csaf_redhat - rhsa-2025:23202

RHSA-2025:23202

Vulnerability from csaf_redhat - Published: 2025-12-15 15:29 - Updated: 2025-12-30 17:42

Summary

Red Hat Security Advisory: Red Hat AI Inference Server Model Optimization Tools 3.2.5 (CUDA)

Notes

Topic

Red Hat AI Inference Server Model Optimization Tools 3.2.5 (CUDA) is now available.

Details

Red Hat® AI Inference Server Model Optimization Tools

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat AI Inference Server Model Optimization Tools 3.2.5 (CUDA) is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat\u00ae AI Inference Server Model Optimization Tools",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:23202",
        "url": "https://access.redhat.com/errata/RHSA-2025:23202"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-22868",
        "url": "https://access.redhat.com/security/cve/CVE-2025-22868"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-22869",
        "url": "https://access.redhat.com/security/cve/CVE-2025-22869"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-52565",
        "url": "https://access.redhat.com/security/cve/CVE-2025-52565"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-59375",
        "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-66506",
        "url": "https://access.redhat.com/security/cve/CVE-2025-66506"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-9230",
        "url": "https://access.redhat.com/security/cve/CVE-2025-9230"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-9714",
        "url": "https://access.redhat.com/security/cve/CVE-2025-9714"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://www.redhat.com/en/products/ai/inference-server",
        "url": "https://www.redhat.com/en/products/ai/inference-server"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23202.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat AI Inference Server Model Optimization Tools 3.2.5 (CUDA)",
    "tracking": {
      "current_release_date": "2025-12-30T17:42:15+00:00",
      "generator": {
        "date": "2025-12-30T17:42:15+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.14"
        }
      },
      "id": "RHSA-2025:23202",
      "initial_release_date": "2025-12-15T15:29:01+00:00",
      "revision_history": [
        {
          "date": "2025-12-15T15:29:01+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-12-15T15:29:08+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-12-30T17:42:15+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat AI Inference Server 3.2",
                "product": {
                  "name": "Red Hat AI Inference Server 3.2",
                  "product_id": "Red Hat AI Inference Server 3.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ai_inference_server:3.2::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat AI Inference Server"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64",
                "product": {
                  "name": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64",
                  "product_id": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/model-opt-cuda-rhel9@sha256%3Afca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e?arch=amd64\u0026repository_url=registry.redhat.io/rhaiis\u0026tag=3.2.5-1765361184"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
                "product": {
                  "name": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
                  "product_id": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/model-opt-cuda-rhel9@sha256%3Af083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d?arch=arm64\u0026repository_url=registry.redhat.io/rhaiis\u0026tag=3.2.5-1765361184"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64 as a component of Red Hat AI Inference Server 3.2",
          "product_id": "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64"
        },
        "product_reference": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
        "relates_to_product_reference": "Red Hat AI Inference Server 3.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64 as a component of Red Hat AI Inference Server 3.2",
          "product_id": "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
        },
        "product_reference": "registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64",
        "relates_to_product_reference": "Red Hat AI Inference Server 3.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-9230",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "discovery_date": "2025-09-17T12:15:34.387000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2396054"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Issue summary: An application trying to decrypt CMS messages encrypted using\npassword based encryption can trigger an out-of-bounds read and write.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application. The out-of-bounds write can cause\na memory corruption which can have various consequences including\na Denial of Service or Execution of attacker-supplied code.\n\nAlthough the consequences of a successful exploit of this vulnerability\ncould be severe, the probability that the attacker would be able to\nperform it is low. Besides, password based (PWRI) encryption support in CMS\nmessages is very rarely used. For that reason the issue was assessed as\nModerate severity according to our Security Policy.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The vulnerability was rated as Moderate because, while the potential impact includes an application level denial of service and possible arbitrary code execution, successful exploitation is considered unlikely due to the high attack complexity and the fact that password-based CMS encryption (PWRI) is rarely used in real-world deployments.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-787: Out-of-bounds Write or a CWE-125: Out-of-bounds Read vulnerability, and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform enforces hardening guidelines and baseline configurations to ensure secure system and software settings, while least functionality reduces the attack surface by disabling unnecessary services and ports. Rigorous development practices, including static analysis, input validation, and error handling, detect and mitigate memory vulnerabilities before deployment. Process isolation and memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) preserve memory integrity by confining faults to individual workloads and preventing unauthorized access. Malicious code protections and continuous system monitoring detect anomalous memory activity and exploitation attempts, reducing the likelihood and impact of out-of-bounds read and write vulnerabilities.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-9230"
        },
        {
          "category": "external",
          "summary": "RHBZ#2396054",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396054"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-9230",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9230",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9230"
        }
      ],
      "release_date": "2025-09-30T23:59:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-15T15:29:01+00:00",
          "details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23202",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23202"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssl: Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap"
    },
    {
      "cve": "CVE-2025-9714",
      "cwe": {
        "id": "CWE-606",
        "name": "Unchecked Input for Loop Condition"
      },
      "discovery_date": "2025-09-02T13:03:56.452000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2392605"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libxstl/libxml2. The \u0027exsltDynMapFunction\u0027 function in libexslt/dynamic.c does not contain a recursion depth check, which may cause an infinite loop via a specially crafted XSLT document while handling \u0027dyn:map()\u0027, leading to stack exhaustion and a local denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libxslt: libxml2: Inifinite recursion at exsltDynMapFunction function in libexslt/dynamic.c",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "No evidence was found for arbitrary memory corruption through this flaw, limiting its impact to Availability only, and reducing its severity to Moderate.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-606: Unchecked Input for Loop Condition vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nInput validation controls are in place, which ensure that any input controlling loop behavior is validated against strict criteria like type, length, and range before being processed. This prevents malicious or abnormal inputs from causing excessive or infinite iterations, thereby avoiding logic errors or system overloads. Memory protection controls such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protect the system\u2019s memory from overuse or corruption if an unchecked input were to cause a loop to execute excessively. It ensures that memory is safely allocated and accessed, reducing the risks of buffer overflows, resource exhaustion, or crashes. Lastly, the implementation of security engineering principles dictates the use of secure coding practices, such as input validation, loop iteration limits, and error handling, are integrated during system design and development.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-9714"
        },
        {
          "category": "external",
          "summary": "RHBZ#2392605",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392605"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-9714",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-9714"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9714",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9714"
        },
        {
          "category": "external",
          "summary": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21",
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21"
        },
        {
          "category": "external",
          "summary": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/148",
          "url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/148"
        }
      ],
      "release_date": "2025-09-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-15T15:29:01+00:00",
          "details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23202",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23202"
        },
        {
          "category": "workaround",
          "details": "The impact of this flaw may be reduced by setting strict resource limits to the stack size of processes at the operational system level. This can be achieved either through the \u0027ulimit\u0027 shell built-in or the \u0027limits.conf\u0027 file.",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "libxslt: libxml2: Inifinite recursion at exsltDynMapFunction function in libexslt/dynamic.c"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "jub0bs"
          ]
        }
      ],
      "cve": "CVE-2025-22868",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "discovery_date": "2025-02-26T04:00:44.350024+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2348366"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "RHBZ#2348366",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/652155",
          "url": "https://go.dev/cl/652155"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/71490",
          "url": "https://go.dev/issue/71490"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3488",
          "url": "https://pkg.go.dev/vuln/GO-2025-3488"
        }
      ],
      "release_date": "2025-02-26T03:07:49.012000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-15T15:29:01+00:00",
          "details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23202",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23202"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
    },
    {
      "cve": "CVE-2025-22869",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-02-26T04:00:47.683125+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2348367"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22869"
        },
        {
          "category": "external",
          "summary": "RHBZ#2348367",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/652135",
          "url": "https://go.dev/cl/652135"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/71931",
          "url": "https://go.dev/issue/71931"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3487",
          "url": "https://pkg.go.dev/vuln/GO-2025-3487"
        }
      ],
      "release_date": "2025-02-26T03:07:48.855000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-15T15:29:01+00:00",
          "details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23202",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23202"
        },
        {
          "category": "workaround",
          "details": "This flaw can be mitigated when using the client only connecting to trusted servers.",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh"
    },
    {
      "cve": "CVE-2025-52565",
      "cwe": {
        "id": "CWE-59",
        "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
      },
      "discovery_date": "2025-10-17T14:19:18.653000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2404708"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in runc. CVE-2025-52565 is very similar in concept and application toCVE-2025-31133, except that it exploits a flaw in /dev/console\nbind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "runc: container escape with malicious config due to /dev/console mount and related races",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat considers this as an Important flaw since the impact is limited to local attack with minimal privileges in order to jeopardize the environment.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "RHBZ#2404708",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404708"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52565",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52565"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565"
        }
      ],
      "release_date": "2025-11-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-15T15:29:01+00:00",
          "details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23202",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23202"
        },
        {
          "category": "workaround",
          "details": "Potential mitigations for this issue include:\n\n* Using user namespaces, with the host root user not mapped into the container\u0027s namespace. procfs file permissions are managed using Unix DAC and thus user namespaces stop a container process from being able to write to them.\n* Not running as a root user in the container (this includes disabling setuid binaries with noNewPrivileges). As above, procfs file permissions are managed using Unix DAC and thus non-root users cannot write to them.\n* The default SELinux policy should mitigate this issue, as the /dev/console bind-mount does not re-label the mount and so the container process should not be able to write to unsafe procfs files. However, CVE-2025-52881 allows an attacker to bypass LSM labels, and so this mitigation is not helpful when considered in combination with CVE-2025-52881.\n* The default AppArmor profile used by most runtimes will NOT help mitigate this issue, as /dev/console access is permitted. You could create a custom profile that blocks access to /dev/console, but such a profile might break regular containers. In addition, CVE-2025-52881 allows an attacker to bypass LSM labels, and so that mitigation is not helpful when considered in combination with CVE-2025-52881.",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "runc: container escape with malicious config due to /dev/console mount and related races"
    },
    {
      "cve": "CVE-2025-59375",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-09-15T03:00:59.775098+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2395108"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A memory amplification vulnerability in libexpat allows attackers to trigger excessive dynamic memory allocations by submitting specially crafted XML input. A small input (~250 KiB) can cause the parser to allocate hundreds of megabytes, leading to denial-of-service (DoS) through memory exhaustion.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue is Important rather than Critical because, while it allows for significant resource exhaustion leading to denial-of-service (DoS), it does not enable arbitrary code execution, data leakage, or privilege escalation. The vulnerability stems from an uncontrolled memory amplification behavior in libexpat\u2019s parser, where a relatively small XML payload can cause disproportionately large heap allocations. However, the flaw is limited in scope to service disruption and requires the attacker to submit a crafted XML document\u2014something that can be mitigated with proper input validation and memory usage limits. Therefore, while the exploitability is high, the impact is confined to availability, not confidentiality or integrity, making it a high-severity but not critical flaw.\n\nIn Firefox and Thunderbird, where libexpat is a transitive userspace dependency, exploitation usually just crashes the application (app-level DoS), so it is classify as Moderate instead of Important.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-59375"
        },
        {
          "category": "external",
          "summary": "RHBZ#2395108",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395108"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-59375",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-59375"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375"
        },
        {
          "category": "external",
          "summary": "https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74",
          "url": "https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74"
        },
        {
          "category": "external",
          "summary": "https://github.com/libexpat/libexpat/issues/1018",
          "url": "https://github.com/libexpat/libexpat/issues/1018"
        },
        {
          "category": "external",
          "summary": "https://github.com/libexpat/libexpat/pull/1034",
          "url": "https://github.com/libexpat/libexpat/pull/1034"
        },
        {
          "category": "external",
          "summary": "https://issues.oss-fuzz.com/issues/439133977",
          "url": "https://issues.oss-fuzz.com/issues/439133977"
        }
      ],
      "release_date": "2025-09-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-15T15:29:01+00:00",
          "details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23202",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23202"
        },
        {
          "category": "workaround",
          "details": "To mitigate the issue, limit XML input size and complexity before parsing, and avoid accepting compressed or deeply nested XML. Use OS-level resource controls (like ulimit or setrlimit()) to cap memory usage, or run the parser in a sandboxed or isolated process with strict memory and CPU limits. This helps prevent denial-of-service by containing excessive resource consumption.",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing"
    },
    {
      "cve": "CVE-2025-66506",
      "cwe": {
        "id": "CWE-405",
        "name": "Asymmetric Resource Consumption (Amplification)"
      },
      "discovery_date": "2025-12-04T23:01:20.507333+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2419056"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Important for Red Hat as Fulcio, a certificate authority used for issuing code signing certificates, is susceptible to a denial of service when processing a specially crafted OpenID Connect (OIDC) token. This could lead to resource exhaustion and service unavailability in affected Red Hat products that utilize Fulcio.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
          "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-66506"
        },
        {
          "category": "external",
          "summary": "RHBZ#2419056",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419056"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-66506",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-66506"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66506",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66506"
        },
        {
          "category": "external",
          "summary": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a",
          "url": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a"
        },
        {
          "category": "external",
          "summary": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw",
          "url": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw"
        }
      ],
      "release_date": "2025-12-04T22:04:41.637000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-15T15:29:01+00:00",
          "details": "For more information visit https://access.redhat.com/errata/RHSA-2025:23202",
          "product_ids": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23202"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:f083e52ef4198ab8123c49eb044c4374ec996f65633d224bb8152ef0c3f30e7d_arm64",
            "Red Hat AI Inference Server 3.2:registry.redhat.io/rhaiis/model-opt-cuda-rhel9@sha256:fca12d55fef49b9a67c8aa7c2c004adb8916b9784134b4e571067a615a7a4a2e_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token"
    }
  ]
}

CVE-2025-22869 (GCVE-0-2025-22869)

Vulnerability from cvelistv5 – Published: 2025-02-26 03:07 – Updated: 2025-04-11 22:03

Title

Potential denial of service in golang.org/x/crypto

Summary

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

References

URL

Tags

	https://go.dev/cl/652135
	https://go.dev/issue/71931
	https://pkg.go.dev/vuln/GO-2025-3487

Impacted products

	Vendor	Product	Version
	golang.org/x/crypto	golang.org/x/crypto/ssh	Affected: 0 , < 0.35.0 (semver)

Credits

Yuichi Watanabe

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22869",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T14:57:07.968721Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-26T14:57:49.252Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-11T22:03:24.222Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250411-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/crypto/ssh",
          "product": "golang.org/x/crypto/ssh",
          "programRoutines": [
            {
              "name": "newHandshakeTransport"
            },
            {
              "name": "handshakeTransport.recordWriteError"
            },
            {
              "name": "handshakeTransport.kexLoop"
            },
            {
              "name": "handshakeTransport.writePacket"
            },
            {
              "name": "Client.Dial"
            },
            {
              "name": "Client.DialContext"
            },
            {
              "name": "Client.DialTCP"
            },
            {
              "name": "Client.Listen"
            },
            {
              "name": "Client.ListenTCP"
            },
            {
              "name": "Client.ListenUnix"
            },
            {
              "name": "Client.NewSession"
            },
            {
              "name": "Dial"
            },
            {
              "name": "DiscardRequests"
            },
            {
              "name": "NewClient"
            },
            {
              "name": "NewClientConn"
            },
            {
              "name": "NewServerConn"
            },
            {
              "name": "Request.Reply"
            },
            {
              "name": "Session.Close"
            },
            {
              "name": "Session.CombinedOutput"
            },
            {
              "name": "Session.Output"
            },
            {
              "name": "Session.RequestPty"
            },
            {
              "name": "Session.RequestSubsystem"
            },
            {
              "name": "Session.Run"
            },
            {
              "name": "Session.SendRequest"
            },
            {
              "name": "Session.Setenv"
            },
            {
              "name": "Session.Shell"
            },
            {
              "name": "Session.Signal"
            },
            {
              "name": "Session.Start"
            },
            {
              "name": "Session.WindowChange"
            },
            {
              "name": "channel.Accept"
            },
            {
              "name": "channel.Close"
            },
            {
              "name": "channel.CloseWrite"
            },
            {
              "name": "channel.Read"
            },
            {
              "name": "channel.ReadExtended"
            },
            {
              "name": "channel.Reject"
            },
            {
              "name": "channel.SendRequest"
            },
            {
              "name": "channel.Write"
            },
            {
              "name": "channel.WriteExtended"
            },
            {
              "name": "connection.SendAuthBanner"
            },
            {
              "name": "curve25519sha256.Client"
            },
            {
              "name": "curve25519sha256.Server"
            },
            {
              "name": "dhGEXSHA.Client"
            },
            {
              "name": "dhGEXSHA.Server"
            },
            {
              "name": "dhGroup.Client"
            },
            {
              "name": "dhGroup.Server"
            },
            {
              "name": "ecdh.Client"
            },
            {
              "name": "ecdh.Server"
            },
            {
              "name": "extChannel.Read"
            },
            {
              "name": "extChannel.Write"
            },
            {
              "name": "mux.OpenChannel"
            },
            {
              "name": "mux.SendRequest"
            },
            {
              "name": "sessionStdin.Close"
            },
            {
              "name": "sshClientKeyboardInteractive.Challenge"
            },
            {
              "name": "tcpListener.Accept"
            },
            {
              "name": "tcpListener.Close"
            },
            {
              "name": "unixListener.Accept"
            },
            {
              "name": "unixListener.Close"
            }
          ],
          "vendor": "golang.org/x/crypto",
          "versions": [
            {
              "lessThan": "0.35.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Yuichi Watanabe"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-26T03:07:48.855Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/652135"
        },
        {
          "url": "https://go.dev/issue/71931"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3487"
        }
      ],
      "title": "Potential denial of service in golang.org/x/crypto"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-22869",
    "datePublished": "2025-02-26T03:07:48.855Z",
    "dateReserved": "2025-01-08T19:11:42.834Z",
    "dateUpdated": "2025-04-11T22:03:24.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52565 (GCVE-0-2025-52565)

Vulnerability from cvelistv5 – Published: 2025-11-06 20:02 – Updated: 2025-11-06 21:32

Title

container escape due to /dev/console mount and related races

Summary

runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Severity ?

8.4 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

CWE

CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-363 - Race Condition Enabling Link Following

Assigner

GitHub_M

References

URL

Tags

	https://github.com/opencontainers/runc/security/a…	x_refsource_CONFIRM
	https://github.com/opencontainers/runc/commit/01d…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/398…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/531…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/9be…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/aee…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/db1…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/de8…	x_refsource_MISC
	https://github.com/opencontainers/runc/commit/ff9…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencontainers	runc	Affected: >= 1.0.0-rc3, < 1.2.8 Affected: >= 1.3.0-rc.1, < 1.3.3 Affected: >= 1.4.0-rc.1, < 1.4.0-rc.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52565",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:32:07.457681Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:32:19.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "runc",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0-rc3, \u003c 1.2.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.3.0-rc.1, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.4.0-rc.1, \u003c 1.4.0-rc.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-363",
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-06T20:02:58.513Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8"
        },
        {
          "name": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
        }
      ],
      "source": {
        "advisory": "GHSA-qw9x-cqr3-wc7r",
        "discovery": "UNKNOWN"
      },
      "title": "container escape due to /dev/console mount and related races"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52565",
    "datePublished": "2025-11-06T20:02:58.513Z",
    "dateReserved": "2025-06-18T03:55:52.036Z",
    "dateUpdated": "2025-11-06T21:32:19.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-9230 (GCVE-0-2025-9230)

Vulnerability from cvelistv5 – Published: 2025-09-30 13:17 – Updated: 2025-11-04 21:15

Title

Out-of-bounds read & write in RFC 3211 KEK Unwrap

Summary

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Severity ?

No CVSS data available.

CWE

CWE-125 - Out-of-bounds Read
CWE-787 - Out-of-bounds Write

Assigner

openssl

References

URL

Tags

	https://openssl-library.org/news/secadv/20250930.txt	vendor-advisory
	https://github.com/openssl/openssl/commit/bae259a…	patch
	https://github.com/openssl/openssl/commit/9e91358…	patch
	https://github.com/openssl/openssl/commit/5965ea5…	patch
	https://github.com/openssl/openssl/commit/b5282d6…	patch
	https://github.com/openssl/openssl/commit/a79c4ce…	patch
	https://github.openssl.org/openssl/extended-relea…	patch
	https://github.openssl.org/openssl/extended-relea…	patch

Impacted products

	Vendor	Product	Version
	OpenSSL	OpenSSL	Affected: 3.5.0 , < 3.5.4 (semver) Affected: 3.4.0 , < 3.4.3 (semver) Affected: 3.3.0 , < 3.3.5 (semver) Affected: 3.2.0 , < 3.2.6 (semver) Affected: 3.0.0 , < 3.0.18 (semver) Affected: 1.1.1 , < 1.1.1zd (custom) Affected: 1.0.2 , < 1.0.2zm (custom)

Credits

Stanislav Fort (Aisle Research) Stanislav Fort (Aisle Research) Viktor Dukhovni

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-9230",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-30T19:30:08.302408Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-30T19:30:29.803Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:15:17.295Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00001.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/30/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "3.5.4",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.3",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.3.5",
              "status": "affected",
              "version": "3.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.2.6",
              "status": "affected",
              "version": "3.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.18",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.1zd",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            },
            {
              "lessThan": "1.0.2zm",
              "status": "affected",
              "version": "1.0.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Stanislav Fort (Aisle Research)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Stanislav Fort (Aisle Research)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Viktor Dukhovni"
        }
      ],
      "datePublic": "2025-09-30T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: An application trying to decrypt CMS messages encrypted using\u003cbr\u003epassword based encryption can trigger an out-of-bounds read and write.\u003cbr\u003e\u003cbr\u003eImpact summary: This out-of-bounds read may trigger a crash which leads to\u003cbr\u003eDenial of Service for an application. The out-of-bounds write can cause\u003cbr\u003ea memory corruption which can have various consequences including\u003cbr\u003ea Denial of Service or Execution of attacker-supplied code.\u003cbr\u003e\u003cbr\u003eAlthough the consequences of a successful exploit of this vulnerability\u003cbr\u003ecould be severe, the probability that the attacker would be able to\u003cbr\u003eperform it is low. Besides, password based (PWRI) encryption support in CMS\u003cbr\u003emessages is very rarely used. For that reason the issue was assessed as\u003cbr\u003eModerate severity according to our Security Policy.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\u003cbr\u003eissue, as the CMS implementation is outside the OpenSSL FIPS module\u003cbr\u003eboundary."
            }
          ],
          "value": "Issue summary: An application trying to decrypt CMS messages encrypted using\npassword based encryption can trigger an out-of-bounds read and write.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application. The out-of-bounds write can cause\na memory corruption which can have various consequences including\na Denial of Service or Execution of attacker-supplied code.\n\nAlthough the consequences of a successful exploit of this vulnerability\ncould be severe, the probability that the attacker would be able to\nperform it is low. Besides, password based (PWRI) encryption support in CMS\nmessages is very rarely used. For that reason the issue was assessed as\nModerate severity according to our Security Policy.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Moderate"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-30T13:17:00.808Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20250930.txt"
        },
        {
          "name": "3.5.4 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/bae259a211ada6315dc50900686daaaaaa55f482"
        },
        {
          "name": "3.4.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/9e91358f365dee6c446dcdcdb01c04d2743fd280"
        },
        {
          "name": "3.3.5 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45"
        },
        {
          "name": "3.2.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/b5282d677551afda7d20e9c00e09561b547b2dfd"
        },
        {
          "name": "3.0.18 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def"
        },
        {
          "name": "1.1.1zd git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.openssl.org/openssl/extended-releases/commit/dfbaf161d8dafc1132dd88cd48ad990ed9b4c8ba"
        },
        {
          "name": "1.0.2zm git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.openssl.org/openssl/extended-releases/commit/c2b96348bfa662f25f4fabf81958ae822063dae3"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Out-of-bounds read \u0026 write in RFC 3211 KEK Unwrap",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2025-9230",
    "datePublished": "2025-09-30T13:17:00.808Z",
    "dateReserved": "2025-08-20T08:38:07.678Z",
    "dateUpdated": "2025-11-04T21:15:17.295Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66506 (GCVE-0-2025-66506)

Vulnerability from cvelistv5 – Published: 2025-12-04 22:04 – Updated: 2025-12-05 15:32

Title

Fulcio allocates excessive memory during token parsing

Summary

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-405 - Asymmetric Resource Consumption (Amplification)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/sigstore/fulcio/security/advis…	x_refsource_CONFIRM
	https://github.com/sigstore/fulcio/commit/765a0e5…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	sigstore	fulcio	Affected: < 1.8.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66506",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T15:32:15.086814Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T15:32:25.591Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fulcio",
          "vendor": "sigstore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-405",
              "description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T22:04:41.637Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw"
        },
        {
          "name": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a"
        }
      ],
      "source": {
        "advisory": "GHSA-f83f-xpx7-ffpw",
        "discovery": "UNKNOWN"
      },
      "title": "Fulcio allocates excessive memory during token parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66506",
    "datePublished": "2025-12-04T22:04:41.637Z",
    "dateReserved": "2025-12-03T15:12:22.978Z",
    "dateUpdated": "2025-12-05T15:32:25.591Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22868 (GCVE-0-2025-22868)

Vulnerability from cvelistv5 – Published: 2025-02-26 03:07 – Updated: 2025-02-26 14:46

Title

Unexpected memory consumption during token parsing in golang.org/x/oauth2

Summary

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Assigner

References

URL

Tags

	https://go.dev/cl/652155
	https://go.dev/issue/71490
	https://pkg.go.dev/vuln/GO-2025-3488

Impacted products

	Vendor	Product	Version
	golang.org/x/oauth2	golang.org/x/oauth2/jws	Affected: 0 , < 0.27.0 (semver)

Credits

jub0bs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22868",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T14:45:27.246610Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1286",
                "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-26T14:46:20.671Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/oauth2/jws",
          "product": "golang.org/x/oauth2/jws",
          "programRoutines": [
            {
              "name": "Verify"
            }
          ],
          "vendor": "golang.org/x/oauth2",
          "versions": [
            {
              "lessThan": "0.27.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "jub0bs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-26T03:07:49.012Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/652155"
        },
        {
          "url": "https://go.dev/issue/71490"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3488"
        }
      ],
      "title": "Unexpected memory consumption during token parsing in golang.org/x/oauth2"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-22868",
    "datePublished": "2025-02-26T03:07:49.012Z",
    "dateReserved": "2025-01-08T19:11:42.834Z",
    "dateUpdated": "2025-02-26T14:46:20.671Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-59375 (GCVE-0-2025-59375)

Vulnerability from cvelistv5 – Published: 2025-09-15 00:00 – Updated: 2025-11-04 21:13

Summary

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

mitre

References

URL

Tags

	https://github.com/libexpat/libexpat/issues/1018
	https://github.com/libexpat/libexpat/pull/1034
	https://github.com/libexpat/libexpat/blob/676a4c5…
	https://issues.oss-fuzz.com/issues/439133977
	https://github.com/libexpat/libexpat/blob/R_2_7_2…

Impacted products

	Vendor	Product	Version
	libexpat project	libexpat	Affected: 0 , < 2.7.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59375",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-15T20:22:58.509715Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-15T20:23:08.737Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:49.823Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/16/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "libexpat",
          "vendor": "libexpat project",
          "versions": [
            {
              "lessThan": "2.7.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.7.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-17T13:21:47.961Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/libexpat/libexpat/issues/1018"
        },
        {
          "url": "https://github.com/libexpat/libexpat/pull/1034"
        },
        {
          "url": "https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74"
        },
        {
          "url": "https://issues.oss-fuzz.com/issues/439133977"
        },
        {
          "url": "https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-59375",
    "datePublished": "2025-09-15T00:00:00.000Z",
    "dateReserved": "2025-09-15T00:00:00.000Z",
    "dateUpdated": "2025-11-04T21:13:49.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-9714 (GCVE-0-2025-9714)

Vulnerability from cvelistv5 – Published: 2025-09-10 18:43 – Updated: 2025-11-03 18:14

Title

Stack overflow in libxml2

Summary

Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.

Severity ?

6.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-674 - Uncontrolled Recursion

Assigner

canonical

References

URL

Tags

https://gitlab.gnome.org/GNOME/libxml2/-/commit/6…

patch

Impacted products

	Vendor	Product	Version
	libxml2	libxml2	Affected: 0 , < 2.10.0 (semver) Affected: 0 , < 2.12.7+dfsg+really2.9.14-0.4ubuntu0.3 (dpkg) Affected: 0 , < 2.9.14+dfsg-1.3ubuntu3.5 (dpkg) Affected: 0 , < 2.9.13+dfsg-1ubuntu0.9 (dpkg) Affected: 0 , < 2.9.10+dfsg-5ubuntu0.20.04.10+esm2 (dpkg) Affected: 0 , < 2.9.4+dfsg1-6.1ubuntu1.9+esm5 (dpkg) Affected: 0 , < 2.9.3+dfsg1-1ubuntu0.7+esm10 (dpkg) Affected: 0 , < 2.9.1+dfsg1-3ubuntu4.13+esm9 (dpkg)

Credits

Nikita Sveshnikov (Positive Technologies)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-9714",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T18:46:42.383800Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T18:46:46.622Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T18:14:19.914Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00035.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://gitlab.gnome.org/GNOME/libxml2",
          "defaultStatus": "unaffected",
          "modules": [
            "xpath"
          ],
          "packageName": "libxml2",
          "platforms": [
            "Linux"
          ],
          "product": "libxml2",
          "programFiles": [
            "xpath.c"
          ],
          "repo": "https://gitlab.gnome.org/GNOME/libxml2",
          "vendor": "libxml2",
          "versions": [
            {
              "lessThan": "2.10.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "2.12.7+dfsg+really2.9.14-0.4ubuntu0.3",
              "status": "affected",
              "version": "0",
              "versionType": "dpkg"
            },
            {
              "lessThan": "2.9.14+dfsg-1.3ubuntu3.5",
              "status": "affected",
              "version": "0",
              "versionType": "dpkg"
            },
            {
              "lessThan": "2.9.13+dfsg-1ubuntu0.9",
              "status": "affected",
              "version": "0",
              "versionType": "dpkg"
            },
            {
              "lessThan": "2.9.10+dfsg-5ubuntu0.20.04.10+esm2",
              "status": "affected",
              "version": "0",
              "versionType": "dpkg"
            },
            {
              "lessThan": "2.9.4+dfsg1-6.1ubuntu1.9+esm5",
              "status": "affected",
              "version": "0",
              "versionType": "dpkg"
            },
            {
              "lessThan": "2.9.3+dfsg1-1ubuntu0.7+esm10",
              "status": "affected",
              "version": "0",
              "versionType": "dpkg"
            },
            {
              "lessThan": "2.9.1+dfsg1-3ubuntu4.13+esm9",
              "status": "affected",
              "version": "0",
              "versionType": "dpkg"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Nikita Sveshnikov (Positive Technologies)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eUncontrolled recursion in\u0026nbsp;XPath evaluation\u0026nbsp;in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `\u003ccode\u003exmlXPathCtxtCompile\u003c/code\u003e`, and `\u003ccode\u003exmlXPathEvalExpr\u003c/code\u003e` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.\u003c/div\u003e"
            }
          ],
          "value": "Uncontrolled recursion in\u00a0XPath evaluation\u00a0in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674 Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-10T18:43:12.204Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Stack overflow in libxml2",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2025-9714",
    "datePublished": "2025-09-10T18:43:12.204Z",
    "dateReserved": "2025-08-29T23:28:33.339Z",
    "dateUpdated": "2025-11-03T18:14:19.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2025:23202

CVE-2025-22869 (GCVE-0-2025-22869)

CVE-2025-52565 (GCVE-0-2025-52565)

CVE-2025-9230 (GCVE-0-2025-9230)

CVE-2025-66506 (GCVE-0-2025-66506)

CVE-2025-22868 (GCVE-0-2025-22868)

CVE-2025-59375 (GCVE-0-2025-59375)

CVE-2025-9714 (GCVE-0-2025-9714)

Tags

Sightings

Nomenclature