From ffcb2fe989e8f76d1822f0f129db4500f24bcbd5 Mon Sep 17 00:00:00 2001 From: Flavio Ceolin Date: Fri, 15 Nov 2024 09:26:48 -0800 Subject: [PATCH] doc: security: Disclose CVE-2024-11263 Disclose information about published CVE Signed-off-by: Flavio Ceolin --- doc/security/vulnerabilities.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/doc/security/vulnerabilities.rst b/doc/security/vulnerabilities.rst index 6bdf011f9dcb843..9192c9a1c4ad8b9 100644 --- a/doc/security/vulnerabilities.rst +++ b/doc/security/vulnerabilities.rst @@ -1794,3 +1794,22 @@ Under embargo until 2024-11-22 ----------------- Under embargo until 2025-01-23 + +:cve:`2024-11263` +---------------- + +arch: riscv: userspace: potential security risk when CONFIG_RISCV_GP=y + +A rogue thread can corrupt the gp reg and cause the entire system to hard fault at best, at worst, +it can potentially trick the system to access another set of random global symbols. + +- `Zephyr project bug tracker GHSA-jjf3-7x72-pqm9 + `_ + +This has been fixed in main for v4.0.0 + +- `PR 81155 fix for main + `_ + +- `PR 81370 fix for 3.7 + `_
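Review bot: the underline beneath the new :cve:`2024-11263` title in doc/security/vulnerabilities.rst is 16 dashes, but the title text is 17 characters, so docutils will emit "Title underline too short" and any documentation build that treats warnings as errors will fail. Extend it to 17 dashes, matching the underline of the preceding entry visible in the context lines. In the description, "gp reg" would read better as "global pointer (gp) register". The "at best, at worst" sentence is easier to follow as two clauses: a hard fault of the whole system as the mild outcome, and access to a different set of global symbols as the severe one. "This has been fixed in main for v4.0.0" is also missing its final period.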