Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2025/01/GHSA-5wjw-h8x5-v65m/GHSA-5wjw-h8x5-v65m.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5wjw-h8x5-v65m",
-  "modified": "2026-02-10T09:30:26Z",
+  "modified": "2026-02-10T15:30:20Z",
   "published": "2025-01-14T18:32:06Z",
   "withdrawn": "2025-01-16T19:05:32Z",
   "aliases": [],
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:10924"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:10925"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:10926"

advisories/unreviewed/2025/10/GHSA-39wr-crm4-gxmv/GHSA-39wr-crm4-gxmv.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-39wr-crm4-gxmv",
-  "modified": "2025-10-04T18:31:15Z",
+  "modified": "2026-02-10T15:30:21Z",
   "published": "2025-10-04T18:31:15Z",
   "aliases": [
     "CVE-2023-53585"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: reject unhashed sockets in bpf_sk_assign\n\nThe semantics for bpf_sk_assign are as follows:\n\n    sk = some_lookup_func()\n    bpf_sk_assign(skb, sk)\n    bpf_sk_release(sk)\n\nThat is, the sk is not consumed by bpf_sk_assign. The function\ntherefore needs to make sure that sk lives long enough to be\nconsumed from __inet_lookup_skb. The path through the stack for a\nTCPv4 packet is roughly:\n\n  netif_receive_skb_core: takes RCU read lock\n    __netif_receive_skb_core:\n      sch_handle_ingress:\n        tcf_classify:\n          bpf_sk_assign()\n      deliver_ptype_list_skb:\n        deliver_skb:\n          ip_packet_type->func == ip_rcv:\n            ip_rcv_core:\n            ip_rcv_finish_core:\n              dst_input:\n                ip_local_deliver:\n                  ip_local_deliver_finish:\n                    ip_protocol_deliver_rcu:\n                      tcp_v4_rcv:\n                        __inet_lookup_skb:\n                          skb_steal_sock\n\nThe existing helper takes advantage of the fact that everything\nhappens in the same RCU critical section: for sockets with\nSOCK_RCU_FREE set bpf_sk_assign never takes a reference.\nskb_steal_sock then checks SOCK_RCU_FREE again and does sock_put\nif necessary.\n\nThis approach assumes that SOCK_RCU_FREE is never set on a sk\nbetween bpf_sk_assign and skb_steal_sock, but this invariant is\nviolated by unhashed UDP sockets. A new UDP socket is created\nin TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only\nadded in udp_lib_get_port() which happens when a socket is bound.\n\nWhen bpf_sk_assign was added it wasn't possible to access unhashed\nUDP sockets from BPF, so this wasn't a problem. This changed\nin commit 0c48eefae712 (\"sock_map: Lift socket state restriction\nfor datagram sockets\"), but the helper wasn't adjusted accordingly.\nThe following sequence of events will therefore lead to a refcount\nleak:\n\n1. Add socket(AF_INET, SOCK_DGRAM) to a sockmap.\n2. Pull socket out of sockmap and bpf_sk_assign it. Since\n   SOCK_RCU_FREE is not set we increment the refcount.\n3. bind() or connect() the socket, setting SOCK_RCU_FREE.\n4. skb_steal_sock will now set refcounted = false due to\n   SOCK_RCU_FREE.\n5. tcp_v4_rcv() skips sock_put().\n\nFix the problem by rejecting unhashed sockets in bpf_sk_assign().\nThis matches the behaviour of __inet_lookup_skb which is ultimately\nthe goal of bpf_sk_assign().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -41,7 +46,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-04T16:15:54Z"

advisories/unreviewed/2025/10/GHSA-5hv8-xrrg-hm72/GHSA-5hv8-xrrg-hm72.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5hv8-xrrg-hm72",
-  "modified": "2025-10-04T18:31:15Z",
+  "modified": "2026-02-10T15:30:20Z",
   "published": "2025-10-04T18:31:15Z",
   "aliases": [
     "CVE-2023-53565"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check for probe() id argument being NULL\n\nThe probe() id argument may be NULL in 2 scenarios:\n\n1. brcmf_pcie_pm_leave_D3() calling brcmf_pcie_probe() to reprobe\n   the device.\n\n2. If a user tries to manually bind the driver from sysfs then the sdio /\n   pcie / usb probe() function gets called with NULL as id argument.\n\n1. Is being hit by users causing the following oops on resume and causing\nwifi to stop working:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n<snip>\nHardware name: Dell Inc. XPS 13 9350/0PWNCR, BIDS 1.13.0 02/10/2020\nWorkgueue: events_unbound async_run_entry_fn\nRIP: 0010:brcmf_pcie_probe+Ox16b/0x7a0 [brcmfmac]\n<snip>\nCall Trace:\n <TASK>\n brcmf_pcie_pm_leave_D3+0xc5/8x1a0 [brcmfmac be3b4cefca451e190fa35be8f00db1bbec293887]\n ? pci_pm_resume+0x5b/0xf0\n ? pci_legacy_resume+0x80/0x80\n dpm_run_callback+0x47/0x150\n device_resume+0xa2/0x1f0\n async_resume+0x1d/0x30\n<snip>\n\nFix this by checking for id being NULL.\n\nIn the PCI and USB cases try a manual lookup of the id so that manually\nbinding the driver through sysfs and more importantly brcmf_pcie_probe()\non resume will work.\n\nFor the SDIO case there is no helper to do a manual sdio_device_id lookup,\nso just directly error out on a NULL id there.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-04T16:15:51Z"

advisories/unreviewed/2025/10/GHSA-655c-8jcm-3jqh/GHSA-655c-8jcm-3jqh.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-655c-8jcm-3jqh",
-  "modified": "2025-10-04T18:31:15Z",
+  "modified": "2026-02-10T15:30:20Z",
   "published": "2025-10-04T18:31:15Z",
   "aliases": [
     "CVE-2023-53579"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mvebu: fix irq domain leak\n\nUwe Kleine-König pointed out we still have one resource leak in the mvebu\ndriver triggered on driver detach. Let's address it with a custom devm\naction.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-04T16:15:53Z"

advisories/unreviewed/2025/10/GHSA-7977-f593-wgc3/GHSA-7977-f593-wgc3.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7977-f593-wgc3",
-  "modified": "2025-10-04T18:31:15Z",
+  "modified": "2026-02-10T15:30:21Z",
   "published": "2025-10-04T18:31:15Z",
   "aliases": [
     "CVE-2023-53577"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Make sure kthread is running before map update returns\n\nThe following warning was reported when running stress-mode enabled\nxdp_redirect_cpu with some RT threads:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 4 PID: 65 at kernel/bpf/cpumap.c:135\n  CPU: 4 PID: 65 Comm: kworker/4:1 Not tainted 6.5.0-rc2+ #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  Workqueue: events cpu_map_kthread_stop\n  RIP: 0010:put_cpu_map_entry+0xda/0x220\n  ......\n  Call Trace:\n   <TASK>\n   ? show_regs+0x65/0x70\n   ? __warn+0xa5/0x240\n   ......\n   ? put_cpu_map_entry+0xda/0x220\n   cpu_map_kthread_stop+0x41/0x60\n   process_one_work+0x6b0/0xb80\n   worker_thread+0x96/0x720\n   kthread+0x1a5/0x1f0\n   ret_from_fork+0x3a/0x70\n   ret_from_fork_asm+0x1b/0x30\n   </TASK>\n\nThe root cause is the same as commit 436901649731 (\"bpf: cpumap: Fix memory\nleak in cpu_map_update_elem\"). The kthread is stopped prematurely by\nkthread_stop() in cpu_map_kthread_stop(), and kthread() doesn't call\ncpu_map_kthread_run() at all but XDP program has already queued some\nframes or skbs into ptr_ring. So when __cpu_map_ring_cleanup() checks\nthe ptr_ring, it will find it was not emptied and report a warning.\n\nAn alternative fix is to use __cpu_map_ring_cleanup() to drop these\npending frames or skbs when kthread_stop() returns -EINTR, but it may\nconfuse the user, because these frames or skbs have been handled\ncorrectly by XDP program. So instead of dropping these frames or skbs,\njust make sure the per-cpu kthread is running before\n__cpu_map_entry_alloc() returns.\n\nAfter apply the fix, the error handle for kthread_stop() will be\nunnecessary because it will always return 0, so just remove it.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -32,8 +37,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-401"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-04T16:15:53Z"

advisories/unreviewed/2025/10/GHSA-7wv9-8c5x-6hmc/GHSA-7wv9-8c5x-6hmc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7wv9-8c5x-6hmc",
-  "modified": "2025-10-04T18:31:15Z",
+  "modified": "2026-02-10T15:30:21Z",
   "published": "2025-10-04T18:31:15Z",
   "aliases": [
     "CVE-2023-53587"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Sync IRQ works before buffer destruction\n\nIf something was written to the buffer just before destruction,\nit may be possible (maybe not in a real system, but it did\nhappen in ARCH=um with time-travel) to destroy the ringbuffer\nbefore the IRQ work ran, leading this KASAN report (or a crash\nwithout KASAN):\n\n    BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a\n    Read of size 8 at addr 000000006d640a48 by task swapper/0\n\n    CPU: 0 PID: 0 Comm: swapper Tainted: G        W  O       6.3.0-rc1 #7\n    Stack:\n     60c4f20f 0c203d48 41b58ab3 60f224fc\n     600477fa 60f35687 60c4f20f 601273dd\n     00000008 6101eb00 6101eab0 615be548\n    Call Trace:\n     [<60047a58>] show_stack+0x25e/0x282\n     [<60c609e0>] dump_stack_lvl+0x96/0xfd\n     [<60c50d4c>] print_report+0x1a7/0x5a8\n     [<603078d3>] kasan_report+0xc1/0xe9\n     [<60308950>] __asan_report_load8_noabort+0x1b/0x1d\n     [<60232844>] irq_work_run_list+0x11a/0x13a\n     [<602328b4>] irq_work_tick+0x24/0x34\n     [<6017f9dc>] update_process_times+0x162/0x196\n     [<6019f335>] tick_sched_handle+0x1a4/0x1c3\n     [<6019fd9e>] tick_sched_timer+0x79/0x10c\n     [<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695\n     [<60182913>] hrtimer_interrupt+0x16c/0x2c4\n     [<600486a3>] um_timer+0x164/0x183\n     [...]\n\n    Allocated by task 411:\n     save_stack_trace+0x99/0xb5\n     stack_trace_save+0x81/0x9b\n     kasan_save_stack+0x2d/0x54\n     kasan_set_track+0x34/0x3e\n     kasan_save_alloc_info+0x25/0x28\n     ____kasan_kmalloc+0x8b/0x97\n     __kasan_kmalloc+0x10/0x12\n     __kmalloc+0xb2/0xe8\n     load_elf_phdrs+0xee/0x182\n     [...]\n\n    The buggy address belongs to the object at 000000006d640800\n     which belongs to the cache kmalloc-1k of size 1024\n    The buggy address is located 584 bytes inside of\n     freed 1024-byte region [000000006d640800, 000000006d640c00)\n\nAdd the appropriate irq_work_sync() so the work finishes before\nthe buffers are destroyed.\n\nPrior to the commit in the Fixes tag below, there was only a\nsingle global IRQ work, so this issue didn't exist.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -52,8 +57,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-04T16:15:55Z"

advisories/unreviewed/2025/10/GHSA-8mqg-3fc7-qr47/GHSA-8mqg-3fc7-qr47.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8mqg-3fc7-qr47",
-  "modified": "2025-10-04T18:31:15Z",
+  "modified": "2026-02-10T15:30:21Z",
   "published": "2025-10-04T18:31:15Z",
   "aliases": [
     "CVE-2023-53586"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix multiple LUN_RESET handling\n\nThis fixes a bug where an initiator thinks a LUN_RESET has cleaned up\nrunning commands when it hasn't. The bug was added in commit 51ec502a3266\n(\"target: Delete tmr from list before processing\").\n\nThe problem occurs when:\n\n 1. We have N I/O cmds running in the target layer spread over 2 sessions.\n\n 2. The initiator sends a LUN_RESET for each session.\n\n 3. session1's LUN_RESET loops over all the running commands from both\n    sessions and moves them to its local drain_task_list.\n\n 4. session2's LUN_RESET does not see the LUN_RESET from session1 because\n    the commit above has it remove itself. session2 also does not see any\n    commands since the other reset moved them off the state lists.\n\n 5. sessions2's LUN_RESET will then complete with a successful response.\n\n 6. sessions2's inititor believes the running commands on its session are\n    now cleaned up due to the successful response and cleans up the running\n    commands from its side. It then restarts them.\n\n 7. The commands do eventually complete on the backend and the target\n    starts to return aborted task statuses for them. The initiator will\n    either throw a invalid ITT error or might accidentally lookup a new\n    task if the ITT has been reallocated already.\n\nFix the bug by reverting the patch, and serialize the execution of\nLUN_RESETs and Preempt and Aborts.\n\nAlso prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list,\nbecause it turns out the original patch fixed a bug that was not\nmentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second\nLUN_RESET and wait on it. Then the second reset will run\ncore_tmr_drain_tmr_list and see the first reset and wait on it resulting in\na deadlock.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -40,8 +45,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-415"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-04T16:15:54Z"

advisories/unreviewed/2025/10/GHSA-958g-2hvc-2pgw/GHSA-958g-2hvc-2pgw.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-958g-2hvc-2pgw",
-  "modified": "2025-10-04T18:31:16Z",
+  "modified": "2026-02-10T15:30:20Z",
   "published": "2025-10-04T18:31:15Z",
   "aliases": [
     "CVE-2023-53582"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds\n\nFix a stack-out-of-bounds read in brcmfmac that occurs\nwhen 'buf' that is not null-terminated is passed as an argument of\nstrreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with\na CLM version string by memcpy() in brcmf_fil_iovar_data_get().\nEnsure buf is null-terminated.\n\nFound by a modified version of syzkaller.\n\n[   33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available\n[   33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22\n[   33.021554][ T1896] ==================================================================\n[   33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110\n[   33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896\n[   33.023852][ T1896]\n[   33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132\n[   33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\n[   33.026065][ T1896] Workqueue: usb_hub_wq hub_event\n[   33.026581][ T1896] Call Trace:\n[   33.026896][ T1896]  dump_stack_lvl+0x57/0x7d\n[   33.027372][ T1896]  print_address_description.constprop.0.cold+0xf/0x334\n[   33.028037][ T1896]  ? strreplace+0xf2/0x110\n[   33.028403][ T1896]  ? strreplace+0xf2/0x110\n[   33.028807][ T1896]  kasan_report.cold+0x83/0xdf\n[   33.029283][ T1896]  ? strreplace+0xf2/0x110\n[   33.029666][ T1896]  strreplace+0xf2/0x110\n[   33.029966][ T1896]  brcmf_c_preinit_dcmds+0xab1/0xc40\n[   33.030351][ T1896]  ? brcmf_c_set_joinpref_default+0x100/0x100\n[   33.030787][ T1896]  ? rcu_read_lock_sched_held+0xa1/0xd0\n[   33.031223][ T1896]  ? rcu_read_lock_bh_held+0xb0/0xb0\n[   33.031661][ T1896]  ? lock_acquire+0x19d/0x4e0\n[   33.032091][ T1896]  ? find_held_lock+0x2d/0x110\n[   33.032605][ T1896]  ? brcmf_usb_deq+0x1a7/0x260\n[   33.033087][ T1896]  ? brcmf_usb_rx_fill_all+0x5a/0xf0\n[   33.033582][ T1896]  brcmf_attach+0x246/0xd40\n[   33.034022][ T1896]  ? wiphy_new_nm+0x1476/0x1d50\n[   33.034383][ T1896]  ? kmemdup+0x30/0x40\n[   33.034722][ T1896]  brcmf_usb_probe+0x12de/0x1690\n[   33.035223][ T1896]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470\n[   33.035833][ T1896]  usb_probe_interface+0x25f/0x710\n[   33.036315][ T1896]  really_probe+0x1be/0xa90\n[   33.036656][ T1896]  __driver_probe_device+0x2ab/0x460\n[   33.037026][ T1896]  ? usb_match_id.part.0+0x88/0xc0\n[   33.037383][ T1896]  driver_probe_device+0x49/0x120\n[   33.037790][ T1896]  __device_attach_driver+0x18a/0x250\n[   33.038300][ T1896]  ? driver_allows_async_probing+0x120/0x120\n[   33.038986][ T1896]  bus_for_each_drv+0x123/0x1a0\n[   33.039906][ T1896]  ? bus_rescan_devices+0x20/0x20\n[   33.041412][ T1896]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[   33.041861][ T1896]  ? trace_hardirqs_on+0x1c/0x120\n[   33.042330][ T1896]  __device_attach+0x207/0x330\n[   33.042664][ T1896]  ? device_bind_driver+0xb0/0xb0\n[   33.043026][ T1896]  ? kobject_uevent_env+0x230/0x12c0\n[   33.043515][ T1896]  bus_probe_device+0x1a2/0x260\n[   33.043914][ T1896]  device_add+0xa61/0x1ce0\n[   33.044227][ T1896]  ? __mutex_unlock_slowpath+0xe7/0x660\n[   33.044891][ T1896]  ? __fw_devlink_link_to_suppliers+0x550/0x550\n[   33.045531][ T1896]  usb_set_configuration+0x984/0x1770\n[   33.046051][ T1896]  ? kernfs_create_link+0x175/0x230\n[   33.046548][ T1896]  usb_generic_driver_probe+0x69/0x90\n[   33.046931][ T1896]  usb_probe_device+0x9c/0x220\n[   33.047434][ T1896]  really_probe+0x1be/0xa90\n[   33.047760][ T1896]  __driver_probe_device+0x2ab/0x460\n[   33.048134][ T1896]  driver_probe_device+0x49/0x120\n[   33.048516][ T1896]  __device_attach_driver+0x18a/0x250\n[   33.048910][ T1896]  ? driver_allows_async_probing+0x120/0x120\n---truncated---",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -44,8 +49,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2025-10-04T16:15:53Z"