{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "SINEC OS before V4.0 contains multiple vulnerabilities.\n\nSiemens has released a new version for RUGGEDCOM RST2428P and recommends updating to the latest version.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "productcert@siemens.com",
      "name": "Siemens ProductCERT",
      "namespace": "https://www.siemens.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-253495: Multiple Vulnerabilities in SINEC OS before V4.0 - HTML Version",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
      },
      {
        "category": "self",
        "summary": "SSA-253495: Multiple Vulnerabilities in SINEC OS before V4.0 - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-253495.json"
      }
    ],
    "title": "SSA-253495: Multiple Vulnerabilities in SINEC OS before V4.0",
    "tracking": {
      "current_release_date": "2026-06-02T00:00:00.000Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      },
      "id": "SSA-253495",
      "initial_release_date": "2026-06-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-06-02T00:00:00.000Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "interim",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:intdot/<4.0",
                "product": {
                  "name": "RUGGEDCOM RST2428P (6GK6242-6PA00)",
                  "product_id": "1",
                  "product_identification_helper": {
                    "model_numbers": [
                      "6GK6242-6PA00"
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "RUGGEDCOM RST2428P (6GK6242-6PA00)"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-1352",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-1352"
    },
    {
      "cve": "CVE-2025-1376",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-1376"
    },
    {
      "cve": "CVE-2025-6052",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in how GLib\u2019s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn\u2019t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-6052"
    },
    {
      "cve": "CVE-2025-6141",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-6141"
    },
    {
      "cve": "CVE-2025-6170",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-6170"
    },
    {
      "cve": "CVE-2025-7039",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-7039"
    },
    {
      "cve": "CVE-2025-8732",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains that \"[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all.\"",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-8732"
    },
    {
      "cve": "CVE-2025-9086",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n   hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\"/\",`).\n   Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n   boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-9086"
    },
    {
      "cve": "CVE-2025-9230",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: An application trying to decrypt CMS messages encrypted using\npassword based encryption can trigger an out-of-bounds read and write.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application. The out-of-bounds write can cause\na memory corruption which can have various consequences including\na Denial of Service or Execution of attacker-supplied code.\n\nAlthough the consequences of a successful exploit of this vulnerability\ncould be severe, the probability that the attacker would be able to\nperform it is low. Besides, password based (PWRI) encryption support in CMS\nmessages is very rarely used. For that reason the issue was assessed as\nModerate severity according to our Security Policy.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-9230"
    },
    {
      "cve": "CVE-2025-9231",
      "cwe": {
        "id": "CWE-385",
        "name": "Covert Timing Channel"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: A timing side-channel which could potentially allow remote\nrecovery of the private key exists in the SM2 algorithm implementation on 64 bit\nARM platforms.\n\nImpact summary: A timing side-channel in SM2 signature computations on 64 bit\nARM platforms could allow recovering the private key by an attacker.\n\nWhile remote key recovery over a network was not attempted by the reporter,\ntiming measurements revealed a timing signal which may allow such an attack.\n\nOpenSSL does not directly support certificates with SM2 keys in TLS, and so\nthis CVE is not relevant in most TLS contexts.  However, given that it is\npossible to add support for such certificates via a custom provider, coupled\nwith the fact that in such a custom provider context the private key may be\nrecoverable via remote timing measurements, we consider this to be a Moderate\nseverity issue.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as SM2 is not an approved algorithm.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-9231"
    },
    {
      "cve": "CVE-2025-9232",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the 'no_proxy' environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na 'no_proxy' environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-9232"
    },
    {
      "cve": "CVE-2025-10966",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "curl's code for managing SSH connections when SFTP was done using the wolfSSH\npowered backend was flawed and missed host verification mechanisms.\n\nThis prevents curl from detecting MITM attackers and more.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-10966"
    },
    {
      "cve": "CVE-2025-13465",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\r\n\r\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\r\n\r\nThis issue is patched in 4.17.23.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-13465"
    },
    {
      "cve": "CVE-2025-13601",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-13601"
    },
    {
      "cve": "CVE-2025-39913",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.\n\nsyzbot reported the splat below. [0]\n\nThe repro does the following:\n\n  1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)\n  2. Attach the prog to a SOCKMAP\n  3. Add a socket to the SOCKMAP\n  4. Activate fault injection\n  5. Send data less than cork_bytes\n\nAt 5., the data is carried over to the next sendmsg() as it is\nsmaller than the cork_bytes specified by bpf_msg_cork_bytes().\n\nThen, tcp_bpf_send_verdict() tries to allocate psock->cork to hold\nthe data, but this fails silently due to fault injection + __GFP_NOWARN.\n\nIf the allocation fails, we need to revert the sk->sk_forward_alloc\nchange done by sk_msg_alloc().\n\nLet's call sk_msg_free() when tcp_bpf_send_verdict fails to allocate\npsock->cork.\n\nThe \"*copied\" also needs to be updated such that a proper error can\nbe returned to the caller, sendmsg. 
It fails to allocate psock->cork.\nNothing has been corked so far, so this patch simply sets \"*copied\"\nto 0.\n\n[0]:\nWARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983\nModules linked in:\nCPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156\nCode: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc\nRSP: 0018:ffffc90000a08b48 EFLAGS: 00010246\nRAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80\nRDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000\nRBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4\nR10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380\nR13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872\nFS:  00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0\nCall Trace:\n <IRQ>\n __sk_destruct+0x86/0x660 net/core/sock.c:2339\n rcu_do_batch kernel/rcu/tree.c:2605 [inline]\n rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861\n handle_softirqs+0x286/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052\n </IRQ>",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-39913"
    },
    {
      "cve": "CVE-2025-40214",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\naf_unix: Initialise scc_index in unix_add_edge().\r\n\r\nQuang Le reported that the AF_UNIX GC could garbage-collect a\r\nreceive queue of an alive in-flight socket, with a nice repro.\r\n\r\nThe repro consists of three stages.\r\n\r\n  1)\r\n    1-a. Create a single cyclic reference with many sockets\r\n    1-b. close() all sockets\r\n    1-c. Trigger GC\r\n\r\n  2)\r\n    2-a. Pass sk-A to an embryo sk-B\r\n    2-b. Pass sk-X to sk-X\r\n    2-c. Trigger GC\r\n\r\n  3)\r\n    3-a. accept() the embryo sk-B\r\n    3-b. Pass sk-B to sk-C\r\n    3-c. close() the in-flight sk-A\r\n    3-d. Trigger GC\r\n\r\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\r\nand unix_walk_scc() groups them into two different SCCs:\r\n\r\n  unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)\r\n  unix_sk(sk-X)->vertex->scc_index = 3\r\n\r\nOnce GC completes, unix_graph_grouped is set to true.\r\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X's\r\ncyclic self-reference, which makes close() trigger GC.\r\n\r\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and\r\nlinks it to unix_unvisited_vertices.\r\n\r\nunix_update_graph() is called at 3-a. and 3-b., but neither\r\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\r\nbecause both sk-B's listener and sk-C are not in-flight.\r\n\r\n3-c decrements sk-A's file refcnt to 1.\r\n\r\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\r\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\r\n\r\n  sk-A -> sk-B (-> sk-C)\r\n  sk-X -> sk-X\r\n\r\nThis is totally fine.  
All of them are not yet close()d and\r\nshould be grouped into different SCCs.\r\n\r\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\r\nin the same SCC and sk-A is dead.\r\n\r\n  unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!\r\n  &&\r\n  sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree\r\n                                       ^-- 1 in-flight count for sk-B\r\n  -> sk-A is dead !?\r\n\r\nThe problem is that unix_add_edge() does not initialise scc_index.\r\n\r\nStage 1) is used for heap spraying, making a newly allocated\r\nvertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START)\r\nset by unix_walk_scc() at 1-c.\r\n\r\nLet's track the max SCC index from the previous unix_walk_scc()\r\ncall and assign the max + 1 to a new vertex's scc_index.\r\n\r\nThis way, we can continue to avoid Tarjan's algorithm while\r\npreventing misjudgments.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40214"
    },
    {
      "cve": "CVE-2025-40248",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nvsock: Ignore signal/timeout on connect() if already established\r\n\r\nDuring connect(), acting on a signal/timeout by disconnecting an already\r\nestablished socket leads to several issues:\r\n\r\n1. connect() invoking vsock_transport_cancel_pkt() ->\r\n   virtio_transport_purge_skbs() may race with sendmsg() invoking\r\n   virtio_transport_get_credit(). This results in a permanently elevated\r\n   `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.\r\n\r\n2. connect() resetting a connected socket's state may race with socket\r\n   being placed in a sockmap. A disconnected socket remaining in a sockmap\r\n   breaks sockmap's assumptions. And gives rise to WARNs.\r\n\r\n3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a\r\n   transport change/drop after TCP_ESTABLISHED. Which poses a problem for\r\n   any simultaneous sendmsg() or connect() and may result in a\r\n   use-after-free/null-ptr-deref.\r\n\r\nDo not disconnect socket on signal/timeout. Keep the logic for unconnected\r\nsockets: they don't linger, can't be placed in a sockmap, are rejected by\r\nsendmsg().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40248"
    },
    {
      "cve": "CVE-2025-40250",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/mlx5: Clean up only new IRQ glue on request_irq() failure\r\n\r\nThe mlx5_irq_alloc() function can inadvertently free the entire rmap\r\nand end up in a crash[1] when the other threads tries to access this,\r\nwhen request_irq() fails due to exhausted IRQ vectors. This commit\r\nmodifies the cleanup to remove only the specific IRQ mapping that was\r\njust added.\r\n\r\nThis prevents removal of other valid mappings and ensures precise\r\ncleanup of the failed IRQ allocation's associated glue object.\r\n\r\nNote: This error is observed when both fwctl and rds configs are enabled.\r\n\r\n[1]\r\nmlx5_core 0000:05:00.0: Successfully registered panic handler for port 1\r\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\r\nrequest irq. err = -28\r\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\r\ntrying to test write-combining support\r\nmlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1\r\nmlx5_core 0000:06:00.0: Successfully registered panic handler for port 1\r\nmlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\r\nrequest irq. err = -28\r\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\r\ntrying to test write-combining support\r\nmlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1\r\nmlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\r\nrequest irq. err = -28\r\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\r\nrequest irq. err = -28\r\ngeneral protection fault, probably for non-canonical address\r\n0xe277a58fde16f291: 0000 [#1] SMP NOPTI\r\n\r\nRIP: 0010:free_irq_cpu_rmap+0x23/0x7d\r\nCall Trace:\r\n   <TASK>\r\n   ? show_trace_log_lvl+0x1d6/0x2f9\r\n   ? show_trace_log_lvl+0x1d6/0x2f9\r\n   ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\r\n   ? __die_body.cold+0x8/0xa\r\n   ? die_addr+0x39/0x53\r\n   ? 
exc_general_protection+0x1c4/0x3e9\r\n   ? dev_vprintk_emit+0x5f/0x90\r\n   ? asm_exc_general_protection+0x22/0x27\r\n   ? free_irq_cpu_rmap+0x23/0x7d\r\n   mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\r\n   irq_pool_request_vector+0x7d/0x90 [mlx5_core]\r\n   mlx5_irq_request+0x2e/0xe0 [mlx5_core]\r\n   mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]\r\n   comp_irq_request_pci+0x64/0xf0 [mlx5_core]\r\n   create_comp_eq+0x71/0x385 [mlx5_core]\r\n   ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]\r\n   mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]\r\n   ? xas_load+0x8/0x91\r\n   mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]\r\n   mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]\r\n   mlx5e_open_channels+0xad/0x250 [mlx5_core]\r\n   mlx5e_open_locked+0x3e/0x110 [mlx5_core]\r\n   mlx5e_open+0x23/0x70 [mlx5_core]\r\n   __dev_open+0xf1/0x1a5\r\n   __dev_change_flags+0x1e1/0x249\r\n   dev_change_flags+0x21/0x5c\r\n   do_setlink+0x28b/0xcc4\r\n   ? __nla_parse+0x22/0x3d\r\n   ? inet6_validate_link_af+0x6b/0x108\r\n   ? cpumask_next+0x1f/0x35\r\n   ? __snmp6_fill_stats64.constprop.0+0x66/0x107\r\n   ? __nla_validate_parse+0x48/0x1e6\r\n   __rtnl_newlink+0x5ff/0xa57\r\n   ? kmem_cache_alloc_trace+0x164/0x2ce\r\n   rtnl_newlink+0x44/0x6e\r\n   rtnetlink_rcv_msg+0x2bb/0x362\r\n   ? __netlink_sendskb+0x4c/0x6c\r\n   ? netlink_unicast+0x28f/0x2ce\r\n   ? rtnl_calcit.isra.0+0x150/0x146\r\n   netlink_rcv_skb+0x5f/0x112\r\n   netlink_unicast+0x213/0x2ce\r\n   netlink_sendmsg+0x24f/0x4d9\r\n   __sock_sendmsg+0x65/0x6a\r\n   ____sys_sendmsg+0x28f/0x2c9\r\n   ? 
import_iovec+0x17/0x2b\r\n   ___sys_sendmsg+0x97/0xe0\r\n   __sys_sendmsg+0x81/0xd8\r\n   do_syscall_64+0x35/0x87\r\n   entry_SYSCALL_64_after_hwframe+0x6e/0x0\r\nRIP: 0033:0x7fc328603727\r\nCode: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed\r\nff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00\r\nf0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48\r\nRSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\r\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727\r\nRDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d\r\nRBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000\r\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\r\nR13: 00000000000\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40250"
    },
    {
      "cve": "CVE-2025-40251",
      "cwe": {
        "id": "CWE-911",
        "name": "Improper Update of Reference Count"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndevlink: rate: Unset parent pointer in devl_rate_nodes_destroy\r\n\r\nThe function devl_rate_nodes_destroy is documented to \"Unset parent for\r\nall rate objects\". However, it was only calling the driver-specific\r\n`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing\r\nthe parent's refcount, without actually setting the\r\n`devlink_rate->parent` pointer to NULL.\r\n\r\nThis leaves a dangling pointer in the `devlink_rate` struct, which cause\r\nrefcount error in netdevsim[1] and mlx5[2]. In addition, this is\r\ninconsistent with the behavior of `devlink_nl_rate_parent_node_set`,\r\nwhere the parent pointer is correctly cleared.\r\n\r\nThis patch fixes the issue by explicitly setting `devlink_rate->parent`\r\nto NULL after notifying the driver, thus fulfilling the function's\r\ndocumented behavior for all rate objects.\r\n\r\n[1]\r\nrepro steps:\r\necho 1 > /sys/bus/netdevsim/new_device\r\ndevlink dev eswitch set netdevsim/netdevsim1 mode switchdev\r\necho 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs\r\ndevlink port function rate add netdevsim/netdevsim1/test_node\r\ndevlink port function rate set netdevsim/netdevsim1/128 parent test_node\r\necho 1 > /sys/bus/netdevsim/del_device\r\n\r\ndmesg:\r\nrefcount_t: decrement hit 0; leaking memory.\r\nWARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\r\nCPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE\r\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\r\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\r\nCall Trace:\r\n <TASK>\r\n devl_rate_leaf_destroy+0x8d/0x90\r\n __nsim_dev_port_del+0x6c/0x70 [netdevsim]\r\n nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]\r\n nsim_drv_remove+0x2b/0xb0 [netdevsim]\r\n device_release_driver_internal+0x194/0x1f0\r\n bus_remove_device+0xc6/0x130\r\n 
device_del+0x159/0x3c0\r\n device_unregister+0x1a/0x60\r\n del_device_store+0x111/0x170 [netdevsim]\r\n kernfs_fop_write_iter+0x12e/0x1e0\r\n vfs_write+0x215/0x3d0\r\n ksys_write+0x5f/0xd0\r\n do_syscall_64+0x55/0x10f0\r\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\r\n\r\n[2]\r\ndevlink dev eswitch set pci/0000:08:00.0 mode switchdev\r\ndevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000\r\ndevlink port function rate add pci/0000:08:00.0/group1\r\ndevlink port function rate set pci/0000:08:00.0/32768 parent group1\r\nmodprobe -r mlx5_ib mlx5_fwctl mlx5_core\r\n\r\ndmesg:\r\nrefcount_t: decrement hit 0; leaking memory.\r\nWARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\r\nCPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE\r\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\r\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\r\nCall Trace:\r\n <TASK>\r\n devl_rate_leaf_destroy+0x8d/0x90\r\n mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]\r\n mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]\r\n mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]\r\n mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]\r\n notifier_call_chain+0x33/0xa0\r\n blocking_notifier_call_chain+0x3b/0x50\r\n mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]\r\n mlx5_eswitch_disable+0x63/0x90 [mlx5_core]\r\n mlx5_unload+0x1d/0x170 [mlx5_core]\r\n mlx5_uninit_one+0xa2/0x130 [mlx5_core]\r\n remove_one+0x78/0xd0 [mlx5_core]\r\n pci_device_remove+0x39/0xa0\r\n device_release_driver_internal+0x194/0x1f0\r\n unbind_store+0x99/0xa0\r\n kernfs_fop_write_iter+0x12e/0x1e0\r\n vfs_write+0x215/0x3d0\r\n ksys_write+0x5f/0xd0\r\n do_syscall_64+0x53/0x1f0\r\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40251"
    },
    {
      "cve": "CVE-2025-40252",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()\r\n\r\nThe loops in 'qede_tpa_cont()' and 'qede_tpa_end()' iterate\r\nover 'cqe->len_list[]' using only a zero-length terminator as\r\nthe stopping condition. If the terminator is missing or\r\nmalformed, the loop can run past the end of the fixed-size array.\r\n\r\nAdd an explicit bound check using ARRAY_SIZE() in both loops to prevent\r\na potential out-of-bounds access.\r\n\r\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40252"
    },
    {
      "cve": "CVE-2025-40254",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: openvswitch: remove never-working support for setting nsh fields\r\n\r\nThe validation of the set(nsh(...)) action is completely wrong.\r\nIt runs through the nsh_key_put_from_nlattr() function that is the\r\nsame function that validates NSH keys for the flow match and the\r\npush_nsh() action.  However, the set(nsh(...)) has a very different\r\nmemory layout.  Nested attributes in there are doubled in size in\r\ncase of the masked set().  That makes proper validation impossible.\r\n\r\nThere is also confusion in the code between the 'masked' flag, that\r\nsays that the nested attributes are doubled in size containing both\r\nthe value and the mask, and the 'is_mask' that says that the value\r\nwe're parsing is the mask.  This is causing kernel crash on trying to\r\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\r\nvalidation, while validate_nsh() doesn't allocate any memory for it:\r\n\r\n  BUG: kernel NULL pointer dereference, address: 0000000000000018\r\n  #PF: supervisor read access in kernel mode\r\n  #PF: error_code(0x0000) - not-present page\r\n  PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\r\n  Oops: Oops: 0000 [#1] SMP NOPTI\r\n  CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\r\n  RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\r\n  Call Trace:\r\n   <TASK>\r\n   validate_nsh+0x60/0x90 [openvswitch]\r\n   validate_set.constprop.0+0x270/0x3c0 [openvswitch]\r\n   __ovs_nla_copy_actions+0x477/0x860 [openvswitch]\r\n   ovs_nla_copy_actions+0x8d/0x100 [openvswitch]\r\n   ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\r\n   genl_family_rcv_msg_doit+0xdb/0x130\r\n   genl_family_rcv_msg+0x14b/0x220\r\n   genl_rcv_msg+0x47/0xa0\r\n   netlink_rcv_skb+0x53/0x100\r\n   genl_rcv+0x24/0x40\r\n   netlink_unicast+0x280/0x3b0\r\n   netlink_sendmsg+0x1f7/0x430\r\n   ____sys_sendmsg+0x36b/0x3a0\r\n   
___sys_sendmsg+0x87/0xd0\r\n   __sys_sendmsg+0x6d/0xd0\r\n   do_syscall_64+0x7b/0x2c0\r\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\r\n\r\nThe third issue with this process is that while trying to convert\r\nthe non-masked set into masked one, validate_set() copies and doubles\r\nthe size of the OVS_KEY_ATTR_NSH as if it didn't have any nested\r\nattributes.  It should be copying each nested attribute and doubling\r\nthem in size independently.  And the process must be properly reversed\r\nduring the conversion back from masked to a non-masked variant during\r\nthe flow dump.\r\n\r\nIn the end, the only two outcomes of trying to use this action are\r\neither validation failure or a kernel crash.  And if somehow someone\r\nmanages to install a flow with such an action, it will most definitely\r\nnot do what it is supposed to, since all the keys and the masks are\r\nmixed up.\r\n\r\nFixing all the issues is a complex task as it requires re-writing\r\nmost of the validation code.\r\n\r\nGiven that and the fact that this functionality never worked since\r\nintroduction, let's just remove it altogether.  It's better to\r\nre-introduce it later with a proper implementation instead of trying\r\nto fix it in stable releases.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40254"
    },
    {
      "cve": "CVE-2025-40257",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: fix a race in mptcp_pm_del_add_timer()\r\n\r\nmptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)\r\nwhile another might have free entry already, as reported by syzbot.\r\n\r\nAdd RCU protection to fix this issue.\r\n\r\nAlso change confusing add_timer variable with stop_timer boolean.\r\n\r\nsyzbot report:\r\n\r\nBUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\r\nRead of size 4 at addr ffff8880311e4150 by task kworker/1:1/44\r\n\r\nCPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\r\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\r\nWorkqueue: events mptcp_worker\r\nCall Trace:\r\n <TASK>\r\n  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\r\n  print_address_description mm/kasan/report.c:378 [inline]\r\n  print_report+0xca/0x240 mm/kasan/report.c:482\r\n  kasan_report+0x118/0x150 mm/kasan/report.c:595\r\n  __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\r\n  sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631\r\n  mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362\r\n  mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174\r\n  tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361\r\n  tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441\r\n  tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931\r\n  tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374\r\n  ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205\r\n  ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239\r\n  NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\r\n  NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\r\n  __netif_receive_skb_one_core net/core/dev.c:6079 [inline]\r\n  __netif_receive_skb+0x143/0x380 net/core/dev.c:6192\r\n  process_backlog+0x31e/0x900 net/core/dev.c:6544\r\n  __napi_poll+0xb6/0x540 
net/core/dev.c:7594\r\n  napi_poll net/core/dev.c:7657 [inline]\r\n  net_rx_action+0x5f7/0xda0 net/core/dev.c:7784\r\n  handle_softirqs+0x22f/0x710 kernel/softirq.c:622\r\n  __do_softirq kernel/softirq.c:656 [inline]\r\n  __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302\r\n  mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]\r\n mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1\r\n  mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002\r\n  mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\r\n  process_one_work kernel/workqueue.c:3263 [inline]\r\n  process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\r\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\r\n  kthread+0x711/0x8a0 kernel/kthread.c:463\r\n  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\r\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\r\n </TASK>\r\n\r\nAllocated by task 44:\r\n  kasan_save_stack mm/kasan/common.c:56 [inline]\r\n  kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\r\n  poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\r\n  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417\r\n  kasan_kmalloc include/linux/kasan.h:262 [inline]\r\n  __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748\r\n  kmalloc_noprof include/linux/slab.h:957 [inline]\r\n  mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385\r\n  mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355\r\n  mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]\r\n  __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529\r\n  mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008\r\n  mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\r\n  process_one_work kernel/workqueue.c:3263 [inline]\r\n  process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\r\n  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\r\n  kthread+0x711/0x8a0 kernel/kthread.c:463\r\n  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\r\n  ret_from_fork_asm+0x1a/0x30 
arch/x86/entry/entry_64.S:245\r\n\r\nFreed by task 6630:\r\n  kasan_save_stack mm/kasan/common.c:56 [inline]\r\n  kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\r\n  __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587\r\n  kasan_save_free_info mm/kasan/kasan.h:406 [inline]\r\n  poison_slab_object m\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40257"
    },
    {
      "cve": "CVE-2025-40258",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmptcp: fix race condition in mptcp_schedule_work()\r\n\r\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\r\n\r\nIssue here is that mptcp_schedule_work() schedules a work,\r\nthen gets a refcount on sk->sk_refcnt if the work was scheduled.\r\nThis refcount will be released by mptcp_worker().\r\n\r\n[A] if (schedule_work(...)) {\r\n[B]     sock_hold(sk);\r\n        return true;\r\n    }\r\n\r\nProblem is that mptcp_worker() can run immediately and complete before [B]\r\n\r\nWe need instead :\r\n\r\n    sock_hold(sk);\r\n    if (schedule_work(...))\r\n        return true;\r\n    sock_put(sk);\r\n\r\n[1]\r\nrefcount_t: addition on 0; use-after-free.\r\n WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\r\nCall Trace:\r\n <TASK>\r\n __refcount_add include/linux/refcount.h:-1 [inline]\r\n  __refcount_inc include/linux/refcount.h:366 [inline]\r\n  refcount_inc include/linux/refcount.h:383 [inline]\r\n  sock_hold include/net/sock.h:816 [inline]\r\n  mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\r\n  mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\r\n  call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\r\n  expire_timers kernel/time/timer.c:1798 [inline]\r\n  __run_timers kernel/time/timer.c:2372 [inline]\r\n  __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\r\n  run_timer_base kernel/time/timer.c:2393 [inline]\r\n  run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\r\n  handle_softirqs+0x22f/0x710 kernel/softirq.c:622\r\n  __do_softirq kernel/softirq.c:656 [inline]\r\n  run_ktimerd+0xcf/0x190 kernel/softirq.c:1138\r\n  smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\r\n  kthread+0x711/0x8a0 kernel/kthread.c:463\r\n  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\r\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40258"
    },
    {
      "cve": "CVE-2025-40261",
      "cwe": {
        "id": "CWE-1341",
        "name": "Multiple Releases of Same Resource or Handle"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()\r\n\r\nnvme_fc_delete_assocation() waits for pending I/O to complete before\r\nreturning, and an error can cause ->ioerr_work to be queued after\r\ncancel_work_sync() had been called.  Move the call to cancel_work_sync() to\r\nbe after nvme_fc_delete_association() to ensure ->ioerr_work is not running\r\nwhen the nvme_fc_ctrl object is freed.  Otherwise the following can occur:\r\n\r\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL\r\n[ 1135.917705] ------------[ cut here ]------------\r\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\r\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\r\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\r\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\r\n[ 1135.950969] Workqueue:  0x0 (nvme-wq)\r\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\r\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\r\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\r\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\r\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\r\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\r\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\r\n[ 1136.020677] FS:  0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\r\n[ 1136.028765] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 1136.034510] 
CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0\r\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\r\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\r\n[ 1136.055910] PKRU: 55555554\r\n[ 1136.058623] Call Trace:\r\n[ 1136.061074]  <TASK>\r\n[ 1136.063179]  ? show_trace_log_lvl+0x1b0/0x2f0\r\n[ 1136.067540]  ? show_trace_log_lvl+0x1b0/0x2f0\r\n[ 1136.071898]  ? move_linked_works+0x4a/0xa0\r\n[ 1136.075998]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1136.081744]  ? __die_body.cold+0x8/0x12\r\n[ 1136.085584]  ? die+0x2e/0x50\r\n[ 1136.088469]  ? do_trap+0xca/0x110\r\n[ 1136.091789]  ? do_error_trap+0x65/0x80\r\n[ 1136.095543]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1136.101289]  ? exc_invalid_op+0x50/0x70\r\n[ 1136.105127]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1136.110874]  ? asm_exc_invalid_op+0x1a/0x20\r\n[ 1136.115059]  ? __list_del_entry_valid_or_report.cold+0xf/0x6f\r\n[ 1136.120806]  move_linked_works+0x4a/0xa0\r\n[ 1136.124733]  worker_thread+0x216/0x3a0\r\n[ 1136.128485]  ? __pfx_worker_thread+0x10/0x10\r\n[ 1136.132758]  kthread+0xfa/0x240\r\n[ 1136.135904]  ? __pfx_kthread+0x10/0x10\r\n[ 1136.139657]  ret_from_fork+0x31/0x50\r\n[ 1136.143236]  ? __pfx_kthread+0x10/0x10\r\n[ 1136.146988]  ret_from_fork_asm+0x1a/0x30\r\n[ 1136.150915]  </TASK>",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40261"
    },
    {
      "cve": "CVE-2025-40262",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: imx_sc_key - fix memory corruption on unload\r\n\r\nThe argument is supposed to be \"priv\" but we accidentally pass \"&priv\", which is\r\nan address on the stack, and so it will lead to memory corruption when\r\nthe imx_sc_key_action() function is called.  Remove the &.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40262"
    },
    {
      "cve": "CVE-2025-40263",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nInput: cros_ec_keyb - fix an invalid memory access\r\n\r\nIf cros_ec_keyb_register_matrix() isn't called (due to\r\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains\r\nNULL.  An invalid memory access is observed in cros_ec_keyb_process()\r\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\r\nin such case.\r\n\r\n  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\r\n  ...\r\n  x3 : 0000000000000000 x2 : 0000000000000000\r\n  x1 : 0000000000000000 x0 : 0000000000000000\r\n  Call trace:\r\n  input_event\r\n  cros_ec_keyb_work\r\n  blocking_notifier_call_chain\r\n  ec_irq_thread\r\n\r\nIt's still unknown about why the kernel receives such malformed event,\r\nin any cases, the kernel shouldn't access `ckdev->idev` and friends if\r\nthe driver doesn't intend to initialize them.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40263"
    },
    {
      "cve": "CVE-2025-40264",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nbe2net: pass wrb_params in case of OS2BMC\r\n\r\nbe_insert_vlan_in_pkt() is called with the wrb_params argument being NULL\r\nat be_send_pkt_to_bmc() call site.\u00a0 This may lead to dereferencing a NULL\r\npointer when processing a workaround for specific packet, as commit\r\nbc0c3405abbb (\"be2net: fix a Tx stall bug caused by a specific ipv6\r\npacket\") states.\r\n\r\nThe correct way would be to pass the wrb_params from be_xmit().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40264"
    },
    {
      "cve": "CVE-2025-40271",
      "cwe": {
        "id": "CWE-625",
        "name": "Permissive Regular Expression"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time.  The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n   pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n   them from rbtree.  erase tun3 first, and then erase tun2.  the\n   pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n   pde(tun2) which is released, it will case uaf access.\n\nCPU 0                                      |    CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun->dev)   //tun3 tun2\nsys_getdents64()                           |\n  iterate_dir()                            |\n    proc_readdir()                         |\n      proc_readdir_de()                    |     snmp6_unregister_dev()\n        pde_get(de);                       |       proc_remove()\n        read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()\n                                           |           write_lock(&proc_subdir_lock);\n        [time window]                      |           rb_erase(&root->subdir_node, &parent->subdir);\n                                           |           write_unlock(&proc_subdir_lock);\n        read_lock(&proc_subdir_lock);      |\n        next = pde_subdir_next(de);        |\n        pde_put(de);                       |\n        de = next;    //UAF                |\n\nrbtree of dev_snmp6\n              
          |\n                    pde(tun3)\n                     /    \\\n                  NULL  pde(tun2)",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40271"
    },
    {
      "cve": "CVE-2025-40278",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak\n\nFix a KMSAN kernel-infoleak detected  by the syzbot .\n\n[net?] KMSAN: kernel-infoleak in __skb_datagram_iter\n\nIn tcf_ife_dump(), the variable 'opt' was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied.\n\nThis change silences the KMSAN report and prevents potential information\nleaks from the kernel memory.\n\nThis fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures no infoleak.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40278"
    },
    {
      "cve": "CVE-2025-40280",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_mon_reinit_self().\n\nsyzbot reported use-after-free of tipc_net(net)->monitors[]\nin tipc_mon_reinit_self(). [0]\n\nThe array is protected by RTNL, but tipc_mon_reinit_self()\niterates over it without RTNL.\n\ntipc_mon_reinit_self() is called from tipc_net_finalize(),\nwhich is always under RTNL except for tipc_net_finalize_work().\n\nLet's hold RTNL in tipc_net_finalize_work().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\nRead of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989\n\nCPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568\n kasan_check_byte include/linux/kasan.h:399 [inline]\n lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\n rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]\n rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]\n rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244\n rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243\n write_lock_bh include/linux/rwlock_rt.h:99 [inline]\n tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718\n tipc_net_finalize+0x115/0x190 net/tipc/net.c:140\n process_one_work kernel/workqueue.c:3236 
[inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nAllocated by task 6089:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657\n tipc_enable_bearer net/tipc/bearer.c:357 [inline]\n __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047\n __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]\n tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393\n tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]\n tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321\n genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:729\n ____sys_sendmsg+0x508/0x820 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x1a1/0x260 
net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40280"
    },
    {
      "cve": "CVE-2025-40281",
      "cwe": {
        "id": "CWE-1335",
        "name": "Incorrect Bitwise Shift of Integer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto\n\nsyzbot reported a possible shift-out-of-bounds [1]\n\nBlamed commit added rto_alpha_max and rto_beta_max set to 1000.\n\nIt is unclear if some sctp users are setting very large rto_alpha\nand/or rto_beta.\n\nIn order to prevent user regression, perform the test at run time.\n\nAlso add READ_ONCE() annotations as sysctl values can change under us.\n\n[1]\n\nUBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41\nshift exponent 64 is too large for 32-bit type 'unsigned int'\nCPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nCall Trace:\n <TASK>\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:233 [inline]\n  __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494\n  sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509\n  sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502\n  sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338\n  sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]\n  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40281"
    },
    {
      "cve": "CVE-2025-40345",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nusb: storage: sddr55: Reject out-of-bound new_pba\r\n\r\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\r\n\r\nnew_pba comes from the status packet returned after each write.\r\nA bogus device could report values beyond the block count derived\r\nfrom info->capacity, letting the driver walk off the end of\r\npba_to_lba[] and corrupt heap memory.\r\n\r\nReject PBAs that exceed the computed block count and fail the\r\ntransfer so we avoid touching out-of-range mapping entries.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-40345"
    },
    {
      "cve": "CVE-2025-46394",
      "cwe": {
        "id": "CWE-451",
        "name": "User Interface (UI) Misrepresentation of Critical Information"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.2,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-46394"
    },
    {
      "cve": "CVE-2025-49794",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path=\"...\"/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-49794"
    },
    {
      "cve": "CVE-2025-49795",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-49795"
    },
    {
      "cve": "CVE-2025-49796",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-49796"
    },
    {
      "cve": "CVE-2025-60876",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-60876"
    },
    {
      "cve": "CVE-2025-66035",
      "cwe": {
        "id": "CWE-201",
        "name": "Insertion of Sensitive Information Into Sent Data"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-66035"
    },
    {
      "cve": "CVE-2025-66382",
      "cwe": {
        "id": "CWE-407",
        "name": "Inefficient Algorithmic Complexity"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-66382"
    },
    {
      "cve": "CVE-2025-66412",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-66412"
    },
    {
      "cve": "CVE-2025-69720",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-69720"
    },
    {
      "cve": "CVE-2025-71185",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: ti: dma-crossbar: fix device leak on am335x route allocation\r\n\r\nMake sure to drop the reference taken when looking up the crossbar\r\nplatform device during am335x route allocation.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-71185"
    },
    {
      "cve": "CVE-2025-71186",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: stm32: dmamux: fix device leak on route allocation\r\n\r\nMake sure to drop the reference taken when looking up the DMA mux\r\nplatform device during route allocation.\r\n\r\nNote that holding a reference to a device does not prevent its driver\r\ndata from going away so there is no point in keeping the reference.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-71186"
    },
    {
      "cve": "CVE-2025-71188",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: lpc18xx-dmamux: fix device leak on route allocation\r\n\r\nMake sure to drop the reference taken when looking up the DMA mux\r\nplatform device during route allocation.\r\n\r\nNote that holding a reference to a device does not prevent its driver\r\ndata from going away so there is no point in keeping the reference.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-71188"
    },
    {
      "cve": "CVE-2025-71189",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: dw: dmamux: fix OF node leak on route allocation failure\r\n\r\nMake sure to drop the reference taken to the DMA master OF node also on\r\nlate route allocation failures.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-71189"
    },
    {
      "cve": "CVE-2025-71190",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: bcm-sba-raid: fix device leak on probe\r\n\r\nMake sure to drop the reference taken when looking up the mailbox device\r\nduring probe on probe failures and on driver unbind.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-71190"
    },
    {
      "cve": "CVE-2025-71191",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: at_hdmac: fix device leak on of_dma_xlate()\r\n\r\nMake sure to drop the reference taken when looking up the DMA platform\r\ndevice during of_dma_xlate() when releasing channel resources.\r\n\r\nNote that commit 3832b78b3ec2 (\"dmaengine: at_hdmac: add missing\r\nput_device() call in at_dma_xlate()\") fixed the leak in a couple of\r\nerror paths but the reference is still leaking on successful allocation.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-71191"
    },
    {
      "cve": "CVE-2026-1484",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-1484"
    },
    {
      "cve": "CVE-2026-1489",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-1489"
    },
    {
      "cve": "CVE-2026-3784",
      "cwe": {
        "id": "CWE-305",
        "name": "Authentication Bypass by Primary Weakness"
      },
      "notes": [
        {
          "category": "summary",
          "text": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate connection.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-3784"
    },
    {
      "cve": "CVE-2026-22610",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular\u2019s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-22610"
    },
    {
      "cve": "CVE-2026-22976",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset\r\n\r\n`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class\r\nitself is active.\r\n\r\nTwo qfq_class objects may point to the same leaf_qdisc. This happens\r\nwhen:\r\n\r\n1. one QFQ qdisc is attached to the dev as the root qdisc, and\r\n\r\n2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()\r\n/ qdisc_put()) and is pending to be destroyed, as in function\r\ntc_new_tfilter.\r\n\r\nWhen packets are enqueued through the root QFQ qdisc, the shared\r\nleaf_qdisc->q.qlen increases. At the same time, the second QFQ\r\nqdisc triggers qdisc_put and qdisc_destroy: the qdisc enters\r\nqfq_reset() with its own q->q.qlen == 0, but its class's leaf\r\nqdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate\r\nan inactive aggregate and trigger a null-deref in qfq_deactivate_agg:\r\n\r\n[    0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000\r\n[    0.903571] #PF: supervisor write access in kernel mode\r\n[    0.903860] #PF: error_code(0x0002) - not-present page\r\n[    0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0\r\n[    0.904502] Oops: Oops: 0002 [#1] SMP NOPTI\r\n[    0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE\r\n[    0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\r\n[    0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))\r\n[    0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0\r\n\r\nCode starting with the faulting 
instruction\r\n===========================================\r\n   0:\t0f 84 4d 01 00 00    \tje     0x153\r\n   6:\t48 89 70 18          \tmov    %rsi,0x18(%rax)\r\n   a:\t8b 4b 10             \tmov    0x10(%rbx),%ecx\r\n   d:\t48 c7 c2 ff ff ff ff \tmov    $0xffffffffffffffff,%rdx\r\n  14:\t48 8b 78 08          \tmov    0x8(%rax),%rdi\r\n  18:\t48 d3 e2             \tshl    %cl,%rdx\r\n  1b:\t48 21 f2             \tand    %rsi,%rdx\r\n  1e:\t48 2b 13             \tsub    (%rbx),%rdx\r\n  21:\t48 8b 30             \tmov    (%rax),%rsi\r\n  24:\t48 d3 ea             \tshr    %cl,%rdx\r\n  27:\t8b 4b 18             \tmov    0x18(%rbx),%ecx\r\n\t...\r\n[    0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246\r\n[    0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000\r\n[    0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\r\n[    0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000\r\n[    0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000\r\n[    0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880\r\n[    0.909179] FS:  000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000\r\n[    0.909572] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[    0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0\r\n[    0.910247] PKRU: 55555554\r\n[    0.910391] Call Trace:\r\n[    0.910527]  <TASK>\r\n[    0.910638]  qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)\r\n[    0.910826]  qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)\r\n[    0.911040]  __qdisc_destroy (net/sched/sch_generic.c:1076)\r\n[    0.911236]  tc_new_tfilter (net/sched/cls_api.c:2447)\r\n[    0.911447]  rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\r\n[    0.911663]  ? 
__pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)\r\n[    0.911894]  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\r\n[    0.912100]  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\r\n[    0.912296]  ? __alloc_skb (net/core/skbuff.c:706)\r\n[    0.912484]  netlink_sendmsg (net/netlink/af\r\n---truncated---",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-22976"
    },
    {
      "cve": "CVE-2026-22977",
      "cwe": {
        "id": "CWE-489",
        "name": "Active Debug Code"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnet: sock: fix hardened usercopy panic in sock_recv_errqueue\r\n\r\nskbuff_fclone_cache was created without defining a usercopy region,\r\n[1] unlike skbuff_head_cache which properly whitelists the cb[] field.\r\n[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is\r\nenabled and the kernel attempts to copy sk_buff.cb data to userspace\r\nvia sock_recv_errqueue() -> put_cmsg().\r\n\r\nThe crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()\r\n   (from skbuff_fclone_cache) [1]\r\n2. The skb is cloned via skb_clone() using the pre-allocated fclone\r\n[3] 3. The cloned skb is queued to sk_error_queue for timestamp\r\nreporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)\r\n5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb\r\n[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no\r\n   usercopy whitelist [5]\r\n\r\nWhen cloned skbs allocated from skbuff_fclone_cache are used in the\r\nsocket error queue, accessing the sock_exterr_skb structure in skb->cb\r\nvia put_cmsg() triggers a usercopy hardening violation:\r\n\r\n[    5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)!\r\n[    5.382796] kernel BUG at mm/usercopy.c:102!\r\n[    5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\r\n[    5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7\r\n[    5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\r\n[    5.384903] RIP: 0010:usercopy_abort+0x6c/0x80\r\n[    5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490\r\n[    5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246\r\n[    5.384903] RAX: 000000000000006f RBX: 
ffff88800f0ad2a8 RCX: 1ffffffff0f72e74\r\n[    5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0\r\n[    5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74\r\n[    5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001\r\n[    5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00\r\n[    5.384903] FS:  0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000\r\n[    5.384903] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[    5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0\r\n[    5.384903] PKRU: 55555554\r\n[    5.384903] Call Trace:\r\n[    5.384903]  <TASK>\r\n[    5.384903]  __check_heap_object+0x9a/0xd0\r\n[    5.384903]  __check_object_size+0x46c/0x690\r\n[    5.384903]  put_cmsg+0x129/0x5e0\r\n[    5.384903]  sock_recv_errqueue+0x22f/0x380\r\n[    5.384903]  tls_sw_recvmsg+0x7ed/0x1960\r\n[    5.384903]  ? srso_alias_return_thunk+0x5/0xfbef5\r\n[    5.384903]  ? schedule+0x6d/0x270\r\n[    5.384903]  ? srso_alias_return_thunk+0x5/0xfbef5\r\n[    5.384903]  ? mutex_unlock+0x81/0xd0\r\n[    5.384903]  ? __pfx_mutex_unlock+0x10/0x10\r\n[    5.384903]  ? __pfx_tls_sw_recvmsg+0x10/0x10\r\n[    5.384903]  ? _raw_spin_lock_irqsave+0x8f/0xf0\r\n[    5.384903]  ? _raw_read_unlock_irqrestore+0x20/0x40\r\n[    5.384903]  ? 
srso_alias_return_thunk+0x5/0xfbef5\r\n\r\nThe crash offset 296 corresponds to skb2->cb within skbuff_fclones:\r\n  - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -\r\n  offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =\r\n  272 + 24 (inside sock_exterr_skb.ee)\r\n\r\nThis patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.\r\n\r\n[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885\r\n[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104\r\n[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566\r\n[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491\r\n[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-22977"
    },
    {
      "cve": "CVE-2026-23025",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nmm/page_alloc: prevent pcp corruption with SMP=n\r\n\r\nThe kernel test robot has reported:\r\n\r\n BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28\r\n  lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0\r\n CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT  8cc09ef94dcec767faa911515ce9e609c45db470\r\n Call Trace:\r\n  <IRQ>\r\n  __dump_stack (lib/dump_stack.c:95)\r\n  dump_stack_lvl (lib/dump_stack.c:123)\r\n  dump_stack (lib/dump_stack.c:130)\r\n  spin_dump (kernel/locking/spinlock_debug.c:71)\r\n  do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)\r\n  _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)\r\n  __free_frozen_pages (mm/page_alloc.c:2973)\r\n  ___free_pages (mm/page_alloc.c:5295)\r\n  __free_pages (mm/page_alloc.c:5334)\r\n  tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)\r\n  ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)\r\n  ? 
rcu_core (kernel/rcu/tree.c:?)\r\n  rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)\r\n  rcu_core_si (kernel/rcu/tree.c:2879)\r\n  handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)\r\n  __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)\r\n  irq_exit_rcu (kernel/softirq.c:741)\r\n  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)\r\n  </IRQ>\r\n  <TASK>\r\n RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)\r\n  free_pcppages_bulk (mm/page_alloc.c:1494)\r\n  drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)\r\n  __drain_all_pages (mm/page_alloc.c:2731)\r\n  drain_all_pages (mm/page_alloc.c:2747)\r\n  kcompactd (mm/compaction.c:3115)\r\n  kthread (kernel/kthread.c:465)\r\n  ? __cfi_kcompactd (mm/compaction.c:3166)\r\n  ? __cfi_kthread (kernel/kthread.c:412)\r\n  ret_from_fork (arch/x86/kernel/process.c:164)\r\n  ? __cfi_kthread (kernel/kthread.c:412)\r\n  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)\r\n  </TASK>\r\n\r\nMatthew has analyzed the report and identified that in drain_page_zone()\r\nwe are in a section protected by spin_lock(&pcp->lock) and then get an\r\ninterrupt that attempts spin_trylock() on the same lock.  The code is\r\ndesigned to work this way without disabling IRQs and occasionally fail the\r\ntrylock with a fallback.  However, the SMP=n spinlock implementation\r\nassumes spin_trylock() will always succeed, and thus it's normally a\r\nno-op.  Here the enabled lock debugging catches the problem, but otherwise\r\nit could cause a corruption of the pcp structure.\r\n\r\nThe problem has been introduced by commit 574907741599 (\"mm/page_alloc:\r\nleave IRQs enabled for per-cpu page allocations\").  
The pcp locking scheme\r\nrecognizes the need for disabling IRQs to prevent nesting spin_trylock()\r\nsections on SMP=n, but the need to prevent the nesting in spin_lock() has\r\nnot been recognized.  Fix it by introducing local wrappers that change the\r\nspin_lock() to spin_lock_irqsave() with SMP=n and use them in all places\r\nthat do spin_lock(&pcp->lock).\r\n\r\n[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23025"
    },
    {
      "cve": "CVE-2026-23026",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()\r\n\r\nFix a memory leak in gpi_peripheral_config() where the original memory\r\npointed to by gchan->config could be lost if krealloc() fails.\r\n\r\nThe issue occurs when:\r\n1. gchan->config points to previously allocated memory\r\n2. krealloc() fails and returns NULL\r\n3. The function directly assigns NULL to gchan->config, losing the\r\n   reference to the original memory\r\n4. The original memory becomes unreachable and cannot be freed\r\n\r\nFix this by using a temporary variable to hold the krealloc() result\r\nand only updating gchan->config when the allocation succeeds.\r\n\r\nFound via static analysis and code review.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23026"
    },
    {
      "cve": "CVE-2026-23030",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nphy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()\r\n\r\nThe for_each_available_child_of_node() calls of_node_put() to\r\nrelease child_np on each successful loop iteration. After breaking from the\r\nloop once child_np has been released, the code will jump to\r\nthe put_child label and will call of_node_put() again if\r\ndevm_request_threaded_irq() fails. This causes a double free bug.\r\n\r\nFix by returning directly to avoid the duplicate of_node_put().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23030"
    },
    {
      "cve": "CVE-2026-23031",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak\r\n\r\nIn gs_can_open(), the URBs for USB-in transfers are allocated, added to the\r\nparent->rx_submitted anchor and submitted. In the complete callback\r\ngs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In\r\ngs_can_close() the URBs are freed by calling\r\nusb_kill_anchored_urbs(parent->rx_submitted).\r\n\r\nHowever, this does not take into account that the USB framework unanchors\r\nthe URB before the complete function is called. This means that once an\r\nin-URB has been completed, it is no longer anchored and is ultimately not\r\nreleased in gs_can_close().\r\n\r\nFix the memory leak by anchoring the URB in the\r\ngs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23031"
    },
    {
      "cve": "CVE-2026-23032",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nnull_blk: fix kmemleak by releasing references to fault configfs items\r\n\r\nWhen CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk\r\ndriver sets up fault injection support by creating the timeout_inject,\r\nrequeue_inject, and init_hctx_fault_inject configfs items as children\r\nof the top-level nullbX configfs group.\r\n\r\nHowever, when the nullbX device is removed, the references taken to\r\nthese fault-config configfs items are not released. As a result,\r\nkmemleak reports a memory leak, for example:\r\n\r\nunreferenced object 0xc00000021ff25c40 (size 32):\r\n  comm \"mkdir\", pid 10665, jiffies 4322121578\r\n  hex dump (first 32 bytes):\r\n    69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f  init_hctx_fault_\r\n    69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00  inject..........\r\n  backtrace (crc 1a018c86):\r\n    __kmalloc_node_track_caller_noprof+0x494/0xbd8\r\n    kvasprintf+0x74/0xf4\r\n    config_item_set_name+0xf0/0x104\r\n    config_group_init_type_name+0x48/0xfc\r\n    fault_config_init+0x48/0xf0\r\n    0xc0080000180559e4\r\n    configfs_mkdir+0x304/0x814\r\n    vfs_mkdir+0x49c/0x604\r\n    do_mkdirat+0x314/0x3d0\r\n    sys_mkdir+0xa0/0xd8\r\n    system_call_exception+0x1b0/0x4f0\r\n    system_call_vectored_common+0x15c/0x2ec\r\n\r\nFix this by explicitly releasing the references to the fault-config\r\nconfigfs items when dropping the reference to the top-level nullbX\r\nconfigfs group.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23032"
    },
    {
      "cve": "CVE-2026-23033",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ndmaengine: omap-dma: fix dma_pool resource leak in error paths\r\n\r\nThe dma_pool created by dma_pool_create() is not destroyed when\r\ndma_async_device_register() or of_dma_controller_register() fails,\r\ncausing a resource leak in the probe error paths.\r\n\r\nAdd dma_pool_destroy() in both error paths to properly release the\r\nallocated dma_pool resource.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23033"
    },
    {
      "cve": "CVE-2026-23037",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncan: etas_es58x: allow partial RX URB allocation to succeed\r\n\r\nWhen es58x_alloc_rx_urbs() fails to allocate the requested number of\r\nURBs but succeeds in allocating some, it returns an error code.\r\nThis causes es58x_open() to return early, skipping the cleanup label\r\n'free_urbs', which leads to the anchored URBs being leaked.\r\n\r\nAs pointed out by maintainer Vincent Mailhol, the driver is designed\r\nto handle partial URB allocation gracefully. Therefore, partial\r\nallocation should not be treated as a fatal error.\r\n\r\nModify es58x_alloc_rx_urbs() to return 0 if at least one URB has been\r\nallocated, restoring the intended behavior and preventing the leak\r\nin es58x_open().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23037"
    },
    {
      "cve": "CVE-2026-23038",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\npnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()\r\n\r\nIn nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,\r\nthe function jumps to the out_scratch label without freeing the already\r\nallocated dsaddrs list, leading to a memory leak.\r\n\r\nFix this by jumping to the out_err_drain_dsaddrs label, which properly\r\nfrees the dsaddrs list before cleaning up other resources.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23038"
    },
    {
      "cve": "CVE-2026-23111",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don't need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n  nft_mapelem_activate():\n    if (nft_set_elem_active(ext, iter->genmask))\n        return 0;   /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n  nft_map_catchall_activate():\n    if (!nft_set_elem_active(ext, genmask))\n        continue;   /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain->use reference count. Each abort cycle\npermanently decrements chain->use. Once chain->use reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23111"
    },
    {
      "cve": "CVE-2026-23112",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23112"
    },
    {
      "cve": "CVE-2026-23220",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition ('Infinite Loop')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths\r\n\r\nThe problem occurs when a signed request fails the smb2 signature verification\r\ncheck. In __process_request(), if check_sign_req() returns an error,\r\nset_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.\r\nset_smb2_rsp_status() sets work->next_smb2_rcv_hdr_off to zero. By resetting\r\nnext_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain\r\nis lost. Consequently, is_chained_smb2_message() continues to point to\r\nthe same request header instead of advancing. If the header's NextCommand\r\nfield is non-zero, the function returns true, causing __handle_ksmbd_work()\r\nto repeatedly process the same failed request in an infinite loop.\r\nThis results in the kernel log being flooded with \"bad smb2 signature\"\r\nmessages and high CPU usage.\r\n\r\nThis patch fixes the issue by changing the return value from\r\nSERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that\r\nthe processing loop terminates immediately rather than attempting to\r\ncontinue from an invalidated offset.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23220"
    },
    {
      "cve": "CVE-2026-23222",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly\n\nThe existing allocation of scatterlists in omap_crypto_copy_sg_lists()\nwas allocating an array of scatterlist pointers, not scatterlist objects,\nresulting in a 4x too small allocation.\n\nUse sizeof(*new_sg) to get the correct object size.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23222"
    },
    {
      "cve": "CVE-2026-23228",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nsmb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()\r\n\r\nOn kthread_run() failure in ksmbd_tcp_new_connection(), the transport is\r\nfreed via free_transport(), which does not decrement active_num_conn,\r\nleaking this counter.\r\n\r\nReplace free_transport() with ksmbd_tcp_disconnect().",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23228"
    },
    {
      "cve": "CVE-2026-23229",
      "cwe": {
        "id": "CWE-820",
        "name": "Missing Synchronization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\ncrypto: virtio - Add spinlock protection with virtqueue notification\r\n\r\nWhen VM boots with one virtio-crypto PCI device and builtin backend,\r\nrun openssl benchmark command with multiple processes, such as\r\n  openssl speed -evp aes-128-cbc -engine afalg  -seconds 10 -multi 32\r\n\r\nopenssl processes will hangup and there is error reported like this:\r\n virtio_crypto virtio0: dataq.0:id 3 is not a head!\r\n\r\nIt seems that the data virtqueue need protection when it is handled\r\nfor virtio done notification. If the spinlock protection is added\r\nin virtcrypto_done_task(), openssl benchmark with multiple processes\r\nworks well.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23229"
    },
    {
      "cve": "CVE-2026-23230",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: split cached_fid bitfields to avoid shared-byte RMW races\n\nis_open, has_lease and on_list are stored in the same bitfield byte in\nstruct cached_fid but are updated in different code paths that may run\nconcurrently. Bitfield assignments generate byte read\u2013modify\u2013write\noperations (e.g. `orb $mask, addr` on x86_64), so updating one flag can\nrestore stale values of the others.\n\nA possible interleaving is:\n    CPU1: load old byte (has_lease=1, on_list=1)\n    CPU2: clear both flags (store 0)\n    CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits\n\nTo avoid this class of races, convert these flags to separate bool\nfields.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23230"
    },
    {
      "cve": "CVE-2026-23231",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nf_tables_addchain()\n\nnf_tables_addchain() publishes the chain to table->chains via\nlist_add_tail_rcu() (in nft_chain_add()) before registering hooks.\nIf nf_tables_register_hook() then fails, the error path calls\nnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()\nwith no RCU grace period in between.\n\nThis creates two use-after-free conditions:\n\n 1) Control-plane: nf_tables_dump_chains() traverses table->chains\n    under rcu_read_lock(). A concurrent dump can still be walking\n    the chain when the error path frees it.\n\n 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly\n    installs the IPv4 hook before IPv6 registration fails.  Packets\n    entering nft_do_chain() via the transient IPv4 hook can still be\n    dereferencing chain->blob_gen_X when the error path frees the\n    chain.\n\nAdd synchronize_rcu() between nft_chain_del() and the chain destroy\nso that all RCU readers -- both dump threads and in-flight packet\nevaluation -- have finished before the chain is freed.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23231"
    },
    {
      "cve": "CVE-2026-23236",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace.  Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23236"
    },
    {
      "cve": "CVE-2026-23238",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\r\n\r\nromfs: check sb_set_blocksize() return value\r\n\r\nromfs_fill_super() ignores the return value of sb_set_blocksize(), which\r\ncan fail if the requested block size is incompatible with the block\r\ndevice's configuration.\r\n\r\nThis can be triggered by setting a loop device's block size larger than\r\nPAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs\r\nfilesystem on that device.\r\n\r\nWhen sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the\r\ndevice has logical_block_size=32768, bdev_validate_blocksize() fails\r\nbecause the requested size is smaller than the device's logical block\r\nsize. sb_set_blocksize() returns 0 (failure), but romfs ignores this and\r\ncontinues mounting.\r\n\r\nThe superblock's block size remains at the device's logical block size\r\n(32768). Later, when sb_bread() attempts I/O with this oversized block\r\nsize, it triggers a kernel BUG in folio_set_bh():\r\n\r\n    kernel BUG at fs/buffer.c:1582!\r\n    BUG_ON(size > PAGE_SIZE);\r\n\r\nFix by checking the return value of sb_set_blocksize() and failing the\r\nmount with -EINVAL if it returns 0.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-23238"
    },
    {
      "cve": "CVE-2026-24515",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-24515"
    },
    {
      "cve": "CVE-2026-25210",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-25210"
    },
    {
      "cve": "CVE-2026-26157",
      "cwe": {
        "id": "CWE-73",
        "name": "External Control of File Name or Path"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-26157"
    },
    {
      "cve": "CVE-2026-26158",
      "cwe": {
        "id": "CWE-73",
        "name": "External Control of File Name or Path"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-26158"
    },
    {
      "cve": "CVE-2026-35535",
      "cwe": {
        "id": "CWE-271",
        "name": "Privilege Dropping / Lowering Errors"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-35535"
    },
    {
      "cve": "CVE-2026-41918",
      "cwe": {
        "id": "CWE-525",
        "name": "Use of Web Browser Cache Containing Sensitive Information"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application stores sensitive information in the browser cache when an authenticated user modifies specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V4.0 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.industry.siemens.com/cs/ww/en/view/110002573/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2026-41918"
    }
  ]
}