CWE-670
Allowed-with-ReviewAlways-Incorrect Control Flow Implementation
Abstraction: Class · Status: Draft
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
203 vulnerabilities reference this CWE, most recent first.
GHSA-HHC4-47RH-CR34
Vulnerability from github – Published: 2022-10-25 22:27 – Updated: 2022-10-25 22:27Impact
A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done. Previously, the passed is_static parameter was incorrect -- it was only set to true if the call comes from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static.
The issue only impacts custom precompiles that actually uses is_static. The maintainers estimate the usage is low. However, for those affected, it can lead to possible incorrect state transitions.
Patches
PR: https://github.com/rust-blockchain/evm/pull/133 Released in v0.36.0.
Older patch versions can be released on request if anyone needs them. Simply contact @sorpaas by email to request it.
For more information
If you have any questions or comments about this advisory: * Open an issue in evm repo * Email Wei at wei@that.world
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.35.0"
},
"package": {
"ecosystem": "crates.io",
"name": "evm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.36.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39354"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-25T22:27:21Z",
"nvd_published_at": "2022-10-25T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static context (via `STATICCALL`), and thus decide if stateful operations should be done. Previously, the passed `is_static` parameter was incorrect -- it was only set to `true` if the call comes from a **direct** `STATICCALL` opcode. However, once a static call context is entered, it should stay static. \n\nThe issue only impacts custom precompiles that actually uses `is_static`. The maintainers estimate the usage is low. However, for those affected, it can lead to possible incorrect state transitions.\n\n### Patches\n\nPR: https://github.com/rust-blockchain/evm/pull/133\nReleased in v0.36.0.\n\nOlder patch versions can be released on request if anyone needs them. Simply contact @sorpaas by email to request it.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [evm repo](https://github.com/rust-blockchain/evm)\n* Email Wei at [wei@that.world](mailto:wei@that.world)\n",
"id": "GHSA-hhc4-47rh-cr34",
"modified": "2022-10-25T22:27:21Z",
"published": "2022-10-25T22:27:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rust-blockchain/evm/security/advisories/GHSA-hhc4-47rh-cr34"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39354"
},
{
"type": "WEB",
"url": "https://github.com/rust-blockchain/evm/pull/133"
},
{
"type": "PACKAGE",
"url": "https://github.com/rust-blockchain/evm"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0083.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect is_static parameter for custom stateful precompiles in SputnikVM (evm)"
}
GHSA-HJ38-J9JQ-RJPP
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2023-02-11 03:32Multiple Cisco products are affected by a vulnerability in the Snort application detection engine that could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system. The vulnerability is due to a flaw in the detection algorithm. An attacker could exploit this vulnerability by sending crafted packets that would flow through an affected system. A successful exploit could allow the attacker to bypass the configured policies and deliver a malicious payload to the protected network.
{
"affected": [],
"aliases": [
"CVE-2021-1236"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-13T22:15:00Z",
"severity": "MODERATE"
},
"details": "Multiple Cisco products are affected by a vulnerability in the Snort application detection engine that could allow an unauthenticated, remote attacker to bypass the configured policies on an affected system. The vulnerability is due to a flaw in the detection algorithm. An attacker could exploit this vulnerability by sending crafted packets that would flow through an affected system. A successful exploit could allow the attacker to bypass the configured policies and deliver a malicious payload to the protected network.",
"id": "GHSA-hj38-j9jq-rjpp",
"modified": "2023-02-11T03:32:49Z",
"published": "2022-05-24T17:39:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1236"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00011.html"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-app-bypass-cSBYCATq"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJ9R-8PFM-RMJJ
Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-07-06 19:54Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wv33-5pxh-r7j7. This link is maintained to preserve external references.
Original Description
The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "coreutils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T22:56:16Z",
"nvd_published_at": "2026-04-22T17:16:36Z",
"severity": "LOW"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-wv33-5pxh-r7j7. This link is maintained to preserve external references.\n\n### Original Description\nThe cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.",
"id": "GHSA-hj9r-8pfm-rmjj",
"modified": "2026-07-06T19:54:28Z",
"published": "2026-04-22T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35343"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/pull/11143"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/commit/9bbb58b746c41802278b0cba738eebbf21517cf7"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/releases/tag/0.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: uutils coreutils has an Issue With its Always-Incorrect Control Flow Implementation",
"withdrawn": "2026-07-06T19:54:28Z"
}
GHSA-HM3C-93PG-4CXW
Vulnerability from github – Published: 2024-10-10 22:02 – Updated: 2025-01-21 17:56Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user can still access the monitoring dashboard by directly requesting the /monitoring endpoint. This means that sensitive application analytics may still be exposed, particularly in environments where monitoring is expected to be disabled. Users who set enable_monitoring=False to prevent unauthorized access to monitoring data are impacted.
Patches
Yes, please upgrade to gradio>=4.44 to address this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gradio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.44.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47168"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-10T22:02:30Z",
"nvd_published_at": "2024-10-10T22:15:11Z",
"severity": "LOW"
},
"details": "### Impact\nWhat kind of vulnerability is it? Who is impacted?\n\nThis vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user can still access the monitoring dashboard by directly requesting the /monitoring endpoint. This means that sensitive application analytics may still be exposed, particularly in environments where monitoring is expected to be disabled. Users who set enable_monitoring=False to prevent unauthorized access to monitoring data are impacted.\n\n### Patches\nYes, please upgrade to gradio\u003e=4.44 to address this issue.\n\n",
"id": "GHSA-hm3c-93pg-4cxw",
"modified": "2025-01-21T17:56:54Z",
"published": "2024-10-10T22:02:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-hm3c-93pg-4cxw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47168"
},
{
"type": "PACKAGE",
"url": "https://github.com/gradio-app/gradio"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-198.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "In Gradio, the `enable_monitoring` flag set to `False` does not disable monitoring"
}
GHSA-HPXH-VGMP-3QP6
Vulnerability from github – Published: 2026-04-02 18:31 – Updated: 2026-04-02 18:31OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
{
"affected": [],
"aliases": [
"CVE-2026-35387"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-02T17:16:27Z",
"severity": "LOW"
},
"details": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
"id": "GHSA-hpxh-vgmp-3qp6",
"modified": "2026-04-02T18:31:38Z",
"published": "2026-04-02T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35387"
},
{
"type": "WEB",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=177513443901484\u0026w=2"
},
{
"type": "WEB",
"url": "https://www.openssh.org/releasenotes.html#10.3p1"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J45Q-P2R4-75M3
Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-19 21:31In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash
Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace.
Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery.
Call Trace: dump_stack_lvl+0x75/0xc0 register_lock_class+0x6be/0x7a0 ? __lock_acquire+0x644/0x19a0 __lock_acquire+0x95/0x19a0 lock_acquire+0x265/0x310 ? ath12k_ce_send+0xa2/0x210 [ath12k] ? find_held_lock+0x34/0xa0 ? ath12k_ce_send+0x56/0x210 [ath12k] _raw_spin_lock_bh+0x33/0x70 ? ath12k_ce_send+0xa2/0x210 [ath12k] ath12k_ce_send+0xa2/0x210 [ath12k] ath12k_htc_send+0x178/0x390 [ath12k] ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k] ath12k_wmi_cmd_send+0x62/0x190 [ath12k] ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1 ath12k_mac_op_get_survey+0x2be/0x310 [ath12k] ieee80211_dump_survey+0x99/0x240 [mac80211] nl80211_dump_survey+0xe7/0x470 [cfg80211] ? kmalloc_reserve+0x59/0xf0 genl_dumpit+0x24/0x70 netlink_dump+0x177/0x360 __netlink_dump_start+0x206/0x280 genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0 ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0 ? genl_op_lock.part.12+0x10/0x10 ? genl_dumpit+0x70/0x70 genl_rcv_msg+0x1d0/0x290 ? nl80211_del_station+0x330/0x330 [cfg80211] ? genl_get_cmd_both+0x50/0x50 netlink_rcv_skb+0x4f/0x100 genl_rcv+0x1f/0x30 netlink_unicast+0x1b6/0x260 netlink_sendmsg+0x31a/0x450 __sock_sendmsg+0xa8/0xb0 _syssendmsg+0x1e4/0x260 _sys_sendmsg+0x89/0xe0 ? local_clock_noinstr+0xb/0xc0 ? rcu_is_watching+0xd/0x40 ? kfree+0x1de/0x370 ? __sys_sendmsg+0x7a/0xc0
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
{
"affected": [],
"aliases": [
"CVE-2025-38291"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T08:15:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Prevent sending WMI commands to firmware during firmware crash\n\nCurrently, we encounter the following kernel call trace when a firmware\ncrash occurs. This happens because the host sends WMI commands to the\nfirmware while it is in recovery, causing the commands to fail and\nresulting in the kernel call trace.\n\nSet the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the\nhost driver receives the firmware crash notification from MHI. This\nprevents sending WMI commands to the firmware during recovery.\n\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x75/0xc0\n register_lock_class+0x6be/0x7a0\n ? __lock_acquire+0x644/0x19a0\n __lock_acquire+0x95/0x19a0\n lock_acquire+0x265/0x310\n ? ath12k_ce_send+0xa2/0x210 [ath12k]\n ? find_held_lock+0x34/0xa0\n ? ath12k_ce_send+0x56/0x210 [ath12k]\n _raw_spin_lock_bh+0x33/0x70\n ? ath12k_ce_send+0xa2/0x210 [ath12k]\n ath12k_ce_send+0xa2/0x210 [ath12k]\n ath12k_htc_send+0x178/0x390 [ath12k]\n ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]\n ath12k_wmi_cmd_send+0x62/0x190 [ath12k]\n ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1\n ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]\n ieee80211_dump_survey+0x99/0x240 [mac80211]\n nl80211_dump_survey+0xe7/0x470 [cfg80211]\n ? kmalloc_reserve+0x59/0xf0\n genl_dumpit+0x24/0x70\n netlink_dump+0x177/0x360\n __netlink_dump_start+0x206/0x280\n genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0\n ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0\n ? genl_op_lock.part.12+0x10/0x10\n ? genl_dumpit+0x70/0x70\n genl_rcv_msg+0x1d0/0x290\n ? nl80211_del_station+0x330/0x330 [cfg80211]\n ? genl_get_cmd_both+0x50/0x50\n netlink_rcv_skb+0x4f/0x100\n genl_rcv+0x1f/0x30\n netlink_unicast+0x1b6/0x260\n netlink_sendmsg+0x31a/0x450\n __sock_sendmsg+0xa8/0xb0\n ____sys_sendmsg+0x1e4/0x260\n ___sys_sendmsg+0x89/0xe0\n ? local_clock_noinstr+0xb/0xc0\n ? rcu_is_watching+0xd/0x40\n ? kfree+0x1de/0x370\n ? __sys_sendmsg+0x7a/0xc0\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
"id": "GHSA-j45q-p2r4-75m3",
"modified": "2025-11-19T21:31:15Z",
"published": "2025-07-10T09:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38291"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2563069baf243cadc76dc64d9085606742c4b282"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9e094a9734ea3bd4d4d117c915ccf129ac61ba1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J47C-J42C-MWQQ
Vulnerability from github – Published: 2022-08-06 05:39 – Updated: 2022-08-06 05:39Description
When a Solana Pay transaction is located using a reference key, it may be checked to represent a transfer of the desired amount to the recipient, using the supplied validateTransfer function. An edge case regarding this mechanism could cause the validation logic to validate multiple transfers.
Impact
Most known Solana Pay point of sale applications are currently run on physical point of sale devices, which makes this issue unlikely to occur. However, there may be web-based point of sale applications using the protocol where it may be more likely to occur.
Patches
This issue has been patched as of version 0.2.1. Users of the Solana Pay SDK should upgrade to it.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.2.0"
},
"package": {
"ecosystem": "npm",
"name": "@solana/pay"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35917"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-06T05:39:18Z",
"nvd_published_at": "2022-08-01T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Description\nWhen a Solana Pay transaction is located using a [reference key](https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference), it may be checked to represent a transfer of the desired amount to the recipient, using the supplied [`validateTransfer` function](https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts). An edge case regarding this mechanism could cause the validation logic to validate multiple transfers.\n\n### Impact\nMost known Solana Pay point of sale applications are currently run on physical point of sale devices, which makes this issue unlikely to occur. However, there may be web-based point of sale applications using the protocol where it may be more likely to occur.\n\n### Patches\nThis issue has been patched as of version [`0.2.1`](https://www.npmjs.com/package/@solana/pay/v/0.2.1). Users of the Solana Pay SDK should upgrade to it.",
"id": "GHSA-j47c-j42c-mwqq",
"modified": "2022-08-06T05:39:18Z",
"published": "2022-08-06T05:39:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/solana-labs/solana-pay/security/advisories/GHSA-j47c-j42c-mwqq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35917"
},
{
"type": "WEB",
"url": "https://github.com/solana-labs/solana-pay/commit/ac6ce0d0a81137700874a8bf5a7caac3be999fad"
},
{
"type": "PACKAGE",
"url": "https://github.com/solana-labs/solana-pay"
},
{
"type": "WEB",
"url": "https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference"
},
{
"type": "WEB",
"url": "https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Solana Pay Vulnerable to Weakness in Transfer Validation Logic"
}
GHSA-J77X-X992-6J7F
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-25 18:30In the Linux kernel, the following vulnerability has been resolved:
net: USB: Fix wrong-direction WARNING in plusb.c
The syzbot fuzzer detected a bug in the plusb network driver: A zero-length control-OUT transfer was treated as a read instead of a write. In modern kernels this error provokes a WARNING:
usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 WARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Modules linked in: CPU: 1 PID: 4645 Comm: dhcpcd Not tainted 6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 ... Call Trace: usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010 usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068 pl_vendor_req drivers/net/usb/plusb.c:60 [inline] pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline] pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85 usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889 __dev_open+0x297/0x4d0 net/core/dev.c:1417 __dev_change_flags+0x587/0x750 net/core/dev.c:8530 dev_change_flags+0x97/0x170 net/core/dev.c:8602 devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147 inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979 sock_do_ioctl+0xcc/0x230 net/socket.c:1169 sock_ioctl+0x1f8/0x680 net/socket.c:1286 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
The fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and remove the USB_DIR_IN flag.
{
"affected": [],
"aliases": [
"CVE-2023-52742"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: USB: Fix wrong-direction WARNING in plusb.c\n\nThe syzbot fuzzer detected a bug in the plusb network driver: A\nzero-length control-OUT transfer was treated as a read instead of a\nwrite. In modern kernels this error provokes a WARNING:\n\nusb 1-1: BOGUS control dir, pipe 80000280 doesn\u0027t match bRequestType c0\nWARNING: CPU: 0 PID: 4645 at drivers/usb/core/urb.c:411\nusb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 1 PID: 4645 Comm: dhcpcd Not tainted\n6.2.0-rc6-syzkaller-00050-g9f266ccaa2f5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n01/12/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\n...\nCall Trace:\n \u003cTASK\u003e\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n __usbnet_read_cmd+0xb9/0x390 drivers/net/usb/usbnet.c:2010\n usbnet_read_cmd+0x96/0xf0 drivers/net/usb/usbnet.c:2068\n pl_vendor_req drivers/net/usb/plusb.c:60 [inline]\n pl_set_QuickLink_features drivers/net/usb/plusb.c:75 [inline]\n pl_reset+0x2f/0xf0 drivers/net/usb/plusb.c:85\n usbnet_open+0xcc/0x5d0 drivers/net/usb/usbnet.c:889\n __dev_open+0x297/0x4d0 net/core/dev.c:1417\n __dev_change_flags+0x587/0x750 net/core/dev.c:8530\n dev_change_flags+0x97/0x170 net/core/dev.c:8602\n devinet_ioctl+0x15a2/0x1d70 net/ipv4/devinet.c:1147\n inet_ioctl+0x33f/0x380 net/ipv4/af_inet.c:979\n sock_do_ioctl+0xcc/0x230 net/socket.c:1169\n sock_ioctl+0x1f8/0x680 net/socket.c:1286\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe fix is to call usbnet_write_cmd() instead of usbnet_read_cmd() and\nremove the USB_DIR_IN flag.",
"id": "GHSA-j77x-x992-6j7f",
"modified": "2025-09-25T18:30:28Z",
"published": "2024-05-21T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52742"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d2cf3fae701646061e295815bb7588d2f3671cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1be271c52bf3554edcb8d124d1f8c7f777ee5727"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25141fb4119112f4ebf8f00cf52014abbc8020b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/43379fcacea2dcee35d02efc9c8fe97807a503c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6f69307f625904feed189008381fd83bd1a35b63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/811d581194f7412eda97acc03d17fc77824b561f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f0ad46ef772438c0596df370450d8bdc8a12dbfb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J8HH-2V2C-WQMV
Vulnerability from github – Published: 2024-01-12 09:30 – Updated: 2024-01-12 09:30Insufficient authentication flow in Checkmk before 2.2.0p17, 2.1.0p37 and 2.0.0p39 allows attacker to use locked credentials
{
"affected": [],
"aliases": [
"CVE-2023-31211"
],
"database_specific": {
"cwe_ids": [
"CWE-303",
"CWE-670",
"CWE-691"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T08:15:43Z",
"severity": "HIGH"
},
"details": "Insufficient authentication flow in Checkmk before 2.2.0p17, 2.1.0p37 and 2.0.0p39 allows attacker to use locked credentials",
"id": "GHSA-j8hh-2v2c-wqmv",
"modified": "2024-01-12T09:30:29Z",
"published": "2024-01-12T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31211"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16227"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH22-4F6V-H4PH
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix list iterator in fastrpc_req_mem_unmap_impl
This is another instance of incorrect use of list iterator and checking it for NULL.
The list iterator value 'map' will always be set and non-NULL by list_for_each_entry(), so it is incorrect to assume that the iterator value will be NULL if the list is empty (in this case, the check 'if (!map) {' will always be false and never exit as expected).
To fix the bug, use a new variable 'iter' as the list iterator, while use the original variable 'map' as a dedicated pointer to point to the found element.
Without this patch, Kernel crashes with below trace:
Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000ffff7fb03750 ... Call trace: fastrpc_map_create+0x70/0x290 [fastrpc] fastrpc_req_mem_map+0xf0/0x2dc [fastrpc] fastrpc_device_ioctl+0x138/0xc60 [fastrpc] __arm64_sys_ioctl+0xa8/0xec invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xd4/0xfc do_el0_svc+0x28/0x90 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xa4/0x130 el0t_64_sync+0x18c/0x190 Code: 14000016 f94000a5 eb05029f 54000260 (b94018a6) ---[ end trace 0000000000000000 ]---
{
"affected": [],
"aliases": [
"CVE-2022-49393"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix list iterator in fastrpc_req_mem_unmap_impl\n\nThis is another instance of incorrect use of list iterator and\nchecking it for NULL.\n\nThe list iterator value \u0027map\u0027 will *always* be set and non-NULL\nby list_for_each_entry(), so it is incorrect to assume that the\niterator value will be NULL if the list is empty (in this case, the\ncheck \u0027if (!map) {\u0027 will always be false and never exit as expected).\n\nTo fix the bug, use a new variable \u0027iter\u0027 as the list iterator,\nwhile use the original variable \u0027map\u0027 as a dedicated pointer to\npoint to the found element.\n\nWithout this patch, Kernel crashes with below trace:\n\nUnable to handle kernel access to user memory outside uaccess routines\n at virtual address 0000ffff7fb03750\n...\nCall trace:\n fastrpc_map_create+0x70/0x290 [fastrpc]\n fastrpc_req_mem_map+0xf0/0x2dc [fastrpc]\n fastrpc_device_ioctl+0x138/0xc60 [fastrpc]\n __arm64_sys_ioctl+0xa8/0xec\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xd4/0xfc\n do_el0_svc+0x28/0x90\n el0_svc+0x3c/0x130\n el0t_64_sync_handler+0xa4/0x130\n el0t_64_sync+0x18c/0x190\nCode: 14000016 f94000a5 eb05029f 54000260 (b94018a6)\n---[ end trace 0000000000000000 ]---",
"id": "GHSA-jh22-4f6v-h4ph",
"modified": "2025-09-22T21:30:16Z",
"published": "2025-09-22T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49393"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d12905aad462383f4e7a5fdb024d2b7ae2d10cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5c07c5958cf0c9af6e76813e6de15d42ee49822"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.