CWE-672
Allowed-with-ReviewOperation on a Resource after Expiration or Release
Abstraction: Class · Status: Draft
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
118 vulnerabilities reference this CWE, most recent first.
GHSA-5R25-M2H9-W299
Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-22 21:31When the BIG-IP Advanced WAF and ASM security policy and a server-side HTTP/2 profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2025-55669"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T14:15:51Z",
"severity": "HIGH"
},
"details": "When the BIG-IP Advanced WAF and ASM security policy and a server-side HTTP/2 profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-5r25-m2h9-w299",
"modified": "2025-10-22T21:31:18Z",
"published": "2025-10-15T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55669"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000150752"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-655H-HG88-5QMF
Vulnerability from github – Published: 2025-08-22 17:34 – Updated: 2025-08-22 17:34The API of xcb::Connection has constructors which allow an arbitrary RawFd to be used as a socket connection. On either failure of these constructors or on the drop of Connection, it closes the associated file descriptor. Thus, a program which uses an OwnedFd (such as a UnixStream) as the file descriptor can close the file descriptor and continue to attempt using it or close an already-closed file descriptor, violating I/O safety.
Starting in version 1.6.0, xcb provides Connection::connect_with_fd and Connection::connect_with_fd_and_extensions as safe alternatives and deprecates the problematic functions.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "xcb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-666",
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-22T17:34:45Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "The API of `xcb::Connection` has constructors which allow an arbitrary `RawFd` to be used as a socket connection. On either failure of these constructors or on the drop of `Connection`, it closes the associated file descriptor. Thus, a program which uses an `OwnedFd` (such as a `UnixStream`) as the file descriptor can close the file descriptor and continue to attempt using it or close an already-closed file descriptor, violating I/O safety.\n\nStarting in version 1.6.0, `xcb` provides `Connection::connect_with_fd` and `Connection::connect_with_fd_and_extensions` as safe alternatives and deprecates the problematic functions.",
"id": "GHSA-655h-hg88-5qmf",
"modified": "2025-08-22T17:34:45Z",
"published": "2025-08-22T17:34:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rust-x-bindings/rust-xcb/issues/167"
},
{
"type": "WEB",
"url": "https://github.com/rust-x-bindings/rust-xcb/issues/282"
},
{
"type": "WEB",
"url": "https://github.com/rust-x-bindings/rust-xcb/pull/283"
},
{
"type": "WEB",
"url": "https://github.com/rustsec/advisory-db/pull/2355"
},
{
"type": "WEB",
"url": "https://github.com/rust-x-bindings/rust-xcb/commit/da830976870c1174e3b33eb0643177be3991c002"
},
{
"type": "PACKAGE",
"url": "https://github.com/rust-x-bindings/rust-xcb"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0051.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Rust XCB `xcb::Connection::connect_to_fd*` functions violate I/O safety"
}
GHSA-675F-RQ2R-JW82
Vulnerability from github – Published: 2025-01-09 17:23 – Updated: 2025-01-09 18:57Impact
The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.
Example attack scenario:
1. An attacker has stolen the private key for a key published in JWK Set.
2. The publishers of that JWK Set remove that key from the JWK Set.
3. Enough time has passed that the program using the auto-caching HTTP client found in github.com/MicahParks/jwkset v0.5.0-v0.5.21 has elapsed its HTTPClientStorageOptions.RefreshInterval duration, causing a refresh of the remote JWK Set.
4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.
Patches
The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. Upgrade to v0.6.0 or later.
Workarounds
The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value). Upgrade to v0.6.0 is advised.
References
Please see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.21"
},
"package": {
"ecosystem": "Go",
"name": "github.com/MicahParks/jwkset"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "0.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-22149"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-09T17:23:43Z",
"nvd_published_at": "2025-01-09T18:15:30Z",
"severity": "LOW"
},
"details": "### Impact\nThe project\u0027s provided HTTP client\u0027s local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.\n\nExample attack scenario:\n1. An attacker has stolen the private key for a key published in JWK Set.\n2. The publishers of that JWK Set remove that key from the JWK Set.\n3. Enough time has passed that the program using the auto-caching HTTP client found in `github.com/MicahParks/jwkset` v0.5.0-v0.5.21 has elapsed its `HTTPClientStorageOptions.RefreshInterval` duration, causing a refresh of the remote JWK Set.\n4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.\n\n### Patches\nThe affected auto-caching HTTP client was added in version `v0.5.0` and fixed in `v0.6.0`. Upgrade to `v0.6.0` or later.\n\n### Workarounds\nThe only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the `HTTPClientStorageOptions.RefreshInterval` to zero (or not specifying the value). Upgrade to `v0.6.0` is advised.\n\n### References\nPlease see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40\n",
"id": "GHSA-675f-rq2r-jw82",
"modified": "2025-01-09T18:57:32Z",
"published": "2025-01-09T17:23:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22149"
},
{
"type": "WEB",
"url": "https://github.com/MicahParks/jwkset/issues/40"
},
{
"type": "WEB",
"url": "https://github.com/MicahParks/jwkset/pull/41"
},
{
"type": "WEB",
"url": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3"
},
{
"type": "PACKAGE",
"url": "https://github.com/MicahParks/jwkset"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "JWK Set\u0027s HTTP client only overwrites and appends JWK to local cache during refresh"
}
GHSA-67R5-RQWV-9P9Q
Vulnerability from github – Published: 2025-03-31 16:13 – Updated: 2025-03-31 16:13The Drop implementation will get run twice when using the cursor.
This issue does not affect you, if you are using only using the crate with types that are Copy such as u8.
This issue also does not affect you, if you are only depending on it through the crate planus.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "array-init-cursor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-31T16:13:34Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "The `Drop` implementation will get run twice when using the cursor.\n\nThis issue does not affect you, if you are using only using the crate with types that are `Copy` such as `u8`.\n\nThis issue also does not affect you, if you are only depending on it through the crate `planus`.",
"id": "GHSA-67r5-rqwv-9p9q",
"modified": "2025-03-31T16:13:34Z",
"published": "2025-03-31T16:13:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/planus-org/planus/issues/293"
},
{
"type": "WEB",
"url": "https://github.com/planus-org/planus/pull/294"
},
{
"type": "PACKAGE",
"url": "https://github.com/planus-org/planus"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0019.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "array-init-cursor is unsound when used with types that implement `Drop`"
}
GHSA-6FVH-VVX6-69V5
Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30UAF vulnerability in the device node access module Impact: Successful exploitation of this vulnerability may cause service exceptions of the device.
{
"affected": [],
"aliases": [
"CVE-2024-56434"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T02:15:25Z",
"severity": "MODERATE"
},
"details": "UAF vulnerability in the device node access module\nImpact: Successful exploitation of this vulnerability may cause service exceptions of the device.",
"id": "GHSA-6fvh-vvx6-69v5",
"modified": "2025-01-08T03:30:23Z",
"published": "2025-01-08T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56434"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6XMX-4966-5MWP
Vulnerability from github – Published: 2025-06-12 21:30 – Updated: 2025-06-12 21:30Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported.
When a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated due to end-of-life status. The device defaults to a pairing status in which an arbitrary user can bypass SSL pinning to associate the device to an arbitrary network, allowing for network traffic interception and modification.
We recommend customers discontinue usage of any remaining Amazon Cloud Cams.
{
"affected": [],
"aliases": [
"CVE-2025-6031"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T20:15:22Z",
"severity": "HIGH"
},
"details": "Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported. \n\nWhen a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated due to end-of-life status. The device defaults to a pairing status in which an arbitrary user can bypass SSL pinning to associate the device to an arbitrary network, allowing for network traffic interception and modification.\n\nWe recommend customers discontinue usage of any remaining Amazon Cloud Cams.",
"id": "GHSA-6xmx-4966-5mwp",
"modified": "2025-06-12T21:30:31Z",
"published": "2025-06-12T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6031"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-86J3-8QQW-575J
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2026-04-24 15:32An invalid memory address dereference was discovered in load_pnm in frompnm.c in libsixel before 1.8.3.
{
"affected": [],
"aliases": [
"CVE-2019-20022"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-27T02:15:00Z",
"severity": "MODERATE"
},
"details": "An invalid memory address dereference was discovered in load_pnm in frompnm.c in libsixel before 1.8.3.",
"id": "GHSA-86j3-8qqw-575j",
"modified": "2026-04-24T15:32:16Z",
"published": "2022-05-24T17:05:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20022"
},
{
"type": "WEB",
"url": "https://github.com/saitoha/libsixel/issues/108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8H6Q-7WVM-5W36
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2026-05-12 12:32In the Linux kernel, the following vulnerability has been resolved:
ACPI: battery: Fix possible crash when unregistering a battery hook
When a battery hook returns an error when adding a new battery, then the battery hook is automatically unregistered. However the battery hook provider cannot know that, so it will later call battery_hook_unregister() on the already unregistered battery hook, resulting in a crash.
Fix this by using the list head to mark already unregistered battery hooks as already being unregistered so that they can be ignored by battery_hook_unregister().
{
"affected": [],
"aliases": [
"CVE-2024-49955"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: battery: Fix possible crash when unregistering a battery hook\n\nWhen a battery hook returns an error when adding a new battery, then\nthe battery hook is automatically unregistered.\nHowever the battery hook provider cannot know that, so it will later\ncall battery_hook_unregister() on the already unregistered battery\nhook, resulting in a crash.\n\nFix this by using the list head to mark already unregistered battery\nhooks as already being unregistered so that they can be ignored by\nbattery_hook_unregister().",
"id": "GHSA-8h6q-7wvm-5w36",
"modified": "2026-05-12T12:32:11Z",
"published": "2024-10-21T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49955"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07b98400cb0285a6348188aa8c5ec6a2ae0551f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/76959aff14a0012ad6b984ec7686d163deccdc16"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/76fb2cbf01571926da8ecf6876cc8cb07d3f5183"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f469ef1c79dac7f9ac1518643a33703918f7e13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c47843a831e0eae007ad7e848d208e675ba4c132"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca1fb7942a287b40659cc79551a1de54a2c2e7d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca26e8eed9c1c6651f51f7fa38fe444f8573cd1b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce31847f109c3a5b2abdd19d7bcaafaacfde53de"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da964de4c18199e14b961b5b2e5e6570552a313c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8QRG-FXFF-9FCM
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2024-11-07 18:31In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
The km.state is not checked in driver's delayed work. When xfrm_state_check_expire() is called, the state can be reset to XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This happens when xfrm state is deleted, but not freed yet. As __xfrm_state_delete() is called again in xfrm timer, the following crash occurs.
To fix this issue, skip xfrm_state_check_expire() if km.state is not XFRM_STATE_VALID.
Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core] RIP: 0010:__xfrm_state_delete+0x3d/0x1b0 Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48 RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246 RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036 RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980 RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000 R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246 R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400 FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? die_addr+0x33/0x90 ? exc_general_protection+0x1a2/0x390 ? asm_exc_general_protection+0x22/0x30 ? __xfrm_state_delete+0x3d/0x1b0 ? __xfrm_state_delete+0x2f/0x1b0 xfrm_timer_handler+0x174/0x350 ? __xfrm_state_delete+0x1b0/0x1b0 __hrtimer_run_queues+0x121/0x270 hrtimer_run_softirq+0x88/0xd0 handle_softirqs+0xcc/0x270 do_softirq+0x3c/0x50 __local_bh_enable_ip+0x47/0x50 mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core] process_one_work+0x137/0x2d0 worker_thread+0x28d/0x3a0 ? rescuer_thread+0x480/0x480 kthread+0xb8/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20
{
"affected": [],
"aliases": [
"CVE-2024-49953"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice\n\nThe km.state is not checked in driver\u0027s delayed work. When\nxfrm_state_check_expire() is called, the state can be reset to\nXFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This\nhappens when xfrm state is deleted, but not freed yet. As\n__xfrm_state_delete() is called again in xfrm timer, the following\ncrash occurs.\n\nTo fix this issue, skip xfrm_state_check_expire() if km.state is not\nXFRM_STATE_VALID.\n\n Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP\n CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]\n RIP: 0010:__xfrm_state_delete+0x3d/0x1b0\n Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 \u003c48\u003e 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48\n RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246\n RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036\n RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980\n RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000\n R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246\n R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400\n FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cIRQ\u003e\n ? die_addr+0x33/0x90\n ? exc_general_protection+0x1a2/0x390\n ? asm_exc_general_protection+0x22/0x30\n ? __xfrm_state_delete+0x3d/0x1b0\n ? __xfrm_state_delete+0x2f/0x1b0\n xfrm_timer_handler+0x174/0x350\n ? __xfrm_state_delete+0x1b0/0x1b0\n __hrtimer_run_queues+0x121/0x270\n hrtimer_run_softirq+0x88/0xd0\n handle_softirqs+0xcc/0x270\n do_softirq+0x3c/0x50\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0x47/0x50\n mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]\n process_one_work+0x137/0x2d0\n worker_thread+0x28d/0x3a0\n ? rescuer_thread+0x480/0x480\n kthread+0xb8/0xe0\n ? kthread_park+0x80/0x80\n ret_from_fork+0x2d/0x50\n ? kthread_park+0x80/0x80\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e",
"id": "GHSA-8qrg-fxff-9fcm",
"modified": "2024-11-07T18:31:21Z",
"published": "2024-10-21T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49953"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0b1672834634df9ac9cedf856db9fc36d92c50ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/151e7dead1f5399a73c19c4b50307ea48aff1dc0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b124695db40d5c9c5295a94ae928a8d67a01c3d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fab615ac9fcb8589222303099975d464d8857527"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95W4-863F-9MJ3
Vulnerability from github – Published: 2025-09-05 21:32 – Updated: 2025-09-05 21:32MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12
{
"affected": [],
"aliases": [
"CVE-2025-10060"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T21:15:34Z",
"severity": "MODERATE"
},
"details": "MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12",
"id": "GHSA-95w4-863f-9mj3",
"modified": "2025-09-05T21:32:38Z",
"published": "2025-09-05T21:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10060"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-95524"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.