003c0f\u003e 0b 490\r\n[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246\r\n[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74\r\n[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0\r\n[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74\r\n[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001\r\n[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00\r\n[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000\r\n[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0\r\n[ 5.384903] PKRU: 55555554\r\n[ 5.384903] Call Trace:\r\n[ 5.384903] \u003cTASK\u003e\r\n[ 5.384903] __check_heap_object+0x9a/0xd0\r\n[ 5.384903] __check_object_size+0x46c/0x690\r\n[ 5.384903] put_cmsg+0x129/0x5e0\r\n[ 5.384903] sock_recv_errqueue+0x22f/0x380\r\n[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960\r\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\r\n[ 5.384903] ? schedule+0x6d/0x270\r\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\r\n[ 5.384903] ? mutex_unlock+0x81/0xd0\r\n[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10\r\n[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10\r\n[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0\r\n[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40\r\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\r\n\r\nThe crash offset 296 corresponds to skb2-\u003ecb within skbuff_fclones:\r\n - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -\r\n offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =\r\n 272 + 24 (inside sock_exterr_skb.ee)\r\n\r\nThis patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.\r\n\r\n[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885\r\n[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104\r\n[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566\r\n[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491\r\n[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-22977"
},
{
"cve": "CVE-2026-23025",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/page_alloc: prevent pcp corruption with SMP=n\r\n\r\nThe kernel test robot has reported:\r\n\r\n BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28\r\n lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0\r\n CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470\r\n Call Trace:\r\n \u003cIRQ\u003e\r\n __dump_stack (lib/dump_stack.c:95)\r\n dump_stack_lvl (lib/dump_stack.c:123)\r\n dump_stack (lib/dump_stack.c:130)\r\n spin_dump (kernel/locking/spinlock_debug.c:71)\r\n do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)\r\n _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)\r\n __free_frozen_pages (mm/page_alloc.c:2973)\r\n ___free_pages (mm/page_alloc.c:5295)\r\n __free_pages (mm/page_alloc.c:5334)\r\n tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)\r\n ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)\r\n ? rcu_core (kernel/rcu/tree.c:?)\r\n rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)\r\n rcu_core_si (kernel/rcu/tree.c:2879)\r\n handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)\r\n __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)\r\n irq_exit_rcu (kernel/softirq.c:741)\r\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)\r\n \u003c/IRQ\u003e\r\n \u003cTASK\u003e\r\n RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)\r\n free_pcppages_bulk (mm/page_alloc.c:1494)\r\n drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)\r\n __drain_all_pages (mm/page_alloc.c:2731)\r\n drain_all_pages (mm/page_alloc.c:2747)\r\n kcompactd (mm/compaction.c:3115)\r\n kthread (kernel/kthread.c:465)\r\n ? __cfi_kcompactd (mm/compaction.c:3166)\r\n ? __cfi_kthread (kernel/kthread.c:412)\r\n ret_from_fork (arch/x86/kernel/process.c:164)\r\n ? __cfi_kthread (kernel/kthread.c:412)\r\n ret_from_fork_asm (arch/x86/entry/entry_64.S:255)\r\n \u003c/TASK\u003e\r\n\r\nMatthew has analyzed the report and identified that in drain_page_zone()\r\nwe are in a section protected by spin_lock(\u0026pcp-\u003elock) and then get an\r\ninterrupt that attempts spin_trylock() on the same lock. The code is\r\ndesigned to work this way without disabling IRQs and occasionally fail the\r\ntrylock with a fallback. However, the SMP=n spinlock implementation\r\nassumes spin_trylock() will always succeed, and thus it\u0027s normally a\r\nno-op. Here the enabled lock debugging catches the problem, but otherwise\r\nit could cause a corruption of the pcp structure.\r\n\r\nThe problem has been introduced by commit 574907741599 (\"mm/page_alloc:\r\nleave IRQs enabled for per-cpu page allocations\"). The pcp locking scheme\r\nrecognizes the need for disabling IRQs to prevent nesting spin_trylock()\r\nsections on SMP=n, but the need to prevent the nesting in spin_lock() has\r\nnot been recognized. Fix it by introducing local wrappers that change the\r\nspin_lock() to spin_lock_iqsave() with SMP=n and use them in all places\r\nthat do spin_lock(\u0026pcp-\u003elock).\r\n\r\n[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23025"
},
{
"cve": "CVE-2026-23026",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()\r\n\r\nFix a memory leak in gpi_peripheral_config() where the original memory\r\npointed to by gchan-\u003econfig could be lost if krealloc() fails.\r\n\r\nThe issue occurs when:\r\n1. gchan-\u003econfig points to previously allocated memory\r\n2. krealloc() fails and returns NULL\r\n3. The function directly assigns NULL to gchan-\u003econfig, losing the\r\n reference to the original memory\r\n4. The original memory becomes unreachable and cannot be freed\r\n\r\nFix this by using a temporary variable to hold the krealloc() result\r\nand only updating gchan-\u003econfig when the allocation succeeds.\r\n\r\nFound via static analysis and code review.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23026"
},
{
"cve": "CVE-2026-23030",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()\r\n\r\nThe for_each_available_child_of_node() calls of_node_put() to\r\nrelease child_np in each success loop. After breaking from the\r\nloop with the child_np has been released, the code will jump to\r\nthe put_child label and will call the of_node_put() again if the\r\ndevm_request_threaded_irq() fails. These cause a double free bug.\r\n\r\nFix by returning directly to avoid the duplicate of_node_put().",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23030"
},
{
"cve": "CVE-2026-23031",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak\r\n\r\nIn gs_can_open(), the URBs for USB-in transfers are allocated, added to the\r\nparent-\u003erx_submitted anchor and submitted. In the complete callback\r\ngs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In\r\ngs_can_close() the URBs are freed by calling\r\nusb_kill_anchored_urbs(parent-\u003erx_submitted).\r\n\r\nHowever, this does not take into account that the USB framework unanchors\r\nthe URB before the complete function is called. This means that once an\r\nin-URB has been completed, it is no longer anchored and is ultimately not\r\nreleased in gs_can_close().\r\n\r\nFix the memory leak by anchoring the URB in the\r\ngs_usb_receive_bulk_callback() to the parent-\u003erx_submitted anchor.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23031"
},
{
"cve": "CVE-2026-23032",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnull_blk: fix kmemleak by releasing references to fault configfs items\r\n\r\nWhen CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk\r\ndriver sets up fault injection support by creating the timeout_inject,\r\nrequeue_inject, and init_hctx_fault_inject configfs items as children\r\nof the top-level nullbX configfs group.\r\n\r\nHowever, when the nullbX device is removed, the references taken to\r\nthese fault-config configfs items are not released. As a result,\r\nkmemleak reports a memory leak, for example:\r\n\r\nunreferenced object 0xc00000021ff25c40 (size 32):\r\n comm \"mkdir\", pid 10665, jiffies 4322121578\r\n hex dump (first 32 bytes):\r\n 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_\r\n 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject..........\r\n backtrace (crc 1a018c86):\r\n __kmalloc_node_track_caller_noprof+0x494/0xbd8\r\n kvasprintf+0x74/0xf4\r\n config_item_set_name+0xf0/0x104\r\n config_group_init_type_name+0x48/0xfc\r\n fault_config_init+0x48/0xf0\r\n 0xc0080000180559e4\r\n configfs_mkdir+0x304/0x814\r\n vfs_mkdir+0x49c/0x604\r\n do_mkdirat+0x314/0x3d0\r\n sys_mkdir+0xa0/0xd8\r\n system_call_exception+0x1b0/0x4f0\r\n system_call_vectored_common+0x15c/0x2ec\r\n\r\nFix this by explicitly releasing the references to the fault-config\r\nconfigfs items when dropping the reference to the top-level nullbX\r\nconfigfs group.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23032"
},
{
"cve": "CVE-2026-23033",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: omap-dma: fix dma_pool resource leak in error paths\r\n\r\nThe dma_pool created by dma_pool_create() is not destroyed when\r\ndma_async_device_register() or of_dma_controller_register() fails,\r\ncausing a resource leak in the probe error paths.\r\n\r\nAdd dma_pool_destroy() in both error paths to properly release the\r\nallocated dma_pool resource.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23033"
},
{
"cve": "CVE-2026-23037",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: etas_es58x: allow partial RX URB allocation to succeed\r\n\r\nWhen es58x_alloc_rx_urbs() fails to allocate the requested number of\r\nURBs but succeeds in allocating some, it returns an error code.\r\nThis causes es58x_open() to return early, skipping the cleanup label\r\n\u0027free_urbs\u0027, which leads to the anchored URBs being leaked.\r\n\r\nAs pointed out by maintainer Vincent Mailhol, the driver is designed\r\nto handle partial URB allocation gracefully. Therefore, partial\r\nallocation should not be treated as a fatal error.\r\n\r\nModify es58x_alloc_rx_urbs() to return 0 if at least one URB has been\r\nallocated, restoring the intended behavior and preventing the leak\r\nin es58x_open().",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23037"
},
{
"cve": "CVE-2026-23038",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\npnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()\r\n\r\nIn nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,\r\nthe function jumps to the out_scratch label without freeing the already\r\nallocated dsaddrs list, leading to a memory leak.\r\n\r\nFix this by jumping to the out_err_drain_dsaddrs label, which properly\r\nfrees the dsaddrs list before cleaning up other resources.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23038"
},
{
"cve": "CVE-2026-23111",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter-\u003egenmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23111"
},
{
"cve": "CVE-2026-23112",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd-\u003ereq.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg-\u003elength/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg-\u003elength/offset before building the bvec.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23112"
},
{
"cve": "CVE-2026-23220",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths\r\n\r\nThe problem occurs when a signed request fails smb2 signature verification\r\ncheck. In __process_request(), if check_sign_req() returns an error,\r\nset_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.\r\nset_smb2_rsp_status() set work-\u003enext_smb2_rcv_hdr_off as zero. By resetting\r\nnext_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain\r\nis lost. Consequently, is_chained_smb2_message() continues to point to\r\nthe same request header instead of advancing. If the header\u0027s NextCommand\r\nfield is non-zero, the function returns true, causing __handle_ksmbd_work()\r\nto repeatedly process the same failed request in an infinite loop.\r\nThis results in the kernel log being flooded with \"bad smb2 signature\"\r\nmessages and high CPU usage.\r\n\r\nThis patch fixes the issue by changing the return value from\r\nSERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that\r\nthe processing loop terminates immediately rather than attempting to\r\ncontinue from an invalidated offset.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23220"
},
{
"cve": "CVE-2026-23222",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly\n\nThe existing allocation of scatterlists in omap_crypto_copy_sg_lists()\nwas allocating an array of scatterlist pointers, not scatterlist objects,\nresulting in a 4x too small allocation.\n\nUse sizeof(*new_sg) to get the correct object size.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23222"
},
{
"cve": "CVE-2026-23228",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()\r\n\r\nOn kthread_run() failure in ksmbd_tcp_new_connection(), the transport is\r\nfreed via free_transport(), which does not decrement active_num_conn,\r\nleaking this counter.\r\n\r\nReplace free_transport() with ksmbd_tcp_disconnect().",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23228"
},
{
"cve": "CVE-2026-23229",
"cwe": {
"id": "CWE-820",
"name": "Missing Synchronization"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: virtio - Add spinlock protection with virtqueue notification\r\n\r\nWhen VM boots with one virtio-crypto PCI device and builtin backend,\r\nrun openssl benchmark command with multiple processes, such as\r\n openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32\r\n\r\nopenssl processes will hangup and there is error reported like this:\r\n virtio_crypto virtio0: dataq.0:id 3 is not a head!\r\n\r\nIt seems that the data virtqueue need protection when it is handled\r\nfor virtio done notification. If the spinlock protection is added\r\nin virtcrypto_done_task(), openssl benchmark with multiple processes\r\nworks well.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23229"
},
{
"cve": "CVE-2026-23230",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: split cached_fid bitfields to avoid shared-byte RMW races\n\nis_open, has_lease and on_list are stored in the same bitfield byte in\nstruct cached_fid but are updated in different code paths that may run\nconcurrently. Bitfield assignments generate byte read\u2013modify\u2013write\noperations (e.g. `orb $mask, addr` on x86_64), so updating one flag can\nrestore stale values of the others.\n\nA possible interleaving is:\n CPU1: load old byte (has_lease=1, on_list=1)\n CPU2: clear both flags (store 0)\n CPU1: RMW store (old | IS_OPEN) -\u003e reintroduces cleared bits\n\nTo avoid this class of races, convert these flags to separate bool\nfields.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23230"
},
{
"cve": "CVE-2026-23231",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nf_tables_addchain()\n\nnf_tables_addchain() publishes the chain to table-\u003echains via\nlist_add_tail_rcu() (in nft_chain_add()) before registering hooks.\nIf nf_tables_register_hook() then fails, the error path calls\nnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()\nwith no RCU grace period in between.\n\nThis creates two use-after-free conditions:\n\n 1) Control-plane: nf_tables_dump_chains() traverses table-\u003echains\n under rcu_read_lock(). A concurrent dump can still be walking\n the chain when the error path frees it.\n\n 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly\n installs the IPv4 hook before IPv6 registration fails. Packets\n entering nft_do_chain() via the transient IPv4 hook can still be\n dereferencing chain-\u003eblob_gen_X when the error path frees the\n chain.\n\nAdd synchronize_rcu() between nft_chain_del() and the chain destroy\nso that all RCU readers -- both dump threads and in-flight packet\nevaluation -- have finished before the chain is freed.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23231"
},
{
"cve": "CVE-2026-23236",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace. Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23236"
},
{
"cve": "CVE-2026-23238",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nromfs: check sb_set_blocksize() return value\r\n\r\nromfs_fill_super() ignores the return value of sb_set_blocksize(), which\r\ncan fail if the requested block size is incompatible with the block\r\ndevice\u0027s configuration.\r\n\r\nThis can be triggered by setting a loop device\u0027s block size larger than\r\nPAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs\r\nfilesystem on that device.\r\n\r\nWhen sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the\r\ndevice has logical_block_size=32768, bdev_validate_blocksize() fails\r\nbecause the requested size is smaller than the device\u0027s logical block\r\nsize. sb_set_blocksize() returns 0 (failure), but romfs ignores this and\r\ncontinues mounting.\r\n\r\nThe superblock\u0027s block size remains at the device\u0027s logical block size\r\n(32768). Later, when sb_bread() attempts I/O with this oversized block\r\nsize, it triggers a kernel BUG in folio_set_bh():\r\n\r\n kernel BUG at fs/buffer.c:1582!\r\n BUG_ON(size \u003e PAGE_SIZE);\r\n\r\nFix by checking the return value of sb_set_blocksize() and failing the\r\nmount with -EINVAL if it returns 0.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-23238"
},
{
"cve": "CVE-2026-24515",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "summary",
"text": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-24515"
},
{
"cve": "CVE-2026-25210",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "summary",
"text": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-25210"
},
{
"cve": "CVE-2026-26157",
"cwe": {
"id": "CWE-73",
"name": "External Control of File Name or Path"
},
"notes": [
{
"category": "summary",
"text": "A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-26157"
},
{
"cve": "CVE-2026-26158",
"cwe": {
"id": "CWE-73",
"name": "External Control of File Name or Path"
},
"notes": [
{
"category": "summary",
"text": "A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-26158"
},
{
"cve": "CVE-2026-35535",
"cwe": {
"id": "CWE-271",
"name": "Privilege Dropping / Lowering Errors"
},
"notes": [
{
"category": "summary",
"text": "In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-35535"
},
{
"cve": "CVE-2026-41918",
"cwe": {
"id": "CWE-525",
"name": "Use of Web Browser Cache Containing Sensitive Information"
},
"notes": [
{
"category": "summary",
"text": "The affected applications stores sensitive information in the browser cache when an authenticated user modify specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V4.0 or later version",
"product_ids": [
"1"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2026-41918"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…