From 722cc4ae8ed856f2667d84be161c13e6d9bf7bd8 Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 19 Dec 2025 15:09:29 +0000
Subject: [PATCH 1/8] Analysis for CVE-2025-40061.yml
---
vulns/CVE-2025-40061.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2025-40061.yml
diff --git a/vulns/CVE-2025-40061.yml b/vulns/CVE-2025-40061.yml
new file mode 100644
index 0000000..9b1e6f9
--- /dev/null
+++ b/vulns/CVE-2025-40061.yml
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: UaF
+impact: DoS, LPE
+privileges_required: false
+notes: |2-
+ Use after free in rxe soft-RoCE driver leading to LPE through unprivileged
+ user's use of namespaces
+author: Oracle Corporation
+version: v0.1
From c4fd0a1f028fd79d4bb801f736cebd25f5f0cf83 Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 19 Dec 2025 15:09:29 +0000
Subject: [PATCH 2/8] Analysis for CVE-2025-40074.yml
---
vulns/CVE-2025-40074.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 vulns/CVE-2025-40074.yml
diff --git a/vulns/CVE-2025-40074.yml b/vulns/CVE-2025-40074.yml
new file mode 100644
index 0000000..394adc0
--- /dev/null
+++ b/vulns/CVE-2025-40074.yml
@@ -0,0 +1,11 @@
+reachability: Local
+memory_corruption: true
+bug_class: Use-after-free
+impact: LPE
+privileges_required: false
+notes: |2-
+ IPv4 helpers fetched dst->dev without holding an RCU read-side lock,
+ leading to a use-after-free on struct net_device. An unprivileged user can
+ reach this by making use of (unshare -rn).
+author: Oracle Corporation
+version: v0.1
From 24a93f6a3ac86325c680a91e56d4c5cec42a1e49 Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 19 Dec 2025 15:09:29 +0000
Subject: [PATCH 3/8] Analysis for CVE-2025-40135.yml
---
vulns/CVE-2025-40135.yml | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 vulns/CVE-2025-40135.yml
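Review bot: `bug_class: UaF` in vulns/CVE-2025-40061.yml names the same class that CVE-2025-40074.yml and CVE-2025-40135.yml spell `Use-after-free`, so any filter or report keyed on this field splits one class into two buckets. The short form also appears in CVE-2025-40176.yml and CVE-2025-40271.yml. Pick one spelling for the series, for example `bug_class: Use-after-free`, and use it in all five files. Whether the schema defines an allowed value list is not visible in this patch; if it does, the other form should fail validation.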
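Review bot: `privileges_required: false` in vulns/CVE-2025-40074.yml holds only on systems where unprivileged user namespaces are enabled, and that precondition is recorded only as the parenthetical `(unshare -rn)` inside `notes`. On hosts that restrict unprivileged user namespace creation the same path would presumably need a privileged user, so teams applying that hardening cannot re-score the entry from the structured fields alone. A fixed closing sentence in `notes`, such as `Precondition: unprivileged user namespaces enabled.`, would make the dependency searchable. The same applies to CVE-2025-40061.yml, CVE-2025-40135.yml, CVE-2025-40186.yml, CVE-2025-40215.yml and CVE-2025-40271.yml, which all rest on namespaces.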
diff --git a/vulns/CVE-2025-40135.yml b/vulns/CVE-2025-40135.yml
new file mode 100644
index 0000000..76a2b18
--- /dev/null
+++ b/vulns/CVE-2025-40135.yml
@@ -0,0 +1,8 @@
+reachability: Local
+memory_corruption: true
+bug_class: Use-after-free
+impact: LPE
+privileges_required: false
+notes: UAF in ipv6 code, unprivileged user can reach this with unshare -rn.
+author: Oracle Corporation
+version: v0.1
From 5079e8e435d273af2bd5abab7af29c5d27a738ad Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 19 Dec 2025 15:09:29 +0000
Subject: [PATCH 4/8] Analysis for CVE-2025-40159.yml
---
vulns/CVE-2025-40159.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 vulns/CVE-2025-40159.yml
diff --git a/vulns/CVE-2025-40159.yml b/vulns/CVE-2025-40159.yml
new file mode 100644
index 0000000..da7a895
--- /dev/null
+++ b/vulns/CVE-2025-40159.yml
@@ -0,0 +1,11 @@
+reachability: Local
+memory_corruption: true
+bug_class: Buffer Overflow
+impact: DoS, Info Leak, LPE
+privileges_required: false
+notes: |2-
+ Integer overflow or wraparound in net/xdp leading to DoS, OOB reads and OOB
+ writes in Zero-Copy environments giving unprivileged users a path to
+ arbitrary code execution and LPE
+author: Oracle Corporation
+version: v0.1
From 625aec6183e9c7062df204dfbd02fc2cee74a45a Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 19 Dec 2025 15:09:29 +0000
Subject: [PATCH 5/8] Analysis for CVE-2025-40176.yml
---
vulns/CVE-2025-40176.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2025-40176.yml
diff --git a/vulns/CVE-2025-40176.yml b/vulns/CVE-2025-40176.yml
new file mode 100644
index 0000000..26a29fd
--- /dev/null
+++ b/vulns/CVE-2025-40176.yml
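Review bot: `notes` in vulns/CVE-2025-40135.yml says only "UAF in ipv6 code", which gives a triager no way to tell which object is freed or which code path is involved. CVE-2025-40074.yml in the same series names `dst->dev`, the missing RCU read-side lock and `struct net_device`; this entry should carry the same level of detail. The text also introduces a third spelling, `UAF`, beside `UaF` and `Use-after-free` used elsewhere in the series.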
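Review bot: `bug_class: Buffer Overflow` in vulns/CVE-2025-40159.yml records the consequence, while `notes` gives the root cause as "Integer overflow or wraparound", so a reader filtering by class for arithmetic bugs misses this entry. If the field is meant to hold the root cause, `bug_class: Integer Overflow` matches the notes, with the out-of-bounds read and write staying in `impact` and `notes`. The notes also tie the out-of-bounds access to "Zero-Copy environments" without saying whether an unprivileged user can set one up alone, which `privileges_required: false` depends on; one clause stating that would close the gap.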
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: UaF
+impact: DoS, LPE, Info Leak
+privileges_required: false
+notes: |2-
+ Use after free in net/tls leading to DoS, kernel information leak and
+ potentially arbitrary writes and LPE
+author: Oracle Corporation
+version: v0.1
From 2ee117d150c1e6bf2f62c9a72d98ac97cae49196 Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 19 Dec 2025 15:09:29 +0000
Subject: [PATCH 6/8] Analysis for CVE-2025-40186.yml
---
vulns/CVE-2025-40186.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2025-40186.yml
diff --git a/vulns/CVE-2025-40186.yml b/vulns/CVE-2025-40186.yml
new file mode 100644
index 0000000..510fcf4
--- /dev/null
+++ b/vulns/CVE-2025-40186.yml
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: Double Free
+impact: DoS, LPE
+privileges_required: false
+notes: |2-
+ Double free in net/ipv4 leading to DoS and LPE, trigerrable by unprivileged
+ users through namespaces (unshare -Urn)
+author: Oracle Corporation
+version: v0.1
From cb6e38bcb6135ad9d703da6fe2902c340022b09b Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 19 Dec 2025 15:09:29 +0000
Subject: [PATCH 7/8] Analysis for CVE-2025-40215.yml
---
vulns/CVE-2025-40215.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2025-40215.yml
diff --git a/vulns/CVE-2025-40215.yml b/vulns/CVE-2025-40215.yml
new file mode 100644
index 0000000..c4e7bbb
--- /dev/null
+++ b/vulns/CVE-2025-40215.yml
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: false
+bug_class: Memory Leak
+impact: DoS
+privileges_required: false
+notes: |2-
+ Kernel will automatically load necessary modules when triggered by
+ privileged user in its own namespace, plus existing kCTF entry
+author: Oracle Corporation
+version: v0.1
From 4173e82401f9ba9a9d1b582d2bd7ce5f58f4777b Mon Sep 17 00:00:00 2001
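Review bot: `impact: DoS, LPE, Info Leak` in vulns/CVE-2025-40176.yml is a single comma-joined string whose order differs from `impact: DoS, Info Leak, LPE` in CVE-2025-40159.yml, so a plain string comparison treats the same impact set as two different values. Keeping one fixed order across the series, or a YAML sequence such as `impact: [DoS, Info Leak, LPE]` if the consuming schema accepts one, avoids that; the schema is not visible in this patch. Separately, `notes` qualifies the write primitive and LPE as "potentially", while the `impact` field lists LPE with the same weight as in entries that assert it outright.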
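Review bot: `notes` in vulns/CVE-2025-40186.yml misspells "triggerable" as `trigerrable`, which defeats text search across the analysis files. The entry also writes the precondition as `unshare -Urn` where CVE-2025-40074.yml and CVE-2025-40135.yml write `unshare -rn`; in util-linux `-r` already implies a new user namespace, so both forms describe the same setup and one spelling should be used throughout the series.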
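Review bot: `privileges_required: false` in vulns/CVE-2025-40215.yml sits beside a `notes` text saying the trigger is a "privileged user in its own namespace", which reads as a contradiction unless the reader already knows that privilege inside a user namespace can be obtained without privilege on the host. The notes should say that explicitly, for example `privileged only inside a user namespace created by an unprivileged user`. The notes also never name the subsystem or object that leaks, unlike every other entry in the series, and "plus existing kCTF entry" carries no reference a reader could follow.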
From: Oracle Linux CVE analysis bot
Date: Fri, 19 Dec 2025 15:09:29 +0000
Subject: [PATCH 8/8] Analysis for CVE-2025-40271.yml
---
vulns/CVE-2025-40271.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2025-40271.yml
diff --git a/vulns/CVE-2025-40271.yml b/vulns/CVE-2025-40271.yml
new file mode 100644
index 0000000..62c5f5d
--- /dev/null
+++ b/vulns/CVE-2025-40271.yml
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: false
+bug_class: UaF
+impact: DoS, Info Leak
+privileges_required: false
+notes: |2-
+ Use after free in fs/proc leading to DoS and kernel info leak by
+ unprivileged user through namespaces
+author: Oracle Corporation
+version: v0.1
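Review bot: `memory_corruption: false` in vulns/CVE-2025-40271.yml conflicts with `bug_class: UaF` on the next line; the four other use-after-free entries in this series (CVE-2025-40061.yml, CVE-2025-40074.yml, CVE-2025-40135.yml, CVE-2025-40176.yml) all set the flag to `true`. Consumers that prioritise on this flag would rank this entry below the others for what is recorded as the same bug class. If the value is deliberate, possibly because the freed object is only read, `notes` should say so in a clause such as `freed memory is read, no write primitive identified`; otherwise the line should be `memory_corruption: true`.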