Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0195
Vulnerability from certfr_avis - Published: 2026-02-20 - Updated: 2026-02-20
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 15 SP5 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP5 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | SUSE Linux Enterprise High Performance Computing | SUSE Linux Enterprise High Performance Computing 15 SP4 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.4 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP7 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 12 SP5 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.2 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP5 | ||
| SUSE | openSUSE Leap | openSUSE Leap 15.6 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.3 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP4 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro for Rancher 5.2 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server for SAP Applications 15 SP4 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.5 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP4 | ||
| SUSE | SUSE Linux Enterprise Real Time | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | SUSE Linux Micro | SUSE Linux Micro 6.0 | ||
| SUSE | SUSE Linux Enterprise Server | SUSE Linux Enterprise Server 15 SP7 | ||
| SUSE | SUSE Linux Enterprise Micro | SUSE Linux Enterprise Micro 5.4 | ||
| SUSE | SUSE Linux Enterprise Live Patching | SUSE Linux Enterprise Live Patching 15-SP4 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP4",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.2",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro for Rancher 5.2",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Real Time",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Server",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.4",
"product": {
"name": "SUSE Linux Enterprise Micro",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-53407",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53407"
},
{
"name": "CVE-2023-53714",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53714"
},
{
"name": "CVE-2023-54142",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54142"
},
{
"name": "CVE-2025-38588",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38588"
},
{
"name": "CVE-2022-50488",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50488"
},
{
"name": "CVE-2023-53321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53321"
},
{
"name": "CVE-2025-40139",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40139"
},
{
"name": "CVE-2025-38563",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38563"
},
{
"name": "CVE-2025-21658",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21658"
},
{
"name": "CVE-2025-38375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38375"
},
{
"name": "CVE-2024-54031",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-54031"
},
{
"name": "CVE-2025-68813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68813"
},
{
"name": "CVE-2025-71085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71085"
},
{
"name": "CVE-2023-52923",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52923"
},
{
"name": "CVE-2024-26661",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26661"
},
{
"name": "CVE-2025-38565",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38565"
},
{
"name": "CVE-2024-26581",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26581"
},
{
"name": "CVE-2023-52433",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52433"
},
{
"name": "CVE-2025-38159",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38159"
},
{
"name": "CVE-2025-38068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38068"
},
{
"name": "CVE-2025-40186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40186"
},
{
"name": "CVE-2025-21764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21764"
},
{
"name": "CVE-2025-21766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21766"
},
{
"name": "CVE-2022-50329",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50329"
},
{
"name": "CVE-2023-53418",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53418"
},
{
"name": "CVE-2023-54243",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54243"
},
{
"name": "CVE-2023-52983",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52983"
},
{
"name": "CVE-2025-40257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40257"
},
{
"name": "CVE-2025-21760",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21760"
},
{
"name": "CVE-2024-26832",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26832"
},
{
"name": "CVE-2025-68312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68312"
},
{
"name": "CVE-2025-68284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68284"
},
{
"name": "CVE-2025-68183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68183"
},
{
"name": "CVE-2026-22999",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22999"
},
{
"name": "CVE-2023-53178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53178"
},
{
"name": "CVE-2024-50143",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50143"
},
{
"name": "CVE-2025-71089",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71089"
},
{
"name": "CVE-2022-49980",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49980"
},
{
"name": "CVE-2025-38111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38111"
},
{
"name": "CVE-2025-38129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38129"
},
{
"name": "CVE-2026-23001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23001"
},
{
"name": "CVE-2023-53215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53215"
},
{
"name": "CVE-2025-40129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40129"
},
{
"name": "CVE-2022-49943",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49943"
},
{
"name": "CVE-2023-52874",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52874"
},
{
"name": "CVE-2023-53417",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53417"
},
{
"name": "CVE-2025-40044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40044"
},
{
"name": "CVE-2022-50697",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50697"
},
{
"name": "CVE-2025-71116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71116"
},
{
"name": "CVE-2022-49604",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49604"
},
{
"name": "CVE-2023-53412",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53412"
},
{
"name": "CVE-2025-40300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40300"
},
{
"name": "CVE-2025-71112",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71112"
},
{
"name": "CVE-2025-21765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21765"
},
{
"name": "CVE-2025-39742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39742"
},
{
"name": "CVE-2025-38352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38352"
},
{
"name": "CVE-2025-68771",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68771"
},
{
"name": "CVE-2025-38684",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38684"
},
{
"name": "CVE-2025-71120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71120"
},
{
"name": "CVE-2024-44987",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-44987"
},
{
"name": "CVE-2022-50232",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50232"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
}
],
"initial_release_date": "2026-02-20T00:00:00",
"last_revision_date": "2026-02-20T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0195",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2026-02-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0544-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260544-1"
},
{
"published_at": "2026-02-14",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0524-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260524-1"
},
{
"published_at": "2026-02-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0535-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260535-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0554-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260554-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0560-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260560-1"
},
{
"published_at": "2026-02-14",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0518-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260518-1"
},
{
"published_at": "2026-01-29",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20272-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620272-1"
},
{
"published_at": "2026-02-17",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0566-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260566-1"
},
{
"published_at": "2026-01-29",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20273-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620273-1"
},
{
"published_at": "2026-02-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0546-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260546-1"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0489-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260489-1"
},
{
"published_at": "2026-02-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0543-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260543-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0561-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260561-1"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0496-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260496-1"
},
{
"published_at": "2026-02-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0539-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260539-1"
},
{
"published_at": "2026-01-29",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20275-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620275-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0565-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260565-1"
},
{
"published_at": "2026-01-29",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20274-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620274-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0551-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260551-1"
},
{
"published_at": "2026-01-29",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20276-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620276-1"
},
{
"published_at": "2026-02-14",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0521-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260521-1"
},
{
"published_at": "2026-02-14",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0526-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260526-1"
},
{
"published_at": "2026-02-14",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0525-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260525-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0555-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260555-1"
},
{
"published_at": "2026-02-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0542-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260542-1"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0491-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260491-1"
},
{
"published_at": "2026-02-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0533-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260533-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0548-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260548-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0556-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260556-1"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0490-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260490-1"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0515-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260515-1"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0487-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260487-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0550-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260550-1"
},
{
"published_at": "2026-02-16",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0557-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260557-1"
},
{
"published_at": "2026-02-13",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0495-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260495-1"
},
{
"published_at": "2026-02-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0528-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260528-1"
}
]
}
CVE-2025-38352 (GCVE-0-2025-38352)
Vulnerability from cvelistv5 – Published: 2025-07-22 08:04 – Updated: 2026-01-07 15:03
VLAI?
EPSS
Title
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
Summary
In the Linux kernel, the following vulnerability has been resolved:
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().
If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.
Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.
Severity ?
7.4 (High)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 78a4b8e3795b31dae58762bc091bb0f4f74a2200
(git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < c076635b3a42771ace7d276de8dc3bc76ee2ba1b (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 2f3daa04a9328220de46f0d5c919a6c0073a9f0b (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 764a7a5dfda23f69919441f2eac2a83e7db6e5bb (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < c29d5318708e67ac13c1b6fc1007d179fb65b4d7 (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 460188bc042a3f40f72d34b9f7fc6ee66b0b757b (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < f90fff1e152dedf52b932240ebbd670d83330eca (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-38352",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T03:55:31.566379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-09-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T15:03:54.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/farazsth98/chronomaly"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:02.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-cpu-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78a4b8e3795b31dae58762bc091bb0f4f74a2200",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "c076635b3a42771ace7d276de8dc3bc76ee2ba1b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "2f3daa04a9328220de46f0d5c919a6c0073a9f0b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "764a7a5dfda23f69919441f2eac2a83e7db6e5bb",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "c29d5318708e67ac13c1b6fc1007d179fb65b4d7",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "460188bc042a3f40f72d34b9f7fc6ee66b0b757b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "f90fff1e152dedf52b932240ebbd670d83330eca",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-cpu-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()\n\nIf an exiting non-autoreaping task has already passed exit_notify() and\ncalls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent\nor debugger right after unlock_task_sighand().\n\nIf a concurrent posix_cpu_timer_del() runs at that moment, it won\u0027t be\nable to detect timer-\u003eit.cpu.firing != 0: cpu_timer_task_rcu() and/or\nlock_task_sighand() will fail.\n\nAdd the tsk-\u003eexit_state check into run_posix_cpu_timers() to fix this.\n\nThis fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because\nexit_task_work() is called before exit_notify(). But the check still\nmakes sense, task_work_add(\u0026tsk-\u003eposix_cputimers_work.work) will fail\nanyway in this case."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:19:41.105Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78a4b8e3795b31dae58762bc091bb0f4f74a2200"
},
{
"url": "https://git.kernel.org/stable/c/c076635b3a42771ace7d276de8dc3bc76ee2ba1b"
},
{
"url": "https://git.kernel.org/stable/c/2f3daa04a9328220de46f0d5c919a6c0073a9f0b"
},
{
"url": "https://git.kernel.org/stable/c/764a7a5dfda23f69919441f2eac2a83e7db6e5bb"
},
{
"url": "https://git.kernel.org/stable/c/2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff"
},
{
"url": "https://git.kernel.org/stable/c/c29d5318708e67ac13c1b6fc1007d179fb65b4d7"
},
{
"url": "https://git.kernel.org/stable/c/460188bc042a3f40f72d34b9f7fc6ee66b0b757b"
},
{
"url": "https://git.kernel.org/stable/c/f90fff1e152dedf52b932240ebbd670d83330eca"
}
],
"title": "posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38352",
"datePublished": "2025-07-22T08:04:25.277Z",
"dateReserved": "2025-04-16T04:51:24.006Z",
"dateUpdated": "2026-01-07T15:03:54.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40257 (GCVE-0-2025-40257)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
mptcp: fix a race in mptcp_pm_del_add_timer()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix a race in mptcp_pm_del_add_timer()
mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)
while another might have free entry already, as reported by syzbot.
Add RCU protection to fix this issue.
Also change confusing add_timer variable with stop_timer boolean.
syzbot report:
BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44
CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: events mptcp_worker
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631
mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362
mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174
tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361
tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441
tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931
tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374
ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6079 [inline]
__netif_receive_skb+0x143/0x380 net/core/dev.c:6192
process_backlog+0x31e/0x900 net/core/dev.c:6544
__napi_poll+0xb6/0x540 net/core/dev.c:7594
napi_poll net/core/dev.c:7657 [inline]
net_rx_action+0x5f7/0xda0 net/core/dev.c:7784
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
__local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302
mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]
mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1
mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002
mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 44:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748
kmalloc_noprof include/linux/slab.h:957 [inline]
mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385
mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355
mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]
__mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529
mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008
mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 6630:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object m
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17
(git)
Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 385ddc0f008f24d1e7d03be998b3a98a37bd29ff (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < c602cc344b4b8d41515fec3ffa98457ac963ee12 (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7 (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < bbbd75346c8e6490b19c2ba90f38ea66ccf352b2 (git) Affected: 00cfd77b9063dcdf3628a7087faba60de85a9cc8 , < 426358d9be7ce3518966422f87b96f1bad27295f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "385ddc0f008f24d1e7d03be998b3a98a37bd29ff",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "c602cc344b4b8d41515fec3ffa98457ac963ee12",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "bbbd75346c8e6490b19c2ba90f38ea66ccf352b2",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
},
{
"lessThan": "426358d9be7ce3518966422f87b96f1bad27295f",
"status": "affected",
"version": "00cfd77b9063dcdf3628a7087faba60de85a9cc8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix a race in mptcp_pm_del_add_timer()\n\nmptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, \u0026entry-\u003eadd_timer)\nwhile another might have free entry already, as reported by syzbot.\n\nAdd RCU protection to fix this issue.\n\nAlso change confusing add_timer variable with stop_timer boolean.\n\nsyzbot report:\n\nBUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\nRead of size 4 at addr ffff8880311e4150 by task kworker/1:1/44\n\nCPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nWorkqueue: events mptcp_worker\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616\n sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631\n mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362\n mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174\n tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361\n tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441\n tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931\n tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374\n ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n __netif_receive_skb_one_core net/core/dev.c:6079 [inline]\n __netif_receive_skb+0x143/0x380 net/core/dev.c:6192\n process_backlog+0x31e/0x900 net/core/dev.c:6544\n __napi_poll+0xb6/0x540 net/core/dev.c:7594\n napi_poll net/core/dev.c:7657 [inline]\n net_rx_action+0x5f7/0xda0 net/core/dev.c:7784\n handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n __do_softirq kernel/softirq.c:656 [inline]\n __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302\n mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]\n mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1\n mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002\n mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\n process_one_work kernel/workqueue.c:3263 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 44:\n kasan_save_stack mm/kasan/common.c:56 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:400 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417\n kasan_kmalloc include/linux/kasan.h:262 [inline]\n __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748\n kmalloc_noprof include/linux/slab.h:957 [inline]\n mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385\n mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355\n mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]\n __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529\n mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008\n mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762\n process_one_work kernel/workqueue.c:3263 [inline]\n process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n\nFreed by task 6630:\n kasan_save_stack mm/kasan/common.c:56 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587\n kasan_save_free_info mm/kasan/kasan.h:406 [inline]\n poison_slab_object m\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:54.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17"
},
{
"url": "https://git.kernel.org/stable/c/e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b"
},
{
"url": "https://git.kernel.org/stable/c/385ddc0f008f24d1e7d03be998b3a98a37bd29ff"
},
{
"url": "https://git.kernel.org/stable/c/c602cc344b4b8d41515fec3ffa98457ac963ee12"
},
{
"url": "https://git.kernel.org/stable/c/6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7"
},
{
"url": "https://git.kernel.org/stable/c/bbbd75346c8e6490b19c2ba90f38ea66ccf352b2"
},
{
"url": "https://git.kernel.org/stable/c/426358d9be7ce3518966422f87b96f1bad27295f"
}
],
"title": "mptcp: fix a race in mptcp_pm_del_add_timer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40257",
"datePublished": "2025-12-04T16:08:18.433Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:38:54.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52983 (GCVE-0-2023-52983)
Vulnerability from cvelistv5 – Published: 2025-03-27 16:43 – Updated: 2025-05-04 12:50
VLAI?
EPSS
Title
block, bfq: fix uaf for bfqq in bic_set_bfqq()
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix uaf for bfqq in bic_set_bfqq()
After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"),
bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
bic->bfqq.
Fix the problem by always freeing bfqq after bic_set_bfqq().
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a , < 7f77f3dab5066a7c9da73d72d1eee895ff84a8d5
(git)
Affected: 094f3d9314d67691cb21ba091c1b528f6e3c4893 , < 511c922c5bf6c8a166bea826e702336bc2424140 (git) Affected: 761564d93c8265f65543acf0a576b32d66bfa26a , < cb1876fc33af26d00efdd473311f1b664c77c44e (git) Affected: 64dc8c732f5c2b406cc752e6aaa1bd5471159cab , < b600de2d7d3a16f9007fad1bdae82a3951a26af2 (git) Affected: b22fd72bfebda3956efc4431b60ddfc0a51e03e0 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:42.552227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c",
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f77f3dab5066a7c9da73d72d1eee895ff84a8d5",
"status": "affected",
"version": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a",
"versionType": "git"
},
{
"lessThan": "511c922c5bf6c8a166bea826e702336bc2424140",
"status": "affected",
"version": "094f3d9314d67691cb21ba091c1b528f6e3c4893",
"versionType": "git"
},
{
"lessThan": "cb1876fc33af26d00efdd473311f1b664c77c44e",
"status": "affected",
"version": "761564d93c8265f65543acf0a576b32d66bfa26a",
"versionType": "git"
},
{
"lessThan": "b600de2d7d3a16f9007fad1bdae82a3951a26af2",
"status": "affected",
"version": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab",
"versionType": "git"
},
{
"status": "affected",
"version": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c",
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.93",
"status": "affected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThan": "6.1.11",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for bfqq in bic_set_bfqq()\n\nAfter commit 64dc8c732f5c (\"block, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027\"),\nbic-\u003ebfqq will be accessed in bic_set_bfqq(), however, in some context\nbic-\u003ebfqq will be freed, and bic_set_bfqq() is called with the freed\nbic-\u003ebfqq.\n\nFix the problem by always freeing bfqq after bic_set_bfqq()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:01.199Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f77f3dab5066a7c9da73d72d1eee895ff84a8d5"
},
{
"url": "https://git.kernel.org/stable/c/511c922c5bf6c8a166bea826e702336bc2424140"
},
{
"url": "https://git.kernel.org/stable/c/cb1876fc33af26d00efdd473311f1b664c77c44e"
},
{
"url": "https://git.kernel.org/stable/c/b600de2d7d3a16f9007fad1bdae82a3951a26af2"
}
],
"title": "block, bfq: fix uaf for bfqq in bic_set_bfqq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52983",
"datePublished": "2025-03-27T16:43:21.372Z",
"dateReserved": "2025-03-27T16:40:15.740Z",
"dateUpdated": "2025-05-04T12:50:01.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53407 (GCVE-0-2023-53407)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:58 – Updated: 2026-01-14 19:13
VLAI?
EPSS
Title
USB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic
at once.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8efd88f946017b69af67931a133b6dce92c27fd0 , < 8da78a60f3323ce7aac589d49fb82f71a04bc835
(git)
Affected: 8efd88f946017b69af67931a133b6dce92c27fd0 , < b14d188d0d0b86e2180525aefd570dbb6ebd6aa9 (git) Affected: 8efd88f946017b69af67931a133b6dce92c27fd0 , < 67c931a3f2f061bf457995fd21fff114325e0c30 (git) Affected: 8efd88f946017b69af67931a133b6dce92c27fd0 , < 7a6952fa0366d4408eb8695af1a0578c39ec718a (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:03:17.459458Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:05.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/pxa27x_udc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8da78a60f3323ce7aac589d49fb82f71a04bc835",
"status": "affected",
"version": "8efd88f946017b69af67931a133b6dce92c27fd0",
"versionType": "git"
},
{
"lessThan": "b14d188d0d0b86e2180525aefd570dbb6ebd6aa9",
"status": "affected",
"version": "8efd88f946017b69af67931a133b6dce92c27fd0",
"versionType": "git"
},
{
"lessThan": "67c931a3f2f061bf457995fd21fff114325e0c30",
"status": "affected",
"version": "8efd88f946017b69af67931a133b6dce92c27fd0",
"versionType": "git"
},
{
"lessThan": "7a6952fa0366d4408eb8695af1a0578c39ec718a",
"status": "affected",
"version": "8efd88f946017b69af67931a133b6dce92c27fd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/pxa27x_udc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:19:53.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8da78a60f3323ce7aac589d49fb82f71a04bc835"
},
{
"url": "https://git.kernel.org/stable/c/b14d188d0d0b86e2180525aefd570dbb6ebd6aa9"
},
{
"url": "https://git.kernel.org/stable/c/67c931a3f2f061bf457995fd21fff114325e0c30"
},
{
"url": "https://git.kernel.org/stable/c/7a6952fa0366d4408eb8695af1a0578c39ec718a"
}
],
"title": "USB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53407",
"datePublished": "2025-09-18T13:58:45.968Z",
"dateReserved": "2025-09-17T14:54:09.739Z",
"dateUpdated": "2026-01-14T19:13:05.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21765 (GCVE-0-2025-21765)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 19:37
VLAI?
EPSS
Title
ipv6: use RCU protection in ip6_default_advmss()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU protection in ip6_default_advmss()
ip6_default_advmss() needs rcu protection to make
sure the net structure it reads does not disappear.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5578689a4e3c04f2d43ea39736fd3fa396d80c6e , < 78ad057472d8c76e0602402269222f9f9c698790
(git)
Affected: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e , < d02f30d220ef9511568a48dba8a9004c65f8d904 (git) Affected: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e , < 28de355b63ad42309ed5a03ee7c436c90512265b (git) Affected: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e , < 84212387caadb211cd9dadd6fd5563bd37dc1f5e (git) Affected: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e , < 4176a68b0db8fc74ac14fcd00ba8231371051dc2 (git) Affected: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e , < 713a40c892f40300d63691d9f85b2a23b48fe1e8 (git) Affected: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e , < 550ed693f47370502a71b85382e7f9e6417300b8 (git) Affected: 5578689a4e3c04f2d43ea39736fd3fa396d80c6e , < 3c8ffcd248da34fc41e52a46e51505900115fc2a (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:20.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78ad057472d8c76e0602402269222f9f9c698790",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "d02f30d220ef9511568a48dba8a9004c65f8d904",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "28de355b63ad42309ed5a03ee7c436c90512265b",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "84212387caadb211cd9dadd6fd5563bd37dc1f5e",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "4176a68b0db8fc74ac14fcd00ba8231371051dc2",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "713a40c892f40300d63691d9f85b2a23b48fe1e8",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "550ed693f47370502a71b85382e7f9e6417300b8",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
},
{
"lessThan": "3c8ffcd248da34fc41e52a46e51505900115fc2a",
"status": "affected",
"version": "5578689a4e3c04f2d43ea39736fd3fa396d80c6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU protection in ip6_default_advmss()\n\nip6_default_advmss() needs rcu protection to make\nsure the net structure it reads does not disappear."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:38.487Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78ad057472d8c76e0602402269222f9f9c698790"
},
{
"url": "https://git.kernel.org/stable/c/d02f30d220ef9511568a48dba8a9004c65f8d904"
},
{
"url": "https://git.kernel.org/stable/c/28de355b63ad42309ed5a03ee7c436c90512265b"
},
{
"url": "https://git.kernel.org/stable/c/84212387caadb211cd9dadd6fd5563bd37dc1f5e"
},
{
"url": "https://git.kernel.org/stable/c/4176a68b0db8fc74ac14fcd00ba8231371051dc2"
},
{
"url": "https://git.kernel.org/stable/c/713a40c892f40300d63691d9f85b2a23b48fe1e8"
},
{
"url": "https://git.kernel.org/stable/c/550ed693f47370502a71b85382e7f9e6417300b8"
},
{
"url": "https://git.kernel.org/stable/c/3c8ffcd248da34fc41e52a46e51505900115fc2a"
}
],
"title": "ipv6: use RCU protection in ip6_default_advmss()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21765",
"datePublished": "2025-02-27T02:18:16.078Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:20.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26832 (GCVE-0-2024-26832)
Vulnerability from cvelistv5 – Published: 2024-04-17 10:10 – Updated: 2025-05-04 12:54
VLAI?
EPSS
Title
mm: zswap: fix missing folio cleanup in writeback race path
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: zswap: fix missing folio cleanup in writeback race path
In zswap_writeback_entry(), after we get a folio from
__read_swap_cache_async(), we grab the tree lock again to check that the
swap entry was not invalidated and recycled. If it was, we delete the
folio we just added to the swap cache and exit.
However, __read_swap_cache_async() returns the folio locked when it is
newly allocated, which is always true for this path, and the folio is
ref'd. Make sure to unlock and put the folio before returning.
This was discovered by code inspection, probably because this path handles
a race condition that should not happen often, and the bug would not crash
the system, it will only strand the folio indefinitely.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2cab13f500a6333bd2b853783ac76be9e4956f8a , < 14f1992430ef9e647b02aa8ca12c5bcb9a1dffea
(git)
Affected: 04fc7816089c5a32c29a04ec94b998e219dfb946 , < 6156277d1b26cb3fdb6fcbf0686ab78268571644 (git) Affected: 04fc7816089c5a32c29a04ec94b998e219dfb946 , < e2891c763aa2cff74dd6b5e978411ccf0cf94abe (git) Affected: 04fc7816089c5a32c29a04ec94b998e219dfb946 , < e3b63e966cac0bf78aaa1efede1827a252815a1d (git) Affected: ba700ea13bf0105a4773c654f7d3bef8adb64ab2 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T18:06:53.982230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T18:07:04.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/zswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14f1992430ef9e647b02aa8ca12c5bcb9a1dffea",
"status": "affected",
"version": "2cab13f500a6333bd2b853783ac76be9e4956f8a",
"versionType": "git"
},
{
"lessThan": "6156277d1b26cb3fdb6fcbf0686ab78268571644",
"status": "affected",
"version": "04fc7816089c5a32c29a04ec94b998e219dfb946",
"versionType": "git"
},
{
"lessThan": "e2891c763aa2cff74dd6b5e978411ccf0cf94abe",
"status": "affected",
"version": "04fc7816089c5a32c29a04ec94b998e219dfb946",
"versionType": "git"
},
{
"lessThan": "e3b63e966cac0bf78aaa1efede1827a252815a1d",
"status": "affected",
"version": "04fc7816089c5a32c29a04ec94b998e219dfb946",
"versionType": "git"
},
{
"status": "affected",
"version": "ba700ea13bf0105a4773c654f7d3bef8adb64ab2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/zswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.80",
"versionStartIncluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.19",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled. If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref\u0027d. Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:54:53.558Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"
},
{
"url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"
},
{
"url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"
},
{
"url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"
}
],
"title": "mm: zswap: fix missing folio cleanup in writeback race path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26832",
"datePublished": "2024-04-17T10:10:01.016Z",
"dateReserved": "2024-02-19T14:20:24.181Z",
"dateUpdated": "2025-05-04T12:54:53.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53714 (GCVE-0-2023-53714)
Vulnerability from cvelistv5 – Published: 2025-10-22 13:23 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
drm/stm: ltdc: fix late dereference check
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/stm: ltdc: fix late dereference check
In ltdc_crtc_set_crc_source(), struct drm_crtc was dereferenced in a
container_of() before the pointer check. This could cause a kernel panic.
Fix this smatch warning:
drivers/gpu/drm/stm/ltdc.c:1124 ltdc_crtc_set_crc_source() warn: variable dereferenced before check 'crtc' (see line 1119)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
79b44684a14e363d24c299b772f037344ad8c8dc , < 340dba127bbed51e8425cd8e097aacfadd175462
(git)
Affected: 79b44684a14e363d24c299b772f037344ad8c8dc , < 04fe3b82528232aa85a6c45464906d0727ef4f20 (git) Affected: 79b44684a14e363d24c299b772f037344ad8c8dc , < 898a9e3f56db9860ab091d4bf41b6caa99aafc3d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/stm/ltdc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "340dba127bbed51e8425cd8e097aacfadd175462",
"status": "affected",
"version": "79b44684a14e363d24c299b772f037344ad8c8dc",
"versionType": "git"
},
{
"lessThan": "04fe3b82528232aa85a6c45464906d0727ef4f20",
"status": "affected",
"version": "79b44684a14e363d24c299b772f037344ad8c8dc",
"versionType": "git"
},
{
"lessThan": "898a9e3f56db9860ab091d4bf41b6caa99aafc3d",
"status": "affected",
"version": "79b44684a14e363d24c299b772f037344ad8c8dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/stm/ltdc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/stm: ltdc: fix late dereference check\n\nIn ltdc_crtc_set_crc_source(), struct drm_crtc was dereferenced in a\ncontainer_of() before the pointer check. This could cause a kernel panic.\n\nFix this smatch warning:\ndrivers/gpu/drm/stm/ltdc.c:1124 ltdc_crtc_set_crc_source() warn: variable dereferenced before check \u0027crtc\u0027 (see line 1119)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:30.261Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/340dba127bbed51e8425cd8e097aacfadd175462"
},
{
"url": "https://git.kernel.org/stable/c/04fe3b82528232aa85a6c45464906d0727ef4f20"
},
{
"url": "https://git.kernel.org/stable/c/898a9e3f56db9860ab091d4bf41b6caa99aafc3d"
}
],
"title": "drm/stm: ltdc: fix late dereference check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53714",
"datePublished": "2025-10-22T13:23:48.341Z",
"dateReserved": "2025-10-22T13:21:37.347Z",
"dateUpdated": "2026-01-05T10:32:30.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71085 (GCVE-0-2025-71085)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 86f365897068d09418488165a68b23cb5baa37f2
(git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 6b7522424529556c9cbc15e15e7bd4eeae310910 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 2bb759062efa188ea5d07242a43e5aa5464bbae1 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < c53aa6a5086f03f19564096ee084a202a8c738c0 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < bf3709738d8a8cc6fa275773170c5c29511a0b24 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 73744ad5696dce0e0f43872aba8de6a83d6ad570 (git) Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 58fc7342b529803d3c221101102fe913df7adb83 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86f365897068d09418488165a68b23cb5baa37f2",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "6b7522424529556c9cbc15e15e7bd4eeae310910",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "2bb759062efa188ea5d07242a43e5aa5464bbae1",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "c53aa6a5086f03f19564096ee084a202a8c738c0",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "bf3709738d8a8cc6fa275773170c5c29511a0b24",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "73744ad5696dce0e0f43872aba8de6a83d6ad570",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "58fc7342b529803d3c221101102fe913df7adb83",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead \u003c 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom \u003e INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) \u003c 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom \u003e skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom \u003e INT_MAX and delta \u003c= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n netlabelctl map del default\n netlabelctl calipso add pass doi:7\n netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n Then run the following PoC:\n\n int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n // setup msghdr\n int cmsg_size = 2;\n int cmsg_len = 0x60;\n struct msghdr msg;\n struct sockaddr_in6 dest_addr;\n struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n sizeof(struct cmsghdr) + cmsg_len);\n msg.msg_name = \u0026dest_addr;\n msg.msg_namelen = sizeof(dest_addr);\n msg.msg_iov = NULL;\n msg.msg_iovlen = 0;\n msg.msg_control = cmsg;\n msg.msg_controllen = cmsg_len;\n msg.msg_flags = 0;\n\n // setup sockaddr\n dest_addr.sin6_family = AF_INET6;\n dest_addr.sin6_port = htons(31337);\n dest_addr.sin6_flowinfo = htonl(31337);\n dest_addr.sin6_addr = in6addr_loopback;\n dest_addr.sin6_scope_id = 31337;\n\n // setup cmsghdr\n cmsg-\u003ecmsg_len = cmsg_len;\n cmsg-\u003ecmsg_level = IPPROTO_IPV6;\n cmsg-\u003ecmsg_type = IPV6_HOPOPTS;\n char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n sendmsg(fd, \u0026msg, 0);"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:36.802Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2"
},
{
"url": "https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910"
},
{
"url": "https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1"
},
{
"url": "https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0"
},
{
"url": "https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24"
},
{
"url": "https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570"
},
{
"url": "https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83"
}
],
"title": "ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71085",
"datePublished": "2026-01-13T15:34:48.324Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-09T08:34:36.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38565 (GCVE-0-2025-38565)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-11-03 17:39
VLAI?
EPSS
Title
perf/core: Exit early on perf_mmap() fail
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Exit early on perf_mmap() fail
When perf_mmap() fails to allocate a buffer, it still invokes the
event_mapped() callback of the related event. On X86 this might increase
the perf_rdpmc_allowed reference counter. But nothing undoes this as
perf_mmap_close() is never called in this case, which causes another
reference count leak.
Return early on failure to prevent that.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < 5ffda7f3ed76ec8defc19d985e33b3b82ba07839
(git)
Affected: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < 9b90a48c7de828a15c7a4fc565d46999c6e22d6b (git) Affected: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < de85e72598d89880a02170a1cbc27b35a7d978a9 (git) Affected: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < 27d44145bd576bbef9bf6165bcd78128ec3e6cbd (git) Affected: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < f41e9eba77bf97626e04296dc5677d02816d2432 (git) Affected: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < 92043120a2e992800580855498ab8507e1b22db9 (git) Affected: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < 163b0d1a209fe0df5476c1df2330ca12b55abf92 (git) Affected: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < 7ff8521f30c4c2fcd4e88bd7640486602bf8a650 (git) Affected: 1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb , < 07091aade394f690e7b655578140ef84d0e8d7b0 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:55.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ffda7f3ed76ec8defc19d985e33b3b82ba07839",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "9b90a48c7de828a15c7a4fc565d46999c6e22d6b",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "de85e72598d89880a02170a1cbc27b35a7d978a9",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "27d44145bd576bbef9bf6165bcd78128ec3e6cbd",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "f41e9eba77bf97626e04296dc5677d02816d2432",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "92043120a2e992800580855498ab8507e1b22db9",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "163b0d1a209fe0df5476c1df2330ca12b55abf92",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "7ff8521f30c4c2fcd4e88bd7640486602bf8a650",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
},
{
"lessThan": "07091aade394f690e7b655578140ef84d0e8d7b0",
"status": "affected",
"version": "1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Exit early on perf_mmap() fail\n\nWhen perf_mmap() fails to allocate a buffer, it still invokes the\nevent_mapped() callback of the related event. On X86 this might increase\nthe perf_rdpmc_allowed reference counter. But nothing undoes this as\nperf_mmap_close() is never called in this case, which causes another\nreference count leak.\n\nReturn early on failure to prevent that."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:53.796Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ffda7f3ed76ec8defc19d985e33b3b82ba07839"
},
{
"url": "https://git.kernel.org/stable/c/9b90a48c7de828a15c7a4fc565d46999c6e22d6b"
},
{
"url": "https://git.kernel.org/stable/c/de85e72598d89880a02170a1cbc27b35a7d978a9"
},
{
"url": "https://git.kernel.org/stable/c/27d44145bd576bbef9bf6165bcd78128ec3e6cbd"
},
{
"url": "https://git.kernel.org/stable/c/f41e9eba77bf97626e04296dc5677d02816d2432"
},
{
"url": "https://git.kernel.org/stable/c/92043120a2e992800580855498ab8507e1b22db9"
},
{
"url": "https://git.kernel.org/stable/c/163b0d1a209fe0df5476c1df2330ca12b55abf92"
},
{
"url": "https://git.kernel.org/stable/c/7ff8521f30c4c2fcd4e88bd7640486602bf8a650"
},
{
"url": "https://git.kernel.org/stable/c/07091aade394f690e7b655578140ef84d0e8d7b0"
}
],
"title": "perf/core: Exit early on perf_mmap() fail",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38565",
"datePublished": "2025-08-19T17:02:41.700Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-11-03T17:39:55.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68284 (GCVE-0-2025-68284)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds writes in handle_auth_session_key()
The len field originates from untrusted network packets. Boundary
checks have been added to prevent potential out-of-bounds writes when
decrypting the connection secret or processing service tickets.
[ idryomov: changelog ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < f22c55a20a2d9ffbbac57408d5d488cef8201e9d
(git)
Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09 (git) Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < ccbccfba25e9aa395daaea156b5e7790910054c4 (git) Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 5ef575834ca99f719d7573cdece9df2fe2b72424 (git) Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 6920ff09bf911bc919cd7a6b7176fbdd1a6e6850 (git) Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 7fce830ecd0a0256590ee37eb65a39cbad3d64fc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/auth_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f22c55a20a2d9ffbbac57408d5d488cef8201e9d",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "ccbccfba25e9aa395daaea156b5e7790910054c4",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "5ef575834ca99f719d7573cdece9df2fe2b72424",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "6920ff09bf911bc919cd7a6b7176fbdd1a6e6850",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
},
{
"lessThan": "7fce830ecd0a0256590ee37eb65a39cbad3d64fc",
"status": "affected",
"version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/auth_x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds writes in handle_auth_session_key()\n\nThe len field originates from untrusted network packets. Boundary\nchecks have been added to prevent potential out-of-bounds writes when\ndecrypting the connection secret or processing service tickets.\n\n[ idryomov: changelog ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:48.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f22c55a20a2d9ffbbac57408d5d488cef8201e9d"
},
{
"url": "https://git.kernel.org/stable/c/8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09"
},
{
"url": "https://git.kernel.org/stable/c/ccbccfba25e9aa395daaea156b5e7790910054c4"
},
{
"url": "https://git.kernel.org/stable/c/5ef575834ca99f719d7573cdece9df2fe2b72424"
},
{
"url": "https://git.kernel.org/stable/c/6920ff09bf911bc919cd7a6b7176fbdd1a6e6850"
},
{
"url": "https://git.kernel.org/stable/c/7fce830ecd0a0256590ee37eb65a39cbad3d64fc"
}
],
"title": "libceph: prevent potential out-of-bounds writes in handle_auth_session_key()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68284",
"datePublished": "2025-12-16T15:06:06.235Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-01-02T15:34:48.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71089 (GCVE-0-2025-71089)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-12 08:19
VLAI?
EPSS
Title
iommu: disable SVA when CONFIG_X86 is set
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu: disable SVA when CONFIG_X86 is set
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < b34289505180a83607fcfdce14b5a290d0528476
(git)
Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 7cad37e358970af1bb49030ff01f06a69fa7d985 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 240cd7f2812cc25496b12063d11c823618f364e9 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c341dee80b5df49a936182341b36395c831c2661 (git) Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 72f98ef9a4be30d2a60136dd6faee376f780d06c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b34289505180a83607fcfdce14b5a290d0528476",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "7cad37e358970af1bb49030ff01f06a69fa7d985",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "240cd7f2812cc25496b12063d11c823618f364e9",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c2c3f1a3fd74ef16cf115f0c558616a13a8471b4",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c341dee80b5df49a936182341b36395c831c2661",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "72f98ef9a4be30d2a60136dd6faee376f780d06c",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel\npage table entries. When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries. This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU\u0027s page tables. The x86 architecture maps the\nkernel\u0027s virtual address space into the upper portion of every process\u0027s\npage table. Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings. This can cause the IOMMU\u0027s internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated. The IOMMU could\nmisinterpret the new data as valid page table entries. The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation. This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings. However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out. This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T08:19:30.721Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b34289505180a83607fcfdce14b5a290d0528476"
},
{
"url": "https://git.kernel.org/stable/c/7cad37e358970af1bb49030ff01f06a69fa7d985"
},
{
"url": "https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9"
},
{
"url": "https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4"
},
{
"url": "https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661"
},
{
"url": "https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c"
}
],
"title": "iommu: disable SVA when CONFIG_X86 is set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71089",
"datePublished": "2026-01-13T15:34:51.079Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-02-12T08:19:30.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38068 (GCVE-0-2025-38068)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:29
VLAI?
EPSS
Title
crypto: lzo - Fix compression buffer overrun
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: lzo - Fix compression buffer overrun
Unlike the decompression code, the compression code in LZO never
checked for output overruns. It instead assumes that the caller
always provides enough buffer space, disregarding the buffer length
provided by the caller.
Add a safe compression interface that checks for the end of buffer
before each write. Use the safe interface in crypto/lzo.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
64c70b1cf43de158282bc1675918d503e5b15cc1 , < 4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111
(git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < a98bd864e16f91c70b2469adf013d713d04d1d13 (git) Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a (git) Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 7caad075acb634a74911830d6386c50ea12566cd (git) Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 167373d77c70c2b558aae3e327b115249bb2652c (git) Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < cc47f07234f72cbd8e2c973cdbf2a6730660a463 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:37.495Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/lzo-rle.c",
"crypto/lzo.c",
"include/linux/lzo.h",
"lib/lzo/Makefile",
"lib/lzo/lzo1x_compress.c",
"lib/lzo/lzo1x_compress_safe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "a98bd864e16f91c70b2469adf013d713d04d1d13",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "7caad075acb634a74911830d6386c50ea12566cd",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "167373d77c70c2b558aae3e327b115249bb2652c",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "cc47f07234f72cbd8e2c973cdbf2a6730660a463",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/lzo-rle.c",
"crypto/lzo.c",
"include/linux/lzo.h",
"lib/lzo/Makefile",
"lib/lzo/lzo1x_compress.c",
"lib/lzo/lzo1x_compress_safe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.23"
},
{
"lessThan": "2.6.23",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lzo - Fix compression buffer overrun\n\nUnlike the decompression code, the compression code in LZO never\nchecked for output overruns. It instead assumes that the caller\nalways provides enough buffer space, disregarding the buffer length\nprovided by the caller.\n\nAdd a safe compression interface that checks for the end of buffer\nbefore each write. Use the safe interface in crypto/lzo."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:29:57.023Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111"
},
{
"url": "https://git.kernel.org/stable/c/a98bd864e16f91c70b2469adf013d713d04d1d13"
},
{
"url": "https://git.kernel.org/stable/c/0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a"
},
{
"url": "https://git.kernel.org/stable/c/7caad075acb634a74911830d6386c50ea12566cd"
},
{
"url": "https://git.kernel.org/stable/c/167373d77c70c2b558aae3e327b115249bb2652c"
},
{
"url": "https://git.kernel.org/stable/c/cc47f07234f72cbd8e2c973cdbf2a6730660a463"
}
],
"title": "crypto: lzo - Fix compression buffer overrun",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38068",
"datePublished": "2025-06-18T09:33:46.125Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2026-01-02T15:29:57.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52433 (GCVE-0-2023-52433)
Vulnerability from cvelistv5 – Published: 2024-02-20 12:52 – Updated: 2025-10-01 19:12
VLAI?
EPSS
Title
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
New elements in this transaction might expired before such transaction
ends. Skip sync GC for such elements otherwise commit path might walk
over an already released object. Once transaction is finished, async GC
will collect such expired element.
Severity ?
4.4 (Medium)
CWE
- CWE-273 - Improper Check for Dropped Privileges
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cb4d00b563675ba8ff6ef94b077f58d816f68ba3 , < 9db9feb841f7449772f9393c16b9ef4536d8c127
(git)
Affected: c357648929c8dff891502349769aafb8f0452bc2 , < 03caf75da1059f0460666c826e9f50e13dfd0017 (git) Affected: 146c76866795553dbc19998f36718d7986ad302b , < c323ed65f66e5387ee0a73452118d49f1dae81b8 (git) Affected: 479a2cf5259347d6a1f658b0f791d27a34908e91 , < 9af7dfb3c9d7985172a240f85e684c5cd33e29ce (git) Affected: df650d6a4bf47248261b61ef6b174d7c54034d15 , < 9a8c544158f68f656d1734eb5ba00c4f817b76b1 (git) Affected: f6c383b8c31a93752a52697f8430a71dcbc46adf , < e3213ff99a355cda811b41e8dbb3472d13167a3a (git) Affected: f6c383b8c31a93752a52697f8430a71dcbc46adf , < 2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4 (git) Affected: e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:12:40.632777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-273",
"description": "CWE-273 Improper Check for Dropped Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:12:53.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-28T15:02:46.362Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9db9feb841f7449772f9393c16b9ef4536d8c127"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/03caf75da1059f0460666c826e9f50e13dfd0017"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c323ed65f66e5387ee0a73452118d49f1dae81b8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9af7dfb3c9d7985172a240f85e684c5cd33e29ce"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9a8c544158f68f656d1734eb5ba00c4f817b76b1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e3213ff99a355cda811b41e8dbb3472d13167a3a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240828-0003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9db9feb841f7449772f9393c16b9ef4536d8c127",
"status": "affected",
"version": "cb4d00b563675ba8ff6ef94b077f58d816f68ba3",
"versionType": "git"
},
{
"lessThan": "03caf75da1059f0460666c826e9f50e13dfd0017",
"status": "affected",
"version": "c357648929c8dff891502349769aafb8f0452bc2",
"versionType": "git"
},
{
"lessThan": "c323ed65f66e5387ee0a73452118d49f1dae81b8",
"status": "affected",
"version": "146c76866795553dbc19998f36718d7986ad302b",
"versionType": "git"
},
{
"lessThan": "9af7dfb3c9d7985172a240f85e684c5cd33e29ce",
"status": "affected",
"version": "479a2cf5259347d6a1f658b0f791d27a34908e91",
"versionType": "git"
},
{
"lessThan": "9a8c544158f68f656d1734eb5ba00c4f817b76b1",
"status": "affected",
"version": "df650d6a4bf47248261b61ef6b174d7c54034d15",
"versionType": "git"
},
{
"lessThan": "e3213ff99a355cda811b41e8dbb3472d13167a3a",
"status": "affected",
"version": "f6c383b8c31a93752a52697f8430a71dcbc46adf",
"versionType": "git"
},
{
"lessThan": "2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4",
"status": "affected",
"version": "f6c383b8c31a93752a52697f8430a71dcbc46adf",
"versionType": "git"
},
{
"status": "affected",
"version": "e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip sync GC for new elements in this transaction\n\nNew elements in this transaction might expired before such transaction\nends. Skip sync GC for such elements otherwise commit path might walk\nover an already released object. Once transaction is finished, async GC\nwill collect such expired element."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:48:59.453Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9db9feb841f7449772f9393c16b9ef4536d8c127"
},
{
"url": "https://git.kernel.org/stable/c/03caf75da1059f0460666c826e9f50e13dfd0017"
},
{
"url": "https://git.kernel.org/stable/c/c323ed65f66e5387ee0a73452118d49f1dae81b8"
},
{
"url": "https://git.kernel.org/stable/c/9af7dfb3c9d7985172a240f85e684c5cd33e29ce"
},
{
"url": "https://git.kernel.org/stable/c/9a8c544158f68f656d1734eb5ba00c4f817b76b1"
},
{
"url": "https://git.kernel.org/stable/c/e3213ff99a355cda811b41e8dbb3472d13167a3a"
},
{
"url": "https://git.kernel.org/stable/c/2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4"
}
],
"title": "netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52433",
"datePublished": "2024-02-20T12:52:56.753Z",
"dateReserved": "2024-02-20T12:30:33.290Z",
"dateUpdated": "2025-10-01T19:12:53.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38588 (GCVE-0-2025-38588)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40
VLAI?
EPSS
Title
ipv6: prevent infinite loop in rt6_nlmsg_size()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent infinite loop in rt6_nlmsg_size()
While testing prior patch, I was able to trigger
an infinite loop in rt6_nlmsg_size() in the following place:
list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
fib6_siblings) {
rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
}
This is because fib6_del_route() and fib6_add_rt2node()
uses list_del_rcu(), which can confuse rcu readers,
because they might no longer see the head of the list.
Restart the loop if f6i->fib6_nsiblings is zero.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 , < 6d345136c9b875f065d226908a29c25cdf9343f8
(git)
Affected: 52da02521ede55fb86546c3fffd9377b3261b91f , < e1b7932af47f92432be8303d2439d1bf77b0be23 (git) Affected: 34a949e7a0869dfa31a40416d2a56973fae1807b , < cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38 (git) Affected: d9ccb18f83ea2bb654289b6ecf014fd267cc988b , < 3c13db3e47e170bab19e574404e7b6be45ea873d (git) Affected: d9ccb18f83ea2bb654289b6ecf014fd267cc988b , < 46aeb66e9e54ed0d56c18615e1c3dbd502b327ab (git) Affected: d9ccb18f83ea2bb654289b6ecf014fd267cc988b , < 54e6fe9dd3b0e7c481c2228782c9494d653546da (git) Affected: 11edcd026012ac18acee0f1514db3ed1b160fc6f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:13.723Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c",
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d345136c9b875f065d226908a29c25cdf9343f8",
"status": "affected",
"version": "d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2",
"versionType": "git"
},
{
"lessThan": "e1b7932af47f92432be8303d2439d1bf77b0be23",
"status": "affected",
"version": "52da02521ede55fb86546c3fffd9377b3261b91f",
"versionType": "git"
},
{
"lessThan": "cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38",
"status": "affected",
"version": "34a949e7a0869dfa31a40416d2a56973fae1807b",
"versionType": "git"
},
{
"lessThan": "3c13db3e47e170bab19e574404e7b6be45ea873d",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "46aeb66e9e54ed0d56c18615e1c3dbd502b327ab",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "54e6fe9dd3b0e7c481c2228782c9494d653546da",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"status": "affected",
"version": "11edcd026012ac18acee0f1514db3ed1b160fc6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c",
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "6.1.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.6.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent infinite loop in rt6_nlmsg_size()\n\nWhile testing prior patch, I was able to trigger\nan infinite loop in rt6_nlmsg_size() in the following place:\n\nlist_for_each_entry_rcu(sibling, \u0026f6i-\u003efib6_siblings,\n\t\t\tfib6_siblings) {\n\trt6_nh_nlmsg_size(sibling-\u003efib6_nh, \u0026nexthop_len);\n}\n\nThis is because fib6_del_route() and fib6_add_rt2node()\nuses list_del_rcu(), which can confuse rcu readers,\nbecause they might no longer see the head of the list.\n\nRestart the loop if f6i-\u003efib6_nsiblings is zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:20.550Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d345136c9b875f065d226908a29c25cdf9343f8"
},
{
"url": "https://git.kernel.org/stable/c/e1b7932af47f92432be8303d2439d1bf77b0be23"
},
{
"url": "https://git.kernel.org/stable/c/cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38"
},
{
"url": "https://git.kernel.org/stable/c/3c13db3e47e170bab19e574404e7b6be45ea873d"
},
{
"url": "https://git.kernel.org/stable/c/46aeb66e9e54ed0d56c18615e1c3dbd502b327ab"
},
{
"url": "https://git.kernel.org/stable/c/54e6fe9dd3b0e7c481c2228782c9494d653546da"
}
],
"title": "ipv6: prevent infinite loop in rt6_nlmsg_size()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38588",
"datePublished": "2025-08-19T17:03:09.856Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-11-03T17:40:13.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71116 (GCVE-0-2025-71116)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
libceph: make decode_pool() more resilient against corrupted osdmaps
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: make decode_pool() more resilient against corrupted osdmaps
If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.
This patch adds explicit bounds checks for each field that is decoded
or skipped.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < d061be4c8040ffb1110d537654a038b8b6ad39d2
(git)
Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 145d140abda80e33331c5781d6603014fa75d258 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < c82e39ff67353a5a6cbc07b786b8690bd2c45aaa (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < e927ab132b87ba3f076705fc2684d94b24201ed1 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 5d0d8c292531fe356c4e94dcfdf7d7212aca9957 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 2acb8517429ab42146c6c0ac1daed1f03d2fd125 (git) Affected: 4f6a7e5ee1393ec4b243b39dac9f36992d161540 , < 8c738512714e8c0aa18f8a10c072d5b01c83db39 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d061be4c8040ffb1110d537654a038b8b6ad39d2",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "145d140abda80e33331c5781d6603014fa75d258",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "c82e39ff67353a5a6cbc07b786b8690bd2c45aaa",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "e927ab132b87ba3f076705fc2684d94b24201ed1",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "5d0d8c292531fe356c4e94dcfdf7d7212aca9957",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "2acb8517429ab42146c6c0ac1daed1f03d2fd125",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
},
{
"lessThan": "8c738512714e8c0aa18f8a10c072d5b01c83db39",
"status": "affected",
"version": "4f6a7e5ee1393ec4b243b39dac9f36992d161540",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/osdmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make decode_pool() more resilient against corrupted osdmaps\n\nIf the osdmap is (maliciously) corrupted such that the encoded length\nof ceph_pg_pool envelope is less than what is expected for a particular\nencoding version, out-of-bounds reads may ensue because the only bounds\ncheck that is there is based on that length value.\n\nThis patch adds explicit bounds checks for each field that is decoded\nor skipped."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:10.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2"
},
{
"url": "https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258"
},
{
"url": "https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa"
},
{
"url": "https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1"
},
{
"url": "https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957"
},
{
"url": "https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125"
},
{
"url": "https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39"
}
],
"title": "libceph: make decode_pool() more resilient against corrupted osdmaps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71116",
"datePublished": "2026-01-14T15:06:04.476Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:10.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52874 (GCVE-0-2023-52874)
Vulnerability from cvelistv5 – Published: 2024-05-21 15:32 – Updated: 2025-05-04 07:44
VLAI?
EPSS
Title
x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro
In the TDX_HYPERCALL asm, after the TDCALL instruction returns from the
untrusted VMM, the registers that the TDX guest shares to the VMM need
to be cleared to avoid speculative execution of VMM-provided values.
RSI is specified in the bitmap of those registers, but it is missing
when zeroing out those registers in the current TDX_HYPERCALL.
It was there when it was originally added in commit 752d13305c78
("x86/tdx: Expand __tdx_hypercall() to handle more arguments"), but was
later removed in commit 1e70c680375a ("x86/tdx: Do not corrupt
frame-pointer in __tdx_hypercall()"), which was correct because %rsi is
later restored in the "pop %rsi". However a later commit 7a3a401874be
("x86/tdx: Drop flags from __tdx_hypercall()") removed that "pop %rsi"
but forgot to add the "xor %rsi, %rsi" back.
Fix by adding it back.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7a3a401874bea02f568aa416ac29170d8cde0dc2 , < 2191950d35d8f81620ea8d4e04d983f664fe3a8a
(git)
Affected: 7a3a401874bea02f568aa416ac29170d8cde0dc2 , < de4c5bacca4f50233f1f791bec9eeb4dee1b14cd (git) Affected: 7a3a401874bea02f568aa416ac29170d8cde0dc2 , < 5d092b66119d774853cc9308522620299048a662 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:36.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2191950d35d8f81620ea8d4e04d983f664fe3a8a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/de4c5bacca4f50233f1f791bec9eeb4dee1b14cd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5d092b66119d774853cc9308522620299048a662"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52874",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:36:24.980070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:54.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/coco/tdx/tdcall.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2191950d35d8f81620ea8d4e04d983f664fe3a8a",
"status": "affected",
"version": "7a3a401874bea02f568aa416ac29170d8cde0dc2",
"versionType": "git"
},
{
"lessThan": "de4c5bacca4f50233f1f791bec9eeb4dee1b14cd",
"status": "affected",
"version": "7a3a401874bea02f568aa416ac29170d8cde0dc2",
"versionType": "git"
},
{
"lessThan": "5d092b66119d774853cc9308522620299048a662",
"status": "affected",
"version": "7a3a401874bea02f568aa416ac29170d8cde0dc2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/coco/tdx/tdcall.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro\n\nIn the TDX_HYPERCALL asm, after the TDCALL instruction returns from the\nuntrusted VMM, the registers that the TDX guest shares to the VMM need\nto be cleared to avoid speculative execution of VMM-provided values.\n\nRSI is specified in the bitmap of those registers, but it is missing\nwhen zeroing out those registers in the current TDX_HYPERCALL.\n\nIt was there when it was originally added in commit 752d13305c78\n(\"x86/tdx: Expand __tdx_hypercall() to handle more arguments\"), but was\nlater removed in commit 1e70c680375a (\"x86/tdx: Do not corrupt\nframe-pointer in __tdx_hypercall()\"), which was correct because %rsi is\nlater restored in the \"pop %rsi\". However a later commit 7a3a401874be\n(\"x86/tdx: Drop flags from __tdx_hypercall()\") removed that \"pop %rsi\"\nbut forgot to add the \"xor %rsi, %rsi\" back.\n\nFix by adding it back."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:44:50.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2191950d35d8f81620ea8d4e04d983f664fe3a8a"
},
{
"url": "https://git.kernel.org/stable/c/de4c5bacca4f50233f1f791bec9eeb4dee1b14cd"
},
{
"url": "https://git.kernel.org/stable/c/5d092b66119d774853cc9308522620299048a662"
}
],
"title": "x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52874",
"datePublished": "2024-05-21T15:32:07.937Z",
"dateReserved": "2024-05-21T15:19:24.264Z",
"dateUpdated": "2025-05-04T07:44:50.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-23001 (GCVE-0-2026-23001)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
macvlan: fix possible UAF in macvlan_forward_source()
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix possible UAF in macvlan_forward_source()
Add RCU protection on (struct macvlan_source_entry)->vlan.
Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.
This allows macvlan_forward_source() to skip over
entries queued for freeing.
Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).
https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 8133e85b8a3ec9f10d861e0002ec6037256e987e
(git)
Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 484919832e2db6ce1e8add92c469e5d459a516b5 (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 232afc74a6dde0fe1830988e5827921f5ec9bb3f (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 15f6faf36e162532bec5cc05eb3fc622108bf2ed (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 8518712a2ca952d6da2238c6f0a16b4ae5ea3f13 (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 6dbead9c7677186f22b7981dd085a0feec1f038e (git) Affected: 79cf79abce71eb7dbc40e2f3121048ca5405cb47 , < 7470a7a63dc162f07c26dbf960e41ee1e248d80e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8133e85b8a3ec9f10d861e0002ec6037256e987e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "484919832e2db6ce1e8add92c469e5d459a516b5",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "232afc74a6dde0fe1830988e5827921f5ec9bb3f",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "15f6faf36e162532bec5cc05eb3fc622108bf2ed",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "8518712a2ca952d6da2238c6f0a16b4ae5ea3f13",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "6dbead9c7677186f22b7981dd085a0feec1f038e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
},
{
"lessThan": "7470a7a63dc162f07c26dbf960e41ee1e248d80e",
"status": "affected",
"version": "79cf79abce71eb7dbc40e2f3121048ca5405cb47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix possible UAF in macvlan_forward_source()\n\nAdd RCU protection on (struct macvlan_source_entry)-\u003evlan.\n\nWhenever macvlan_hash_del_source() is called, we must clear\nentry-\u003evlan pointer before RCU grace period starts.\n\nThis allows macvlan_forward_source() to skip over\nentries queued for freeing.\n\nNote that macvlan_dev are already RCU protected, as they\nare embedded in a standard netdev (netdev_priv(ndev)).\n\nhttps: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:53.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8133e85b8a3ec9f10d861e0002ec6037256e987e"
},
{
"url": "https://git.kernel.org/stable/c/484919832e2db6ce1e8add92c469e5d459a516b5"
},
{
"url": "https://git.kernel.org/stable/c/232afc74a6dde0fe1830988e5827921f5ec9bb3f"
},
{
"url": "https://git.kernel.org/stable/c/15f6faf36e162532bec5cc05eb3fc622108bf2ed"
},
{
"url": "https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13"
},
{
"url": "https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e"
},
{
"url": "https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e"
}
],
"title": "macvlan: fix possible UAF in macvlan_forward_source()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23001",
"datePublished": "2026-01-25T14:36:15.790Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:53.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-44987 (GCVE-0-2024-44987)
Vulnerability from cvelistv5 – Published: 2024-09-04 19:54 – Updated: 2025-11-03 22:14
VLAI?
EPSS
Title
ipv6: prevent UAF in ip6_send_skb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent UAF in ip6_send_skb()
syzbot reported an UAF in ip6_send_skb() [1]
After ip6_local_out() has returned, we no longer can safely
dereference rt, unless we hold rcu_read_lock().
A similar issue has been fixed in commit
a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")
Another potential issue in ip6_finish_output2() is handled in a
separate patch.
[1]
BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530
CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x1a6/0x270 net/socket.c:745
sock_write_iter+0x2dd/0x400 net/socket.c:1160
do_iter_readv_writev+0x60a/0x890
vfs_writev+0x37c/0xbb0 fs/read_write.c:971
do_writev+0x1b1/0x350 fs/read_write.c:1018
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f936bf79e79
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79
RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8
</TASK>
Allocated by task 6530:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:312 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
dst_alloc+0x12b/0x190 net/core/dst.c:89
ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670
make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]
xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313
ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257
rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x1a6/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
___sys_sendmsg net/socket.c:2651 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 45:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kmem_cache_free+0x145/0x350 mm/slub.c:4548
dst_destroy+0x2ac/0x460 net/core/dst.c:124
rcu_do_batch kernel/rcu/tree.c:2569 [inline]
rcu_core+0xafd/0x1830 kernel/rcu/tree.
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0625491493d9000e4556bf566d205c28c8e7dc4e , < 571567e0277008459750f0728f246086b2659429
(git)
Affected: 0625491493d9000e4556bf566d205c28c8e7dc4e , < ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8 (git) Affected: 0625491493d9000e4556bf566d205c28c8e7dc4e , < cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e (git) Affected: 0625491493d9000e4556bf566d205c28c8e7dc4e , < 24e93695b1239fbe4c31e224372be77f82dab69a (git) Affected: 0625491493d9000e4556bf566d205c28c8e7dc4e , < 9a3e55afa95ed4ac9eda112d4f918af645d72f25 (git) Affected: 0625491493d9000e4556bf566d205c28c8e7dc4e , < af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011 (git) Affected: 0625491493d9000e4556bf566d205c28c8e7dc4e , < e44bd76dd072756e674f45c5be00153f4ded68b2 (git) Affected: 0625491493d9000e4556bf566d205c28c8e7dc4e , < faa389b2fbaaec7fd27a390b4896139f9da662e3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-44987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T20:20:00.407827Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T20:21:05.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:14:37.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "571567e0277008459750f0728f246086b2659429",
"status": "affected",
"version": "0625491493d9000e4556bf566d205c28c8e7dc4e",
"versionType": "git"
},
{
"lessThan": "ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8",
"status": "affected",
"version": "0625491493d9000e4556bf566d205c28c8e7dc4e",
"versionType": "git"
},
{
"lessThan": "cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e",
"status": "affected",
"version": "0625491493d9000e4556bf566d205c28c8e7dc4e",
"versionType": "git"
},
{
"lessThan": "24e93695b1239fbe4c31e224372be77f82dab69a",
"status": "affected",
"version": "0625491493d9000e4556bf566d205c28c8e7dc4e",
"versionType": "git"
},
{
"lessThan": "9a3e55afa95ed4ac9eda112d4f918af645d72f25",
"status": "affected",
"version": "0625491493d9000e4556bf566d205c28c8e7dc4e",
"versionType": "git"
},
{
"lessThan": "af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011",
"status": "affected",
"version": "0625491493d9000e4556bf566d205c28c8e7dc4e",
"versionType": "git"
},
{
"lessThan": "e44bd76dd072756e674f45c5be00153f4ded68b2",
"status": "affected",
"version": "0625491493d9000e4556bf566d205c28c8e7dc4e",
"versionType": "git"
},
{
"lessThan": "faa389b2fbaaec7fd27a390b4896139f9da662e3",
"status": "affected",
"version": "0625491493d9000e4556bf566d205c28c8e7dc4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.321",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.225",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.321",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.283",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.225",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.166",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.107",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.48",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.7",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent UAF in ip6_send_skb()\n\nsyzbot reported an UAF in ip6_send_skb() [1]\n\nAfter ip6_local_out() has returned, we no longer can safely\ndereference rt, unless we hold rcu_read_lock().\n\nA similar issue has been fixed in commit\na688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\")\n\nAnother potential issue in ip6_finish_output2() is handled in a\nseparate patch.\n\n[1]\n BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\nRead of size 8 at addr ffff88806dde4858 by task syz.1.380/6530\n\nCPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964\n rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588\n rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n sock_write_iter+0x2dd/0x400 net/socket.c:1160\n do_iter_readv_writev+0x60a/0x890\n vfs_writev+0x37c/0xbb0 fs/read_write.c:971\n do_writev+0x1b1/0x350 fs/read_write.c:1018\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f936bf79e79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79\nRDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004\nRBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8\n \u003c/TASK\u003e\n\nAllocated by task 6530:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:312 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3988 [inline]\n slab_alloc_node mm/slub.c:4037 [inline]\n kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044\n dst_alloc+0x12b/0x190 net/core/dst.c:89\n ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670\n make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]\n xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313\n ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257\n rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n ___sys_sendmsg net/socket.c:2651 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 45:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2252 [inline]\n slab_free mm/slub.c:4473 [inline]\n kmem_cache_free+0x145/0x350 mm/slub.c:4548\n dst_destroy+0x2ac/0x460 net/core/dst.c:124\n rcu_do_batch kernel/rcu/tree.c:2569 [inline]\n rcu_core+0xafd/0x1830 kernel/rcu/tree.\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:30:28.766Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/571567e0277008459750f0728f246086b2659429"
},
{
"url": "https://git.kernel.org/stable/c/ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8"
},
{
"url": "https://git.kernel.org/stable/c/cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e"
},
{
"url": "https://git.kernel.org/stable/c/24e93695b1239fbe4c31e224372be77f82dab69a"
},
{
"url": "https://git.kernel.org/stable/c/9a3e55afa95ed4ac9eda112d4f918af645d72f25"
},
{
"url": "https://git.kernel.org/stable/c/af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011"
},
{
"url": "https://git.kernel.org/stable/c/e44bd76dd072756e674f45c5be00153f4ded68b2"
},
{
"url": "https://git.kernel.org/stable/c/faa389b2fbaaec7fd27a390b4896139f9da662e3"
}
],
"title": "ipv6: prevent UAF in ip6_send_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-44987",
"datePublished": "2024-09-04T19:54:35.510Z",
"dateReserved": "2024-08-21T05:34:56.671Z",
"dateUpdated": "2025-11-03T22:14:37.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54243 (GCVE-0-2023-54243)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
netfilter: ebtables: fix table blob use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ebtables: fix table blob use-after-free
We are not allowed to return an error at this point.
Looking at the code it looks like ret is always 0 at this
point, but its not.
t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
... this can return a valid table, with ret != 0.
This bug causes update of table->private with the new
blob, but then frees the blob right away in the caller.
Syzbot report:
BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74
Workqueue: netns cleanup_net
Call Trace:
kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
__ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372
ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613
...
ip(6)tables appears to be ok (ret should be 0 at this point) but make
this more obvious.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c58dd2dd443c26d856a168db108a0cd11c285bf3 , < 9060abce3305ab2354c892c09d5689df51486df5
(git)
Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < dbb3cbbf03b3c52cb390fabec357f1e4638004f5 (git) Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < 3dd6ac973351308d4117eda32298a9f1d68764fd (git) Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < cda0e0243bd3c04008fcd37a46b0269fb3c49249 (git) Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < e58a171d35e32e6e8c37cfe0e8a94406732a331f (git) Affected: a3bc0f8ea439762aa62d40a295157410498cbea7 (git) Affected: 8ed40c122919cd79bc3c059e5864e5e7d9d455f0 (git) Affected: c5e4ef499cfc78de45a4f01b8c557b5964d77c53 (git) Affected: f34728610b2a8c7b9864f9404f2884c17f6fca5c (git) Affected: 8b5740915a9faa8b1fa9166193a33e2a9ae30ec6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/netfilter/ebtables.c",
"net/ipv4/netfilter/ip_tables.c",
"net/ipv6/netfilter/ip6_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9060abce3305ab2354c892c09d5689df51486df5",
"status": "affected",
"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
"versionType": "git"
},
{
"lessThan": "dbb3cbbf03b3c52cb390fabec357f1e4638004f5",
"status": "affected",
"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
"versionType": "git"
},
{
"lessThan": "3dd6ac973351308d4117eda32298a9f1d68764fd",
"status": "affected",
"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
"versionType": "git"
},
{
"lessThan": "cda0e0243bd3c04008fcd37a46b0269fb3c49249",
"status": "affected",
"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
"versionType": "git"
},
{
"lessThan": "e58a171d35e32e6e8c37cfe0e8a94406732a331f",
"status": "affected",
"version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
"versionType": "git"
},
{
"status": "affected",
"version": "a3bc0f8ea439762aa62d40a295157410498cbea7",
"versionType": "git"
},
{
"status": "affected",
"version": "8ed40c122919cd79bc3c059e5864e5e7d9d455f0",
"versionType": "git"
},
{
"status": "affected",
"version": "c5e4ef499cfc78de45a4f01b8c557b5964d77c53",
"versionType": "git"
},
{
"status": "affected",
"version": "f34728610b2a8c7b9864f9404f2884c17f6fca5c",
"versionType": "git"
},
{
"status": "affected",
"version": "8b5740915a9faa8b1fa9166193a33e2a9ae30ec6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/netfilter/ebtables.c",
"net/ipv4/netfilter/ip_tables.c",
"net/ipv6/netfilter/ip6_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix table blob use-after-free\n\nWe are not allowed to return an error at this point.\nLooking at the code it looks like ret is always 0 at this\npoint, but its not.\n\nt = find_table_lock(net, repl-\u003ename, \u0026ret, \u0026ebt_mutex);\n\n... this can return a valid table, with ret != 0.\n\nThis bug causes update of table-\u003eprivate with the new\nblob, but then frees the blob right away in the caller.\n\nSyzbot report:\n\nBUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\nRead of size 4 at addr ffffc90005425000 by task kworker/u4:4/74\nWorkqueue: netns cleanup_net\nCall Trace:\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:517\n __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\n ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372\n ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169\n cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613\n...\n\nip(6)tables appears to be ok (ret should be 0 at this point) but make\nthis more obvious."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:31.180Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5"
},
{
"url": "https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5"
},
{
"url": "https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd"
},
{
"url": "https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249"
},
{
"url": "https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f"
}
],
"title": "netfilter: ebtables: fix table blob use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54243",
"datePublished": "2025-12-30T12:11:31.180Z",
"dateReserved": "2025-12-30T12:06:44.510Z",
"dateUpdated": "2025-12-30T12:11:31.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50697 (GCVE-0-2022-50697)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
mrp: introduce active flags to prevent UAF when applicant uninit
Summary
In the Linux kernel, the following vulnerability has been resolved:
mrp: introduce active flags to prevent UAF when applicant uninit
The caller of del_timer_sync must prevent restarting of the timer, If
we have no this synchronization, there is a small probability that the
cancellation will not be successful.
And syzbot report the fellowing crash:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]
CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-
ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x1a8/0x4a0 mm/kasan/report.c:395
kasan_report+0x94/0xb4 mm/kasan/report.c:495
__do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
do_bad_area arch/arm64/mm/fault.c:473 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
hlist_add_head include/linux/list.h:929 [inline]
enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
mod_timer+0x14/0x20 kernel/time/timer.c:1161
mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
expire_timers+0x98/0xc4 kernel/time/timer.c:1519
To fix it, we can introduce a new active flags to make sure the timer will
not restart.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
febf018d22347b5df94066bca05d0c11a84e839d , < 98f53e591940e4c3818be358c5dc684d5b30cb56
(git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 78d48bc41f7726113c9f114268d3ab11212814da (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < aadb1507a77b060c529edfeaf67f803e31461f24 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 755eb0879224ffc2a43de724554aeaf0e51e5a64 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 5d5a481a7fd0234f617535dc464ea010804a1129 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 563e45fd5046045cc194af3ba17f5423e1c98170 (git) Affected: febf018d22347b5df94066bca05d0c11a84e839d , < ab0377803dafc58f1e22296708c1c28e309414d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/mrp.h",
"net/802/mrp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98f53e591940e4c3818be358c5dc684d5b30cb56",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "78d48bc41f7726113c9f114268d3ab11212814da",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "aadb1507a77b060c529edfeaf67f803e31461f24",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "755eb0879224ffc2a43de724554aeaf0e51e5a64",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "5d5a481a7fd0234f617535dc464ea010804a1129",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "563e45fd5046045cc194af3ba17f5423e1c98170",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
},
{
"lessThan": "ab0377803dafc58f1e22296708c1c28e309414d6",
"status": "affected",
"version": "febf018d22347b5df94066bca05d0c11a84e839d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/mrp.h",
"net/802/mrp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmrp: introduce active flags to prevent UAF when applicant uninit\n\nThe caller of del_timer_sync must prevent restarting of the timer, If\nwe have no this synchronization, there is a small probability that the\ncancellation will not be successful.\n\nAnd syzbot report the fellowing crash:\n==================================================================\nBUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]\nBUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\nWrite at addr f9ff000024df6058 by task syz-fuzzer/2256\nPointer tag: [f9], memory tag: [fe]\n\nCPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-\nge01d50cbd6ee #0\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156\n dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]\n show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x1a8/0x4a0 mm/kasan/report.c:395\n kasan_report+0x94/0xb4 mm/kasan/report.c:495\n __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320\n do_bad_area arch/arm64/mm/fault.c:473 [inline]\n do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749\n do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825\n el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367\n el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427\n el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576\n hlist_add_head include/linux/list.h:929 [inline]\n enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\n mod_timer+0x14/0x20 kernel/time/timer.c:1161\n mrp_periodic_timer_arm net/802/mrp.c:614 [inline]\n mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627\n call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474\n expire_timers+0x98/0xc4 kernel/time/timer.c:1519\n\nTo fix it, we can introduce a new active flags to make sure the timer will\nnot restart."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:54.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98f53e591940e4c3818be358c5dc684d5b30cb56"
},
{
"url": "https://git.kernel.org/stable/c/aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9"
},
{
"url": "https://git.kernel.org/stable/c/78d48bc41f7726113c9f114268d3ab11212814da"
},
{
"url": "https://git.kernel.org/stable/c/aadb1507a77b060c529edfeaf67f803e31461f24"
},
{
"url": "https://git.kernel.org/stable/c/755eb0879224ffc2a43de724554aeaf0e51e5a64"
},
{
"url": "https://git.kernel.org/stable/c/5d5a481a7fd0234f617535dc464ea010804a1129"
},
{
"url": "https://git.kernel.org/stable/c/1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6"
},
{
"url": "https://git.kernel.org/stable/c/563e45fd5046045cc194af3ba17f5423e1c98170"
},
{
"url": "https://git.kernel.org/stable/c/ab0377803dafc58f1e22296708c1c28e309414d6"
}
],
"title": "mrp: introduce active flags to prevent UAF when applicant uninit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50697",
"datePublished": "2025-12-24T10:55:13.762Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2026-01-02T15:03:54.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68813 (GCVE-0-2025-68813)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34
VLAI?
EPSS
Title
ipvs: fix ipv4 null-ptr-deref in route error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix ipv4 null-ptr-deref in route error path
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ed0de45a1008991fdaa27a0152befcb74d126a8b , < dd72a93c80408f06327dd2d956eb1a656d0b5903
(git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 312d7cd88882fc6cadcc08b02287497aaaf94bcd (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < cdeff10851c37a002d87a035818ebd60fdb74447 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 4729ff0581fbb7ad098b6153b76b6f5aac94618a (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 25ab24df31f7af843c96a38e0781b9165216e1a8 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 689a627d14788ad772e0fa24c2e57a23dbc7ce90 (git) Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < ad891bb3d079a46a821bf2b8867854645191bab0 (git) Affected: 6c2fa855d8178699706b1192db2f1f8102b0ba1e (git) Affected: fbf569d2beee2a4a7a0bc8b619c26101d1211a88 (git) Affected: ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38 (git) Affected: 3d988fcddbe7b8673a231958bd2fba61b5a7ced9 (git) Affected: 8a430e56a6485267a1b2d3747209d26c54d1a34b (git) Affected: 6bd1ee0a993fc9574ae43c1994c54a60cb23a380 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd72a93c80408f06327dd2d956eb1a656d0b5903",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "312d7cd88882fc6cadcc08b02287497aaaf94bcd",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "cdeff10851c37a002d87a035818ebd60fdb74447",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "4729ff0581fbb7ad098b6153b76b6f5aac94618a",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "25ab24df31f7af843c96a38e0781b9165216e1a8",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "689a627d14788ad772e0fa24c2e57a23dbc7ce90",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "ad891bb3d079a46a821bf2b8867854645191bab0",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"status": "affected",
"version": "6c2fa855d8178699706b1192db2f1f8102b0ba1e",
"versionType": "git"
},
{
"status": "affected",
"version": "fbf569d2beee2a4a7a0bc8b619c26101d1211a88",
"versionType": "git"
},
{
"status": "affected",
"version": "ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38",
"versionType": "git"
},
{
"status": "affected",
"version": "3d988fcddbe7b8673a231958bd2fba61b5a7ced9",
"versionType": "git"
},
{
"status": "affected",
"version": "8a430e56a6485267a1b2d3747209d26c54d1a34b",
"versionType": "git"
},
{
"status": "affected",
"version": "6bd1ee0a993fc9574ae43c1994c54a60cb23a380",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.139",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() \u2192 ipv4_send_dest_unreach() \u2192\n __ip_options_compile() \u2192 fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n \u003cTASK\u003e\n spec_dst_fill net/ipv4/ip_options.c:232\n spec_dst_fill net/ipv4/ip_options.c:229\n __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n ipv4_send_dest_unreach net/ipv4/route.c:1252\n ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n dst_link_failure include/net/dst.h:437\n __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764"
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:34:02.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903"
},
{
"url": "https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd"
},
{
"url": "https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447"
},
{
"url": "https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a"
},
{
"url": "https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8"
},
{
"url": "https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90"
},
{
"url": "https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0"
}
],
"title": "ipvs: fix ipv4 null-ptr-deref in route error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68813",
"datePublished": "2026-01-13T15:29:18.483Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-02-09T08:34:02.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40044 (GCVE-0-2025-40044)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
fs: udf: fix OOB read in lengthAllocDescs handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: udf: fix OOB read in lengthAllocDescs handling
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
on-disk data and must be validated against the block size. Crafted or
corrupted images may set lengthAllocDescs so that the total descriptor
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
trigger a KASAN use-after-free read.
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
udf_release_file+0xc1/0x120 fs/udf/file.c:185
__fput+0x23f/0x880 fs/file_table.c:431
task_work_run+0x24f/0x310 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xa2f/0x28e0 kernel/exit.c:939
do_group_exit+0x207/0x2c0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Validate the computed total length against epos->bh->b_size.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 14496175b264d30c2045584ee31d062af2e3a660
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1d1847812a1a5375c10a2a779338df643f79c047 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 918649364fbca7d5df72522ca795479edcd25f91 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a70dcfa8d0a0cc530a6af59483dfca260b652c1b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 459404f858213967ccfff336c41747d8dd186d38 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3bd5e45c2ce30e239d596becd5db720f7eb83c99 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14496175b264d30c2045584ee31d062af2e3a660",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1d1847812a1a5375c10a2a779338df643f79c047",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "918649364fbca7d5df72522ca795479edcd25f91",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a70dcfa8d0a0cc530a6af59483dfca260b652c1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "459404f858213967ccfff336c41747d8dd186d38",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3bd5e45c2ce30e239d596becd5db720f7eb83c99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: udf: fix OOB read in lengthAllocDescs handling\n\nWhen parsing Allocation Extent Descriptor, lengthAllocDescs comes from\non-disk data and must be validated against the block size. Crafted or\ncorrupted images may set lengthAllocDescs so that the total descriptor\nlength (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,\nleading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and\ntrigger a KASAN use-after-free read.\n\nBUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\nRead of size 1 at addr ffff888041e7d000 by task syz-executor317/5309\n\nCPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60\n udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261\n udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179\n extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46\n udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106\n udf_release_file+0xc1/0x120 fs/udf/file.c:185\n __fput+0x23f/0x880 fs/file_table.c:431\n task_work_run+0x24f/0x310 kernel/task_work.c:239\n exit_task_work include/linux/task_work.h:43 [inline]\n do_exit+0xa2f/0x28e0 kernel/exit.c:939\n do_group_exit+0x207/0x2c0 kernel/exit.c:1088\n __do_sys_exit_group kernel/exit.c:1099 [inline]\n __se_sys_exit_group kernel/exit.c:1097 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097\n x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nValidate the computed total length against epos-\u003ebh-\u003eb_size.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:49.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14496175b264d30c2045584ee31d062af2e3a660"
},
{
"url": "https://git.kernel.org/stable/c/d2ed9aa8ae50fb0d4ac5ab07e4c67ba7e9a24818"
},
{
"url": "https://git.kernel.org/stable/c/1d1847812a1a5375c10a2a779338df643f79c047"
},
{
"url": "https://git.kernel.org/stable/c/918649364fbca7d5df72522ca795479edcd25f91"
},
{
"url": "https://git.kernel.org/stable/c/a70dcfa8d0a0cc530a6af59483dfca260b652c1b"
},
{
"url": "https://git.kernel.org/stable/c/b57f2d7d3e6bb89ed82330c5fe106cdfa34d3e24"
},
{
"url": "https://git.kernel.org/stable/c/459404f858213967ccfff336c41747d8dd186d38"
},
{
"url": "https://git.kernel.org/stable/c/3bd5e45c2ce30e239d596becd5db720f7eb83c99"
}
],
"title": "fs: udf: fix OOB read in lengthAllocDescs handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40044",
"datePublished": "2025-10-28T11:48:22.827Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-01T06:16:49.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50329 (GCVE-0-2022-50329)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:49 – Updated: 2025-09-15 14:49
VLAI?
EPSS
Title
block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'")
will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq()
can free bfqq first, and then call bic_set_bfqq(), which will cause uaf.
Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a , < 1425f1bb5df5239021fd09ebc2a5e8070e705d36
(git)
Affected: 094f3d9314d67691cb21ba091c1b528f6e3c4893 , < 7949b0df3dd9f4817ed4a4e989fa9ee81df6205f (git) Affected: b22fd72bfebda3956efc4431b60ddfc0a51e03e0 , < cfe5b38c37720313eff0dec5517442c7ab3c9a20 (git) Affected: 761564d93c8265f65543acf0a576b32d66bfa26a , < 1ed959fef5b1c6f1a7a3fbea543698c30ebd6678 (git) Affected: 64dc8c732f5c2b406cc752e6aaa1bd5471159cab , < 246cf66e300b76099b5dbd3fdd39e9a5dbc53f02 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1425f1bb5df5239021fd09ebc2a5e8070e705d36",
"status": "affected",
"version": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a",
"versionType": "git"
},
{
"lessThan": "7949b0df3dd9f4817ed4a4e989fa9ee81df6205f",
"status": "affected",
"version": "094f3d9314d67691cb21ba091c1b528f6e3c4893",
"versionType": "git"
},
{
"lessThan": "cfe5b38c37720313eff0dec5517442c7ab3c9a20",
"status": "affected",
"version": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0",
"versionType": "git"
},
{
"lessThan": "1ed959fef5b1c6f1a7a3fbea543698c30ebd6678",
"status": "affected",
"version": "761564d93c8265f65543acf0a576b32d66bfa26a",
"versionType": "git"
},
{
"lessThan": "246cf66e300b76099b5dbd3fdd39e9a5dbc53f02",
"status": "affected",
"version": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.87",
"status": "affected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThan": "6.0.17",
"status": "affected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThan": "6.1.3",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "6.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq\n\nCommit 64dc8c732f5c (\"block, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027\")\nwill access \u0027bic-\u003ebfqq\u0027 in bic_set_bfqq(), however, bfq_exit_icq_bfqq()\ncan free bfqq first, and then call bic_set_bfqq(), which will cause uaf.\n\nFix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq()."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:49:32.123Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1425f1bb5df5239021fd09ebc2a5e8070e705d36"
},
{
"url": "https://git.kernel.org/stable/c/7949b0df3dd9f4817ed4a4e989fa9ee81df6205f"
},
{
"url": "https://git.kernel.org/stable/c/cfe5b38c37720313eff0dec5517442c7ab3c9a20"
},
{
"url": "https://git.kernel.org/stable/c/1ed959fef5b1c6f1a7a3fbea543698c30ebd6678"
},
{
"url": "https://git.kernel.org/stable/c/246cf66e300b76099b5dbd3fdd39e9a5dbc53f02"
}
],
"title": "block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50329",
"datePublished": "2025-09-15T14:49:32.123Z",
"dateReserved": "2025-09-15T14:18:36.815Z",
"dateUpdated": "2025-09-15T14:49:32.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50143 (GCVE-0-2024-50143)
Vulnerability from cvelistv5 – Published: 2024-11-07 09:31 – Updated: 2026-01-05 10:55
VLAI?
EPSS
Title
udf: fix uninit-value use in udf_get_fileshortad
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: fix uninit-value use in udf_get_fileshortad
Check for overflow when computing alen in udf_current_aext to mitigate
later uninit-value use in udf_get_fileshortad KMSAN bug[1].
After applying the patch reproducer did not trigger any issue[2].
[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
Severity ?
7.8 (High)
CWE
- CWE-908 - Use of Uninitialized Resource
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5eb76fb98b3335aa5cca6a7db2e659561c79c32b
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 417bd613bdbe791549f7687bb1b9b8012ff111c2 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0ce61b1f6b32df822b59c680cbe8e5ba5d335742 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4fc0d8660e391dcd8dde23c44d702be1f6846c61 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 72e445df65a0aa9066c6fe2b8736ba2fcca6dac7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1ac49babc952f48d82676979b20885e480e69be8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e52e0b92ed31dc62afbda15c243dcee0bb5bb58d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 264db9d666ad9a35075cc9ed9ec09d021580fbb1 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-50143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:21:00.516802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:27:14.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:26:02.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5eb76fb98b3335aa5cca6a7db2e659561c79c32b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "417bd613bdbe791549f7687bb1b9b8012ff111c2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0ce61b1f6b32df822b59c680cbe8e5ba5d335742",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4fc0d8660e391dcd8dde23c44d702be1f6846c61",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "72e445df65a0aa9066c6fe2b8736ba2fcca6dac7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1ac49babc952f48d82676979b20885e480e69be8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e52e0b92ed31dc62afbda15c243dcee0bb5bb58d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "264db9d666ad9a35075cc9ed9ec09d021580fbb1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.285",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.323",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.285",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.170",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.59",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: fix uninit-value use in udf_get_fileshortad\n\nCheck for overflow when computing alen in udf_current_aext to mitigate\nlater uninit-value use in udf_get_fileshortad KMSAN bug[1].\nAfter applying the patch reproducer did not trigger any issue[2].\n\n[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df\n[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:55:11.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5eb76fb98b3335aa5cca6a7db2e659561c79c32b"
},
{
"url": "https://git.kernel.org/stable/c/417bd613bdbe791549f7687bb1b9b8012ff111c2"
},
{
"url": "https://git.kernel.org/stable/c/0ce61b1f6b32df822b59c680cbe8e5ba5d335742"
},
{
"url": "https://git.kernel.org/stable/c/4fc0d8660e391dcd8dde23c44d702be1f6846c61"
},
{
"url": "https://git.kernel.org/stable/c/72e445df65a0aa9066c6fe2b8736ba2fcca6dac7"
},
{
"url": "https://git.kernel.org/stable/c/1ac49babc952f48d82676979b20885e480e69be8"
},
{
"url": "https://git.kernel.org/stable/c/e52e0b92ed31dc62afbda15c243dcee0bb5bb58d"
},
{
"url": "https://git.kernel.org/stable/c/264db9d666ad9a35075cc9ed9ec09d021580fbb1"
}
],
"title": "udf: fix uninit-value use in udf_get_fileshortad",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-50143",
"datePublished": "2024-11-07T09:31:20.340Z",
"dateReserved": "2024-10-21T19:36:19.956Z",
"dateUpdated": "2026-01-05T10:55:11.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38129 (GCVE-0-2025-38129)
Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
page_pool: Fix use-after-free in page_pool_recycle_in_ring
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: Fix use-after-free in page_pool_recycle_in_ring
syzbot reported a uaf in page_pool_recycle_in_ring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826
page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036
skb_pp_recycle net/core/skbuff.c:1047 [inline]
skb_free_head net/core/skbuff.c:1094 [inline]
skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242
kfree_skb_reason include/linux/skbuff.h:1263 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]
root cause is:
page_pool_recycle_in_ring
ptr_ring_produce
spin_lock(&r->producer_lock);
WRITE_ONCE(r->queue[r->producer++], ptr)
//recycle last page to pool
page_pool_release
page_pool_scrub
page_pool_empty_ring
ptr_ring_consume
page_pool_return_page //release all page
__page_pool_destroy
free_percpu(pool->recycle_stats);
free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf read
recycle_stat_inc(pool, ring);
page_pool can be free while page pool recycle the last page in ring.
Add producer-lock barrier to page_pool_release to prevent the page
pool from being free before all pages have been recycled.
recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not
enabled, which will trigger Wempty-body build warning. Add definition
for pool stat macro to fix warning.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8
(git)
Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 1a8c0b61d4cb55c5440583ec9e7f86a730369e32 (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 4914c0a166540e534a0c1d43affd329d95fb56fd (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < e869a85acc2e60dc554579b910826a4919d8cd98 (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 4ab8c0f8905c9c4d05e7f437e65a9a365573ff02 (git) Affected: ff7d6b27f894f1469dc51ccb828b7363ccd9799f , < 271683bb2cf32e5126c592b5d5e6a756fa374fd9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "1a8c0b61d4cb55c5440583ec9e7f86a730369e32",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "4914c0a166540e534a0c1d43affd329d95fb56fd",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "e869a85acc2e60dc554579b910826a4919d8cd98",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "4ab8c0f8905c9c4d05e7f437e65a9a365573ff02",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
},
{
"lessThan": "271683bb2cf32e5126c592b5d5e6a756fa374fd9",
"status": "affected",
"version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n ptr_ring_produce\n spin_lock(\u0026r-\u003eproducer_lock);\n WRITE_ONCE(r-\u003equeue[r-\u003eproducer++], ptr)\n //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t page_pool_scrub\n\t\t\t\t page_pool_empty_ring\n\t\t\t\t ptr_ring_consume\n\t\t\t\t page_pool_return_page //release all page\n\t\t\t\t __page_pool_destroy\n\t\t\t\t free_percpu(pool-\u003erecycle_stats);\n\t\t\t\t free(pool) //free\n\n spin_unlock(\u0026r-\u003eproducer_lock); //pool-\u003ering uaf read\n recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:00.706Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8"
},
{
"url": "https://git.kernel.org/stable/c/1a8c0b61d4cb55c5440583ec9e7f86a730369e32"
},
{
"url": "https://git.kernel.org/stable/c/4914c0a166540e534a0c1d43affd329d95fb56fd"
},
{
"url": "https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98"
},
{
"url": "https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02"
},
{
"url": "https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9"
}
],
"title": "page_pool: Fix use-after-free in page_pool_recycle_in_ring",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38129",
"datePublished": "2025-07-03T08:35:33.728Z",
"dateReserved": "2025-04-16T04:51:23.987Z",
"dateUpdated": "2026-01-19T12:18:00.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38375 (GCVE-0-2025-38375)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2025-11-03 17:37
VLAI?
EPSS
Title
virtio-net: ensure the received length does not exceed allocated size
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio-net: ensure the received length does not exceed allocated size
In xdp_linearize_page, when reading the following buffers from the ring,
we forget to check the received length with the true allocate size. This
can lead to an out-of-bound read. This commit adds that missing check.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4941d472bf95b4345d6e38906fcf354e74afa311 , < 773e95c268b5d859f51f7547559734fd2a57660c
(git)
Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1 (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 982beb7582c193544eb9c6083937ec5ac1c9d651 (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 6aca3dad2145e864dfe4d1060f45eb1bac75dd58 (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 80b971be4c37a4d23a7f1abc5ff33dc7733d649b (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < bc68bc3563344ccdc57d1961457cdeecab8f81ef (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 11f2d0e8be2b5e784ac45fa3da226492c3e506d8 (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:12.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "773e95c268b5d859f51f7547559734fd2a57660c",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "982beb7582c193544eb9c6083937ec5ac1c9d651",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "6aca3dad2145e864dfe4d1060f45eb1bac75dd58",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "80b971be4c37a4d23a7f1abc5ff33dc7733d649b",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "bc68bc3563344ccdc57d1961457cdeecab8f81ef",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "11f2d0e8be2b5e784ac45fa3da226492c3e506d8",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "315dbdd7cdf6aa533829774caaf4d25f1fd20e73",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.144",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.97",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: ensure the received length does not exceed allocated size\n\nIn xdp_linearize_page, when reading the following buffers from the ring,\nwe forget to check the received length with the true allocate size. This\ncan lead to an out-of-bound read. This commit adds that missing check."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:06.603Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/773e95c268b5d859f51f7547559734fd2a57660c"
},
{
"url": "https://git.kernel.org/stable/c/ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1"
},
{
"url": "https://git.kernel.org/stable/c/982beb7582c193544eb9c6083937ec5ac1c9d651"
},
{
"url": "https://git.kernel.org/stable/c/6aca3dad2145e864dfe4d1060f45eb1bac75dd58"
},
{
"url": "https://git.kernel.org/stable/c/80b971be4c37a4d23a7f1abc5ff33dc7733d649b"
},
{
"url": "https://git.kernel.org/stable/c/bc68bc3563344ccdc57d1961457cdeecab8f81ef"
},
{
"url": "https://git.kernel.org/stable/c/11f2d0e8be2b5e784ac45fa3da226492c3e506d8"
},
{
"url": "https://git.kernel.org/stable/c/315dbdd7cdf6aa533829774caaf4d25f1fd20e73"
}
],
"title": "virtio-net: ensure the received length does not exceed allocated size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38375",
"datePublished": "2025-07-25T12:53:17.629Z",
"dateReserved": "2025-04-16T04:51:24.009Z",
"dateUpdated": "2025-11-03T17:37:12.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53215 (GCVE-0-2023-53215)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-01-14 17:52
VLAI?
EPSS
Title
sched/fair: Don't balance task to its current running CPU
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Don't balance task to its current running CPU
We've run into the case that the balancer tries to balance a migration
disabled task and trigger the warning in set_task_cpu() like below:
------------[ cut here ]------------
WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240
Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip>
CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1
Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : set_task_cpu+0x188/0x240
lr : load_balance+0x5d0/0xc60
sp : ffff80000803bc70
x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040
x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001
x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78
x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000
x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000
x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530
x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e
x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a
x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001
Call trace:
set_task_cpu+0x188/0x240
load_balance+0x5d0/0xc60
rebalance_domains+0x26c/0x380
_nohz_idle_balance.isra.0+0x1e0/0x370
run_rebalance_domains+0x6c/0x80
__do_softirq+0x128/0x3d8
____do_softirq+0x18/0x24
call_on_irq_stack+0x2c/0x38
do_softirq_own_stack+0x24/0x3c
__irq_exit_rcu+0xcc/0xf4
irq_exit_rcu+0x18/0x24
el1_interrupt+0x4c/0xe4
el1h_64_irq_handler+0x18/0x2c
el1h_64_irq+0x74/0x78
arch_cpu_idle+0x18/0x4c
default_idle_call+0x58/0x194
do_idle+0x244/0x2b0
cpu_startup_entry+0x30/0x3c
secondary_start_kernel+0x14c/0x190
__secondary_switched+0xb0/0xb4
---[ end trace 0000000000000000 ]---
Further investigation shows that the warning is superfluous, the migration
disabled task is just going to be migrated to its current running CPU.
This is because that on load balance if the dst_cpu is not allowed by the
task, we'll re-select a new_dst_cpu as a candidate. If no task can be
balanced to dst_cpu we'll try to balance the task to the new_dst_cpu
instead. In this case when the migration disabled task is not on CPU it
only allows to run on its current CPU, load balance will select its
current CPU as new_dst_cpu and later triggers the warning above.
The new_dst_cpu is chosen from the env->dst_grpmask. Currently it
contains CPUs in sched_group_span() and if we have overlapped groups it's
possible to run into this case. This patch makes env->dst_grpmask of
group_balance_mask() which exclude any CPUs from the busiest group and
solve the issue. For balancing in a domain with no overlapped groups
the behaviour keeps same as before.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 32d937f94b7805d4c9028b8727a7d6241547da54
(git)
Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < a5286f4655ce2fa28f477c0b957ea7f323fe2fab (git) Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1 (git) Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 6b0c79aa33075b34c3cdcea4132c0afb3fc42d68 (git) Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 3cb43222bab8ab328fc91ed30899b3df2efbccfd (git) Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 78a5f711efceb37e32c48cd6b40addb671fea9cc (git) Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 34eb902050d473bb2befa15714fb1d30a0991c15 (git) Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:49:11.026903Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:52:57.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/fair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32d937f94b7805d4c9028b8727a7d6241547da54",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "a5286f4655ce2fa28f477c0b957ea7f323fe2fab",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "6b0c79aa33075b34c3cdcea4132c0afb3fc42d68",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "3cb43222bab8ab328fc91ed30899b3df2efbccfd",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "78a5f711efceb37e32c48cd6b40addb671fea9cc",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "34eb902050d473bb2befa15714fb1d30a0991c15",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
},
{
"lessThan": "0dd37d6dd33a9c23351e6115ae8cdac7863bc7de",
"status": "affected",
"version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/fair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Don\u0027t balance task to its current running CPU\n\nWe\u0027ve run into the case that the balancer tries to balance a migration\ndisabled task and trigger the warning in set_task_cpu() like below:\n\n ------------[ cut here ]------------\n WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240\n Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 \u003c...snip\u003e\n CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1\n Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021\n pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : set_task_cpu+0x188/0x240\n lr : load_balance+0x5d0/0xc60\n sp : ffff80000803bc70\n x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040\n x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001\n x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78\n x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000\n x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000\n x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530\n x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e\n x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a\n x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001\n Call trace:\n set_task_cpu+0x188/0x240\n load_balance+0x5d0/0xc60\n rebalance_domains+0x26c/0x380\n _nohz_idle_balance.isra.0+0x1e0/0x370\n run_rebalance_domains+0x6c/0x80\n __do_softirq+0x128/0x3d8\n ____do_softirq+0x18/0x24\n call_on_irq_stack+0x2c/0x38\n do_softirq_own_stack+0x24/0x3c\n __irq_exit_rcu+0xcc/0xf4\n irq_exit_rcu+0x18/0x24\n el1_interrupt+0x4c/0xe4\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x74/0x78\n arch_cpu_idle+0x18/0x4c\n default_idle_call+0x58/0x194\n do_idle+0x244/0x2b0\n cpu_startup_entry+0x30/0x3c\n secondary_start_kernel+0x14c/0x190\n __secondary_switched+0xb0/0xb4\n ---[ end trace 0000000000000000 ]---\n\nFurther investigation shows that the warning is superfluous, the migration\ndisabled task is just going to be migrated to its current running CPU.\nThis is because that on load balance if the dst_cpu is not allowed by the\ntask, we\u0027ll re-select a new_dst_cpu as a candidate. If no task can be\nbalanced to dst_cpu we\u0027ll try to balance the task to the new_dst_cpu\ninstead. In this case when the migration disabled task is not on CPU it\nonly allows to run on its current CPU, load balance will select its\ncurrent CPU as new_dst_cpu and later triggers the warning above.\n\nThe new_dst_cpu is chosen from the env-\u003edst_grpmask. Currently it\ncontains CPUs in sched_group_span() and if we have overlapped groups it\u0027s\npossible to run into this case. This patch makes env-\u003edst_grpmask of\ngroup_balance_mask() which exclude any CPUs from the busiest group and\nsolve the issue. For balancing in a domain with no overlapped groups\nthe behaviour keeps same as before."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:18:44.612Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32d937f94b7805d4c9028b8727a7d6241547da54"
},
{
"url": "https://git.kernel.org/stable/c/a5286f4655ce2fa28f477c0b957ea7f323fe2fab"
},
{
"url": "https://git.kernel.org/stable/c/cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1"
},
{
"url": "https://git.kernel.org/stable/c/6b0c79aa33075b34c3cdcea4132c0afb3fc42d68"
},
{
"url": "https://git.kernel.org/stable/c/3cb43222bab8ab328fc91ed30899b3df2efbccfd"
},
{
"url": "https://git.kernel.org/stable/c/78a5f711efceb37e32c48cd6b40addb671fea9cc"
},
{
"url": "https://git.kernel.org/stable/c/34eb902050d473bb2befa15714fb1d30a0991c15"
},
{
"url": "https://git.kernel.org/stable/c/0dd37d6dd33a9c23351e6115ae8cdac7863bc7de"
}
],
"title": "sched/fair: Don\u0027t balance task to its current running CPU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53215",
"datePublished": "2025-09-15T14:21:43.107Z",
"dateReserved": "2025-09-15T14:19:21.845Z",
"dateUpdated": "2026-01-14T17:52:57.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54142 (GCVE-0-2023-54142)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
gtp: Fix use-after-free in __gtp_encap_destroy().
Summary
In the Linux kernel, the following vulnerability has been resolved:
gtp: Fix use-after-free in __gtp_encap_destroy().
syzkaller reported use-after-free in __gtp_encap_destroy(). [0]
It shows the same process freed sk and touched it illegally.
Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock()
and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,
but release_sock() is called after sock_put() releases the last refcnt.
[0]:
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401
CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:351 [inline]
print_report+0xcc/0x620 mm/kasan/report.c:462
kasan_report+0xb2/0xe0 mm/kasan/report.c:572
check_region_inline mm/kasan/generic.c:181 [inline]
kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
do_raw_spin_lock include/linux/spinlock.h:186 [inline]
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
_raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:355 [inline]
release_sock+0x1f/0x1a0 net/core/sock.c:3526
gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg+0x1b7/0x200 net/socket.c:747
____sys_sendmsg+0x75a/0x990 net/socket.c:2493
___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
__sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1168b1fe5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000
</TASK>
Allocated by task 1483:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
01f3c64e405ab3d25887d080a103ad76f30661d2 , < d38039697184aacff1cf576e14ef583112fdefef
(git)
Affected: e117a04133c673cc54292e12086a8177cd9bd4a4 , < e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 9c9662e2512b5e4ee7b03108802c5222e0fa77a4 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < bccc7ace12e69dee4684a3bb4b69737972e570d6 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < ebd6d2077a083329110695a996c00e8ca94bc640 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 17d6b6354f0025b7c10a56da783fd0cbb3819c5d (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < dae6095bdb24f537b4798ffd9201515b97bac94e (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 58fa341327fdb4bdf92597fd8796a9abc8d20ea3 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < ce3aee7114c575fab32a5e9e939d4bbb3dcca79f (git) Affected: bf75202df8e473d4ee914894542f213158066d8b (git) Affected: 76357f65f18f180f44ccbbbf713461881d0ab219 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/gtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d38039697184aacff1cf576e14ef583112fdefef",
"status": "affected",
"version": "01f3c64e405ab3d25887d080a103ad76f30661d2",
"versionType": "git"
},
{
"lessThan": "e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6",
"status": "affected",
"version": "e117a04133c673cc54292e12086a8177cd9bd4a4",
"versionType": "git"
},
{
"lessThan": "9c9662e2512b5e4ee7b03108802c5222e0fa77a4",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "bccc7ace12e69dee4684a3bb4b69737972e570d6",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "ebd6d2077a083329110695a996c00e8ca94bc640",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "17d6b6354f0025b7c10a56da783fd0cbb3819c5d",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "dae6095bdb24f537b4798ffd9201515b97bac94e",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "58fa341327fdb4bdf92597fd8796a9abc8d20ea3",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "ce3aee7114c575fab32a5e9e939d4bbb3dcca79f",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"status": "affected",
"version": "bf75202df8e473d4ee914894542f213158066d8b",
"versionType": "git"
},
{
"status": "affected",
"version": "76357f65f18f180f44ccbbbf713461881d0ab219",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/gtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.14.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.19.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.1.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Fix use-after-free in __gtp_encap_destroy().\n\nsyzkaller reported use-after-free in __gtp_encap_destroy(). [0]\n\nIt shows the same process freed sk and touched it illegally.\n\nCommit e198987e7dd7 (\"gtp: fix suspicious RCU usage\") added lock_sock()\nand release_sock() in __gtp_encap_destroy() to protect sk-\u003esk_user_data,\nbut release_sock() is called after sock_put() releases the last refcnt.\n\n[0]:\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\nBUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\nWrite of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401\n\nCPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:351 [inline]\n print_report+0xcc/0x620 mm/kasan/report.c:462\n kasan_report+0xb2/0xe0 mm/kasan/report.c:572\n check_region_inline mm/kasan/generic.c:181 [inline]\n kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\n queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\n do_raw_spin_lock include/linux/spinlock.h:186 [inline]\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\n _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:355 [inline]\n release_sock+0x1f/0x1a0 net/core/sock.c:3526\n gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]\n gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664\n gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728\n unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841\n rtnl_delete_link net/core/rtnetlink.c:3216 [inline]\n rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268\n rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423\n netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x1b7/0x200 net/socket.c:747\n ____sys_sendmsg+0x75a/0x990 net/socket.c:2493\n ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547\n __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f1168b1fe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d\nRDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 1483:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:56.204Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d38039697184aacff1cf576e14ef583112fdefef"
},
{
"url": "https://git.kernel.org/stable/c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6"
},
{
"url": "https://git.kernel.org/stable/c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4"
},
{
"url": "https://git.kernel.org/stable/c/bccc7ace12e69dee4684a3bb4b69737972e570d6"
},
{
"url": "https://git.kernel.org/stable/c/ebd6d2077a083329110695a996c00e8ca94bc640"
},
{
"url": "https://git.kernel.org/stable/c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d"
},
{
"url": "https://git.kernel.org/stable/c/dae6095bdb24f537b4798ffd9201515b97bac94e"
},
{
"url": "https://git.kernel.org/stable/c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3"
},
{
"url": "https://git.kernel.org/stable/c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f"
}
],
"title": "gtp: Fix use-after-free in __gtp_encap_destroy().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54142",
"datePublished": "2025-12-24T13:06:56.204Z",
"dateReserved": "2025-12-24T13:02:52.523Z",
"dateUpdated": "2025-12-24T13:06:56.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68285 (GCVE-0-2025-68285)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
libceph: fix potential use-after-free in have_mon_and_osd_map()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix potential use-after-free in have_mon_and_osd_map()
The wait loop in __ceph_open_session() can race with the client
receiving a new monmap or osdmap shortly after the initial map is
received. Both ceph_monc_handle_map() and handle_one_map() install
a new map immediately after freeing the old one
kfree(monc->monmap);
monc->monmap = monmap;
ceph_osdmap_destroy(osdc->osdmap);
osdc->osdmap = newmap;
under client->monc.mutex and client->osdc.lock respectively, but
because neither is taken in have_mon_and_osd_map() it's possible for
client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in
client->monc.monmap && client->monc.monmap->epoch &&
client->osdc.osdmap && client->osdc.osdmap->epoch;
condition to dereference an already freed map. This happens to be
reproducible with generic/395 and generic/397 with KASAN enabled:
BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
...
Call Trace:
<TASK>
have_mon_and_osd_map+0x56/0x70
ceph_open_session+0x182/0x290
ceph_get_tree+0x333/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Allocated by task 13305:
ceph_osdmap_alloc+0x16/0x130
ceph_osdc_init+0x27a/0x4c0
ceph_create_client+0x153/0x190
create_fs_client+0x50/0x2a0
ceph_get_tree+0xff/0x680
vfs_get_tree+0x49/0x180
do_new_mount+0x1a3/0x2d0
path_mount+0x6dd/0x730
do_mount+0x99/0xe0
__do_sys_mount+0x141/0x180
do_syscall_64+0x9f/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 9475:
kfree+0x212/0x290
handle_one_map+0x23c/0x3b0
ceph_osdc_handle_map+0x3c9/0x590
mon_dispatch+0x655/0x6f0
ceph_con_process_message+0xc3/0xe0
ceph_con_v1_try_read+0x614/0x760
ceph_con_workfn+0x2de/0x650
process_one_work+0x486/0x7c0
process_scheduled_works+0x73/0x90
worker_thread+0x1c8/0x2a0
kthread+0x2ec/0x300
ret_from_fork+0x24/0x40
ret_from_fork_asm+0x1a/0x30
Rewrite the wait loop to check the above condition directly with
client->monc.mutex and client->osdc.lock taken as appropriate. While
at it, improve the timeout handling (previously mount_timeout could be
exceeded in case wait_event_interruptible_timeout() slept more than
once) and access client->auth_err under client->monc.mutex to match
how it's set in finish_auth().
monmap_show() and osdmap_show() now take the respective lock before
accessing the map as well.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < bb4910c5fd436701faf367e1b5476a5a6d2aff1c
(git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 05ec43e9a9de67132dc8cd3b22afef001574947f (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 7c8ccdc1714d9fabecd26e1be7db1771061acc6e (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 183ad6e3b651e8fb0b66d6a2678f4b80bfbba092 (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < e08021b3b56b2407f37b5fe47b654be80cc665fb (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 3fc43120b22a3d4f1fbeff56a35ce2105b6a5683 (git) Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 076381c261374c587700b3accf410bdd2dba334e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ceph/ceph_common.c",
"net/ceph/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb4910c5fd436701faf367e1b5476a5a6d2aff1c",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "05ec43e9a9de67132dc8cd3b22afef001574947f",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "7c8ccdc1714d9fabecd26e1be7db1771061acc6e",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "183ad6e3b651e8fb0b66d6a2678f4b80bfbba092",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "e08021b3b56b2407f37b5fe47b654be80cc665fb",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "3fc43120b22a3d4f1fbeff56a35ce2105b6a5683",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
},
{
"lessThan": "076381c261374c587700b3accf410bdd2dba334e",
"status": "affected",
"version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ceph/ceph_common.c",
"net/ceph/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived. Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n kfree(monc-\u003emonmap);\n monc-\u003emonmap = monmap;\n\n ceph_osdmap_destroy(osdc-\u003eosdmap);\n osdc-\u003eosdmap = newmap;\n\nunder client-\u003emonc.mutex and client-\u003eosdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it\u0027s possible for\nclient-\u003emonc.monmap-\u003eepoch and client-\u003eosdc.osdmap-\u003eepoch arms in\n\n client-\u003emonc.monmap \u0026\u0026 client-\u003emonc.monmap-\u003eepoch \u0026\u0026\n client-\u003eosdc.osdmap \u0026\u0026 client-\u003eosdc.osdmap-\u003eepoch;\n\ncondition to dereference an already freed map. This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n ...\n Call Trace:\n \u003cTASK\u003e\n have_mon_and_osd_map+0x56/0x70\n ceph_open_session+0x182/0x290\n ceph_get_tree+0x333/0x680\n vfs_get_tree+0x49/0x180\n do_new_mount+0x1a3/0x2d0\n path_mount+0x6dd/0x730\n do_mount+0x99/0xe0\n __do_sys_mount+0x141/0x180\n do_syscall_64+0x9f/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\n Allocated by task 13305:\n ceph_osdmap_alloc+0x16/0x130\n ceph_osdc_init+0x27a/0x4c0\n ceph_create_client+0x153/0x190\n create_fs_client+0x50/0x2a0\n ceph_get_tree+0xff/0x680\n vfs_get_tree+0x49/0x180\n do_new_mount+0x1a3/0x2d0\n path_mount+0x6dd/0x730\n do_mount+0x99/0xe0\n __do_sys_mount+0x141/0x180\n do_syscall_64+0x9f/0x100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n Freed by task 9475:\n kfree+0x212/0x290\n handle_one_map+0x23c/0x3b0\n ceph_osdc_handle_map+0x3c9/0x590\n mon_dispatch+0x655/0x6f0\n ceph_con_process_message+0xc3/0xe0\n ceph_con_v1_try_read+0x614/0x760\n ceph_con_workfn+0x2de/0x650\n process_one_work+0x486/0x7c0\n process_scheduled_works+0x73/0x90\n worker_thread+0x1c8/0x2a0\n kthread+0x2ec/0x300\n ret_from_fork+0x24/0x40\n ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient-\u003emonc.mutex and client-\u003eosdc.lock taken as appropriate. While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client-\u003eauth_err under client-\u003emonc.mutex to match\nhow it\u0027s set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:50.454Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c"
},
{
"url": "https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f"
},
{
"url": "https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e"
},
{
"url": "https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092"
},
{
"url": "https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb"
},
{
"url": "https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683"
},
{
"url": "https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e"
}
],
"title": "libceph: fix potential use-after-free in have_mon_and_osd_map()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68285",
"datePublished": "2025-12-16T15:06:07.078Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2026-01-02T15:34:50.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71112 (GCVE-0-2025-71112)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
net: hns3: add VLAN id validation before using
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: add VLAN id validation before using
Currently, the VLAN id may be used without validation when
receive a VLAN configuration mailbox from VF. The length of
vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause
out-of-bounds memory access once the VLAN id is bigger than
or equal to VLAN_N_VID.
Therefore, VLAN id needs to be checked to ensure it is within
the range of VLAN_N_VID.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8
(git)
Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 42c91dfa772c57de141e5a55a187ac760c0fd7e1 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 00e56a7706e10b3d00a258d81fcb85a7e96372d6 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < b7b4f3bf118f51b67691a55b464f04452e5dc6fc (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 95cca255a7a5ad782639ff0298c2a486707d1046 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 91a51d01be5c9f82c12c2921ca5cceaa31b67128 (git) Affected: fe4144d47eef8453459c53a34e9d5940a3e6c219 , < 6ef935e65902bfed53980ad2754b06a284ea8ac1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "42c91dfa772c57de141e5a55a187ac760c0fd7e1",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "00e56a7706e10b3d00a258d81fcb85a7e96372d6",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "b7b4f3bf118f51b67691a55b464f04452e5dc6fc",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "95cca255a7a5ad782639ff0298c2a486707d1046",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "91a51d01be5c9f82c12c2921ca5cceaa31b67128",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
},
{
"lessThan": "6ef935e65902bfed53980ad2754b06a284ea8ac1",
"status": "affected",
"version": "fe4144d47eef8453459c53a34e9d5940a3e6c219",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add VLAN id validation before using\n\nCurrently, the VLAN id may be used without validation when\nreceive a VLAN configuration mailbox from VF. The length of\nvlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause\nout-of-bounds memory access once the VLAN id is bigger than\nor equal to VLAN_N_VID.\n\nTherefore, VLAN id needs to be checked to ensure it is within\nthe range of VLAN_N_VID."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:06.680Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8"
},
{
"url": "https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1"
},
{
"url": "https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6"
},
{
"url": "https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc"
},
{
"url": "https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046"
},
{
"url": "https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128"
},
{
"url": "https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1"
}
],
"title": "net: hns3: add VLAN id validation before using",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71112",
"datePublished": "2026-01-14T15:05:59.308Z",
"dateReserved": "2026-01-13T15:30:19.653Z",
"dateUpdated": "2026-02-09T08:35:06.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21766 (GCVE-0-2025-21766)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 19:37
VLAI?
EPSS
Title
ipv4: use RCU protection in __ip_rt_update_pmtu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: use RCU protection in __ip_rt_update_pmtu()
__ip_rt_update_pmtu() must use RCU protection to make
sure the net structure it reads does not disappear.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < ce3c6165fce0f06305c806696882a3ad4b90e33f
(git)
Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < ea07480b23225942208f1b754fea1e7ec486d37e (git) Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < 9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4 (git) Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < 4583748b65dee4d61bd50a2214715b4237bc152a (git) Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < a39f61d212d822b3062d7f70fa0588e50e55664e (git) Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < 139512191bd06f1b496117c76372b2ce372c9a41 (git) Affected: f415c264176e6095e9dee823e09c5bdd0ee0d337 (git) Affected: 98776a365da509ad923083ae54b38ee521c52742 (git) Affected: 860e2cc78c697c95bc749abb20047239fa1722ea (git) Affected: 2b1be6c925cdf4638811765a9160796291494b89 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:21.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce3c6165fce0f06305c806696882a3ad4b90e33f",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "ea07480b23225942208f1b754fea1e7ec486d37e",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "4583748b65dee4d61bd50a2214715b4237bc152a",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "a39f61d212d822b3062d7f70fa0588e50e55664e",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"lessThan": "139512191bd06f1b496117c76372b2ce372c9a41",
"status": "affected",
"version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
"versionType": "git"
},
{
"status": "affected",
"version": "f415c264176e6095e9dee823e09c5bdd0ee0d337",
"versionType": "git"
},
{
"status": "affected",
"version": "98776a365da509ad923083ae54b38ee521c52742",
"versionType": "git"
},
{
"status": "affected",
"version": "860e2cc78c697c95bc749abb20047239fa1722ea",
"versionType": "git"
},
{
"status": "affected",
"version": "2b1be6c925cdf4638811765a9160796291494b89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.200",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: use RCU protection in __ip_rt_update_pmtu()\n\n__ip_rt_update_pmtu() must use RCU protection to make\nsure the net structure it reads does not disappear."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:06:29.555Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce3c6165fce0f06305c806696882a3ad4b90e33f"
},
{
"url": "https://git.kernel.org/stable/c/ea07480b23225942208f1b754fea1e7ec486d37e"
},
{
"url": "https://git.kernel.org/stable/c/9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4"
},
{
"url": "https://git.kernel.org/stable/c/4583748b65dee4d61bd50a2214715b4237bc152a"
},
{
"url": "https://git.kernel.org/stable/c/a39f61d212d822b3062d7f70fa0588e50e55664e"
},
{
"url": "https://git.kernel.org/stable/c/139512191bd06f1b496117c76372b2ce372c9a41"
}
],
"title": "ipv4: use RCU protection in __ip_rt_update_pmtu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21766",
"datePublished": "2025-02-27T02:18:16.570Z",
"dateReserved": "2024-12-29T08:45:45.762Z",
"dateUpdated": "2025-11-03T19:37:21.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49604 (GCVE-0-2022-49604)
Vulnerability from cvelistv5 – Published: 2025-02-26 02:23 – Updated: 2025-10-01 19:36
VLAI?
EPSS
Title
ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
While reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Severity ?
4.7 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < eb15262128b793e4b1d1c4514d3e6d19c3959764
(git)
Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < 7828309df0f89419a9349761a37c7d1b0da45697 (git) Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < b96ed5ccb09ae71103023ed13acefb194f609794 (git) Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < 93fbc06da1d819f3981a7bd7928c3641ea67b364 (git) Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < e364b5f6ffbfc457a997ad09a7baa16c19581edc (git) Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < 60c158dc7b1f0558f6cadd5b50d0386da0000d50 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:35:08.137133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:51.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb15262128b793e4b1d1c4514d3e6d19c3959764",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "7828309df0f89419a9349761a37c7d1b0da45697",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "b96ed5ccb09ae71103023ed13acefb194f609794",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "93fbc06da1d819f3981a7bd7928c3641ea67b364",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "e364b5f6ffbfc457a997ad09a7baa16c19581edc",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "60c158dc7b1f0558f6cadd5b50d0386da0000d50",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.254",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix data-races around sysctl_ip_fwd_use_pmtu.\n\nWhile reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:36.879Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb15262128b793e4b1d1c4514d3e6d19c3959764"
},
{
"url": "https://git.kernel.org/stable/c/7828309df0f89419a9349761a37c7d1b0da45697"
},
{
"url": "https://git.kernel.org/stable/c/b96ed5ccb09ae71103023ed13acefb194f609794"
},
{
"url": "https://git.kernel.org/stable/c/93fbc06da1d819f3981a7bd7928c3641ea67b364"
},
{
"url": "https://git.kernel.org/stable/c/e364b5f6ffbfc457a997ad09a7baa16c19581edc"
},
{
"url": "https://git.kernel.org/stable/c/60c158dc7b1f0558f6cadd5b50d0386da0000d50"
}
],
"title": "ip: Fix data-races around sysctl_ip_fwd_use_pmtu.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49604",
"datePublished": "2025-02-26T02:23:30.387Z",
"dateReserved": "2025-02-26T02:21:30.416Z",
"dateUpdated": "2025-10-01T19:36:51.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21760 (GCVE-0-2025-21760)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 19:37
VLAI?
EPSS
Title
ndisc: extend RCU protection in ndisc_send_skb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ndisc: extend RCU protection in ndisc_send_skb()
ndisc_send_skb() can be called without RTNL or RCU held.
Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu()
and avoid a potential UAF.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1762f7e88eb34f653b4a915be99a102e347dd45e , < 10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1
(git)
Affected: 1762f7e88eb34f653b4a915be99a102e347dd45e , < 4d576202b90b1b95a7c428a80b536f91b8201bcc (git) Affected: 1762f7e88eb34f653b4a915be99a102e347dd45e , < e24d225e4cb8cf108bde00b76594499b98f0a74d (git) Affected: 1762f7e88eb34f653b4a915be99a102e347dd45e , < a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d (git) Affected: 1762f7e88eb34f653b4a915be99a102e347dd45e , < ae38982f521621c216fc2f5182cd091f4734641d (git) Affected: 1762f7e88eb34f653b4a915be99a102e347dd45e , < 789230e5a8c1097301afc802e242c79bc8835c67 (git) Affected: 1762f7e88eb34f653b4a915be99a102e347dd45e , < 04e05112f10354ffc3bb6cc796d553bab161594c (git) Affected: 1762f7e88eb34f653b4a915be99a102e347dd45e , < ed6ae1f325d3c43966ec1b62ac1459e2b8e45640 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:40.416234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:05.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "4d576202b90b1b95a7c428a80b536f91b8201bcc",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "e24d225e4cb8cf108bde00b76594499b98f0a74d",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "ae38982f521621c216fc2f5182cd091f4734641d",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "789230e5a8c1097301afc802e242c79bc8835c67",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "04e05112f10354ffc3bb6cc796d553bab161594c",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
},
{
"lessThan": "ed6ae1f325d3c43966ec1b62ac1459e2b8e45640",
"status": "affected",
"version": "1762f7e88eb34f653b4a915be99a102e347dd45e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: extend RCU protection in ndisc_send_skb()\n\nndisc_send_skb() can be called without RTNL or RCU held.\n\nAcquire rcu_read_lock() earlier, so that we can use dev_net_rcu()\nand avoid a potential UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:32.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10a1f3fece2f0d23a3a618b72b2b4e6f408ef7d1"
},
{
"url": "https://git.kernel.org/stable/c/4d576202b90b1b95a7c428a80b536f91b8201bcc"
},
{
"url": "https://git.kernel.org/stable/c/e24d225e4cb8cf108bde00b76594499b98f0a74d"
},
{
"url": "https://git.kernel.org/stable/c/a9319d800b5701e7f5e3fa71a5b7c4831fc20d6d"
},
{
"url": "https://git.kernel.org/stable/c/ae38982f521621c216fc2f5182cd091f4734641d"
},
{
"url": "https://git.kernel.org/stable/c/789230e5a8c1097301afc802e242c79bc8835c67"
},
{
"url": "https://git.kernel.org/stable/c/04e05112f10354ffc3bb6cc796d553bab161594c"
},
{
"url": "https://git.kernel.org/stable/c/ed6ae1f325d3c43966ec1b62ac1459e2b8e45640"
}
],
"title": "ndisc: extend RCU protection in ndisc_send_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21760",
"datePublished": "2025-02-27T02:18:13.496Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:05.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40139 (GCVE-0-2025-40139)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
smc_clc_prfx_set() is called during connect() and not under RCU
nor RTNL.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()
after kernel_getsockname().
Note that the returned value of smc_clc_prfx_set() is not used
in the caller.
While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()
not to touch dst there.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0736993bfe5c7a9c744ae3fac62d769dfdae54e1",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
},
{
"lessThan": "935d783e5de9b64587f3adb25641dd8385e64ddb",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().\n\nsmc_clc_prfx_set() is called during connect() and not under RCU\nnor RTNL.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()\nafter kernel_getsockname().\n\nNote that the returned value of smc_clc_prfx_set() is not used\nin the caller.\n\nWhile at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()\nnot to touch dst there."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:47.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0736993bfe5c7a9c744ae3fac62d769dfdae54e1"
},
{
"url": "https://git.kernel.org/stable/c/935d783e5de9b64587f3adb25641dd8385e64ddb"
}
],
"title": "smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40139",
"datePublished": "2025-11-12T10:23:24.216Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:47.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40129 (GCVE-0-2025-40129)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
sunrpc: fix null pointer dereference on zero-length checksum
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix null pointer dereference on zero-length checksum
In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes
checksum.data to be set to NULL. This triggers a NPD when accessing
checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that
the value of checksum.len is not less than XDR_UNIT.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0653028e8f1c97fec30710813a001ad8a2ec34f4 , < 81cec07d303186d0d8c623ef8b5ecd3b81e94cf6
(git)
Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < affc03d44921f493deaae1d33151e3067a6f9f8f (git) Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < ab9a70cd2386a0d70c164b0905dd66bc9af52e77 (git) Affected: 0653028e8f1c97fec30710813a001ad8a2ec34f4 , < 6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81cec07d303186d0d8c623ef8b5ecd3b81e94cf6",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "affc03d44921f493deaae1d33151e3067a6f9f8f",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "ab9a70cd2386a0d70c164b0905dd66bc9af52e77",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
},
{
"lessThan": "6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42",
"status": "affected",
"version": "0653028e8f1c97fec30710813a001ad8a2ec34f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix null pointer dereference on zero-length checksum\n\nIn xdr_stream_decode_opaque_auth(), zero-length checksum.len causes\nchecksum.data to be set to NULL. This triggers a NPD when accessing\nchecksum.data in gss_krb5_verify_mic_v2(). This patch ensures that\nthe value of checksum.len is not less than XDR_UNIT."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:34.691Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81cec07d303186d0d8c623ef8b5ecd3b81e94cf6"
},
{
"url": "https://git.kernel.org/stable/c/affc03d44921f493deaae1d33151e3067a6f9f8f"
},
{
"url": "https://git.kernel.org/stable/c/ab9a70cd2386a0d70c164b0905dd66bc9af52e77"
},
{
"url": "https://git.kernel.org/stable/c/6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42"
}
],
"title": "sunrpc: fix null pointer dereference on zero-length checksum",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40129",
"datePublished": "2025-11-12T10:23:21.327Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2025-12-01T06:18:34.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21764 (GCVE-0-2025-21764)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 19:37
VLAI?
EPSS
Title
ndisc: use RCU protection in ndisc_alloc_skb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ndisc: use RCU protection in ndisc_alloc_skb()
ndisc_alloc_skb() can be called without RTNL or RCU being held.
Add RCU protection to avoid possible UAF.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
de09334b9326632bbf1a74bfd8b01866cbbf2f61 , < 96fc896d0e5b37c12808df797397fb16f3080879
(git)
Affected: de09334b9326632bbf1a74bfd8b01866cbbf2f61 , < c30893ef3d9cde8e7e8e4fd06b53d2c935bbccb1 (git) Affected: de09334b9326632bbf1a74bfd8b01866cbbf2f61 , < b870256dd2a5648d5ed2f22316b3ac29a7e5ed63 (git) Affected: de09334b9326632bbf1a74bfd8b01866cbbf2f61 , < 3c2d705f5adf5d860aaef90cb4211c0fde2ba66d (git) Affected: de09334b9326632bbf1a74bfd8b01866cbbf2f61 , < 9e0ec817eb41a55327a46cd3ce331a9868d60304 (git) Affected: de09334b9326632bbf1a74bfd8b01866cbbf2f61 , < bbec88e4108e8d6fb468d3817fa652140a44ff28 (git) Affected: de09334b9326632bbf1a74bfd8b01866cbbf2f61 , < cd1065f92eb7ff21b9ba5308a86f33d1670bf926 (git) Affected: de09334b9326632bbf1a74bfd8b01866cbbf2f61 , < 628e6d18930bbd21f2d4562228afe27694f66da9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:20.278381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:26.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:17.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96fc896d0e5b37c12808df797397fb16f3080879",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "c30893ef3d9cde8e7e8e4fd06b53d2c935bbccb1",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "b870256dd2a5648d5ed2f22316b3ac29a7e5ed63",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "3c2d705f5adf5d860aaef90cb4211c0fde2ba66d",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "9e0ec817eb41a55327a46cd3ce331a9868d60304",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "bbec88e4108e8d6fb468d3817fa652140a44ff28",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "cd1065f92eb7ff21b9ba5308a86f33d1670bf926",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
},
{
"lessThan": "628e6d18930bbd21f2d4562228afe27694f66da9",
"status": "affected",
"version": "de09334b9326632bbf1a74bfd8b01866cbbf2f61",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ndisc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: use RCU protection in ndisc_alloc_skb()\n\nndisc_alloc_skb() can be called without RTNL or RCU being held.\n\nAdd RCU protection to avoid possible UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:20:36.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96fc896d0e5b37c12808df797397fb16f3080879"
},
{
"url": "https://git.kernel.org/stable/c/c30893ef3d9cde8e7e8e4fd06b53d2c935bbccb1"
},
{
"url": "https://git.kernel.org/stable/c/b870256dd2a5648d5ed2f22316b3ac29a7e5ed63"
},
{
"url": "https://git.kernel.org/stable/c/3c2d705f5adf5d860aaef90cb4211c0fde2ba66d"
},
{
"url": "https://git.kernel.org/stable/c/9e0ec817eb41a55327a46cd3ce331a9868d60304"
},
{
"url": "https://git.kernel.org/stable/c/bbec88e4108e8d6fb468d3817fa652140a44ff28"
},
{
"url": "https://git.kernel.org/stable/c/cd1065f92eb7ff21b9ba5308a86f33d1670bf926"
},
{
"url": "https://git.kernel.org/stable/c/628e6d18930bbd21f2d4562228afe27694f66da9"
}
],
"title": "ndisc: use RCU protection in ndisc_alloc_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21764",
"datePublished": "2025-02-27T02:18:15.598Z",
"dateReserved": "2024-12-29T08:45:45.761Z",
"dateUpdated": "2025-11-03T19:37:17.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38159 (GCVE-0-2025-38159)
Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2025-11-03 17:34
VLAI?
EPSS
Title
wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds
Set the size to 6 instead of 2, since 'para' array is passed to
'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads
5 bytes:
void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
{
...
SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
...
SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));
Detected using the static analysis tool - Svace.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4136214f7c46839c15f0f177fe1d5052302c0205 , < 1ee8ea6937d13b20f90ff35d71ccc03ba448182d
(git)
Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 68a1037f0bac4de9a585aa9c879ef886109f3647 (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 74e18211c2c89ab66c9546baa7408288db61aa0d (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < c13255389499275bc5489a0b5b7940ccea3aef04 (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 9febcc8bded8be0d7efd8237fcef599b6d93b788 (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 4c2c372de2e108319236203cce6de44d70ae15cd (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:34:48.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw88/coex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1ee8ea6937d13b20f90ff35d71ccc03ba448182d",
"status": "affected",
"version": "4136214f7c46839c15f0f177fe1d5052302c0205",
"versionType": "git"
},
{
"lessThan": "68a1037f0bac4de9a585aa9c879ef886109f3647",
"status": "affected",
"version": "4136214f7c46839c15f0f177fe1d5052302c0205",
"versionType": "git"
},
{
"lessThan": "74e18211c2c89ab66c9546baa7408288db61aa0d",
"status": "affected",
"version": "4136214f7c46839c15f0f177fe1d5052302c0205",
"versionType": "git"
},
{
"lessThan": "c13255389499275bc5489a0b5b7940ccea3aef04",
"status": "affected",
"version": "4136214f7c46839c15f0f177fe1d5052302c0205",
"versionType": "git"
},
{
"lessThan": "9febcc8bded8be0d7efd8237fcef599b6d93b788",
"status": "affected",
"version": "4136214f7c46839c15f0f177fe1d5052302c0205",
"versionType": "git"
},
{
"lessThan": "4c2c372de2e108319236203cce6de44d70ae15cd",
"status": "affected",
"version": "4136214f7c46839c15f0f177fe1d5052302c0205",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw88/coex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds\n\nSet the size to 6 instead of 2, since \u0027para\u0027 array is passed to\n\u0027rtw_fw_bt_wifi_control(rtwdev, para[0], \u0026para[1])\u0027, which reads\n5 bytes:\n\nvoid rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)\n{\n ...\n SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);\n SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));\n ...\n SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));\n\nDetected using the static analysis tool - Svace."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:13:51.003Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1ee8ea6937d13b20f90ff35d71ccc03ba448182d"
},
{
"url": "https://git.kernel.org/stable/c/68a1037f0bac4de9a585aa9c879ef886109f3647"
},
{
"url": "https://git.kernel.org/stable/c/74e18211c2c89ab66c9546baa7408288db61aa0d"
},
{
"url": "https://git.kernel.org/stable/c/c13255389499275bc5489a0b5b7940ccea3aef04"
},
{
"url": "https://git.kernel.org/stable/c/9febcc8bded8be0d7efd8237fcef599b6d93b788"
},
{
"url": "https://git.kernel.org/stable/c/4c2c372de2e108319236203cce6de44d70ae15cd"
}
],
"title": "wifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38159",
"datePublished": "2025-07-03T08:36:01.490Z",
"dateReserved": "2025-04-16T04:51:23.990Z",
"dateUpdated": "2025-11-03T17:34:48.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-54031 (GCVE-0-2024-54031)
Vulnerability from cvelistv5 – Published: 2025-01-15 13:10 – Updated: 2025-11-03 20:48
VLAI?
EPSS
Title
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Access to genmask field in struct nft_set_ext results in unaligned
atomic read:
[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
[ 72.131036] Mem abort info:
[ 72.131213] ESR = 0x0000000096000021
[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits
[ 72.132209] SET = 0, FnV = 0
[ 72.133216] EA = 0, S1PTW = 0
[ 72.134080] FSC = 0x21: alignment fault
[ 72.135593] Data abort info:
[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,
+pte=0068000102bb7707
[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
[...]
[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2
[ 72.170509] Tainted: [E]=UNSIGNED_MODULE
[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
[ 72.172546] sp : ffff800081f2bce0
[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
[ 72.176207] Call trace:
[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
[ 72.176653] process_one_work+0x178/0x3d0
[ 72.176831] worker_thread+0x200/0x3f0
[ 72.176995] kthread+0xe8/0xf8
[ 72.177130] ret_from_fork+0x10/0x20
[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
[ 72.177557] ---[ end trace 0000000000000000 ]---
Align struct nft_set_ext to word size to address this and
documentation it.
pahole reports that this increases the size of elements for rhash and
pipapo in 8 bytes on x86_64.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98d62cf0e26305dd6a1932a4054004290f4194bb , < 352f8eaaabd008f09d1e176194edc261a7304084
(git)
Affected: e21855091f11df80d41239dbc5f8545b772c657d , < 6a14b46052eeb83175a95baf399283860b9d94c4 (git) Affected: 59a59da8de47848575eedc141a74aae57696706d , < 277f00b0c2dca8794cf4837722960bdc4174911f (git) Affected: 23a6919bb3ecf6787f060476ee6810ad55ebf9c8 , < 607774a13764676d4b8be9c8b9c66b8cf3469043 (git) Affected: 86c27603514cb8ead29857365cdd145404ee9706 , < 4f49349c1963e507aa37c1ec05178faeb0103959 (git) Affected: be4d0ac67d92e6a285cd3eeb672188d249c121b2 , < d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0 (git) Affected: 7ffc7481153bbabf3332c6a19b289730c7e1edf5 , < 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:48:29.554Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "352f8eaaabd008f09d1e176194edc261a7304084",
"status": "affected",
"version": "98d62cf0e26305dd6a1932a4054004290f4194bb",
"versionType": "git"
},
{
"lessThan": "6a14b46052eeb83175a95baf399283860b9d94c4",
"status": "affected",
"version": "e21855091f11df80d41239dbc5f8545b772c657d",
"versionType": "git"
},
{
"lessThan": "277f00b0c2dca8794cf4837722960bdc4174911f",
"status": "affected",
"version": "59a59da8de47848575eedc141a74aae57696706d",
"versionType": "git"
},
{
"lessThan": "607774a13764676d4b8be9c8b9c66b8cf3469043",
"status": "affected",
"version": "23a6919bb3ecf6787f060476ee6810ad55ebf9c8",
"versionType": "git"
},
{
"lessThan": "4f49349c1963e507aa37c1ec05178faeb0103959",
"status": "affected",
"version": "86c27603514cb8ead29857365cdd145404ee9706",
"versionType": "git"
},
{
"lessThan": "d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0",
"status": "affected",
"version": "be4d0ac67d92e6a285cd3eeb672188d249c121b2",
"versionType": "git"
},
{
"lessThan": "542ed8145e6f9392e3d0a86a0e9027d2ffd183e4",
"status": "affected",
"version": "7ffc7481153bbabf3332c6a19b289730c7e1edf5",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.4.289",
"status": "affected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThan": "5.10.233",
"status": "affected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThan": "5.15.176",
"status": "affected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThan": "6.1.124",
"status": "affected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThan": "6.6.70",
"status": "affected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThan": "6.12.9",
"status": "affected",
"version": "6.12.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.289",
"versionStartIncluding": "5.4.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.233",
"versionStartIncluding": "5.10.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"versionStartIncluding": "5.15.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.124",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.70",
"versionStartIncluding": "6.6.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.9",
"versionStartIncluding": "6.12.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext\n\nAccess to genmask field in struct nft_set_ext results in unaligned\natomic read:\n\n[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c\n[ 72.131036] Mem abort info:\n[ 72.131213] ESR = 0x0000000096000021\n[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 72.132209] SET = 0, FnV = 0\n[ 72.133216] EA = 0, S1PTW = 0\n[ 72.134080] FSC = 0x21: alignment fault\n[ 72.135593] Data abort info:\n[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000\n[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000\n[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,\n+pte=0068000102bb7707\n[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP\n[...]\n[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2\n[ 72.170509] Tainted: [E]=UNSIGNED_MODULE\n[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023\n[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]\n[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]\n[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]\n[ 72.172546] sp : ffff800081f2bce0\n[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038\n[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78\n[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78\n[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000\n[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978\n[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0\n[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000\n[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000\n[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000\n[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004\n[ 72.176207] Call trace:\n[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)\n[ 72.176653] process_one_work+0x178/0x3d0\n[ 72.176831] worker_thread+0x200/0x3f0\n[ 72.176995] kthread+0xe8/0xf8\n[ 72.177130] ret_from_fork+0x10/0x20\n[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)\n[ 72.177557] ---[ end trace 0000000000000000 ]---\n\nAlign struct nft_set_ext to word size to address this and\ndocumentation it.\n\npahole reports that this increases the size of elements for rhash and\npipapo in 8 bytes on x86_64."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:56:59.169Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/352f8eaaabd008f09d1e176194edc261a7304084"
},
{
"url": "https://git.kernel.org/stable/c/6a14b46052eeb83175a95baf399283860b9d94c4"
},
{
"url": "https://git.kernel.org/stable/c/277f00b0c2dca8794cf4837722960bdc4174911f"
},
{
"url": "https://git.kernel.org/stable/c/607774a13764676d4b8be9c8b9c66b8cf3469043"
},
{
"url": "https://git.kernel.org/stable/c/4f49349c1963e507aa37c1ec05178faeb0103959"
},
{
"url": "https://git.kernel.org/stable/c/d24cbc43cc7b41a0824b0bc6ec4d8436d8d7a9c0"
},
{
"url": "https://git.kernel.org/stable/c/542ed8145e6f9392e3d0a86a0e9027d2ffd183e4"
}
],
"title": "netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-54031",
"datePublished": "2025-01-15T13:10:23.140Z",
"dateReserved": "2025-01-15T13:08:59.769Z",
"dateUpdated": "2025-11-03T20:48:29.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53321 (GCVE-0-2023-53321)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-01-14 18:32
VLAI?
EPSS
Title
wifi: mac80211_hwsim: drop short frames
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211_hwsim: drop short frames
While technically some control frames like ACK are shorter and
end after Address 1, such frames shouldn't be forwarded through
wmediumd or similar userspace, so require the full 3-address
header to avoid accessing invalid memory if shorter frames are
passed in.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
05d610af3e71a782fa28a1351b687da982d208ee , < 3beb97bed860d95b14ad23578ce8ddaea62023db
(git)
Affected: 05d610af3e71a782fa28a1351b687da982d208ee , < 672205c6f2d11978fcd7f0f336bb2c708e28874b (git) Affected: 05d610af3e71a782fa28a1351b687da982d208ee , < c64ee9dd335832d5e2ab0a8fc83a34ad4c729799 (git) Affected: 05d610af3e71a782fa28a1351b687da982d208ee , < b9a175e3b250b0dc6e152988040aa5014e98e61e (git) Affected: 05d610af3e71a782fa28a1351b687da982d208ee , < 89a41ed7f21476301659ebd25ccb48a60791c1a7 (git) Affected: 05d610af3e71a782fa28a1351b687da982d208ee , < fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:27:28.261822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:32:58.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/virtual/mac80211_hwsim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3beb97bed860d95b14ad23578ce8ddaea62023db",
"status": "affected",
"version": "05d610af3e71a782fa28a1351b687da982d208ee",
"versionType": "git"
},
{
"lessThan": "672205c6f2d11978fcd7f0f336bb2c708e28874b",
"status": "affected",
"version": "05d610af3e71a782fa28a1351b687da982d208ee",
"versionType": "git"
},
{
"lessThan": "c64ee9dd335832d5e2ab0a8fc83a34ad4c729799",
"status": "affected",
"version": "05d610af3e71a782fa28a1351b687da982d208ee",
"versionType": "git"
},
{
"lessThan": "b9a175e3b250b0dc6e152988040aa5014e98e61e",
"status": "affected",
"version": "05d610af3e71a782fa28a1351b687da982d208ee",
"versionType": "git"
},
{
"lessThan": "89a41ed7f21476301659ebd25ccb48a60791c1a7",
"status": "affected",
"version": "05d610af3e71a782fa28a1351b687da982d208ee",
"versionType": "git"
},
{
"lessThan": "fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6",
"status": "affected",
"version": "05d610af3e71a782fa28a1351b687da982d208ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/virtual/mac80211_hwsim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211_hwsim: drop short frames\n\nWhile technically some control frames like ACK are shorter and\nend after Address 1, such frames shouldn\u0027t be forwarded through\nwmediumd or similar userspace, so require the full 3-address\nheader to avoid accessing invalid memory if shorter frames are\npassed in."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:19:26.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3beb97bed860d95b14ad23578ce8ddaea62023db"
},
{
"url": "https://git.kernel.org/stable/c/672205c6f2d11978fcd7f0f336bb2c708e28874b"
},
{
"url": "https://git.kernel.org/stable/c/c64ee9dd335832d5e2ab0a8fc83a34ad4c729799"
},
{
"url": "https://git.kernel.org/stable/c/b9a175e3b250b0dc6e152988040aa5014e98e61e"
},
{
"url": "https://git.kernel.org/stable/c/89a41ed7f21476301659ebd25ccb48a60791c1a7"
},
{
"url": "https://git.kernel.org/stable/c/fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6"
}
],
"title": "wifi: mac80211_hwsim: drop short frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53321",
"datePublished": "2025-09-16T16:11:57.206Z",
"dateReserved": "2025-09-16T16:08:59.563Z",
"dateUpdated": "2026-01-14T18:32:58.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53418 (GCVE-0-2023-53418)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:58 – Updated: 2026-01-14 19:13
VLAI?
EPSS
Title
USB: gadget: lpc32xx_udc: fix memory leak with using debugfs_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: lpc32xx_udc: fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic
at once.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e3d59eff47b8cc385acae9d7fb1c787857023376 , < 036ada6ca9eea926abc0b0ef550b10488d66d4d8
(git)
Affected: e3d59eff47b8cc385acae9d7fb1c787857023376 , < 7a5fdd8660174a8056de57d1fdce3a7e9f77f60e (git) Affected: e3d59eff47b8cc385acae9d7fb1c787857023376 , < 72c25eb9ae4993ccac4821354ff34eb1f32e4781 (git) Affected: e3d59eff47b8cc385acae9d7fb1c787857023376 , < e3965acaf3739fde9d74ad82979b46d37c6c208f (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:06:20.866271Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:07.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/lpc32xx_udc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "036ada6ca9eea926abc0b0ef550b10488d66d4d8",
"status": "affected",
"version": "e3d59eff47b8cc385acae9d7fb1c787857023376",
"versionType": "git"
},
{
"lessThan": "7a5fdd8660174a8056de57d1fdce3a7e9f77f60e",
"status": "affected",
"version": "e3d59eff47b8cc385acae9d7fb1c787857023376",
"versionType": "git"
},
{
"lessThan": "72c25eb9ae4993ccac4821354ff34eb1f32e4781",
"status": "affected",
"version": "e3d59eff47b8cc385acae9d7fb1c787857023376",
"versionType": "git"
},
{
"lessThan": "e3965acaf3739fde9d74ad82979b46d37c6c208f",
"status": "affected",
"version": "e3d59eff47b8cc385acae9d7fb1c787857023376",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/lpc32xx_udc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: lpc32xx_udc: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:20:08.781Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/036ada6ca9eea926abc0b0ef550b10488d66d4d8"
},
{
"url": "https://git.kernel.org/stable/c/7a5fdd8660174a8056de57d1fdce3a7e9f77f60e"
},
{
"url": "https://git.kernel.org/stable/c/72c25eb9ae4993ccac4821354ff34eb1f32e4781"
},
{
"url": "https://git.kernel.org/stable/c/e3965acaf3739fde9d74ad82979b46d37c6c208f"
}
],
"title": "USB: gadget: lpc32xx_udc: fix memory leak with using debugfs_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53418",
"datePublished": "2025-09-18T13:58:54.007Z",
"dateReserved": "2025-09-17T14:54:09.741Z",
"dateUpdated": "2026-01-14T19:13:07.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53412 (GCVE-0-2023-53412)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:58 – Updated: 2026-01-14 19:13
VLAI?
EPSS
Title
USB: gadget: bcm63xx_udc: fix memory leak with using debugfs_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: bcm63xx_udc: fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic
at once.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0cac357717168f84d2f75e884a9cff52e6471aaa , < b0a2663ecbe8f65cd3bab2b34dd90156ceb0dbb8
(git)
Affected: 0cac357717168f84d2f75e884a9cff52e6471aaa , < 31de0b70ae5661a407e9d578bbc41de2d83ac25d (git) Affected: 0cac357717168f84d2f75e884a9cff52e6471aaa , < f30c7046dfa2748520a8045bb43ed2fbca0373b5 (git) Affected: 0cac357717168f84d2f75e884a9cff52e6471aaa , < a91c99b1fe5c6f7e52fb932ad9e57ec7cfe913ec (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:04:40.362123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:06.625Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/bcm63xx_udc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b0a2663ecbe8f65cd3bab2b34dd90156ceb0dbb8",
"status": "affected",
"version": "0cac357717168f84d2f75e884a9cff52e6471aaa",
"versionType": "git"
},
{
"lessThan": "31de0b70ae5661a407e9d578bbc41de2d83ac25d",
"status": "affected",
"version": "0cac357717168f84d2f75e884a9cff52e6471aaa",
"versionType": "git"
},
{
"lessThan": "f30c7046dfa2748520a8045bb43ed2fbca0373b5",
"status": "affected",
"version": "0cac357717168f84d2f75e884a9cff52e6471aaa",
"versionType": "git"
},
{
"lessThan": "a91c99b1fe5c6f7e52fb932ad9e57ec7cfe913ec",
"status": "affected",
"version": "0cac357717168f84d2f75e884a9cff52e6471aaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/bcm63xx_udc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: bcm63xx_udc: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:19:58.884Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b0a2663ecbe8f65cd3bab2b34dd90156ceb0dbb8"
},
{
"url": "https://git.kernel.org/stable/c/31de0b70ae5661a407e9d578bbc41de2d83ac25d"
},
{
"url": "https://git.kernel.org/stable/c/f30c7046dfa2748520a8045bb43ed2fbca0373b5"
},
{
"url": "https://git.kernel.org/stable/c/a91c99b1fe5c6f7e52fb932ad9e57ec7cfe913ec"
}
],
"title": "USB: gadget: bcm63xx_udc: fix memory leak with using debugfs_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53412",
"datePublished": "2025-09-18T13:58:49.646Z",
"dateReserved": "2025-09-17T14:54:09.740Z",
"dateUpdated": "2026-01-14T19:13:06.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71120 (GCVE-0-2025-71120)
Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-02-09 08:35
VLAI?
EPSS
Title
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5866efa8cbfbadf3905072798e96652faf02dbe8 , < a8f1e445ce3545c90d69c9e8ff8f7821825fe810
(git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < f9e53f69ac3bc4ef568b08d3542edac02e83fefd (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 7452d53f293379e2c38cfa8ad0694aa46fc4788b (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < a2c6f25ab98b423f99ccd94874d655b8bcb01a19 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 1c8bb965e9b0559ff0f5690615a527c30f651dd8 (git) Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < d4b69a6186b215d2dc1ebcab965ed88e8d41768d (git) Affected: 66ed7b413d31c6ff23901ac4443b1cc1af2f6113 (git) Affected: 7be8c165dc81564705e8e0b72d398ef708f67eaa (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8f1e445ce3545c90d69c9e8ff8f7821825fe810",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "f9e53f69ac3bc4ef568b08d3542edac02e83fefd",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "7452d53f293379e2c38cfa8ad0694aa46fc4788b",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "a2c6f25ab98b423f99ccd94874d655b8bcb01a19",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "1c8bb965e9b0559ff0f5690615a527c30f651dd8",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"lessThan": "d4b69a6186b215d2dc1ebcab965ed88e8d41768d",
"status": "affected",
"version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
"versionType": "git"
},
{
"status": "affected",
"version": "66ed7b413d31c6ff23901ac4443b1cc1af2f6113",
"versionType": "git"
},
{
"status": "affected",
"version": "7be8c165dc81564705e8e0b72d398ef708f67eaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token-\u003epages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token-\u003epages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length \u003e 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:35:15.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810"
},
{
"url": "https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d"
},
{
"url": "https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd"
},
{
"url": "https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b"
},
{
"url": "https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19"
},
{
"url": "https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8"
},
{
"url": "https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d"
}
],
"title": "SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71120",
"datePublished": "2026-01-14T15:06:07.194Z",
"dateReserved": "2026-01-13T15:30:19.654Z",
"dateUpdated": "2026-02-09T08:35:15.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38563 (GCVE-0-2025-38563)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-11-03 17:39
VLAI?
EPSS
Title
perf/core: Prevent VMA split of buffer mappings
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Prevent VMA split of buffer mappings
The perf mmap code is careful about mmap()'ing the user page with the
ringbuffer and additionally the auxiliary buffer, when the event supports
it. Once the first mapping is established, subsequent mapping have to use
the same offset and the same size in both cases. The reference counting for
the ringbuffer and the auxiliary buffer depends on this being correct.
Though perf does not prevent that a related mapping is split via mmap(2),
munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,
which take reference counts, but then the subsequent perf_mmap_close()
calls are not longer fulfilling the offset and size checks. This leads to
reference count leaks.
As perf already has the requirement for subsequent mappings to match the
initial mapping, the obvious consequence is that VMA splits, caused by
resizing of a mapping or partial unmapping, have to be prevented.
Implement the vm_operations_struct::may_split() callback and return
unconditionally -EINVAL.
That ensures that the mapping offsets and sizes cannot be changed after the
fact. Remapping to a different fixed address with the same size is still
possible as it takes the references for the new mapping and drops those of
the old mapping.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
45bfb2e50471abbbfd83d40d28c986078b0d24ff , < e4346ffec2c44d6b0be834d59b20632b5bb5729e
(git)
Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < d52451a9210f2e5a079ba052918c93563518a9ff (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 3bd518cc7ea61076bcd725e36ff0e690754977c0 (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 7b84cb58d1f0aa07656802eae24689566e5f5b1b (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 6757a31a8e295ae4f01717a954afda173f25a121 (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < e529888b7e8092912dd8789bdfc76685ccd2ff5f (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < ff668930871e0198c7f4e325058b8b7c286787bd (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < 65311aad4c808bedad0c05d9bb8b06c47dae73eb (git) Affected: 45bfb2e50471abbbfd83d40d28c986078b0d24ff , < b024d7b56c77191cde544f838debb7f8451cd0d6 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:53.460Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e4346ffec2c44d6b0be834d59b20632b5bb5729e",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "d52451a9210f2e5a079ba052918c93563518a9ff",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "3bd518cc7ea61076bcd725e36ff0e690754977c0",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "7b84cb58d1f0aa07656802eae24689566e5f5b1b",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "6757a31a8e295ae4f01717a954afda173f25a121",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "e529888b7e8092912dd8789bdfc76685ccd2ff5f",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "ff668930871e0198c7f4e325058b8b7c286787bd",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "65311aad4c808bedad0c05d9bb8b06c47dae73eb",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
},
{
"lessThan": "b024d7b56c77191cde544f838debb7f8451cd0d6",
"status": "affected",
"version": "45bfb2e50471abbbfd83d40d28c986078b0d24ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Prevent VMA split of buffer mappings\n\nThe perf mmap code is careful about mmap()\u0027ing the user page with the\nringbuffer and additionally the auxiliary buffer, when the event supports\nit. Once the first mapping is established, subsequent mapping have to use\nthe same offset and the same size in both cases. The reference counting for\nthe ringbuffer and the auxiliary buffer depends on this being correct.\n\nThough perf does not prevent that a related mapping is split via mmap(2),\nmunmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,\nwhich take reference counts, but then the subsequent perf_mmap_close()\ncalls are not longer fulfilling the offset and size checks. This leads to\nreference count leaks.\n\nAs perf already has the requirement for subsequent mappings to match the\ninitial mapping, the obvious consequence is that VMA splits, caused by\nresizing of a mapping or partial unmapping, have to be prevented.\n\nImplement the vm_operations_struct::may_split() callback and return\nunconditionally -EINVAL.\n\nThat ensures that the mapping offsets and sizes cannot be changed after the\nfact. Remapping to a different fixed address with the same size is still\npossible as it takes the references for the new mapping and drops those of\nthe old mapping."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T15:32:41.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e4346ffec2c44d6b0be834d59b20632b5bb5729e"
},
{
"url": "https://git.kernel.org/stable/c/d52451a9210f2e5a079ba052918c93563518a9ff"
},
{
"url": "https://git.kernel.org/stable/c/3bd518cc7ea61076bcd725e36ff0e690754977c0"
},
{
"url": "https://git.kernel.org/stable/c/7b84cb58d1f0aa07656802eae24689566e5f5b1b"
},
{
"url": "https://git.kernel.org/stable/c/6757a31a8e295ae4f01717a954afda173f25a121"
},
{
"url": "https://git.kernel.org/stable/c/e529888b7e8092912dd8789bdfc76685ccd2ff5f"
},
{
"url": "https://git.kernel.org/stable/c/ff668930871e0198c7f4e325058b8b7c286787bd"
},
{
"url": "https://git.kernel.org/stable/c/65311aad4c808bedad0c05d9bb8b06c47dae73eb"
},
{
"url": "https://git.kernel.org/stable/c/b024d7b56c77191cde544f838debb7f8451cd0d6"
},
{
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-873/"
}
],
"title": "perf/core: Prevent VMA split of buffer mappings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38563",
"datePublished": "2025-08-19T17:02:40.249Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-11-03T17:39:53.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50232 (GCVE-0-2022-50232)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:04 – Updated: 2025-10-10 15:46
VLAI?
EPSS
Title
arm64: set UXN on swapper page tables
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: set UXN on swapper page tables
[ This issue was fixed upstream by accident in c3cee924bd85 ("arm64:
head: cover entire kernel image in initial ID map") as part of a
large refactoring of the arm64 boot flow. This simple fix is therefore
preferred for -stable backporting ]
On a system that implements FEAT_EPAN, read/write access to the idmap
is denied because UXN is not set on the swapper PTEs. As a result,
idmap_kpti_install_ng_mappings panics the kernel when accessing
__idmap_kpti_flag. Fix it by setting UXN on these PTEs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/kernel-pgtable.h",
"arch/arm64/kernel/head.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "775871d4be0d75e219cca937af843a4a1b60489a",
"status": "affected",
"version": "18107f8a2df6bf1c6cac8d0713f757f866d5af51",
"versionType": "git"
},
{
"lessThan": "c3cee924bd855184d15bc4aa6088dcf8e2c1394c",
"status": "affected",
"version": "18107f8a2df6bf1c6cac8d0713f757f866d5af51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/kernel-pgtable.h",
"arch/arm64/kernel/head.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.60",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: set UXN on swapper page tables\n\n[ This issue was fixed upstream by accident in c3cee924bd85 (\"arm64:\n head: cover entire kernel image in initial ID map\") as part of a\n large refactoring of the arm64 boot flow. This simple fix is therefore\n preferred for -stable backporting ]\n\nOn a system that implements FEAT_EPAN, read/write access to the idmap\nis denied because UXN is not set on the swapper PTEs. As a result,\nidmap_kpti_install_ng_mappings panics the kernel when accessing\n__idmap_kpti_flag. Fix it by setting UXN on these PTEs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T15:46:07.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/775871d4be0d75e219cca937af843a4a1b60489a"
},
{
"url": "https://git.kernel.org/stable/c/c3cee924bd855184d15bc4aa6088dcf8e2c1394c"
}
],
"title": "arm64: set UXN on swapper page tables",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50232",
"datePublished": "2025-06-18T11:04:07.956Z",
"dateReserved": "2025-06-18T10:57:27.432Z",
"dateUpdated": "2025-10-10T15:46:07.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39742 (GCVE-0-2025-39742)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2026-01-02 15:31
VLAI?
EPSS
Title
RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
The function divides number of online CPUs by num_core_siblings, and
later checks the divider by zero. This implies a possibility to get
and divide-by-zero runtime error. Fix it by moving the check prior to
division. This also helps to save one indentation level.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b094a36f90975373c3a241839869217a65f17d81 , < 9bba1a9994c523b44db64f63b564b4719ea2b7ef
(git)
Affected: b094a36f90975373c3a241839869217a65f17d81 , < 1a7cf828ed861de5be1aff99e10f114b363c19d3 (git) Affected: b094a36f90975373c3a241839869217a65f17d81 , < 9d3211cb61a0773a2440d0a0698c1e6e7429f907 (git) Affected: b094a36f90975373c3a241839869217a65f17d81 , < 4b4317b0d758ff92ba96f4e448a8992a6fe607bf (git) Affected: b094a36f90975373c3a241839869217a65f17d81 , < 89fdac333a17ed990b41565630ef4791782e02f5 (git) Affected: b094a36f90975373c3a241839869217a65f17d81 , < 9b05e91afe948ed819bf87d7ba0fccf451ed79a6 (git) Affected: b094a36f90975373c3a241839869217a65f17d81 , < 31d0599a23efdbfe579bfbd1eb8f8c942f13744d (git) Affected: b094a36f90975373c3a241839869217a65f17d81 , < ac53f377393cc85156afdc90b636e84e544a6f96 (git) Affected: b094a36f90975373c3a241839869217a65f17d81 , < 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:57.252Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/affinity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bba1a9994c523b44db64f63b564b4719ea2b7ef",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "1a7cf828ed861de5be1aff99e10f114b363c19d3",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "9d3211cb61a0773a2440d0a0698c1e6e7429f907",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "4b4317b0d758ff92ba96f4e448a8992a6fe607bf",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "89fdac333a17ed990b41565630ef4791782e02f5",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "9b05e91afe948ed819bf87d7ba0fccf451ed79a6",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "31d0599a23efdbfe579bfbd1eb8f8c942f13744d",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "ac53f377393cc85156afdc90b636e84e544a6f96",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
},
{
"lessThan": "59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a",
"status": "affected",
"version": "b094a36f90975373c3a241839869217a65f17d81",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/affinity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()\n\nThe function divides number of online CPUs by num_core_siblings, and\nlater checks the divider by zero. This implies a possibility to get\nand divide-by-zero runtime error. Fix it by moving the check prior to\ndivision. This also helps to save one indentation level."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:31:53.787Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bba1a9994c523b44db64f63b564b4719ea2b7ef"
},
{
"url": "https://git.kernel.org/stable/c/1a7cf828ed861de5be1aff99e10f114b363c19d3"
},
{
"url": "https://git.kernel.org/stable/c/9d3211cb61a0773a2440d0a0698c1e6e7429f907"
},
{
"url": "https://git.kernel.org/stable/c/4b4317b0d758ff92ba96f4e448a8992a6fe607bf"
},
{
"url": "https://git.kernel.org/stable/c/89fdac333a17ed990b41565630ef4791782e02f5"
},
{
"url": "https://git.kernel.org/stable/c/9b05e91afe948ed819bf87d7ba0fccf451ed79a6"
},
{
"url": "https://git.kernel.org/stable/c/31d0599a23efdbfe579bfbd1eb8f8c942f13744d"
},
{
"url": "https://git.kernel.org/stable/c/ac53f377393cc85156afdc90b636e84e544a6f96"
},
{
"url": "https://git.kernel.org/stable/c/59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a"
}
],
"title": "RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39742",
"datePublished": "2025-09-11T16:52:16.339Z",
"dateReserved": "2025-04-16T07:20:57.120Z",
"dateUpdated": "2026-01-02T15:31:53.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40300 (GCVE-0-2025-40300)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:49 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
x86/vmscape: Add conditional IBPB mitigation
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/vmscape: Add conditional IBPB mitigation
VMSCAPE is a vulnerability that exploits insufficient branch predictor
isolation between a guest and a userspace hypervisor (like QEMU). Existing
mitigations already protect kernel/KVM from a malicious guest. Userspace
can additionally be protected by flushing the branch predictors after a
VMexit.
Since it is the userspace that consumes the poisoned branch predictors,
conditionally issue an IBPB after a VMexit and before returning to
userspace. Workloads that frequently switch between hypervisor and
userspace will incur the most overhead from the new IBPB.
This new IBPB is not integrated with the existing IBPB sites. For
instance, a task can use the existing speculation control prctl() to
get an IBPB at context switch time. With this implementation, the
IBPB is doubled up: one at context switch and another before running
userspace.
The intent is to integrate and optimize these cases post-embargo.
[ dhansen: elaborate on suboptimal IBPB solution ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
15d45071523d89b3fb7372e2135fbd72f6af9506 , < ac60717f9a8d21c58617d0b34274babf24135835
(git)
Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < c08192b5d6730a914dee6175bc71092ee6a65f14 (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < d5490dfa35427a2967e00a4c7a1b95fdbc8ede34 (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 15006289e5c38b2a830e1fba221977a27598176c (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 893387c18612bb452336a5881da0d015a7e8f4a2 (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < f866eef8d1c65504d30923c3f14082ad294d0e6d (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 34e5667041050711a947e260fc9ebebe08bddee5 (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < d7ddc93392e4a7ffcccc86edf6ef3e64c778db52 (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 459274c77b37ac63b78c928b4b4e748d1f9d05c8 (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 510603f504796c3535f67f55fb0b124a303b44c8 (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 9c23a90648e831d611152ac08dbcd1283d405e7f (git) Affected: 15d45071523d89b3fb7372e2135fbd72f6af9506 , < 2f8f173413f1cbf52660d04df92d0069c4306d25 (git) Affected: c51f1e5f57cca88d8d5894b6fad1638f643a99d0 (git) Affected: 4b3870c343a82cd2df7192cc5149c87205dcc611 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-17T16:05:33.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/14/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/14/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/14/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/17/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/17/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/cpufeatures.h",
"arch/x86/include/asm/entry-common.h",
"arch/x86/include/asm/nospec-branch.h",
"arch/x86/kernel/cpu/bugs.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac60717f9a8d21c58617d0b34274babf24135835",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "c08192b5d6730a914dee6175bc71092ee6a65f14",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "d5490dfa35427a2967e00a4c7a1b95fdbc8ede34",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "15006289e5c38b2a830e1fba221977a27598176c",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "893387c18612bb452336a5881da0d015a7e8f4a2",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "f866eef8d1c65504d30923c3f14082ad294d0e6d",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "34e5667041050711a947e260fc9ebebe08bddee5",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "d7ddc93392e4a7ffcccc86edf6ef3e64c778db52",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "459274c77b37ac63b78c928b4b4e748d1f9d05c8",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "510603f504796c3535f67f55fb0b124a303b44c8",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "9c23a90648e831d611152ac08dbcd1283d405e7f",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"lessThan": "2f8f173413f1cbf52660d04df92d0069c4306d25",
"status": "affected",
"version": "15d45071523d89b3fb7372e2135fbd72f6af9506",
"versionType": "git"
},
{
"status": "affected",
"version": "c51f1e5f57cca88d8d5894b6fad1638f643a99d0",
"versionType": "git"
},
{
"status": "affected",
"version": "4b3870c343a82cd2df7192cc5149c87205dcc611",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/cpufeatures.h",
"arch/x86/include/asm/entry-common.h",
"arch/x86/include/asm/nospec-branch.h",
"arch/x86/kernel/cpu/bugs.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.193",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.244",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.244",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.193",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.193",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.152",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.152",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.106",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.106",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.47",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.47",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.7",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.168",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/vmscape: Add conditional IBPB mitigation\n\nVMSCAPE is a vulnerability that exploits insufficient branch predictor\nisolation between a guest and a userspace hypervisor (like QEMU). Existing\nmitigations already protect kernel/KVM from a malicious guest. Userspace\ncan additionally be protected by flushing the branch predictors after a\nVMexit.\n\nSince it is the userspace that consumes the poisoned branch predictors,\nconditionally issue an IBPB after a VMexit and before returning to\nuserspace. Workloads that frequently switch between hypervisor and\nuserspace will incur the most overhead from the new IBPB.\n\nThis new IBPB is not integrated with the existing IBPB sites. For\ninstance, a task can use the existing speculation control prctl() to\nget an IBPB at context switch time. With this implementation, the\nIBPB is doubled up: one at context switch and another before running\nuserspace.\n\nThe intent is to integrate and optimize these cases post-embargo.\n\n[ dhansen: elaborate on suboptimal IBPB solution ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:23.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac60717f9a8d21c58617d0b34274babf24135835"
},
{
"url": "https://git.kernel.org/stable/c/c08192b5d6730a914dee6175bc71092ee6a65f14"
},
{
"url": "https://git.kernel.org/stable/c/d5490dfa35427a2967e00a4c7a1b95fdbc8ede34"
},
{
"url": "https://git.kernel.org/stable/c/2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e"
},
{
"url": "https://git.kernel.org/stable/c/15006289e5c38b2a830e1fba221977a27598176c"
},
{
"url": "https://git.kernel.org/stable/c/893387c18612bb452336a5881da0d015a7e8f4a2"
},
{
"url": "https://git.kernel.org/stable/c/f866eef8d1c65504d30923c3f14082ad294d0e6d"
},
{
"url": "https://git.kernel.org/stable/c/34e5667041050711a947e260fc9ebebe08bddee5"
},
{
"url": "https://git.kernel.org/stable/c/d7ddc93392e4a7ffcccc86edf6ef3e64c778db52"
},
{
"url": "https://git.kernel.org/stable/c/459274c77b37ac63b78c928b4b4e748d1f9d05c8"
},
{
"url": "https://git.kernel.org/stable/c/510603f504796c3535f67f55fb0b124a303b44c8"
},
{
"url": "https://git.kernel.org/stable/c/9c23a90648e831d611152ac08dbcd1283d405e7f"
},
{
"url": "https://git.kernel.org/stable/c/2f8f173413f1cbf52660d04df92d0069c4306d25"
}
],
"title": "x86/vmscape: Add conditional IBPB mitigation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40300",
"datePublished": "2025-09-11T16:49:24.809Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:23.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52923 (GCVE-0-2023-52923)
Vulnerability from cvelistv5 – Published: 2025-01-20 10:48 – Updated: 2025-05-04 07:46
VLAI?
EPSS
Title
netfilter: nf_tables: adapt set backend to use GC transaction API
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: adapt set backend to use GC transaction API
Use the GC transaction API to replace the old and buggy gc API and the
busy mark approach.
No set elements are removed from async garbage collection anymore,
instead the _DEAD bit is set on so the set element is not visible from
lookup path anymore. Async GC enqueues transaction work that might be
aborted and retried later.
rbtree and pipapo set backends does not set on the _DEAD bit from the
sync GC path since this runs in control plane path where mutex is held.
In this case, set elements are deactivated, removed and then released
via RCU callback, sync GC never fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d0982927e79049675cb6c6c04a0ebb3dad5a434 , < cb4d00b563675ba8ff6ef94b077f58d816f68ba3
(git)
Affected: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 , < c357648929c8dff891502349769aafb8f0452bc2 (git) Affected: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 , < 146c76866795553dbc19998f36718d7986ad302b (git) Affected: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 , < 479a2cf5259347d6a1f658b0f791d27a34908e91 (git) Affected: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 , < df650d6a4bf47248261b61ef6b174d7c54034d15 (git) Affected: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 , < e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681 (git) Affected: 9d0982927e79049675cb6c6c04a0ebb3dad5a434 , < f6c383b8c31a93752a52697f8430a71dcbc46adf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_hash.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb4d00b563675ba8ff6ef94b077f58d816f68ba3",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "c357648929c8dff891502349769aafb8f0452bc2",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "146c76866795553dbc19998f36718d7986ad302b",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "479a2cf5259347d6a1f658b0f791d27a34908e91",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "df650d6a4bf47248261b61ef6b174d7c54034d15",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
},
{
"lessThan": "f6c383b8c31a93752a52697f8430a71dcbc46adf",
"status": "affected",
"version": "9d0982927e79049675cb6c6c04a0ebb3dad5a434",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_set_hash.c",
"net/netfilter/nft_set_pipapo.c",
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.316",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.262",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.198",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.134",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.56",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: adapt set backend to use GC transaction API\n\nUse the GC transaction API to replace the old and buggy gc API and the\nbusy mark approach.\n\nNo set elements are removed from async garbage collection anymore,\ninstead the _DEAD bit is set on so the set element is not visible from\nlookup path anymore. Async GC enqueues transaction work that might be\naborted and retried later.\n\nrbtree and pipapo set backends does not set on the _DEAD bit from the\nsync GC path since this runs in control plane path where mutex is held.\nIn this case, set elements are deactivated, removed and then released\nvia RCU callback, sync GC never fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:05.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb4d00b563675ba8ff6ef94b077f58d816f68ba3"
},
{
"url": "https://git.kernel.org/stable/c/c357648929c8dff891502349769aafb8f0452bc2"
},
{
"url": "https://git.kernel.org/stable/c/146c76866795553dbc19998f36718d7986ad302b"
},
{
"url": "https://git.kernel.org/stable/c/479a2cf5259347d6a1f658b0f791d27a34908e91"
},
{
"url": "https://git.kernel.org/stable/c/df650d6a4bf47248261b61ef6b174d7c54034d15"
},
{
"url": "https://git.kernel.org/stable/c/e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681"
},
{
"url": "https://git.kernel.org/stable/c/f6c383b8c31a93752a52697f8430a71dcbc46adf"
}
],
"title": "netfilter: nf_tables: adapt set backend to use GC transaction API",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52923",
"datePublished": "2025-01-20T10:48:13.723Z",
"dateReserved": "2024-08-21T06:07:11.018Z",
"dateUpdated": "2025-05-04T07:46:05.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26661 (GCVE-0-2024-26661)
Vulnerability from cvelistv5 – Published: 2024-04-02 06:22 – Updated: 2025-05-04 08:53
VLAI?
EPSS
Title
drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'
In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;"
pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to
ensure the tg is not NULL.
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
474ac4a875ca6fea3fc5183d3ad22ef7523dca53 , < 3f3c237a706580326d3b7a1b97697e5031ca4667
(git)
Affected: 474ac4a875ca6fea3fc5183d3ad22ef7523dca53 , < 39f24c08363af1cd945abad84e3c87fd3e3c845a (git) Affected: 474ac4a875ca6fea3fc5183d3ad22ef7523dca53 , < 66951d98d9bf45ba25acf37fe0747253fafdf298 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T17:47:14.668657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T19:20:51.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f3c237a706580326d3b7a1b97697e5031ca4667",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
},
{
"lessThan": "39f24c08363af1cd945abad84e3c87fd3e3c845a",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
},
{
"lessThan": "66951d98d9bf45ba25acf37fe0747253fafdf298",
"status": "affected",
"version": "474ac4a875ca6fea3fc5183d3ad22ef7523dca53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.17",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.5",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for \u0027timing generator\u0027 in \u0027dcn21_set_pipe()\u0027\n\nIn \"u32 otg_inst = pipe_ctx-\u003estream_res.tg-\u003einst;\"\npipe_ctx-\u003estream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:53:21.527Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667"
},
{
"url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a"
},
{
"url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298"
}
],
"title": "drm/amd/display: Add NULL test for \u0027timing generator\u0027 in \u0027dcn21_set_pipe()\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26661",
"datePublished": "2024-04-02T06:22:10.989Z",
"dateReserved": "2024-02-19T14:20:24.148Z",
"dateUpdated": "2025-05-04T08:53:21.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26581 (GCVE-0-2024-26581)
Vulnerability from cvelistv5 – Published: 2024-02-20 12:52 – Updated: 2025-10-01 19:10
VLAI?
EPSS
Title
netfilter: nft_set_rbtree: skip end interval element from gc
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_rbtree: skip end interval element from gc
rbtree lazy gc on insert might collect an end interval element that has
been just added in this transactions, skip end interval elements that
are not yet active.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8284a79136c384059e85e278da2210b809730287 , < c60d252949caf9aba537525195edae6bbabc35eb
(git)
Affected: acaee227cf79c45a5d2d49c3e9a66333a462802c , < 10e9cb39313627f2eae4cd70c4b742074e998fd8 (git) Affected: 893cb3c3513cf661a0ff45fe0cfa83fe27131f76 , < 4cee42fcf54fec46b344681e7cc4f234bb22f85a (git) Affected: 50cbb9d195c197af671869c8cadce3bd483735a0 , < 2bab493a5624444ec6e648ad0d55a362bcb4c003 (git) Affected: 89a4d1a89751a0fbd520e64091873e19cc0979e8 , < 1296c110c5a0b45a8fcf58e7d18bc5da61a565cb (git) Affected: f718863aca469a109895cb855e6b81fff4827d71 , < b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7 (git) Affected: f718863aca469a109895cb855e6b81fff4827d71 , < 6eb14441f10602fa1cf691da9d685718b68b78a9 (git) Affected: f718863aca469a109895cb855e6b81fff4827d71 , < 60c0c230c6f046da536d3df8b39a20b9a9fd6af0 (git) Affected: cd66733932399475fe933cb3ec03e687ed401462 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T19:31:46.616632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:10:25.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c60d252949caf9aba537525195edae6bbabc35eb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/10e9cb39313627f2eae4cd70c4b742074e998fd8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4cee42fcf54fec46b344681e7cc4f234bb22f85a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2bab493a5624444ec6e648ad0d55a362bcb4c003"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1296c110c5a0b45a8fcf58e7d18bc5da61a565cb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6eb14441f10602fa1cf691da9d685718b68b78a9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/60c0c230c6f046da536d3df8b39a20b9a9fd6af0"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c60d252949caf9aba537525195edae6bbabc35eb",
"status": "affected",
"version": "8284a79136c384059e85e278da2210b809730287",
"versionType": "git"
},
{
"lessThan": "10e9cb39313627f2eae4cd70c4b742074e998fd8",
"status": "affected",
"version": "acaee227cf79c45a5d2d49c3e9a66333a462802c",
"versionType": "git"
},
{
"lessThan": "4cee42fcf54fec46b344681e7cc4f234bb22f85a",
"status": "affected",
"version": "893cb3c3513cf661a0ff45fe0cfa83fe27131f76",
"versionType": "git"
},
{
"lessThan": "2bab493a5624444ec6e648ad0d55a362bcb4c003",
"status": "affected",
"version": "50cbb9d195c197af671869c8cadce3bd483735a0",
"versionType": "git"
},
{
"lessThan": "1296c110c5a0b45a8fcf58e7d18bc5da61a565cb",
"status": "affected",
"version": "89a4d1a89751a0fbd520e64091873e19cc0979e8",
"versionType": "git"
},
{
"lessThan": "b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7",
"status": "affected",
"version": "f718863aca469a109895cb855e6b81fff4827d71",
"versionType": "git"
},
{
"lessThan": "6eb14441f10602fa1cf691da9d685718b68b78a9",
"status": "affected",
"version": "f718863aca469a109895cb855e6b81fff4827d71",
"versionType": "git"
},
{
"lessThan": "60c0c230c6f046da536d3df8b39a20b9a9fd6af0",
"status": "affected",
"version": "f718863aca469a109895cb855e6b81fff4827d71",
"versionType": "git"
},
{
"status": "affected",
"version": "cd66733932399475fe933cb3ec03e687ed401462",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_set_rbtree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "5.10.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "5.15.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.78",
"versionStartIncluding": "6.1.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.17",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:54:12.921Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c60d252949caf9aba537525195edae6bbabc35eb"
},
{
"url": "https://git.kernel.org/stable/c/10e9cb39313627f2eae4cd70c4b742074e998fd8"
},
{
"url": "https://git.kernel.org/stable/c/4cee42fcf54fec46b344681e7cc4f234bb22f85a"
},
{
"url": "https://git.kernel.org/stable/c/2bab493a5624444ec6e648ad0d55a362bcb4c003"
},
{
"url": "https://git.kernel.org/stable/c/1296c110c5a0b45a8fcf58e7d18bc5da61a565cb"
},
{
"url": "https://git.kernel.org/stable/c/b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7"
},
{
"url": "https://git.kernel.org/stable/c/6eb14441f10602fa1cf691da9d685718b68b78a9"
},
{
"url": "https://git.kernel.org/stable/c/60c0c230c6f046da536d3df8b39a20b9a9fd6af0"
}
],
"title": "netfilter: nft_set_rbtree: skip end interval element from gc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26581",
"datePublished": "2024-02-20T12:52:57.398Z",
"dateReserved": "2024-02-19T14:20:24.125Z",
"dateUpdated": "2025-10-01T19:10:25.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38111 (GCVE-0-2025-38111)
Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2025-11-03 17:34
VLAI?
EPSS
Title
net/mdiobus: Fix potential out-of-bounds read/write access
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mdiobus: Fix potential out-of-bounds read/write access
When using publicly available tools like 'mdio-tools' to read/write data
from/to network interface and its PHY via mdiobus, there is no verification of
parameters passed to the ioctl and it accepts any mdio address.
Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,
but it is possible to pass higher value than that via ioctl.
While read/write operation should generally fail in this case,
mdiobus provides stats array, where wrong address may allow out-of-bounds
read/write.
Fix that by adding address verification before read/write operation.
While this excludes this access from any statistics, it improves security of
read/write operation.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
080bb352fad00d04995102f681b134e3754bfb6e , < 19c5875e26c4ed5686d82a7d8f7051385461b9eb
(git)
Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 014ad9210373d2104f6ef10e6bb999a7a0a4c50e (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 73d478234a619f3476028cb02dee699c30ae8262 (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < bab6bca0834cbb5be2a7cfe59ec6ad016ec72608 (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < b02d9d2732483e670bc34cb233d28e1d43b15da4 (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 049af7ac45a6b407748ee0995278fd861e36df8f (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 0e629694126ca388916f059453a1c36adde219c4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:34:13.486Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19c5875e26c4ed5686d82a7d8f7051385461b9eb",
"status": "affected",
"version": "080bb352fad00d04995102f681b134e3754bfb6e",
"versionType": "git"
},
{
"lessThan": "014ad9210373d2104f6ef10e6bb999a7a0a4c50e",
"status": "affected",
"version": "080bb352fad00d04995102f681b134e3754bfb6e",
"versionType": "git"
},
{
"lessThan": "73d478234a619f3476028cb02dee699c30ae8262",
"status": "affected",
"version": "080bb352fad00d04995102f681b134e3754bfb6e",
"versionType": "git"
},
{
"lessThan": "bab6bca0834cbb5be2a7cfe59ec6ad016ec72608",
"status": "affected",
"version": "080bb352fad00d04995102f681b134e3754bfb6e",
"versionType": "git"
},
{
"lessThan": "b02d9d2732483e670bc34cb233d28e1d43b15da4",
"status": "affected",
"version": "080bb352fad00d04995102f681b134e3754bfb6e",
"versionType": "git"
},
{
"lessThan": "049af7ac45a6b407748ee0995278fd861e36df8f",
"status": "affected",
"version": "080bb352fad00d04995102f681b134e3754bfb6e",
"versionType": "git"
},
{
"lessThan": "0e629694126ca388916f059453a1c36adde219c4",
"status": "affected",
"version": "080bb352fad00d04995102f681b134e3754bfb6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via mdiobus, there is no verification of\nparameters passed to the ioctl and it accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:27.829Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19c5875e26c4ed5686d82a7d8f7051385461b9eb"
},
{
"url": "https://git.kernel.org/stable/c/014ad9210373d2104f6ef10e6bb999a7a0a4c50e"
},
{
"url": "https://git.kernel.org/stable/c/73d478234a619f3476028cb02dee699c30ae8262"
},
{
"url": "https://git.kernel.org/stable/c/bab6bca0834cbb5be2a7cfe59ec6ad016ec72608"
},
{
"url": "https://git.kernel.org/stable/c/b02d9d2732483e670bc34cb233d28e1d43b15da4"
},
{
"url": "https://git.kernel.org/stable/c/049af7ac45a6b407748ee0995278fd861e36df8f"
},
{
"url": "https://git.kernel.org/stable/c/0e629694126ca388916f059453a1c36adde219c4"
}
],
"title": "net/mdiobus: Fix potential out-of-bounds read/write access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38111",
"datePublished": "2025-07-03T08:35:20.643Z",
"dateReserved": "2025-04-16T04:51:23.985Z",
"dateUpdated": "2025-11-03T17:34:13.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68183 (GCVE-0-2025-68183)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
Currently when both IMA and EVM are in fix mode, the IMA signature will
be reset to IMA hash if a program first stores IMA signature in
security.ima and then writes/removes some other security xattr for the
file.
For example, on Fedora, after booting the kernel with "ima_appraise=fix
evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima,
installing/reinstalling a package will not make good reference IMA
signature generated. Instead IMA hash is generated,
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
This happens because when setting security.selinux, the IMA_DIGSIG flag
that had been set early was cleared. As a result, IMA hash is generated
when the file is closed.
Similarly, IMA signature can be cleared on file close after removing
security xattr like security.evm or setting/removing ACL.
Prevent replacing the IMA file signature with a file hash, by preventing
the IMA_DIGSIG flag from being reset.
Here's a minimal C reproducer which sets security.selinux as the last
step which can also replaced by removing security.evm or setting ACL,
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
int main() {
const char* file_path = "/usr/sbin/test_binary";
const char* hex_string = "030204d33204490066306402304";
int length = strlen(hex_string);
char* ima_attr_value;
int fd;
fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
perror("Error opening file");
return 1;
}
ima_attr_value = (char*)malloc(length / 2 );
for (int i = 0, j = 0; i < length; i += 2, j++) {
sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
}
if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
const char* selinux_value= "system_u:object_r:bin_t:s0";
if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
close(fd);
return 0;
}
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e3ccfe1ad7d895487977ef64eda3441d16c9851a , < d2993a7e98eb70c737c6f5365a190e79c72b8407
(git)
Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < edd824eb45e4f7e05ad3ab090dab6dbdb79cd292 (git) Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < 02aa671c08a4834bef5166743a7b88686fbfa023 (git) Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_appraise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2993a7e98eb70c737c6f5365a190e79c72b8407",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "edd824eb45e4f7e05ad3ab090dab6dbdb79cd292",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "02aa671c08a4834bef5166743a7b88686fbfa023",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_appraise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr\n\nCurrently when both IMA and EVM are in fix mode, the IMA signature will\nbe reset to IMA hash if a program first stores IMA signature in\nsecurity.ima and then writes/removes some other security xattr for the\nfile.\n\nFor example, on Fedora, after booting the kernel with \"ima_appraise=fix\nevm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima,\ninstalling/reinstalling a package will not make good reference IMA\nsignature generated. Instead IMA hash is generated,\n\n # getfattr -m - -d -e hex /usr/bin/bash\n # file: usr/bin/bash\n security.ima=0x0404...\n\nThis happens because when setting security.selinux, the IMA_DIGSIG flag\nthat had been set early was cleared. As a result, IMA hash is generated\nwhen the file is closed.\n\nSimilarly, IMA signature can be cleared on file close after removing\nsecurity xattr like security.evm or setting/removing ACL.\n\nPrevent replacing the IMA file signature with a file hash, by preventing\nthe IMA_DIGSIG flag from being reset.\n\nHere\u0027s a minimal C reproducer which sets security.selinux as the last\nstep which can also replaced by removing security.evm or setting ACL,\n\n #include \u003cstdio.h\u003e\n #include \u003csys/xattr.h\u003e\n #include \u003cfcntl.h\u003e\n #include \u003cunistd.h\u003e\n #include \u003cstring.h\u003e\n #include \u003cstdlib.h\u003e\n\n int main() {\n const char* file_path = \"/usr/sbin/test_binary\";\n const char* hex_string = \"030204d33204490066306402304\";\n int length = strlen(hex_string);\n char* ima_attr_value;\n int fd;\n\n fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);\n if (fd == -1) {\n perror(\"Error opening file\");\n return 1;\n }\n\n ima_attr_value = (char*)malloc(length / 2 );\n for (int i = 0, j = 0; i \u003c length; i += 2, j++) {\n sscanf(hex_string + i, \"%2hhx\", \u0026ima_attr_value[j]);\n }\n\n if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {\n perror(\"Error setting extended attribute\");\n close(fd);\n return 1;\n }\n\n const char* selinux_value= \"system_u:object_r:bin_t:s0\";\n if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {\n perror(\"Error setting extended attribute\");\n close(fd);\n return 1;\n }\n\n close(fd);\n\n return 0;\n }"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:14.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2993a7e98eb70c737c6f5365a190e79c72b8407"
},
{
"url": "https://git.kernel.org/stable/c/edd824eb45e4f7e05ad3ab090dab6dbdb79cd292"
},
{
"url": "https://git.kernel.org/stable/c/02aa671c08a4834bef5166743a7b88686fbfa023"
},
{
"url": "https://git.kernel.org/stable/c/88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd"
}
],
"title": "ima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68183",
"datePublished": "2025-12-16T13:43:01.178Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2026-01-02T15:34:14.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53417 (GCVE-0-2023-53417)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:58 – Updated: 2026-01-14 19:13
VLAI?
EPSS
Title
USB: sl811: fix memory leak with using debugfs_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: sl811: fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic
at once.
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
82d4afcfa9b507c983bb261ad1d6d13cb52d6e06 , < bb4d5eefb67095d7c3b70b08498b23b7f2895f76
(git)
Affected: 82d4afcfa9b507c983bb261ad1d6d13cb52d6e06 , < 54166af8941d0cf46b65cfa2fbce76e38d82fadf (git) Affected: 82d4afcfa9b507c983bb261ad1d6d13cb52d6e06 , < 04fdfec7b0286972cb5457ef958c92585447a39f (git) Affected: 82d4afcfa9b507c983bb261ad1d6d13cb52d6e06 , < e1523c4dbc54e164638ff8729d511cf91e27be04 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:06:03.396002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:13:07.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/sl811-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb4d5eefb67095d7c3b70b08498b23b7f2895f76",
"status": "affected",
"version": "82d4afcfa9b507c983bb261ad1d6d13cb52d6e06",
"versionType": "git"
},
{
"lessThan": "54166af8941d0cf46b65cfa2fbce76e38d82fadf",
"status": "affected",
"version": "82d4afcfa9b507c983bb261ad1d6d13cb52d6e06",
"versionType": "git"
},
{
"lessThan": "04fdfec7b0286972cb5457ef958c92585447a39f",
"status": "affected",
"version": "82d4afcfa9b507c983bb261ad1d6d13cb52d6e06",
"versionType": "git"
},
{
"lessThan": "e1523c4dbc54e164638ff8729d511cf91e27be04",
"status": "affected",
"version": "82d4afcfa9b507c983bb261ad1d6d13cb52d6e06",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/sl811-hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: sl811: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:20:07.233Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb4d5eefb67095d7c3b70b08498b23b7f2895f76"
},
{
"url": "https://git.kernel.org/stable/c/54166af8941d0cf46b65cfa2fbce76e38d82fadf"
},
{
"url": "https://git.kernel.org/stable/c/04fdfec7b0286972cb5457ef958c92585447a39f"
},
{
"url": "https://git.kernel.org/stable/c/e1523c4dbc54e164638ff8729d511cf91e27be04"
}
],
"title": "USB: sl811: fix memory leak with using debugfs_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53417",
"datePublished": "2025-09-18T13:58:53.286Z",
"dateReserved": "2025-09-17T14:54:09.740Z",
"dateUpdated": "2026-01-14T19:13:07.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50488 (GCVE-0-2022-50488)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:43 – Updated: 2025-10-04 15:43
VLAI?
EPSS
Title
block, bfq: fix possible uaf for 'bfqq->bic'
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix possible uaf for 'bfqq->bic'
Our test report a uaf for 'bfqq->bic' in 5.10:
==================================================================
BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30
CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014
Call Trace:
bfq_select_queue+0x378/0xa30
bfq_dispatch_request+0xe8/0x130
blk_mq_do_dispatch_sched+0x62/0xb0
__blk_mq_sched_dispatch_requests+0x215/0x2a0
blk_mq_sched_dispatch_requests+0x8f/0xd0
__blk_mq_run_hw_queue+0x98/0x180
__blk_mq_delay_run_hw_queue+0x22b/0x240
blk_mq_run_hw_queue+0xe3/0x190
blk_mq_sched_insert_requests+0x107/0x200
blk_mq_flush_plug_list+0x26e/0x3c0
blk_finish_plug+0x63/0x90
__iomap_dio_rw+0x7b5/0x910
iomap_dio_rw+0x36/0x80
ext4_dio_read_iter+0x146/0x190 [ext4]
ext4_file_read_iter+0x1e2/0x230 [ext4]
new_sync_read+0x29f/0x400
vfs_read+0x24e/0x2d0
ksys_read+0xd5/0x1b0
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x61/0xc6
Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")
changes that move process to a new cgroup will allocate a new bfqq to
use, however, the old bfqq and new bfqq can point to the same bic:
1) Initial state, two process with io in the same cgroup.
Process 1 Process 2
(BIC1) (BIC2)
| Λ | Λ
| | | |
V | V |
bfqq1 bfqq2
2) bfqq1 is merged to bfqq2.
Process 1 Process 2
(BIC1) (BIC2)
| |
\-------------\|
V
bfqq1 bfqq2(coop)
3) Process 1 exit, then issue new io(denoce IOA) from Process 2.
(BIC2)
| Λ
| |
V |
bfqq2(coop)
4) Before IOA is completed, move Process 2 to another cgroup and issue io.
Process 2
(BIC2)
Λ
|\--------------\
| V
bfqq2 bfqq3
Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.
If all the requests are completed, and Process 2 exit, BIC2 will be
freed while there is no guarantee that bfqq2 will be freed before BIC2.
Fix the problem by clearing bfqq->bic while bfqq is detached from bic.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4dfc12f8c94c8052e975060f595938f75e8b7165 , < 5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a
(git)
Affected: 81b7d0c717a487ec50e2924a773ff501ee40f0d5 , < 094f3d9314d67691cb21ba091c1b528f6e3c4893 (git) Affected: 3bc5e683c67d94bd839a1da2e796c15847b51b69 , < b22fd72bfebda3956efc4431b60ddfc0a51e03e0 (git) Affected: 3bc5e683c67d94bd839a1da2e796c15847b51b69 , < 761564d93c8265f65543acf0a576b32d66bfa26a (git) Affected: 3bc5e683c67d94bd839a1da2e796c15847b51b69 , < 64dc8c732f5c2b406cc752e6aaa1bd5471159cab (git) Affected: 31326bf551269fb9bafa84ca99172b8340e5d8f8 (git) Affected: 43c51b86dbe551cff5d39b88aa2f41d29479f9c4 (git) Affected: 8615f6c0c9e7cf0ca90b6b5408784d797cbe5621 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a",
"status": "affected",
"version": "4dfc12f8c94c8052e975060f595938f75e8b7165",
"versionType": "git"
},
{
"lessThan": "094f3d9314d67691cb21ba091c1b528f6e3c4893",
"status": "affected",
"version": "81b7d0c717a487ec50e2924a773ff501ee40f0d5",
"versionType": "git"
},
{
"lessThan": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0",
"status": "affected",
"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
"versionType": "git"
},
{
"lessThan": "761564d93c8265f65543acf0a576b32d66bfa26a",
"status": "affected",
"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
"versionType": "git"
},
{
"lessThan": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab",
"status": "affected",
"version": "3bc5e683c67d94bd839a1da2e796c15847b51b69",
"versionType": "git"
},
{
"status": "affected",
"version": "31326bf551269fb9bafa84ca99172b8340e5d8f8",
"versionType": "git"
},
{
"status": "affected",
"version": "43c51b86dbe551cff5d39b88aa2f41d29479f9c4",
"versionType": "git"
},
{
"status": "affected",
"version": "8615f6c0c9e7cf0ca90b6b5408784d797cbe5621",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.175",
"versionStartIncluding": "5.10.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027\n\nOur test report a uaf for \u0027bfqq-\u003ebic\u0027 in 5.10:\n\n==================================================================\nBUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30\n\nCPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014\nCall Trace:\n bfq_select_queue+0x378/0xa30\n bfq_dispatch_request+0xe8/0x130\n blk_mq_do_dispatch_sched+0x62/0xb0\n __blk_mq_sched_dispatch_requests+0x215/0x2a0\n blk_mq_sched_dispatch_requests+0x8f/0xd0\n __blk_mq_run_hw_queue+0x98/0x180\n __blk_mq_delay_run_hw_queue+0x22b/0x240\n blk_mq_run_hw_queue+0xe3/0x190\n blk_mq_sched_insert_requests+0x107/0x200\n blk_mq_flush_plug_list+0x26e/0x3c0\n blk_finish_plug+0x63/0x90\n __iomap_dio_rw+0x7b5/0x910\n iomap_dio_rw+0x36/0x80\n ext4_dio_read_iter+0x146/0x190 [ext4]\n ext4_file_read_iter+0x1e2/0x230 [ext4]\n new_sync_read+0x29f/0x400\n vfs_read+0x24e/0x2d0\n ksys_read+0xd5/0x1b0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nCommit 3bc5e683c67d (\"bfq: Split shared queues on move between cgroups\")\nchanges that move process to a new cgroup will allocate a new bfqq to\nuse, however, the old bfqq and new bfqq can point to the same bic:\n\n1) Initial state, two process with io in the same cgroup.\n\nProcess 1 Process 2\n (BIC1) (BIC2)\n | \u039b | \u039b\n | | | |\n V | V |\n bfqq1 bfqq2\n\n2) bfqq1 is merged to bfqq2.\n\nProcess 1 Process 2\n (BIC1) (BIC2)\n | |\n \\-------------\\|\n V\n bfqq1 bfqq2(coop)\n\n3) Process 1 exit, then issue new io(denoce IOA) from Process 2.\n\n (BIC2)\n | \u039b\n | |\n V |\n bfqq2(coop)\n\n4) Before IOA is completed, move Process 2 to another cgroup and issue io.\n\nProcess 2\n (BIC2)\n \u039b\n |\\--------------\\\n | V\n bfqq2 bfqq3\n\nNow that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.\nIf all the requests are completed, and Process 2 exit, BIC2 will be\nfreed while there is no guarantee that bfqq2 will be freed before BIC2.\n\nFix the problem by clearing bfqq-\u003ebic while bfqq is detached from bic."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:43:42.352Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a"
},
{
"url": "https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893"
},
{
"url": "https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0"
},
{
"url": "https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a"
},
{
"url": "https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab"
}
],
"title": "block, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50488",
"datePublished": "2025-10-04T15:43:42.352Z",
"dateReserved": "2025-10-04T15:13:33.468Z",
"dateUpdated": "2025-10-04T15:43:42.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53178 (GCVE-0-2023-53178)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:04 – Updated: 2025-09-16 08:02
VLAI?
EPSS
Title
mm: fix zswap writeback race condition
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: fix zswap writeback race condition
The zswap writeback mechanism can cause a race condition resulting in
memory corruption, where a swapped out page gets swapped in with data that
was written to a different page.
The race unfolds like this:
1. a page with data A and swap offset X is stored in zswap
2. page A is removed off the LRU by zpool driver for writeback in
zswap-shrink work, data for A is mapped by zpool driver
3. user space program faults and invalidates page entry A, offset X is
considered free
4. kswapd stores page B at offset X in zswap (zswap could also be
full, if so, page B would then be IOed to X, then skip step 5.)
5. entry A is replaced by B in tree->rbroot, this doesn't affect the
local reference held by zswap-shrink work
6. zswap-shrink work writes back A at X, and frees zswap entry A
7. swapin of slot X brings A in memory instead of B
The fix:
Once the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW),
zswap-shrink work just checks that the local zswap_entry reference is
still the same as the one in the tree. If it's not the same it means that
it's either been invalidated or replaced, in both cases the writeback is
aborted because the local entry contains stale data.
Reproducer:
I originally found this by running `stress` overnight to validate my work
on the zswap writeback mechanism, it manifested after hours on my test
machine. The key to make it happen is having zswap writebacks, so
whatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do
the trick.
In order to reproduce this faster on a vm, I setup a system with ~100M of
available memory and a 500M swap file, then running `stress --vm 1
--vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens
of minutes. One can speed things up even more by swinging
/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20
and 1; this makes it reproduce in tens of seconds. It's crucial to set
`--vm-stride` to something other than 4096 otherwise `stress` won't
realize that memory has been corrupted because all pages would have the
same data.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2b2811178e85553405b86e3fe78357b9b95889ce , < 2cab13f500a6333bd2b853783ac76be9e4956f8a
(git)
Affected: 2b2811178e85553405b86e3fe78357b9b95889ce , < ba700ea13bf0105a4773c654f7d3bef8adb64ab2 (git) Affected: 2b2811178e85553405b86e3fe78357b9b95889ce , < 04fc7816089c5a32c29a04ec94b998e219dfb946 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/zswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cab13f500a6333bd2b853783ac76be9e4956f8a",
"status": "affected",
"version": "2b2811178e85553405b86e3fe78357b9b95889ce",
"versionType": "git"
},
{
"lessThan": "ba700ea13bf0105a4773c654f7d3bef8adb64ab2",
"status": "affected",
"version": "2b2811178e85553405b86e3fe78357b9b95889ce",
"versionType": "git"
},
{
"lessThan": "04fc7816089c5a32c29a04ec94b998e219dfb946",
"status": "affected",
"version": "2b2811178e85553405b86e3fe78357b9b95889ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/zswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix zswap writeback race condition\n\nThe zswap writeback mechanism can cause a race condition resulting in\nmemory corruption, where a swapped out page gets swapped in with data that\nwas written to a different page.\n\nThe race unfolds like this:\n1. a page with data A and swap offset X is stored in zswap\n2. page A is removed off the LRU by zpool driver for writeback in\n zswap-shrink work, data for A is mapped by zpool driver\n3. user space program faults and invalidates page entry A, offset X is\n considered free\n4. kswapd stores page B at offset X in zswap (zswap could also be\n full, if so, page B would then be IOed to X, then skip step 5.)\n5. entry A is replaced by B in tree-\u003erbroot, this doesn\u0027t affect the\n local reference held by zswap-shrink work\n6. zswap-shrink work writes back A at X, and frees zswap entry A\n7. swapin of slot X brings A in memory instead of B\n\nThe fix:\nOnce the swap page cache has been allocated (case ZSWAP_SWAPCACHE_NEW),\nzswap-shrink work just checks that the local zswap_entry reference is\nstill the same as the one in the tree. If it\u0027s not the same it means that\nit\u0027s either been invalidated or replaced, in both cases the writeback is\naborted because the local entry contains stale data.\n\nReproducer:\nI originally found this by running `stress` overnight to validate my work\non the zswap writeback mechanism, it manifested after hours on my test\nmachine. The key to make it happen is having zswap writebacks, so\nwhatever setup pumps /sys/kernel/debug/zswap/written_back_pages should do\nthe trick.\n\nIn order to reproduce this faster on a vm, I setup a system with ~100M of\navailable memory and a 500M swap file, then running `stress --vm 1\n--vm-bytes 300000000 --vm-stride 4000` makes it happen in matter of tens\nof minutes. One can speed things up even more by swinging\n/sys/module/zswap/parameters/max_pool_percent up and down between, say, 20\nand 1; this makes it reproduce in tens of seconds. It\u0027s crucial to set\n`--vm-stride` to something other than 4096 otherwise `stress` won\u0027t\nrealize that memory has been corrupted because all pages would have the\nsame data."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:20.669Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cab13f500a6333bd2b853783ac76be9e4956f8a"
},
{
"url": "https://git.kernel.org/stable/c/ba700ea13bf0105a4773c654f7d3bef8adb64ab2"
},
{
"url": "https://git.kernel.org/stable/c/04fc7816089c5a32c29a04ec94b998e219dfb946"
}
],
"title": "mm: fix zswap writeback race condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53178",
"datePublished": "2025-09-15T14:04:23.768Z",
"dateReserved": "2025-09-15T13:59:19.065Z",
"dateUpdated": "2025-09-16T08:02:20.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49943 (GCVE-0-2022-49943)
Vulnerability from cvelistv5 – Published: 2025-06-18 10:59 – Updated: 2025-06-18 10:59
VLAI?
EPSS
Title
USB: gadget: Fix obscure lockdep violation for udc_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix obscure lockdep violation for udc_mutex
A recent commit expanding the scope of the udc_lock mutex in the
gadget core managed to cause an obscure and slightly bizarre lockdep
violation. In abbreviated form:
======================================================
WARNING: possible circular locking dependency detected
5.19.0-rc7+ #12510 Not tainted
------------------------------------------------------
udevadm/312 is trying to acquire lock:
ffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0
but task is already holding lock:
ffff000002277548 (kn->active#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (kn->active#4){++++}-{0:0}:
lock_acquire+0x68/0x84
__kernfs_remove+0x268/0x380
kernfs_remove_by_name_ns+0x58/0xac
sysfs_remove_file_ns+0x18/0x24
device_del+0x15c/0x440
-> #2 (device_links_lock){+.+.}-{3:3}:
lock_acquire+0x68/0x84
__mutex_lock+0x9c/0x430
mutex_lock_nested+0x38/0x64
device_link_remove+0x3c/0xa0
_regulator_put.part.0+0x168/0x190
regulator_put+0x3c/0x54
devm_regulator_release+0x14/0x20
-> #1 (regulator_list_mutex){+.+.}-{3:3}:
lock_acquire+0x68/0x84
__mutex_lock+0x9c/0x430
mutex_lock_nested+0x38/0x64
regulator_lock_dependent+0x54/0x284
regulator_enable+0x34/0x80
phy_power_on+0x24/0x130
__dwc2_lowlevel_hw_enable+0x100/0x130
dwc2_lowlevel_hw_enable+0x18/0x40
dwc2_hsotg_udc_start+0x6c/0x2f0
gadget_bind_driver+0x124/0x1f4
-> #0 (udc_lock){+.+.}-{3:3}:
__lock_acquire+0x1298/0x20cc
lock_acquire.part.0+0xe0/0x230
lock_acquire+0x68/0x84
__mutex_lock+0x9c/0x430
mutex_lock_nested+0x38/0x64
usb_udc_uevent+0x54/0xe0
Evidently this was caused by the scope of udc_mutex being too large.
The mutex is only meant to protect udc->driver along with a few other
things. As far as I can tell, there's no reason for the mutex to be
held while the gadget core calls a gadget driver's ->bind or ->unbind
routine, or while a UDC is being started or stopped. (This accounts
for link #1 in the chain above, where the mutex is held while the
dwc2_hsotg_udc is started as part of driver probing.)
Gadget drivers' ->disconnect callbacks are problematic. Even though
usb_gadget_disconnect() will now acquire the udc_mutex, there's a
window in usb_gadget_bind_driver() between the times when the mutex is
released and the ->bind callback is invoked. If a disconnect occurred
during that window, we could call the driver's ->disconnect routine
before its ->bind routine. To prevent this from happening, it will be
necessary to prevent a UDC from connecting while it has no gadget
driver. This should be done already but it doesn't seem to be;
currently usb_gadget_connect() has no check for this. Such a check
will have to be added later.
Some degree of mutual exclusion is required in soft_connect_store(),
which can dereference udc->driver at arbitrary times since it is a
sysfs callback. The solution here is to acquire the gadget's device
lock rather than the udc_mutex. Since the driver core guarantees that
the device lock is always held during driver binding and unbinding,
this will make the accesses in soft_connect_store() mutually exclusive
with any changes to udc->driver.
Lastly, it turns out there is one place which should hold the
udc_mutex but currently does not: The function_show() routine needs
protection while it dereferences udc->driver. The missing lock and
unlock calls are added.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a065e4673cbdd9f222a05f85e17d78ea50c8d9c",
"status": "affected",
"version": "f44b0b95d50fffeca036e1ba36770390e0b519dd",
"versionType": "git"
},
{
"lessThan": "1016fc0c096c92dd0e6e0541daac7a7868169903",
"status": "affected",
"version": "2191c00855b03aa59c20e698be713d952d51fc18",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.19.8",
"status": "affected",
"version": "5.19.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.8",
"versionStartIncluding": "5.19.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix obscure lockdep violation for udc_mutex\n\nA recent commit expanding the scope of the udc_lock mutex in the\ngadget core managed to cause an obscure and slightly bizarre lockdep\nviolation. In abbreviated form:\n\n======================================================\nWARNING: possible circular locking dependency detected\n5.19.0-rc7+ #12510 Not tainted\n------------------------------------------------------\nudevadm/312 is trying to acquire lock:\nffff80000aae1058 (udc_lock){+.+.}-{3:3}, at: usb_udc_uevent+0x54/0xe0\n\nbut task is already holding lock:\nffff000002277548 (kn-\u003eactive#4){++++}-{0:0}, at: kernfs_seq_start+0x34/0xe0\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #3 (kn-\u003eactive#4){++++}-{0:0}:\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire+0x68/0x84\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __kernfs_remove+0x268/0x380\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 kernfs_remove_by_name_ns+0x58/0xac\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sysfs_remove_file_ns+0x18/0x24\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 device_del+0x15c/0x440\n\n-\u003e #2 (device_links_lock){+.+.}-{3:3}:\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire+0x68/0x84\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __mutex_lock+0x9c/0x430\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mutex_lock_nested+0x38/0x64\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 device_link_remove+0x3c/0xa0\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 _regulator_put.part.0+0x168/0x190\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 regulator_put+0x3c/0x54\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 devm_regulator_release+0x14/0x20\n\n-\u003e #1 (regulator_list_mutex){+.+.}-{3:3}:\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire+0x68/0x84\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __mutex_lock+0x9c/0x430\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mutex_lock_nested+0x38/0x64\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 regulator_lock_dependent+0x54/0x284\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 regulator_enable+0x34/0x80\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 phy_power_on+0x24/0x130\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __dwc2_lowlevel_hw_enable+0x100/0x130\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dwc2_lowlevel_hw_enable+0x18/0x40\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dwc2_hsotg_udc_start+0x6c/0x2f0\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 gadget_bind_driver+0x124/0x1f4\n\n-\u003e #0 (udc_lock){+.+.}-{3:3}:\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __lock_acquire+0x1298/0x20cc\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire.part.0+0xe0/0x230\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lock_acquire+0x68/0x84\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __mutex_lock+0x9c/0x430\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mutex_lock_nested+0x38/0x64\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 usb_udc_uevent+0x54/0xe0\n\nEvidently this was caused by the scope of udc_mutex being too large.\nThe mutex is only meant to protect udc-\u003edriver along with a few other\nthings. As far as I can tell, there\u0027s no reason for the mutex to be\nheld while the gadget core calls a gadget driver\u0027s -\u003ebind or -\u003eunbind\nroutine, or while a UDC is being started or stopped. (This accounts\nfor link #1 in the chain above, where the mutex is held while the\ndwc2_hsotg_udc is started as part of driver probing.)\n\nGadget drivers\u0027 -\u003edisconnect callbacks are problematic. Even though\nusb_gadget_disconnect() will now acquire the udc_mutex, there\u0027s a\nwindow in usb_gadget_bind_driver() between the times when the mutex is\nreleased and the -\u003ebind callback is invoked. If a disconnect occurred\nduring that window, we could call the driver\u0027s -\u003edisconnect routine\nbefore its -\u003ebind routine. To prevent this from happening, it will be\nnecessary to prevent a UDC from connecting while it has no gadget\ndriver. This should be done already but it doesn\u0027t seem to be;\ncurrently usb_gadget_connect() has no check for this. Such a check\nwill have to be added later.\n\nSome degree of mutual exclusion is required in soft_connect_store(),\nwhich can dereference udc-\u003edriver at arbitrary times since it is a\nsysfs callback. The solution here is to acquire the gadget\u0027s device\nlock rather than the udc_mutex. Since the driver core guarantees that\nthe device lock is always held during driver binding and unbinding,\nthis will make the accesses in soft_connect_store() mutually exclusive\nwith any changes to udc-\u003edriver.\n\nLastly, it turns out there is one place which should hold the\nudc_mutex but currently does not: The function_show() routine needs\nprotection while it dereferences udc-\u003edriver. The missing lock and\nunlock calls are added."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-18T10:59:58.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a065e4673cbdd9f222a05f85e17d78ea50c8d9c"
},
{
"url": "https://git.kernel.org/stable/c/1016fc0c096c92dd0e6e0541daac7a7868169903"
}
],
"title": "USB: gadget: Fix obscure lockdep violation for udc_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49943",
"datePublished": "2025-06-18T10:59:58.516Z",
"dateReserved": "2025-06-18T10:57:27.381Z",
"dateUpdated": "2025-06-18T10:59:58.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68771 (GCVE-0-2025-68771)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
EPSS
Title
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:
1. `cl_next_free_rec` is equal to 0, indicating that there are no free
chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no
chains left for usage.
This is addressed using ocfs2_error(), which prints
the error log for debugging purposes, rather than panicking the kernel.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7
(git)
Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < d0fd1f732ea8063cecd07a3879b7d815c7ee71ed (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < b08a33d5f80efe6979a6e8f905c1a898910c21dd (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 96f1b074c98c20f55a3b23d2ab44d9fb0f619869 (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < e24aedae71652d4119049f1fbef6532ccbe3966d (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 7acc0390e0dd7474c4451d05465a677d55ad4268 (git) Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 039bef30e320827bac8990c9f29d2a68cd8adb5f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "d0fd1f732ea8063cecd07a3879b7d815c7ee71ed",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "b08a33d5f80efe6979a6e8f905c1a898910c21dd",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "96f1b074c98c20f55a3b23d2ab44d9fb0f619869",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "e24aedae71652d4119049f1fbef6532ccbe3966d",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "7acc0390e0dd7474c4451d05465a677d55ad4268",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "039bef30e320827bac8990c9f29d2a68cd8adb5f",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix kernel BUG in ocfs2_find_victim_chain\n\nsyzbot reported a kernel BUG in ocfs2_find_victim_chain() because the\n`cl_next_free_rec` field of the allocation chain list (next free slot in\nthe chain list) is 0, triggring the BUG_ON(!cl-\u003ecl_next_free_rec)\ncondition in ocfs2_find_victim_chain() and panicking the kernel.\n\nTo fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),\njust before calling ocfs2_find_victim_chain(), the code block in it being\nexecuted when either of the following conditions is true:\n\n1. `cl_next_free_rec` is equal to 0, indicating that there are no free\nchains in the allocation chain list\n2. `cl_next_free_rec` is greater than `cl_count` (the total number of\nchains in the allocation chain list)\n\nEither of them being true is indicative of the fact that there are no\nchains left for usage.\n\nThis is addressed using ocfs2_error(), which prints\nthe error log for debugging purposes, rather than panicking the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:33:16.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7"
},
{
"url": "https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed"
},
{
"url": "https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd"
},
{
"url": "https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869"
},
{
"url": "https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d"
},
{
"url": "https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268"
},
{
"url": "https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f"
}
],
"title": "ocfs2: fix kernel BUG in ocfs2_find_victim_chain",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68771",
"datePublished": "2026-01-13T15:28:49.272Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-02-09T08:33:16.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49980 (GCVE-0-2022-49980)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:00 – Updated: 2025-12-23 13:26
VLAI?
EPSS
Title
USB: gadget: Fix use-after-free Read in usb_udc_uevent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix use-after-free Read in usb_udc_uevent()
The syzbot fuzzer found a race between uevent callbacks and gadget
driver unregistration that can cause a use-after-free bug:
---------------------------------------------------------------
BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130
drivers/usb/gadget/udc/core.c:1732
Read of size 8 at addr ffff888078ce2050 by task udevd/2968
CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
06/29/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
dev_uevent+0x290/0x770 drivers/base/core.c:2424
---------------------------------------------------------------
The bug occurs because usb_udc_uevent() dereferences udc->driver but
does so without acquiring the udc_lock mutex, which protects this
field. If the gadget driver is unbound from the udc concurrently with
uevent processing, the driver structure may be accessed after it has
been deallocated.
To prevent the race, we make sure that the routine holds the mutex
around the racing accesses.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f44b0b95d50fffeca036e1ba36770390e0b519dd",
"status": "affected",
"version": "2ccea03a8f7ec93641791f2760d7cdc6cab6205f",
"versionType": "git"
},
{
"lessThan": "2191c00855b03aa59c20e698be713d952d51fc18",
"status": "affected",
"version": "2ccea03a8f7ec93641791f2760d7cdc6cab6205f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.7",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix use-after-free Read in usb_udc_uevent()\n\nThe syzbot fuzzer found a race between uevent callbacks and gadget\ndriver unregistration that can cause a use-after-free bug:\n\n---------------------------------------------------------------\nBUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130\ndrivers/usb/gadget/udc/core.c:1732\nRead of size 8 at addr ffff888078ce2050 by task udevd/2968\n\nCPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n06/29/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:317 [inline]\n print_report.cold+0x2ba/0x719 mm/kasan/report.c:433\n kasan_report+0xbe/0x1f0 mm/kasan/report.c:495\n usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732\n dev_uevent+0x290/0x770 drivers/base/core.c:2424\n---------------------------------------------------------------\n\nThe bug occurs because usb_udc_uevent() dereferences udc-\u003edriver but\ndoes so without acquiring the udc_lock mutex, which protects this\nfield. If the gadget driver is unbound from the udc concurrently with\nuevent processing, the driver structure may be accessed after it has\nbeen deallocated.\n\nTo prevent the race, we make sure that the routine holds the mutex\naround the racing accesses."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:26:19.966Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f44b0b95d50fffeca036e1ba36770390e0b519dd"
},
{
"url": "https://git.kernel.org/stable/c/2191c00855b03aa59c20e698be713d952d51fc18"
}
],
"title": "USB: gadget: Fix use-after-free Read in usb_udc_uevent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49980",
"datePublished": "2025-06-18T11:00:42.433Z",
"dateReserved": "2025-06-18T10:57:27.385Z",
"dateUpdated": "2025-12-23T13:26:19.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68312 (GCVE-0-2025-68312)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
EPSS
Title
usbnet: Prevents free active kevent
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Prevents free active kevent
The root cause of this issue are:
1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
put the kevent work in global workqueue. However, the kevent has not yet
been scheduled when the usbnet device is unregistered. Therefore, executing
free_netdev() results in the "free active object (kevent)" error reported
here.
2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
However, because the device is not up, ndo_stop() is not executed.
The solution to this problem is to cancel the kevent before executing
free_netdev().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b4588b8b00b299be16a35be67b331d8fdba03f3 , < 285d4b953f2ca03c358f986718dd89ee9bde632e
(git)
Affected: 135199a2edd459d2b123144efcd7f9bcd95128e4 , < 88a38b135d69f5db9024ff6527232f1b51be8915 (git) Affected: 635fd8953e4309b54ca6a81bed1d4a87668694f4 , < 43005002b60ef3424719ecda16d124714b45da3b (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 3a10619fdefd3051aeb14860e4d4335529b4e94d (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 9a579d6a39513069d298eee70770bbac8a148565 (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 2ce1de32e05445d77fc056f6ff8339cfb78a5f84 (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 5158fb8da162e3982940f30cd01ed77bdf42c6fc (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 420c84c330d1688b8c764479e5738bbdbf0a33de (git) Affected: d2d6b530d89b0a912148018027386aa049f0a309 (git) Affected: e2a521a7dcc463c5017b4426ca0804e151faeff7 (git) Affected: 7f77dcbc030c2faa6d8e8a594985eeb34018409e (git) Affected: d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f (git) Affected: db3b738ae5f726204876f4303c49cfdf4311403f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "285d4b953f2ca03c358f986718dd89ee9bde632e",
"status": "affected",
"version": "8b4588b8b00b299be16a35be67b331d8fdba03f3",
"versionType": "git"
},
{
"lessThan": "88a38b135d69f5db9024ff6527232f1b51be8915",
"status": "affected",
"version": "135199a2edd459d2b123144efcd7f9bcd95128e4",
"versionType": "git"
},
{
"lessThan": "43005002b60ef3424719ecda16d124714b45da3b",
"status": "affected",
"version": "635fd8953e4309b54ca6a81bed1d4a87668694f4",
"versionType": "git"
},
{
"lessThan": "3a10619fdefd3051aeb14860e4d4335529b4e94d",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "9a579d6a39513069d298eee70770bbac8a148565",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "2ce1de32e05445d77fc056f6ff8339cfb78a5f84",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "5158fb8da162e3982940f30cd01ed77bdf42c6fc",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "420c84c330d1688b8c764479e5738bbdbf0a33de",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"status": "affected",
"version": "d2d6b530d89b0a912148018027386aa049f0a309",
"versionType": "git"
},
{
"status": "affected",
"version": "e2a521a7dcc463c5017b4426ca0804e151faeff7",
"versionType": "git"
},
{
"status": "affected",
"version": "7f77dcbc030c2faa6d8e8a594985eeb34018409e",
"versionType": "git"
},
{
"status": "affected",
"version": "d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f",
"versionType": "git"
},
{
"status": "affected",
"version": "db3b738ae5f726204876f4303c49cfdf4311403f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Prevents free active kevent\n\nThe root cause of this issue are:\n1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);\nput the kevent work in global workqueue. However, the kevent has not yet\nbeen scheduled when the usbnet device is unregistered. Therefore, executing\nfree_netdev() results in the \"free active object (kevent)\" error reported\nhere.\n\n2. Another factor is that when calling usbnet_disconnect()-\u003eunregister_netdev(),\nif the usbnet device is up, ndo_stop() is executed to cancel the kevent.\nHowever, because the device is not up, ndo_stop() is not executed.\n\nThe solution to this problem is to cancel the kevent before executing\nfree_netdev()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:43.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e"
},
{
"url": "https://git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915"
},
{
"url": "https://git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b"
},
{
"url": "https://git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d"
},
{
"url": "https://git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565"
},
{
"url": "https://git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84"
},
{
"url": "https://git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc"
},
{
"url": "https://git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de"
}
],
"title": "usbnet: Prevents free active kevent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68312",
"datePublished": "2025-12-16T15:39:43.174Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:43.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21658 (GCVE-0-2025-21658)
Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2025-10-01 19:57
VLAI?
EPSS
Title
btrfs: avoid NULL pointer dereference if no valid extent tree
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: avoid NULL pointer dereference if no valid extent tree
[BUG]
Syzbot reported a crash with the following call trace:
BTRFS info (device loop0): scrub: started on devid 1
BUG: kernel NULL pointer dereference, address: 0000000000000208
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]
Call Trace:
<TASK>
scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]
scrub_simple_mirror+0x175/0x260 [btrfs]
scrub_stripe+0x5d4/0x6c0 [btrfs]
scrub_chunk+0xbb/0x170 [btrfs]
scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs]
btrfs_scrub_dev+0x240/0x600 [btrfs]
btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]
? do_sys_openat2+0xa5/0xf0
__x64_sys_ioctl+0x97/0xc0
do_syscall_64+0x4f/0x120
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
[CAUSE]
The reproducer is using a corrupted image where extent tree root is
corrupted, thus forcing to use "rescue=all,ro" mount option to mount the
image.
Then it triggered a scrub, but since scrub relies on extent tree to find
where the data/metadata extents are, scrub_find_fill_first_stripe()
relies on an non-empty extent root.
But unfortunately scrub_find_fill_first_stripe() doesn't really expect
an NULL pointer for extent root, it use extent_root to grab fs_info and
triggered a NULL pointer dereference.
[FIX]
Add an extra check for a valid extent root at the beginning of
scrub_find_fill_first_stripe().
The new error path is introduced by 42437a6386ff ("btrfs: introduce
mount option rescue=ignorebadroots"), but that's pretty old, and later
commit b979547513ff ("btrfs: scrub: introduce helper to find and fill
sector info for a scrub_stripe") changed how we do scrub.
So for kernels older than 6.6, the fix will need manual backport.
Severity ?
5.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
42437a6386ffeaaf200731e73d723ea491f3fe7d , < 24b85a8b0310e0144da9ab30be42e87e6476638a
(git)
Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < aee5f69f3e6cd82bfefaca1b70b40b6cd8f3f784 (git) Affected: 42437a6386ffeaaf200731e73d723ea491f3fe7d , < 6aecd91a5c5b68939cf4169e32bc49f3cd2dd329 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21658",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:52:37.080379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:57:13.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/scrub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24b85a8b0310e0144da9ab30be42e87e6476638a",
"status": "affected",
"version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
"versionType": "git"
},
{
"lessThan": "aee5f69f3e6cd82bfefaca1b70b40b6cd8f3f784",
"status": "affected",
"version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
"versionType": "git"
},
{
"lessThan": "6aecd91a5c5b68939cf4169e32bc49f3cd2dd329",
"status": "affected",
"version": "42437a6386ffeaaf200731e73d723ea491f3fe7d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/scrub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.72",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid NULL pointer dereference if no valid extent tree\n\n[BUG]\nSyzbot reported a crash with the following call trace:\n\n BTRFS info (device loop0): scrub: started on devid 1\n BUG: kernel NULL pointer dereference, address: 0000000000000208\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206\n Tainted: [O]=OOT_MODULE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]\n Call Trace:\n \u003cTASK\u003e\n scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]\n scrub_simple_mirror+0x175/0x260 [btrfs]\n scrub_stripe+0x5d4/0x6c0 [btrfs]\n scrub_chunk+0xbb/0x170 [btrfs]\n scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs]\n btrfs_scrub_dev+0x240/0x600 [btrfs]\n btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]\n ? do_sys_openat2+0xa5/0xf0\n __x64_sys_ioctl+0x97/0xc0\n do_syscall_64+0x4f/0x120\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\n[CAUSE]\nThe reproducer is using a corrupted image where extent tree root is\ncorrupted, thus forcing to use \"rescue=all,ro\" mount option to mount the\nimage.\n\nThen it triggered a scrub, but since scrub relies on extent tree to find\nwhere the data/metadata extents are, scrub_find_fill_first_stripe()\nrelies on an non-empty extent root.\n\nBut unfortunately scrub_find_fill_first_stripe() doesn\u0027t really expect\nan NULL pointer for extent root, it use extent_root to grab fs_info and\ntriggered a NULL pointer dereference.\n\n[FIX]\nAdd an extra check for a valid extent root at the beginning of\nscrub_find_fill_first_stripe().\n\nThe new error path is introduced by 42437a6386ff (\"btrfs: introduce\nmount option rescue=ignorebadroots\"), but that\u0027s pretty old, and later\ncommit b979547513ff (\"btrfs: scrub: introduce helper to find and fill\nsector info for a scrub_stripe\") changed how we do scrub.\n\nSo for kernels older than 6.6, the fix will need manual backport."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:18:24.189Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24b85a8b0310e0144da9ab30be42e87e6476638a"
},
{
"url": "https://git.kernel.org/stable/c/aee5f69f3e6cd82bfefaca1b70b40b6cd8f3f784"
},
{
"url": "https://git.kernel.org/stable/c/6aecd91a5c5b68939cf4169e32bc49f3cd2dd329"
}
],
"title": "btrfs: avoid NULL pointer dereference if no valid extent tree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21658",
"datePublished": "2025-01-21T12:18:14.578Z",
"dateReserved": "2024-12-29T08:45:45.731Z",
"dateUpdated": "2025-10-01T19:57:13.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-38684 (GCVE-0-2025-38684)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2025-11-03 17:41
VLAI?
EPSS
Title
net/sched: ets: use old 'nbands' while purging unused classes
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: use old 'nbands' while purging unused classes
Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()
after recent changes from Lion [2]. The problem is: in ets_qdisc_change()
we purge unused DWRR queues; the value of 'q->nbands' is the new one, and
the cleanup should be done with the old one. The problem is here since my
first attempts to fix ets_qdisc_change(), but it surfaced again after the
recent qdisc len accounting fixes. Fix it purging idle DWRR queues before
assigning a new value of 'q->nbands', so that all purge operations find a
consistent configuration:
- old 'q->nbands' because it's needed by ets_class_find()
- old 'q->nstrict' because it's needed by ets_class_is_strict()
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
RSP: 0018:ffffba186009f400 EFLAGS: 00010202
RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
ets_class_qlen_notify+0x65/0x90 [sch_ets]
qdisc_tree_reduce_backlog+0x74/0x110
ets_qdisc_change+0x630/0xa40 [sch_ets]
__tc_modify_qdisc.constprop.0+0x216/0x7f0
tc_modify_qdisc+0x7c/0x120
rtnetlink_rcv_msg+0x145/0x3f0
netlink_rcv_skb+0x53/0x100
netlink_unicast+0x245/0x390
netlink_sendmsg+0x21b/0x470
____sys_sendmsg+0x39d/0x3d0
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xd0
do_syscall_64+0x7d/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f2155114084
Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0
</TASK>
[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
[2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41
(git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 97ec167cd2e8a81a2d87331a2ed92daf007542c8 (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 84a24fb446ee07b22b64aae6f0e3f4a38266310a (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 5b3b346bc4c2aa2c428735438a11989d251f32f1 (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < d69f4a258cd91b3bcef7089eb0401005aae2aed5 (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 970c1c731c4ede46d05f5b0355724d1e400cfbca (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 87c6efc5ce9c126ae4a781bc04504b83780e3650 (git) Affected: 3b290923ad2b23596208c1e29520badef4356a43 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:11.527Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "97ec167cd2e8a81a2d87331a2ed92daf007542c8",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "84a24fb446ee07b22b64aae6f0e3f4a38266310a",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "5b3b346bc4c2aa2c428735438a11989d251f32f1",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "d69f4a258cd91b3bcef7089eb0401005aae2aed5",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "970c1c731c4ede46d05f5b0355724d1e400cfbca",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "87c6efc5ce9c126ae4a781bc04504b83780e3650",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"status": "affected",
"version": "3b290923ad2b23596208c1e29520badef4356a43",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.296",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: use old \u0027nbands\u0027 while purging unused classes\n\nShuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()\nafter recent changes from Lion [2]. The problem is: in ets_qdisc_change()\nwe purge unused DWRR queues; the value of \u0027q-\u003enbands\u0027 is the new one, and\nthe cleanup should be done with the old one. The problem is here since my\nfirst attempts to fix ets_qdisc_change(), but it surfaced again after the\nrecent qdisc len accounting fixes. Fix it purging idle DWRR queues before\nassigning a new value of \u0027q-\u003enbands\u0027, so that all purge operations find a\nconsistent configuration:\n\n - old \u0027q-\u003enbands\u0027 because it\u0027s needed by ets_class_find()\n - old \u0027q-\u003enstrict\u0027 because it\u0027s needed by ets_class_is_strict()\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)\n Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021\n RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80\n Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa \u003c48\u003e 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab\n RSP: 0018:ffffba186009f400 EFLAGS: 00010202\n RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004\n RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004\n R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000\n R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000\n FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ets_class_qlen_notify+0x65/0x90 [sch_ets]\n qdisc_tree_reduce_backlog+0x74/0x110\n ets_qdisc_change+0x630/0xa40 [sch_ets]\n __tc_modify_qdisc.constprop.0+0x216/0x7f0\n tc_modify_qdisc+0x7c/0x120\n rtnetlink_rcv_msg+0x145/0x3f0\n netlink_rcv_skb+0x53/0x100\n netlink_unicast+0x245/0x390\n netlink_sendmsg+0x21b/0x470\n ____sys_sendmsg+0x39d/0x3d0\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xd0\n do_syscall_64+0x7d/0x160\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f2155114084\n Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084\n RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003\n RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f\n R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0\n R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0\n \u003c/TASK\u003e\n\n [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/\n [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:55:56.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdfddcde86e8b9245d9c0c2efe2b6fe8dcf6bf41"
},
{
"url": "https://git.kernel.org/stable/c/be9692dafdfb36d9c43afd9d4e1d9d9ba8e7b51b"
},
{
"url": "https://git.kernel.org/stable/c/97ec167cd2e8a81a2d87331a2ed92daf007542c8"
},
{
"url": "https://git.kernel.org/stable/c/84a24fb446ee07b22b64aae6f0e3f4a38266310a"
},
{
"url": "https://git.kernel.org/stable/c/5b3b346bc4c2aa2c428735438a11989d251f32f1"
},
{
"url": "https://git.kernel.org/stable/c/d69f4a258cd91b3bcef7089eb0401005aae2aed5"
},
{
"url": "https://git.kernel.org/stable/c/970c1c731c4ede46d05f5b0355724d1e400cfbca"
},
{
"url": "https://git.kernel.org/stable/c/87c6efc5ce9c126ae4a781bc04504b83780e3650"
}
],
"title": "net/sched: ets: use old \u0027nbands\u0027 while purging unused classes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38684",
"datePublished": "2025-09-04T15:32:38.927Z",
"dateReserved": "2025-04-16T04:51:24.032Z",
"dateUpdated": "2025-11-03T17:41:11.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22999 (GCVE-0-2026-22999)
Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:36
VLAI?
EPSS
Title
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Fixes qfq_change_class() error case.
cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
462dbc9101acd38e92eda93c0726857517a24bbd , < 2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e
(git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < cff6cd703f41d8071995956142729e4bba160363 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < f06f7635499bc806cbe2bbc8805c7cef8b1edddf (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 0a234660dc70ce45d771cbc76b20d925b73ec160 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 362e269bb03f7076ba9990e518aeddb898232e50 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < e9d8f11652fa08c647bf7bba7dd8163241a332cd (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "cff6cd703f41d8071995956142729e4bba160363",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "f06f7635499bc806cbe2bbc8805c7cef8b1edddf",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "0a234660dc70ce45d771cbc76b20d925b73ec160",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "362e269bb03f7076ba9990e518aeddb898232e50",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "e9d8f11652fa08c647bf7bba7dd8163241a332cd",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "3879cffd9d07aa0377c4b8835c4f64b4fb24ac78",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: do not free existing class in qfq_change_class()\n\nFixes qfq_change_class() error case.\n\ncl-\u003eqdisc and cl should only be freed if a new class and qdisc\nwere allocated, or we risk various UAF."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:36:51.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2a64fb9b47afffeb5dbab5fd3a518e1436dcc90e"
},
{
"url": "https://git.kernel.org/stable/c/cff6cd703f41d8071995956142729e4bba160363"
},
{
"url": "https://git.kernel.org/stable/c/f06f7635499bc806cbe2bbc8805c7cef8b1edddf"
},
{
"url": "https://git.kernel.org/stable/c/0a234660dc70ce45d771cbc76b20d925b73ec160"
},
{
"url": "https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50"
},
{
"url": "https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd"
},
{
"url": "https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78"
}
],
"title": "net/sched: sch_qfq: do not free existing class in qfq_change_class()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-22999",
"datePublished": "2026-01-25T14:36:13.909Z",
"dateReserved": "2026-01-13T15:37:45.938Z",
"dateUpdated": "2026-02-09T08:36:51.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40186 (GCVE-0-2025-40186)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
syzbot reported the splat below in tcp_conn_request(). [0]
If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.
After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.
Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.
Let's remove reqsk_fastopen_remove() in tcp_conn_request().
Note that other callers make sure tp->fastopen_rsk is not NULL.
[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:
<IRQ>
tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
ip6_input (net/ipv6/ip6_input.c:500)
ipv6_rcv (net/ipv6/ip6_input.c:311)
__netif_receive_skb (net/core/dev.c:6104)
process_backlog (net/core/dev.c:6456)
__napi_poll (net/core/dev.c:7506)
net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480)
</IRQ>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7ec092a91ff351dcde89c23e795b73a328274db6 , < e359b742eac1eac75cff4e38ee2e8cea492acd9b
(git)
Affected: a4378dedd6e07e62f2fccb17d78c9665718763d0 , < ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d (git) Affected: 33a4fdf0b4a25f8ce65380c3b0136b407ca57609 , < eb85ad5f23268d64b037bfb545cbcba3752f90c7 (git) Affected: 17d699727577814198d744d6afe54735c6b54c99 , < 643a94b0cf767325e953591c212be2eb826b9d7f (git) Affected: dfd06131107e7b699ef1e2a24ed2f7d17c917753 , < 422c1c173c39bbbae1e0eaaf8aefe40b2596233b (git) Affected: fa4749c065644af4db496b338452a69a3e5147d9 , < c11ace909e873118295e9eb22dc8c58b0b50eb32 (git) Affected: 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 , < 64dc47a13aa3d9daf7cec29b44dca8e22a6aea15 (git) Affected: 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 , < 2e7cbbbe3d61c63606994b7ff73c72537afe2e1c (git) Affected: ae313d14b45eca7a6bb29cb9bf396d977e7d28fb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e359b742eac1eac75cff4e38ee2e8cea492acd9b",
"status": "affected",
"version": "7ec092a91ff351dcde89c23e795b73a328274db6",
"versionType": "git"
},
{
"lessThan": "ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d",
"status": "affected",
"version": "a4378dedd6e07e62f2fccb17d78c9665718763d0",
"versionType": "git"
},
{
"lessThan": "eb85ad5f23268d64b037bfb545cbcba3752f90c7",
"status": "affected",
"version": "33a4fdf0b4a25f8ce65380c3b0136b407ca57609",
"versionType": "git"
},
{
"lessThan": "643a94b0cf767325e953591c212be2eb826b9d7f",
"status": "affected",
"version": "17d699727577814198d744d6afe54735c6b54c99",
"versionType": "git"
},
{
"lessThan": "422c1c173c39bbbae1e0eaaf8aefe40b2596233b",
"status": "affected",
"version": "dfd06131107e7b699ef1e2a24ed2f7d17c917753",
"versionType": "git"
},
{
"lessThan": "c11ace909e873118295e9eb22dc8c58b0b50eb32",
"status": "affected",
"version": "fa4749c065644af4db496b338452a69a3e5147d9",
"versionType": "git"
},
{
"lessThan": "64dc47a13aa3d9daf7cec29b44dca8e22a6aea15",
"status": "affected",
"version": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"versionType": "git"
},
{
"lessThan": "2e7cbbbe3d61c63606994b7ff73c72537afe2e1c",
"status": "affected",
"version": "45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01",
"versionType": "git"
},
{
"status": "affected",
"version": "ae313d14b45eca7a6bb29cb9bf396d977e7d28fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.300",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.245",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "6.1.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "6.6.108",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "6.12.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().\n\nsyzbot reported the splat below in tcp_conn_request(). [0]\n\nIf a listener is close()d while a TFO socket is being processed in\ntcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk-\u003esk\nand calls inet_child_forget(), which calls tcp_disconnect() for the\nTFO socket.\n\nAfter the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),\nwhere reqsk_put() is called due to !reqsk-\u003esk.\n\nThen, reqsk_fastopen_remove() in tcp_conn_request() decrements the\nlast req-\u003ersk_refcnt and frees reqsk, and __reqsk_free() at the\ndrop_and_free label causes the refcount underflow for the listener\nand double-free of the reqsk.\n\nLet\u0027s remove reqsk_fastopen_remove() in tcp_conn_request().\n\nNote that other callers make sure tp-\u003efastopen_rsk is not NULL.\n\n[0]:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)\nModules linked in:\nCPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:refcount_warn_saturate (lib/refcount.c:28)\nCode: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff \u003c0f\u003e 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6\nRSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246\nRAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900\nRDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280\nRBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280\nR10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100\nR13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8\nFS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)\n tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)\n tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)\n ip6_input (net/ipv6/ip6_input.c:500)\n ipv6_rcv (net/ipv6/ip6_input.c:311)\n __netif_receive_skb (net/core/dev.c:6104)\n process_backlog (net/core/dev.c:6456)\n __napi_poll (net/core/dev.c:7506)\n net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480)\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:44.477Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e359b742eac1eac75cff4e38ee2e8cea492acd9b"
},
{
"url": "https://git.kernel.org/stable/c/ff6a8883f96a5bc74241ce5b3d431a6dcfa2124d"
},
{
"url": "https://git.kernel.org/stable/c/eb85ad5f23268d64b037bfb545cbcba3752f90c7"
},
{
"url": "https://git.kernel.org/stable/c/643a94b0cf767325e953591c212be2eb826b9d7f"
},
{
"url": "https://git.kernel.org/stable/c/422c1c173c39bbbae1e0eaaf8aefe40b2596233b"
},
{
"url": "https://git.kernel.org/stable/c/c11ace909e873118295e9eb22dc8c58b0b50eb32"
},
{
"url": "https://git.kernel.org/stable/c/64dc47a13aa3d9daf7cec29b44dca8e22a6aea15"
},
{
"url": "https://git.kernel.org/stable/c/2e7cbbbe3d61c63606994b7ff73c72537afe2e1c"
}
],
"title": "tcp: Don\u0027t call reqsk_fastopen_remove() in tcp_conn_request().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40186",
"datePublished": "2025-11-12T21:56:29.033Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:44.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…