CVE analysis - Week 3

vulns/CVE-2025-40018.yml

@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: UaF
+impact: LPE
+privileges_required: false
+notes: |2-
+   UaF on struct ip_vs_app during netns cleanup, reachable by unprivileged user
+  through namespaces
+author: Oracle Corporation
+version: v0.1

vulns/CVE-2025-40214.yml

@@ -0,0 +1,8 @@
+reachability: Local
+memory_corruption: true
+bug_class: UaF
+impact: LPE
+privileges_required: false
+notes: UaF on struct sk_buff objects leading to LPE
+author: Oracle Corporation
+version: v0.1

vulns/CVE-2025-40216.yml

@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: OOB Write
+impact: DoS, possibly LPE or VM-escape
+privileges_required: false
+notes: |2-
+   Out of bounds access in io_uring subsystem leading to Info Leak and
+  potentially LPE, confirmed by kCTF.
+author: Oracle Corporation
+version: v0.1

vulns/CVE-2025-40257.yml

@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: UAF
+impact: DoS or LPE
+privileges_required: false
+notes: |2-
+   Race in mptcp_pm_del_add_timer() allows use-after-free of
+  mptcp_pm_addr_entry after it is unlinked and freed by another thread.
+author: Oracle Corporation
+version: v0.1

vulns/CVE-2025-40258.yml

@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: UAF
+impact: DOS or LPE
+privileges_required: false
+notes: |2-
+   Race between schedule_work() and late sock_hold() in mptcp_schedule_work(),
+  yielding a classic use-after-free on kmem_cache_sock
+author: Oracle Corporation
+version: v0.1

vulns/CVE-2025-68209.yml

@@ -0,0 +1,10 @@
+reachability: Remote
+memory_corruption: false
+bug_class: Null Pointer Dereference
+impact: DoS
+privileges_required: false
+notes: |2-
+   This is possibly a remote DoS as any host that can send traffic could
+  possible create a DoS
+author: Oracle Corporation
+version: v0.1